The dire shortage of information security experts has left organizations struggling to keep up with the growing demand for their skills. Still, getting a job in cybersecurity tends to take time and effort.
In this Help Net Security interview, Joseph Cooper, Cybersecurity Recruiter at Aspiron Search, offers practical advice for job seekers and talks about how the cybersecurity profession continues to expand.
1. Despite a significant cybersecurity skills gap, getting an entry-level job is difficult. What advice would you give to applicants with little or no experience trying to get into cybersecurity?
My three biggest pieces of advice for candidates looking to get into the cybersecurity industry and land an entry-level position are:
1. Identify which area of the cybersecurity specialism you would like to work in. We typically break cybersecurity into 16 category specialisms, so when you identify which area you would like to work in, for example, security testing or security operations, you can move on to my second piece of advice – here are the 16 specialisms.
2. After you have identified the area of cybersecurity you would like to have a career in, build your foundational knowledge. For example, if you decide you want to work in the SOC, it would be a good idea to learn foundational IT networking. I like the CompTIA certs as they are vendor-neutral. All the training is free with the incredible Professor Messer on YouTube. Unfortunately, the exam will cost you unless you can find a sponsor like Aspiron Search which provides scholars under the FirstStep Initiative with exam vouchers.
3. Finally: network, network, network! This can be done from the comfort of your own home these days, especially with the power of LinkedIn, but take it further. If you are serious, get down to some of the industry-specific conferences like Black Hat or Infosecurity Europe.
2. What soft skills do companies look for?
Communication skills: all the clients I work with look for strong communicators. When I say communication skills, I don’t mean the ability to stand up and deliver a keynote on the mainstage at RSAC, but more importantly, the ability to effectively communicate your work.
The security industry is notorious for folks feeling at home in server rooms on their own rather than in a room full of people, so absolutely become strong in the documentation. When the pandemic hit, soft skills became less important. Every organization that didn’t already had to adapt to hiring remotely. Hiring remotely hosts its own challenges, but what it does do is allow technical skills to flourish, and fewer social skills are needed.
3. What are some of the main challenges of your work as a recruiter?
Recruitment, in general, is tough, but the reality is recruiting in the cybersecurity market is even tougher. The skills gap is very much real and cybersecurity expertise has become one of the most sought-after skillsets for any employer.
Right now, the market is tight, and the looming potential of a recession and mass lay-offs across the tech sector would naturally cause concern. However, I am optimistic and see this as more of a talent reset or correction due to over-hiring and increased candidate confidence to change jobs in 2021 rather than weak business performance. Another challenge last year particularly was managing counter offers which were at an all-time high as employers fought to hold on to their much-valued security talent, and I do expect to see the same again this year.
4. What technical expertise do employers seek in their candidates to stay ahead in the constantly evolving threat landscape?
There are constantly new tools and technologies being released to combat the evolving threat landscape, but from a technical expertise perspective we have seen, as a business, with the increased adoption of cloud technology over the last few years, a real demand for cloud security professionals.
I would encourage security professionals to learn as much about the cloud and cloud security as they can, particularly across all the major public players: AWS, Azure and GCP.
We have also seen an increase in searches for identity & access management (IAM) talent, which makes it really interesting to see Thoma Bravo acquiring three identity companies alone in 2022: SailPoint, Ping Identity and ForgeRock.
Generally speaking, from a technical perspective, security engineering is always going to be a number one priority for IT teams.
5. How important are formal education, certifications, and experience? What do employers value the most?
This is a really interesting question. I am a big advocate of education and accreditations, but the reality is every employer is different. One of my clients, a leading OT security player, don’t give a damn about education or certifications; they believe if you are the best person for the job, you are getting hired regardless of academic backgrounds and number of certifications. Then, on the other side of the fence, I have clients who are recognized as the world’s most prestigious hedge funds that expect their employees to be Ivy League University educated with 3.8+ out of 4.0 GPAs (top grades in the US education system).
6. What does a good CV look like? What should people pay special attention to?
Your resume is typically the first thing a potential employer sees, stripping it right back to the basics. Try and keep your resume to 2 pages. If you have had a long career with multiple roles, the reality is recruiters and hiring managers do not care about your first job out of school; they are focused very much on your last 3 roles, what your experience was, what you achieved and how you can add value in your next role.
I read hundreds of resumes a week, and the most common piece of advice I find myself giving to candidates is: sell yourself. Why should someone hire you? It might seem simple, but most of the time resumes are just multiple cybersecurity job descriptions of roles that the candidate has been in, cut and pasted from contracts or even other websites where they find similar roles. Instead, go into as much detail as you can about the experience you gained, highlight any exposure to technology and tools you managed and sell yourself by explaining the value you can add to your next employer.
7. What steps should job seekers take to effectively prepare for a cybersecurity job interview?
My biggest piece of advice here would be to get close to a niche industry-specific recruiter like myself. I would welcome anyone to reach out for interview preparation; recruiters have a ton of valuable insight into the market, recruiting processes, and interview questions. Most recruiters will have an interview preparation guide they would be happy to share for free too.