Your first security role — what should you be looking for?

Claude Mandy
Twenty 20 hindsight

Opinions expressed are solely my own and do not express the views or opinions of my employer

I’ve spent the last week thinking a lot about the challenges of finding the right role as a new starter in the security industry. It’s quite sobering to review how many entry-level** security analyst or security engineering roles are being advertised at the moment — it gives some insight into the volume of talent and resources we desperately need in this industry.

It also means that there are a ton of roles that a new starter in the security industry could be applying to. So I wanted to spend a bit of my time helping outline what I believe are characteristics that you should be looking for in a security team to help you work out which roles are right for you. I believe these are indicative of a great security culture, more so than a good review on Glassdoor. Importantly, I think they indicate an organization which will foster your talent and could therefore make a huge difference to your job satisfaction and long-term success in the security industry.

Active participation in the security community

An organization and leadership that encourages and supports active participation in the security community doesn’t sound like much, but it actually means a lot — in ways that aren’t immediately apparent. Participation could range from sponsorship of conferences to contribution to open source projects or, more typically, participation and involvement in meetups and attendance by staff at training opportunities.

It demonstrates an organization and leaders that are willing to invest in the development of the industry as a whole and importantly in the development of their employees — which means that they are likely to be able to invest in your development and encourage your participation in the community as well. It also says a lot about the organization’s philosophy toward sharing and an understanding that security is about more than a single organization. Personally, this is the type of organization that I want to work for.

Diversity across the team and hopefully in leadership

An organization and leadership that has proactively fostered a diverse security workforce understands two things. Firstly, that you absolutely need diversity of thought (and hence diversity of gender, race, sexual orientation, backgrounds etc.) to be a successful security team and secondly, that you can’t wait for the industry to catch up, but need to actively invest and encourage diversity.

This active investment in diversity is indicative of leadership that is not only focused on the technology, but understands the challenges that we face as an industry as a whole and is tackling them head-on. What an amazing environment to develop in as a new security practitioner! Day-to-day exposure to an array of diverse thinking tackling big industry problems.

A busy but not frantic team

Did I say work/life balance? This probably sounds like an easy thing to aim for, but it is incredibly hard for a security function to achieve. Security will unfortunately never be a 9 to 5 type of job in our digital world — mostly because cyber criminals also live on the internet (which never sleeps). It’s a sad truth that there really isn’t a nirvana state of being “secure” that we will hopefully one day all achieve. It’s a fact that there will be incidents and events that require a lot of work at times, but you don’t want this to be all the time.

Ideally you want to join an organization that is well prepared and has planned for things to go wrong — both in terms of resourcing and by practicing. Continually evolving and tested response plans are non-negotiable in today’s world to ensure that the inevitable can be managed without descending into chaos. Selfishly for a new starter — a well-resourced and prepared organization means more time to invest in your on-the-job training and mentoring and more opportunity to get stuck into strategic tasks rather than simply being reactive.

The best way to tell whether a security team is resourced and prepared adequately is judging how busy the team is, but also what they are spending their time on. If you are joining a team where everyone is working on responding to incidents, it’s likely everyone is in a world of pain. This may be a great opportunity to learn on the job, but is more likely to simply restrict your ability to be mentored and tutored by senior staff.

Lastly but most importantly you are looking for an exciting and challenging role

This is something that is simply essential to me. I personally want to learn from every role and every organization that I take on. It needs to be a challenge and not something that I’ve done before. I honestly think that I would never have progressed as far as I have in my career without this mindset.

My advice to any new starter is to apply for roles where you are comfortable with around 50% to 75% of the requirements of the role and maybe even less. But be honest about what you know and don’t know. I would prefer to hire someone who knows they can’t do everything, but is willing to work on it.

I would love to hear about what you look for in a new role and of course, feel free to reach out to me directly to ask for any advice.

** An analysis for a possible future post is to understand how many of those roles are actually appropriately aimed as entry-level roles — compared to the number looking for experienced or senior analysts or someone with a strong background or security certifications.


Claude Mandy
Twenty 20 hindsight

Australian from the Namib desert. A thirst for knowledge. Chief Evangelist www.symmetry-systems.com ex-Gartner and former CISO