Last year, I personally mentored 164 people transitioning into security or moving upward in their security careers. That's 164 personal relationships where we met (digitally) face to face and talked. That doesn't count social media direct messaging or anything else. Just one-on-one time talking.
I'm the Vice President for Cyber for a sales organization. I see tons of partner networks, tons of development environments, tons of teams, tons of incident response, and TONS of vendor products (which I sell). I led cyber teams in the military. I started a cyber recruiting agency and sold it. I've watched people come and go. I tell you that because I want you to know that this is the sum total of my observations and what I coach people on daily. You get it for free.
First off, you probably don't know just how excited I am for you! The cyber career field is crazy and fun. It blends art, science, and people together into this amalgamation that's difficult to explain. It's also frustrating. Incredibly so.
And you're following the rabbit down the hole to a magical place where the Cheshire Cat's grin makes sense. Welcome to the Adventure. It's a wonderful, terrible world that, unlike most adventures, somehow pays well once you're in.
Pleasantries aside, let's get into the meat of the conversation. There are two major reasons you'll fail when getting into security. The first reason is that
Reason Number 1: You're not good at it.
Keep reading. I'll explain.
Almost every "cyber" voice in the market tells you that to get into cyber, you have to start off by taking a big pay cut, get your A+ certification, spend a couple years as a help desk technician, get some security certs, and then become a hacker. First off, I fundamentally disagree with that idea. I reject that reality. We'll break that down later.
The Helpdesk to Hacker technical track is still a valid way to get into security. But it isn't realistic for most people. Moving into an entry-level role just isn't tenable for most people both in pay and status. It also assumes that you either have a strong aptitude for the technical half of security or that you should take any technical route. The fact is, you don't have to.
You are amazing at something! JUST DO THAT, but in the context of cyber security. Let's look at some examples.
- You are really great at building relationships. Go into sales or business development. You don't need to be technical, you have a sales engineer for that.
- You are amazing at design. Go design for some security firms.
- You are a phenom database developer. Go dev databases for a cyber company.
- No one can touch your CPA skills. Transition to cyber auditing.
- You're really great in business ops. Go look for non-technical ops roles at...security companies.
- You won a couple journalism awards. Go write about cyber.
- You work in a legal office? Go work in a legal office...that advises on security.
There are so many other avenues than the purely technical route. And if you want to go down the technical route, what I actually recommend for people without much technical background is to start with AWS's Cloud Practitioner certification, and then AWS Solutions Architect Associate, and then AWS Security. They should really start sponsoring me since I send a lot of people their way. Regardless, they have great market penetration and that route tends to bear fruit far faster and make you more relevant to the market than going the Helpdesk to Hacker route. Shameless plug: read my breakdown on cyber certifications here.
Remember that technical versus non-technical difference? That's really, really important. In fact, it's so important that I often have people come to me a few years into the career field looking to move because. Why? They aren't happy. If you're not happy, you won't be good at it. Not at this stress level. You might meet every requirement intellectually and experientially but if your personality and your own internal love languages don't match what you're doing, you'll leave.
They feel like they were cheated. Been there, done that. I have all the aptitude I need to be a highly skilled technician but it simply doesn't make me happy. Is it really that important? Yes. Heck yes it is.
So let's solve the happiness factor before you get six years down the road.
Here's what I recommend. Pick your two favorite personality frameworks like the Myers–Briggs Type Indicator, or StrengthsFinder 2.0, PI Behavioral Assessment, or whatever other one you can get your hands on. Take them and take them seriously. Read the results. Then go for a walk. Take the weekend off. Reflect on what the results say. Then and only then, decide your route. Let's use me as the case study. I discounted my skills versus my peers in the Army that absolutely loved their technical work. Our profiles weren't aligned. So while they were amazing at it, I was far more amazing at building teams and getting different, conflicting teams together to support a common goal. Playing the Devil's Advocate, I almost always recommend people do the most technically challenge professional development first for this reason: even if you have the aptitude, most people won't go back and do the hard technical work later. There are tons of engineers with MBAs but only a few business undergrads with Masters of Science.
See? You can get good at it. You just have to pick the route that's right for you, the route that you can be good at. The route that will make you happy.
Now, here's the kicker: it will probably take you two years to really get the hang of the technical side of the house. That's an average and usually about right. The technical route takes time. To compound the time aspect, even with the right education, the right certifications, the right home lab, and the right blog posts, chances are that you're still going to struggle finding that first job. That leads us to the Second Reason that you're going to fail at cyber security.
Reason Number 2: You don't have hustle.
That's right. I said it. This is where the technical track people get blown away by the non-technical track people who hustle daily.
Meanwhile, I see tons of technical track people that put in just enough time to hit the minimum level of effort to get a couple certs but get frustrated and upset.
HR doesn't know or understand security certs. Most recruiters don't know or understand your home lab. Most hiring managers just want someone with technical aptitude, maybe a bit of knowledge, and some grit.
You're in a Catch-22.
Get out there and hustle, hustle, hustle. No one's going to come knocking at your door. Sell your skills. Market yourself. Don't fight the system, embrace it. Here's some tips.
- If you want to be a hacker/red team/pentester - you better be COMPETING your butt off in CTFs (capture the flag competitions) locally, virtually, and at conferences. Competitions are phenomenal auditions.
- If you want to go blue team (much bigger market, btw) - you better be blogging the heck about the cool stuff you're doing on your home lab. There's CTFs for blue teams, too.
- Regardless of what technical route you want to go, you should have a home lab either in the closet or cloud to expand your skillset.
- You should be out volunteering to help secure....ANY ORGANIZATION that will let you volunteer with them.
- You should be networking until your eyes bleed. Socially networking. Get into career-focused channels where people post new openings and share ideas and projects.
- You should be volunteering to talk at local conferences. Many local conferences have first-time speaker tracks just to help get the next generation involved.
- You should be volunteering for anything you can volunteer for at conferences. Hand out flyers, help with coat check, stand there with a giant question mark sign and answer questions. You're there to meet people and convince them to give you a job.
- You have to talk to people to convince them they should hire you.
- You should be practicing top interview questions like, "What happens when you type in a URL and hit enter?" That question, by the way, should take 30-60 minutes to answer. Hint: make assumptions.
Most of the voices in the market today talk about the need for people networking. I will argue that it is actually the single biggest factor to your success in getting that first cyber role.
How did most of us end up in security? Right place right time.
But there's nothing easy about figuring out where the right place is, when to show up, and whom to talk to when you're there.
You have to do that work yourself.
Get out there and hustle.
This article was originally published at: https://www.linkedin.com/pulse/why-youll-fail-cyber-security-stephen-semmelroth-/