Troubleshooting your cybersecurity career transition challenges

Cybersecurity has a talent pipeline problem. But what can you, as a candidate, do about it in the meantime?

Jamie Dicken
7 min read · May 19, 2022

Depending on which article you cite, there are between 1 and 3 million open cybersecurity jobs that remain unfilled, with that number increasing each year. At the same time, there are plenty of graduating students, career transitioners, and self-taught cyber whizzes who are struggling to land their first cybersecurity job — keeping our experienced cybersecurity workforce artificially low.

There are plenty of outspoken champions trying to address this imbalance by eliminating the gatekeeping in our industry. This effort is laudable, but it certainly is not easy and will therefore take time to make systemic shifts in our field. The good news is that you don’t have to wait years for this work to conclude before you try to break into cybersecurity, but it does mean you have to be clear on what your biggest challenge is so you can overcome it.

What exactly is the problem?

When I meet with people trying to transition into cybersecurity, I hear a consistent theme of frustration. They seemingly have everything possible to make themselves a good candidate: they’ve studied, obtained impressive certifications, financed and attended bootcamps, built a home lab, completed countless CTFs, and regularly posted security content on LinkedIn and Twitter. They’ve applied for jobs but have never landed one, and they wonder if their efforts were in vain.

Typically at this point, people will ask me what else they should be doing, what languages they should learn, what classes they should take, and what people they should meet. As a hiring manager, these are the exact people I’d love to have on my team — the ones who take responsibility for their own careers and don’t make excuses, even though the systems aren’t in their favor.

However, for candidates who have already done everything they can without actually having a job in cybersecurity, this is usually the wrong problem to solve. Instead, the key is to pinpoint the part of the hiring process where you struggle. To do that, you first must understand what you’re up against.

The Hiring Process

The following outlines a generic hiring process. Of course, every company has their own unique flavor and may omit or switch the order of a few of these steps, but the general process is relatively the same.

You apply to a job posting.

You upload your resume and answer some basic questions regarding your work authorization, current location, and security clearances (if required).

Your resume is reviewed to determine fit.

Typically there are multiple levels of review. Especially for roles with high applicant volumes, some companies first use resume parsers or scanners to algorithmically determine your fit. Think of this like Netflix, where it will say that Bridgerton is a 98% match for me based on my previous viewing history. Resume scanners can do the same, and they compare the keywords in job descriptions with your resume contents. This allows a machine to filter out resumes that are lower than a 60% or 70% match to reduce the number of resumes a human must review.

Next, a member of HR or talent acquisition will review the resumes and try to identify the top candidates for a role. They will recall their conversations with hiring managers, who have described their ideal candidates, and they will apply human judgment as to your suitability based on the job description.

It’s critical to understand that at most companies, HR or talent acquisition will not be cybersecurity experts. Therefore, it is critical to make sure they aren’t left guessing if you are a good fit; your resume should make that obvious. Now, it’s tempting to disparage HR or talent acquisition for filtering out candidates in a domain outside of their expertise. Do not do this. Talent acquisition is its own art. These people are professional matchmakers whose job is to usher in talent to help the company accomplish its goals and be successful. Their focus should be on creating an excellent candidate experience, sourcing diverse talent, and delighting hiring managers by putting forth high-quality candidates. Their lack of cybersecurity domain expertise is to be expected, and is something you should account for as you market yourself (but more on that in another blog post).

Finally, the hiring managers review the resumes of HR’s top picks and identify which candidates they’d like to move forward to the interview process.

You Interview.

After all the resume review, it’s time for you and the organization to meet one another. Generally, there are three steps in the process:

  1. HR Screening. A member of HR or talent acquisition will have an initial call with you. In this conversation, talent acquisition may review your experience, discuss compensation expectations, share information about company culture, and identify any areas of concern that may indicate a poor fit. Ultimately, this person wants to make sure neither you nor the company waste each other’s time in subsequent interviews.
  2. Hiring Manager meeting. Before investing several more hours in an interview process, you will generally speak with the hiring manager or a delegate who has deep understanding of the role. This conversation is the opportunity for you and the hiring manager to talk specifically about the job responsibilities to ensure the potential for a mutual fit. If all goes well, you will move forward with interviews.
  3. Full Interview. This process varies widely at different companies, but generally you will speak to multiple members of the organization who may be your direct or indirect leaders, members on your team, or folks you would regularly work with. They may ask behavioral questions or assess your technical skills in a variety of ways. These interviews may be conducted in multiple rounds, or in a single round with multiple sessions. Ultimately, your interviewers are tasked with determining if you could perform the job responsibilities required and build successful working relationships with others.

The company makes a decision.

Following the interviews, the interviewers will convene, compare notes, and select a candidate (if there are multiple to choose from) or make a hire/pass decision on you.

Putting it All Together

While the process I’ve described above sounds linear and cumbersome, it is most often designed for efficiency, where candidates can be filtered out at each step. In theory, this allows the company to focus their limited time and attention on the candidates who are the most promising fits, and it allows for quicker feedback to candidates.

An inverted pyramid illustrating the steps of a typical hiring process. From top (widest part of the pyramid) to bottom (lowest part), the steps are as follows: Collect Applications, Resume Scanner calculates matches, Talent Acquisition reviews resume, Hiring Manager reviews resume, HR Phone Screen, Manager Meeting, Full Interview, Decision. At each step, candidates can be filtered out from consideration.
A typical hiring process, with candidates filtered out at each level.

Troubleshooting your particular problem

Now that we have a mental model for the hiring process, it becomes simpler to diagnose the particular challenge you, as a candidate, are having. In my experience, there are three discrete criteria that are used to filter candidates out at these various stages, as illustrated below.

The same inverted pyramid as before, annotated to indicate which filter criteria can exclude you from candidacy. If you were filtered out during the “Collect Applications” phase, the filter criterion was the Basic Screening Questions. If you were filtered out during resume review, the filter criterion was your resume itself. If you were filtered out between the HR Phone Screen and Full Interview, your interview experience was to blame.

Basic Screening Questions

If a company will not sponsor workers who aren’t authorized to work in the country on a permanent basis, that will be a non-starter. Similarly, if a role requires you to work onsite in another city, you may be excluded from consideration if there are plenty of other candidates who would not have to relocate. Unfortunately, there are no easy fixes to problems like these, but they can help you more accurately identify future job targets.

Your Resume

Like it or not, the first several steps in the hiring process take place without you being in the room. Your only proxy is your resume — a piece of (digital) paper that is supposed to make you stand out and land you an interview. If you are applying to dozens of roles and you aren’t receiving any phone calls, your problem is your resume. Hopefully soon, I will be publishing one or more posts on how to present yourself on paper so you can start getting initial phone calls.

Your Interview

If you’re lucky enough to receive phone calls but you’re never getting a job offer, then you’re being filtered out in the interview stage. While interviewing is arguably the most intimidating part of the job process, the good news is that interview skills can be developed and honed. I used to give talks to college students on this topic, and I plan to publish my experiences and advice in a future post.

It is critical to note that for simplicity in this article, I am omitting bias (sexism, racism, ableism, etc.) as a filter criterion. These biases unfortunately are very real and can manifest at any stage of the hiring process, but I cannot do justice to these issues within the scope of this post.

Knowing is half the battle

Knowing more concretely where your struggles lie unfortunately does not solve your immediate issue of receiving your first cybersecurity job offer. However, it helps you more specifically focus your efforts.

If you are able to articulate things like “I apply to jobs but never get a call-back” or “I talk to a lot of hiring managers but never move on to the full interview,” those become very specific problems to diagnose and solve. You can start to practice those areas, receive feedback, and improve. More importantly, it helps you avoid investing a lot of time, energy, and money in a low-leverage area. After all, you will never be done learning in your cybersecurity career, but it helps to land a job and officially begin your career in the first place.
