Before I moved into cyber security, I worked as a recruiter for 20 years helping people find new career opportunities or to move into cyber security roles. I also head up the Mentoring programme for Capslock, which is a training programme for those new to cyber security, offering them the chance to reskill.
Over the years I have advised, mentored or helped place hundreds of people into new careers in cyber security. Now, I will caveat: there is no one-size-fits-all bulletproof plan to find your first role in the industry. However, these are my top 5 tips that I know have either worked for me or worked for others new to cyber security to find their first role.
1. Decide what type of role within cyber security you want to go into
It’s no good saying “I want to work in Cyber” as it’s similar to saying “I want to work in Science”. Are you more interested in technical aspects, such as penetration testing? Do you enjoy process management such as risk or compliance? Do you enjoy teaching and fancy security training or security awareness?
You need to reflect on your passions, your interests and your skills, and where you feel your talents and interests will develop the most. There are 16 different specialisms within the Cyber Security Framework, so don’t feel like you have to start as either a SOC Analyst or a Pen Tester.
2. Consider your background and your transferable skills
3. Learning the fundamentals is critical
Cyber security isn’t an entry-level job. Although some businesses will train people from scratch, you are going to have a better chance of gaining that first role by understanding the basics, such as:
- Network Fundamentals – how networks operate, including TCP/IP, routing and subnetting, as well as common network protocols
- Operating Systems – especially Windows and Linux
- Cyber Security Concepts – such as threat actors, attack vectors, security frameworks and security controls
- Security Tooling – such as Wireshark for network analysis, Nmap for network scanning and other pen test tooling. Having a knowledge of SIEM tooling is also useful. Check out open source tools such as Security Onion as a way to start to build skills.
- Cloud Security – many businesses now have cloud environments or hybrid environments. Having a good understanding of one of the main environments – i.e. AWS or Azure – and the security challenges around cloud is useful.
4. Self study is important
Cyber security careers involve continual learning, even when you’re not new to cyber security. There are always new threats, new tools, new attack vectors and new vulnerabilities in this career. You will always be learning and need to enjoy continuous development to thrive in this industry. Any employer will want to understand why you want to work in this industry, as well as what you already know. If you want to be a penetration tester, they will expect you to be playing around on TryHackMe and completing challenges there. TryHackMe also has a range of defensive learning paths for wannabe SOC Analysts, as does Blue Team Labs Online.
If you want to work in compliance or risk, maybe you have looked at Professor Messer’s online risk courses or Gerald Auger’s Simply Cyber Courses. If you want to work in a technical role, do you have a home lab or have you spun up test environments to learn hands on how to defend or secure a network? Projects like this will really help you to stand out.
5. Network both with seasoned professionals and those new to cyber security
Now this is the most important tip, but there is a reason I’ve left it until last.
As you start to build your knowledge and your experience, it’s important to also begin to build your professional network. If you decide you want to work in malware, for example, you can begin to watch previous BSides videos of talks around malware, then reach out to those speakers on LinkedIn. If you watch an interesting talk and want to learn more you can connect with the speakers and let them know that their talk has inspired you, for example.
LinkedIn is a professional networking site so once you have set up your profile, you can begin to connect with others, comment on their posts, read and comment on the latest news etc. LinkedIn likes engagement within the platform, so the more you interact with others – either by commenting on their posts or resharing to create your own content – the more your content will be seen. However, do remember this is a professional site. Potential employers will review your LinkedIn profile, and both your profile and your activity are a reflection of you and your work style.
Another easy way to network: if you decide you want to be a SOC Analyst, and you live in Leeds, you can reach out to other SOC Analysts who live near Leeds. Let them know you are new to cyber security and currently aspiring to be a SOC Analyst, and ask them for their advice on how to gain that first role or how to build skills. Maybe they know of different professional cyber networking groups in the local area you could go along to? There are also many professional networking groups, details of some of which can be found below:
- Defcon Groups typically meet midweek, for example once a month. Leeds, Worcester, and Dundee, for example, all have Defcon Groups
- 2600 meetings happen on the first Friday of every month – London, Bournemouth, Cheltenham, Glasgow and Manchester all have 2600s (in fact, I am an organiser for the renewed Manchester 2600!)
- Ladies Hacking Society has chapters in London, Cheltenham and Newcastle, and has different groups.
- There are BSides events in most big cities now, which happen once a year. Check out Twitter and LinkedIn to find out about your local BSides – when is it, and can you volunteer or attend? It’s a great way to meet people, and volunteering is another great experience piece for your CV.
If there isn’t a local community near you, and after reaching out to local cyber professionals you can’t find out about one, why not set up a local meet? Networking with others who are local to you, or who are working in roles that you want to work in, is the fastest way to find out about opportunities that aren’t always advertised. It also means you can begin to learn about companies or people you would like to work with, which may give you an opportunity to proactively send your CV to companies.
If you do get an interview, and you already have developed a relationship with people who work for that company, you can no doubt gain some insights into the culture and the working environment ahead of that interview.
I hope you find these tips useful, and if there is anything you think I have missed, please feel free to get in touch with me on LinkedIn!