How to Stand Apart in Your InfoSec Job Search

SecureSet, published in Command Line, Jun 11, 2018

Analyzing Cyber Business and Pathways to your first job. By Scott Bowman, Career Services Manager at SecureSet Denver.

Information Security is broad and always evolving. The threat is ever-vigilant. Therefore, the pathways to entering the field are not always clear (or clean). At SecureSet Academy, we have the exhilarating task of identifying and clarifying industry trends to help make sense of it all. This is important not only for our students, but also for our industry partners, who have successfully grown their teams with SecureSet’s support. We identify trends in hiring through conversations with CISOs and executives at Fortune 500 companies, human resources and talent acquisition, market research and analysis, and directly from our 100+ graduates embedded in the industry in Colorado and around the country.

Here I will break down recent trends (some obvious, others not so) in general terms. For the record, my specialty is solving people problems, not cybersecurity!

Information Security, often referred to as InfoSec or cybersecurity, has been around for decades and is only going to be more prevalent as companies place a higher emphasis on data collection, storage, and internet commerce. Business drives the need for cybersecurity, and wherever there is money to be made, there is also a lesser-seen malicious element. Now for the exciting part: there are near-limitless opportunities to join in the fun. We have broken the industry down into three categories: security products, security services, and secured enterprises. These are ordered from least to most opportunity.

Security Products

Typically the focus of security in this type of company is to perform [insert here] security infrastructure function. They are businesses with the goal of selling their product to other businesses, consumers, or the government. Antivirus companies are among the most familiar. Security products have a relatively low need for entry-level talent. Their primary job functions include product development, software engineering, sales, and support. Early-stage security products need experienced professionals due to a strain on resources, which restricts their ability to train new talent.

Colorado examples include Webroot, LogRhythm, Swimlane, Red Hat, and Automox. The number of opportunities for entry-level talent in Colorado is expected to be in the 100s this year.

Skills that help you stand out are coding/programming, engineering, sales and marketing, customer service, project management, and executive leadership. Individuals interested in pursuing this pathway should consider bolstering their GitHub or portfolio with projects in C-based languages (Python, Java, C#, JavaScript, PHP, etc.). Another way to stand out is by contributing to an open-source project. Many security products have their own open-source communities where those dedicated to their craft can contribute. Swimlane, for example, has SecOps Hub. Another way to find and join a project is through OpenCollective or by teaming up with other professionals. There are also numerous bug bounties available if you are up for a challenge.

Hard work truly pays off. Challenge yourself to build your own security product, even if it’s just an early prototype. Write an application and learn to penetration test it. Read as much code as you can and write it every day. Ask for code reviews from experienced developers for feedback and best practices if you are less than confident about your skills. Any of these strategies will help you gain valuable insight into the daily challenges of an engineer in this environment. If you have a background in customer service or sales and excellent communication skills, it’s only going to help you make your case as to why you should be the one interfacing with customers when times are tough. Leverage your past experience and skills gained to give yourself a unique edge on your competition.

Security Services

Typically, the focus of this type of company is to provide contractual services to design and deploy security infrastructure and/or maintain and monitor security as needed, often proactively. Companies often will define themselves as a managed security services provider (MSSP) and/or a federal contractor. Do not be confused; security products often provide managed security services as a premium to enterprises utilizing their product (see Red Canary or Carbon Black).

It’s no secret: 2018 is the year of the SOC (Security Operations Center). Security services may run their operations 24/7 to ensure that security is maintained around the clock for their clients. Operations centers will employ security analysts in “tiers of escalation,” with Tier 1 responding to the majority of incidents before escalating more pervasive threats up the chain.

MSSPs offer services like IT consulting, vulnerability assessments, penetration testing, data management, forensic investigation and incident response, compliance and auditing, and management consulting (among others). For the majority of secured enterprises (described below), utilizing security services is the most economical solution. Customers of security services include everyone from Fortune 500 companies to small startups, with services often scaled to the number of “endpoints” (every device connected to the enterprise’s network) and/or scope of security needs.

The relative need for entry-level talent in security services is higher than for security products. This is expected to grow in Colorado as more SOCs continue to open in 2018 and 2019. Among defense contractors, there is a feeding frenzy for active secret and top secret clearances. Companies like Lockheed Martin and Leidos often accept cleared and military applicants with little to no experience.

Skills that help an entry-level job seeker stand out in this segment are unique to each team, but trends persist. In an information session at SecureSet Academy in April 2018, Doug Brush of Kivu Consulting provided some valuable insight:

  • Interest: Log Analysis; important skills: structures, timing, being able to describe artifacts.
  • Interest: Penetration Testing; important skills: e-commerce platforms, learning the layers that sit on top of infrastructure, understanding credentials.
  • Interest: Forensics; important skills: learn dead box analysis and tools like Axiom and Autopsy.
  • Additional skills necessary include being able to effectively (and persuasively) communicate risk.
  • Stay aware of industry news and trends through security podcasts and recent events.
  • Be able to describe your background and experience in the form of accomplishments: “I was brought in, here’s what I did, here’s my impact.”

Graduates of SecureSet who found success in security services have recommended the following:

“Do as many projects related to SIEMs and ethical hacking on your own. If something doesn’t work and you are running into a wall of frustration, use that. Employers want to hear that you tried and that you are working on a lifetime of learning.” — SecureSet graduate, GuidePoint Security.

“Research things on your own time, leverage the resources online, play around with Security Onion, try to detonate malware inside a Cuckoo VM (sandbox),” […] “Study for certs, not just Sec+ or CySA, go for the basic platform certs, for example, for Splunk (the basic one is free), Microsoft Azure (free training with a Microsoft Imagine account that you have access to with the admission letter from SecureSet), AWS certs (get a free year of access to training) and many more.” [..] “Just continue your education and talk about those things in an interview. The employers will be impressed and if that won’t make you stand out, I’m not sure what will.” — SecureSet graduate, Alchemy Security.

Additional suggestions: Keep an eye open for certifications from CompTIA if you have minimal experience. Training from SecureSet Academy provides the necessary classroom and lab-based experience to perform the daily tasks of a security analyst.

Secured Enterprises

These are the easiest to identify. Simply put, secured enterprises are all industries and companies connected to the internet. They make up the biggest need for security and are some of the biggest targets. Enterprises are the primary customers of security products and services. Much of the focus surrounds compliance (especially with regard to regulations in payments, data collection and privacy, as well as looming state and federal mandates) and securing/maintaining existing IT infrastructure. We are seeing trends in cloud data migration and application security as enterprises seek to mitigate the risk of another major breach (see Equifax or Best Buy).

Industries of greatest need include telecommunications, financial services, aerospace, defense, computer technology, and healthcare. While the overall need for security professionals remains low, the number of enterprises will keep the opportunities in the 10,000s across Colorado. This means that secured enterprises currently hold, and will continue to grow, the greatest number of future prospects for entry-level talent.

Enterprises are usually larger companies with well-defined roles and departments. Human Resources is in charge of sourcing (or gathering) credentials of qualified applicants. Department managers receive that information based on open requisitions (or active hiring requests) and proceed with interviews until they find their best available candidate. This means the hiring process can take longer and may have more barriers between an applicant and his or her offer.

While not every role at an enterprise is clearly defined in the terms of cybersecurity, the opportunities persist. Typically defined as information technology, information security, operations technology (or some variation thereof), roles are often defined in terms of tiers of escalation (see security services). Roles range from IT and desktop support, access management, project management, hardware and software engineering, development operations (DevOps), account management and sales, risk and compliance, to business analysis and more. Some secured enterprises with in-house services may define their roles more specifically as security analysts, engineers, architects, etc.

A great way to adapt to roles with secured enterprises is to pay close attention to the company’s website, including their mission, values, and keywords in the job description; then, adapt your strategy to reflect a stronger interest. An even better way is to meet people who work at that company in the security roles you want. They have the best insight on the daily workflow and skills needed to be successful. A little trust and communication goes a long way. Take a genuine approach of learning from these professionals and you will find that there are a lot of commonalities. We are only human. Bonus points if that person will pass your resume to their hiring manager or vouch for you as a referral.

Regardless of how you approach each company, intangibles matter: communication, the demonstrated ability to learn quickly or remain calm under pressure, your mentality around building or maintaining, thinking like a hacker, and even your ability to persuade or reassure others. These and many other “soft” skills may have a larger impact on your effectiveness in earning your next role. Focus on your niche and learn the skills that matter. Challenge yourself to meet other security professionals and learn their perspective on the industry. Ours is not the final word. Keep an open mind and you will thrive.

Scott Bowman is Career Services Manager for the Denver campus and brings over 7 years of experience coaching professionals in career transition in both higher education and human services, across the country. Originally from Wisconsin, he achieved a Master’s in Higher Education Leadership from the University of Colorado. Scott is passionate about the great outdoors, as well as supporting students and facilitating valuable relationships with pillars of the cybersecurity industry.
