Information security jobs are tough to get into, and with good reason. In order to land such a role, you need to demonstrate to a potential employer that you have what it takes to be the best in your field. That often means showing off your skills and experience as they relate to IT in general and security specifically. With so much emphasis on the importance of certification in all fields that relate to IT, you might be wondering why experience is so important. Surely certification is enough to prove that you know what you are doing, especially if you have a degree or a high-level certification?
Experience is so important because it teaches you real-world skills that a certification simply can’t. An extreme example is becoming a Cyber Security Incident Responder (CSIRT). Real-world scenarios are never perfect, and things can get really messy outside of a lab environment. Having experience shows potential employers that you have worked in some pretty challenging and stressful conditions, which can help to reveal more about your suitability for a position with them.
If you are just starting out, then you are probably already asking yourself how to get the experience that employers want. On the surface, the whole process appears to be an infinite and impossible loop: employers want experience that you don’t have, so you have no way of gaining any experience because you can’t get a job without any experience. Right?
Fortunately, there are many creative ways to stand out in information security. You just have to be willing to try a few new things and experiment. There are probably many other ways than just the methods that we are going to be talking about, but this list should be an excellent starting point for you.
In this list, we’ll look at some of the ways that can show your next boss how creative and dynamic you can be when you need to.
Volunteering your services
Find local organizations in your community and offer your services to them. Perform risk assessments and apply your knowledge to their specific requirements. Make a project document and go into professional detail so that you can show it to a potential employer (with permission). Do as many volunteer jobs as you can, because even if you are not charging for your services you are racking up important experience and gaining solid contacts, which could lead to greater things.
Tip: Build good relationships and contacts within these organizations, especially with the heads of the IT departments. After you have finished volunteering, you can ask for a character testimonial or work recommendation from them if you work well and present yourself professionally. As an added bonus, you will also have some more referrals for your resume. Recruiters sometimes like to contact these references and ask questions about your skills, knowledge and personality.
Attending and organizing events
Try to attend hackathon or CTF events and document your progress. If you solve a particularly difficult challenge, document your solution and keep it as part of a portfolio. This will help to demonstrate your technical abilities when discussing a position with a potential employer further down the line.
Tip: Attending events and even hosting your own events such as meetups and get-togethers can help you to broaden your connections and strengthen your network, which can also help to open doors in unexpected directions.
Starting a project
Do you have a great idea for a software tool or a useful application? Why not start your own GitHub page? You can prepare the documentation and use cases for your tool and show off your coding or scripting skills. You can list this kind of activity on your resume as experience, and you can also define your role as the project owner or technical lead on the project. This is not the same type of experience that you would derive from working for an employer, but it’s definitely something that an interviewer or recruitment agent would find interesting about your job application.
Tip: If your tool or application becomes popular then you can make more contacts and connections through your project, or even pursue its further development full-time if it shows commercial viability.
Freelancing
Find out what people with similar certifications and qualifications charge for small gigs and side jobs around you. Even better, find out if there are any online platforms that could use your services and do some work for them remotely.
Advertising your services can also help, although you don’t want to over-promise and under-deliver when you are just starting out. You will want to be entirely honest with any potential clients and let them know that you are just starting out but are fully qualified to handle their information security requirements. You should always aim to under-promise and over-deliver when working with your own clients where possible.
Tip: Freelancing is a great way to get experience, especially if you find the right client. You can accept or decline jobs based on what you are comfortable with doing, so you don’t have to take on massive projects if you feel like any of them are beyond your capabilities. Instead, start small, gain experience and then work your way up to bigger, more technical projects.
Freelancing can become a career in its own right, so you have a lot of options if freelancing is an avenue that you would like to pursue.
Researching the company
Being qualified is an excellent way to get yourself into an interview, but how do you set yourself apart from all the rest of the candidates that will be applying for the same job? Researching valuable trends in IT security that are currently in high demand will get an interviewer’s attention. One example is the GISWS (Global Information Security Workforce Study) report, which looks at, among other things, what hiring managers are looking for in candidates to address the skills shortfall in cybersecurity.
If you have managed to get some experience in one of these fields, then you could become the favorite for the job. If the job that you are interviewing for faces specific cybersecurity threats, then be sure to study those trends and try to slip them into some of your answers.
Tip: A general interviewing technique from a candidate’s perspective is to learn as much about the company that you are interviewing at as possible. You can shape your answers around your understanding of the business and show that you have taken an active interest in the organization and its position in the market.
Building an online portfolio
Similar to starting a project, your online portfolio can be a selection of projects, tools, blog posts and anything else of interest to information security professionals (and recruiters) that you have created. If the website looks professional then it will reflect favorably on you if anyone looks at it while researching your suitability for a role, so keep it neat and well-structured.
Tip: You can make a really interesting and professional website in no time at all, sometimes even for free. You might want to spend a little bit of money on getting a proper domain name, though, as this adds to the website’s professional image. If your website uses a free domain allocation, then the URL will be long and complicated and will just look messy on your resume. Remember that sometimes a recruiter or HR person will only have a printed version of your resume, so keep the URL short, neat and easy to remember if you hope to have anyone look at it.
Aim (slightly) lower
Getting experience in the job that you are qualified for is not always possible, and this is for many reasons. You might live in a small town where roles like the one that you are after are not available. Alternatively, you could have plenty of available jobs that match your skill set where you live, but you have so much competition that you are finding it difficult to stand out. There are hundreds of factors that influence your ability to get a job in your field of expertise. You might have to look at a role that is within IT, but slightly different from what you were looking to do. This is not an ideal choice, and it should not be taken lightly.
Tip: The aim in this instance is to land a role within a company and then work towards your preferred position. You will gain valuable hands-on experience in IT while you work towards your goals. Remember that this is a temporary measure and a means to an end.
No matter what approach you take, you need to make sure that your certification is indeed up to date and valid, especially if you are looking to find a job without the relevant experience. Being certified is not the be-all and end-all of information security, but if you are in a position where you don’t have any experience then your certifications certainly need to be up to scratch. Information security roles require that you go a step further than merely gaining certification, as there is a practical element to any role that centers around security.
By emphasizing your commitment to ongoing training and certification, you not only show that you are looking to solidify your career in IT security but that you are keen on self-development and upskilling. To do this, you need to show that you are always working towards bettering your understanding and knowledge in the field.
Be sure to try out some of these methods when trying to land your dream job and see what happens. You don’t have to choose one approach only, as many of these steps can be tried in conjunction with one another. Good luck and happy job hunting!
- 2017 Global Information Security Workforce Study, Frost & Sullivan