CYBERSECURITY JOB HUNTING GUIDE

Why You'll Fail in Cyber Security.

Author: Stephen Semmelroth
Source: https://www.linkedin.com/pulse/why-youll-fail-cyber-security-stephen-semmelroth-/
Last year, I personally mentored 164 people transitioning into security or moving upward in their security careers. That's 164 personal relationships where we met (digitally) face to face and talked. That doesn't count social media direct messaging or anything else. Just one-on-one time talking.

I'm the Vice President for Cyber for a sales organization. I see tons of partner networks, tons of development environments, tons of teams, tons of incident response, and TONS of vendor products (which I sell). I led cyber teams in the military. I started a cyber recruiting agency and sold it. I've watched people come and go. I tell you that because I want you to know that this is the sum total of my observations and what I coach people on daily. You get it for free.

First off, you probably don't know just how excited I am for you! The cyber career field is crazy and fun. It blends art, science, and people together into this amalgamation that's difficult to explain. It's also frustrating. Incredibly so.

And you're following the rabbit down the hole to a magical place where the Cheshire Cat's grin makes sense. Welcome to the Adventure. It's a wonderful, terrible world that, unlike most adventures, somehow pays well once you're in.

Pleasantries aside, let's get into the meat of the conversation. There are two major reasons you'll fail when getting into security. The first reason is that

Reason Number 1: You're not good at it.

Keep reading. I'll explain.

Almost every "cyber" voice in the market tells you that to get into cyber, you have to start off by taking a big pay cut, get your A+ certification, spend a couple years as a help desk technician, get some security certs, and then become a hacker. First off, I fundamentally disagree with that idea. I reject that reality. We'll break that down later.

The Helpdesk to Hacker technical track is still a valid way to get into security. But it isn't realistic for most people. Moving into an entry-level role just isn't tenable for most people both in pay and status. It also assumes that you either have a strong aptitude for the technical half of security or that you should take any technical route. The fact is, you don't have to.

You are amazing at something! JUST DO THAT, but in the context of cyber security. Let's look at some examples.
  • You are really great at building relationships. Go into sales or business development. You don't need to be technical, you have a sales engineer for that.
  • You are amazing at design. Go design for some security firms.
  • You are a phenom database developer. Go dev databases for a cyber company.
  • No one can touch your CPA skills. Transition to cyber auditing.
  • You're really great in business ops. Go look for non-technical ops roles at...security companies.
  • You won a couple journalism awards. Go write about cyber.
  • You work in a legal office? Go work in a legal office...that advises on security.
There are so many other avenues than the purely technical route. And if you want to go down the technical route, what I actually recommend for people without much technical background is to start with AWS's Cloud Practitioner certification, and then AWS Solutions Architect Associate, and then AWS Security. They should really start sponsoring me since I send a lot of people their way. Regardless, they have great market penetration and that route tends to bear fruit far faster and make you more relevant to the market than going the Helpdesk to Hacker route. Shameless plug: read my breakdown on cyber certifications here.

Remember that technical versus non-technical difference? That's really, really important. In fact, it's so important that I often have people come to me a few years into the career field looking to move. Why? They aren't happy. If you're not happy, you won't be good at it. Not at this stress level. You might meet every requirement intellectually and experientially but if your personality and your own internal love languages don't match what you're doing, you'll leave.

That's tough.

They feel like they were cheated. Been there, done that. I have all the aptitude I need to be a highly skilled technician but it simply doesn't make me happy. Is it really that important? Yes. Heck yes it is.

So let's solve the happiness factor before you get six years down the road.

Here's what I recommend. Pick your two favorite personality frameworks like the Myers–Briggs Type Indicator, or StrengthsFinder 2.0, PI Behavioral Assessment, or whatever other one you can get your hands on. Take them and take them seriously. Read the results. Then go for a walk. Take the weekend off. Reflect on what the results say. Then and only then, decide your route. Let's use me as the case study. I discounted my skills versus my peers in the Army that absolutely loved their technical work. Our profiles weren't aligned. So while they were amazing at it, I was far more amazing at building teams and getting different, conflicting teams together to support a common goal. Playing the Devil's Advocate, I almost always recommend people do the most technically challenging professional development first for this reason: even if you have the aptitude, most people won't go back and do the hard technical work later. There are tons of engineers with MBAs but only a few business undergrads with Masters of Science.

See? You can get good at it. You just have to pick the route that's right for you, the route that you can be good at. The route that will make you happy.

Now, here's the kicker: even with the right education, the right certifications, the right home lab, and the right blog posts, chances are that you're still going to struggle finding that first job. That leads us to the Second Reason that you're going to fail at cyber security.

Reason Number 2: You don't have hustle.

That's right. I said it. This is where the technical track people get blown away by the non-technical track people who hustle daily.
Meanwhile, I see tons of technical track people that put in just enough time to hit the minimum level of effort to get a couple certs but get frustrated and upset.

HR doesn't know or understand security certs. Most recruiters don't know or understand your home lab. Most hiring managers just want someone with technical aptitude, maybe a bit of knowledge, and some grit.

You're in a Catch-22.

Get out there and hustle, hustle, hustle. No one's going to come knocking at your door. Sell your skills. Market yourself. Don't fight the system, embrace it. Here's some tips.
  • If you want to be a hacker/red team/pentester - you better be COMPETING your butt off in CTFs (capture the flag competitions) locally, virtually, and at conferences. Competitions are phenomenal auditions.
  • If you want to go blue team (much bigger market, btw) - you better be blogging the heck about the cool stuff you're doing on your home lab. There's CTFs for blue teams, too.
  • Regardless of what technical route you want to go, you should have a home lab either in the closet or cloud to expand your skillset.
  • You should be out volunteering to help secure....ANY ORGANIZATION that will let you volunteer with them.
  • You should be networking until your eyes bleed. Socially networking. Get into career-focused channels where people post new openings and share ideas and projects.
  • You should be volunteering to talk at local conferences. Many local conferences have first-time speaker tracks just to help get the next generation involved.
  • You should be volunteering for anything you can volunteer for at conferences. Hand out flyers, help with coat check, stand there with a giant question mark sign and answer questions. You're there to meet people and convince them to give you a job.
  • You have to talk to people to convince them they should hire you.
  • You should be practicing top interview questions like, "What happens when you type in a URL and hit enter?" That question, by the way, should take 30-60 minutes to answer. Hint: make assumptions.
Most of the voices in the market today talk about the need for people networking. I will argue that it is actually the single biggest factor to your success in getting that first cyber role.

How did most of us end up in security? Right place right time.

But there's nothing easy about figuring out where the right place is, when to show up, and whom to talk to when you're there.

You have to do that work yourself.

Get out there and hustle.
© 2021. This work is licensed under a CC BY-SA 4.0 license