Infosec Jobs

I unintentionally started a small storm on #infosec twitter the other day. In that storm I received responses in extremes that I didn’t even know existed. I wanted to give a bit more depth to that thread than what 140 characters can convey.

Let me clear the air a bit first. That was not an attempt to broadcast me searching for a job. I am not ‘on the market’ and no I didn’t apply to any of those jobs that I tweeted about. That was also not an attempt to phish for compliments, ego inflation, or many other interesting things I was accused of in private messages and subtweets.

The Backstory

Here is what happened. As a Senior Consultant for an Incident Response firm, I periodically take a look at other jobs that show up on the market for situational awareness. I have found that the industry titles seem to vary quite a bit as the responsibilities of my Senior title seem to be equivalent to other firms’ Principle, Lead, Manager, or even Director titles. There are Managers that don’t manage, and there are Leads who do. It is pretty spread out.

While looking at one of those postings, I said to myself “Hmmf. I can’t qualify for this job with the same title at a different firm.” I then did a mental inventory of my professional network and started identifying people I have connected with in the past that I could reach out to if I were to go through the application process for that job. That took me to another statement to myself, “How does someone with less time in the industry (and likely less connections) make it past any of these requirements.” Naturally, this mostly applies to folks that are very new to the industry. Then off to twitter I went.

The Response

The responses that I received came in through all different avenues: text, LinkedIn, Twitter, Email, even one on Instagram. I would have probably seen a few on Facebook, however I do not currently possess any credentials to logon to that god-forsaken website.

The responses also varied in their messages. I got a few that definitely do not need repeating, and I’m not exactly sure where the motivation came from behind them. On the other extreme, I received a response from someone (or someones) in my network at every one of those companies that I mentioned in a tweet. Many have very graciously offered to put me in touch with someone to get me hired there, and this would bypass the HR and recruiters to ensure that I was considered. I am thankful for all of those responses since it shows how much of a community I have with those individuals. That wasn’t my intent though, and I hope this post makes that more clear.

The Bypass

What makes me so special? Why did so many people offer to take me around the filters?

I have been in the industry for a really long time
This doesn’t mean I know what I am doing. At the most basic level, it means I have been able to fool enough people for a long enough time to stay employed. While that is not an accurate representation of me as a whole, my length of time makes no other indication.

I work for BigName firm
Yup, I do. I also know a lot of people that are very new to the industry and still have a lot more to learn that also work for big name firms. This also does not show anything about me.

I have followers on Twitter
Ya, I have some. There are plenty of people that have tons more followers than I do. There are also folks that I know who are extremely knowledgable and very good at their jobs with a double digit follower count or no Twitter account at all. It is quite easy to look smart on the internet when I have time to plan and research what I decide to make public.

I have a blog to share my thoughts and research
Now we are getting somewhere. My posts on this blog are a far better representation of who I am than some of the things mentioned above this. Although, it is still quite easy to look smart here because of the time allowed for planning and research. What is more difficult to fake, however, is my communication skills. My writing here is a clear demonstration of my abilities to convey points to a widely varied audience, although the majority of readers here seem to be more technically focused. We are finally looking at something that employers could use in their evaluation of me as a potential candidate.

I have spoken at conferences
Another point that gets more into who I am. We are also getting into an area that is a bit harder to fake. Sure, there is still prep and research involved ahead of the point in which I am delivering my talk, and I certainly do plenty of that. What is nearly impossible to fake is my presence in the room and my authority on a topic. As a bonus, there have even been recorded sessions I have delivered that are available publicly on the internet, and this allows me to provide another demonstration of me to a potential employer.

I know lots of people
This seems to be the most significant point in this list. My time in this industry has put me in contact with a large amount of people. People I have made enough personal connection with to where they care about my wellbeing in terms of being employed. People that have calculated the risk involved, and are still willing to put their reputation and connections on the line to help me.

The Takeaway

Every job I have held has been through some connection. I have not received any jobs where I applied through some web portal. I have tried some of those in the past, and have many times not even received a courtesy rejection letter. My experience is often not categorized as ‘cybersecurity’ or ‘infosec’ depending on which recruiter I talk to.

If you are struggling with breaking into the industry, here are my pointers (which is really an echo of so many others’ great advice as well):

  1. Start a blog and post about stuff. it can be research, thoughts, infosec challenges, or a number of any other topics. If you would like some help getting started on this, please feel free to reach out to me. I enjoy helping motivated people. The information you put in public can give employers more data to consume when you are short on other requirements.
  2. Work on your soft skills. I have a few posts up here about how soft skills can be improved in various ways, and I intend to continue these posts. You need soft skills in this industry if you want to get into the better jobs. Interviews will make or break your job application in the end.
  3. Go out and meet people. This can be virtually or physically. There are quite a number of people who I would consider to be a step above acquaintance in terms of relationship who I have never met. Some I might not even know their real names! Connections will get you in the door.

Last point, I am in no way criticizing the companies that put up those job listings. They have reasons for asking for those requirements, probably because something has bit them in the past. I am not saying they should relax their requirements either. What you as an applicant has to recognize is that the requirements are not always requirements. You need to make meaningful connections to get access to the people that are making the hiring decisions.

I hesitated about initially sending those tweets, and again about writing this post. I am sure another round of hatemail will be heading my way soon. Also, it is not easy to publicly admit that I don’t qualify for so many positions in the industry I have been in for so long. I probably don’t even qualify for the requirements of my current position either. As someone facing the challenges of the hiring process, I hope this can give some comfort and help in your quest.

Good Luck!

James Habben
@JamesHabben