“I’m still really interested in cybersecurity, but I had no idea getting an entry level job would be this difficult! I thought you said companies are desperate to fill these roles, and they’re basically hiring anyone who applies?” Jason lamented, after being rejected for yet another job. Jason has been working as a desktop support admin for a few years, but has since realized he wants to start a career in cybersecurity instead.
“Hmmm, that’s not quite what I said. What I said was that there are lots of opportunities in cybersecurity for smart people who can show their value to a hiring manager,” Jason’s aunt Susan replied. Susan is the CISO at a regional bank, and she’s trying to help her young nephew start a career in cybersecurity.
It hasn’t been going well so far.
“That’s a big difference – it’s not a cakewalk. You need to think about how your application looks to the hiring manager,” Susan added. “You’re targeting entry level jobs, so it’s ok that you don’t have much cybersecurity work experience, but they likely have a pile of other applications too. What are you doing to make them want to pick you? What did you put on your resume, anyway?”
“Well, I’m getting ready to take some cybersecurity certification tests, so I put that on, and I pumped up some of the stuff I did when I was an intern to make the job sound more relevant. Then, I mostly just listed out the duties I have now at my IT job to fill out the resume,” explained Jason.
“I’ve actually been doing a lot on the side to learn about security and experiment with AWS security tools, but I wasn’t sure if that was appropriate to put on my resume.”
Jason has good intentions but he’s probably going about this the wrong way. Here’s what every aspiring cybersecurity professional should understand before they start applying.
Paint yourself in colors
Newcomers often don’t realize that cybersecurity is a rapidly expanding field with many different specializations and varied career paths. It’s not just penetration testing, digital forensics, and other tech-heavy jobs! Despite what most undergraduate cybersecurity degree programs teach, there is a much broader need for all sorts of cybersecurity professionals, especially ones who can measure, communicate, and manage cyber risks for their employers.
The cybersecurity tent is big enough for everyone – you just have to know where you want to be in it.
Beyond the well-known “red team” (offensive security), “blue team” (defensive security), and “purple team” (a mix of red/blue roles) specializations, there’s a whole color wheel of other cybersecurity career paths. There’s demand across the board for people with cybersecurity skills – cloud operations, software design, employee training, risk & compliance, access management, QA testing, global intelligence, contracts & legal, vendor management, internal audit, and incident response, to name a few.
And here’s the big secret – many of these positions aren’t purely technical in nature! In fact, just being a good communicator is often the most important skill you can have with many of them.
So, if you don’t see yourself in a job that focuses heavily on technical security skills, then think about how to present yourself in a different light.
Highlight your other non-security skills that would help you be successful in your target role – things like project management, client management, technical writing, and other professional or analytical skills.
Make it easy for a future employer to see how you can handle all of the various aspects of the job. Smart hiring managers are always on the lookout for candidates that check all the requirements for a position – not just one in-demand security skill.
Cybersecurity Certifications – are they worth it?
Certifications can be a great way to prove to yourself that you know a cybersecurity topic and give you confidence to apply for a new job with that focus. But is it going to make any difference to the hiring manager who just sees a string of letters on your resume?
The short answer is: it depends.
For entry or junior level positions, certifications can sometimes be a good way to show you have some command of basic cybersecurity topics. But it only goes so far – don’t expect the person reading your resume to know about every possible security certification out there.
There are only a few early career path certifications that you can expect most hiring managers to know about:
- CompTIA Security+ – Far and away the most common entry level certification. It covers a very broad (but shallow) range of security topics. It is not that difficult to obtain, so don’t expect managers to be overly impressed that you have it. To be honest, the main reason to consider getting it is so you don’t get outshone by the many other applicants who will have it.
- Certified Ethical Hacker (CEH) – Another common certification, but expect more of a mixed response. It is more likely to be respected by managers hiring for offensive security positions (“red team”). EC-Council, the governing body for this certification, has suffered some serious reputational damage after some recent well-publicized organizational scandals. Pursue this one only if it is directly relevant to your career path.
- CompTIA CySA+ or ISC² SSCP – Both are well regarded but slightly less known certifications relevant for a broad range of cybersecurity career paths. People applying for jobs as analysts, cloud engineers, administrators, or “all-in-one” security positions at smaller companies may want to consider either of these certifications. For people early in their career, they show a higher level of commitment and are a nice way to stand out from the sea of Security+ applicants!
Don’t go overboard though and rack up certifications just to put a long list of them on your resume. Most resume readers will just gloss over a long list, reducing the impact of the most relevant ones.
For people early in or just looking to start a career in cybersecurity, it’s best to include no more than two or three.
Be wary about going all-in and trying to get a more advanced certification just to impress hiring managers. It may be a great way to test yourself, but it actually looks a bit strange to have an ISC² CISSP or GIAC Security Expert certification on your resume when applying for an entry level SOC position.
The hiring manager will think you’re either overqualified and aiming too low, or worse, you’re not being honest on your resume. Either way, you’re making the hiring manager do extra work to figure out if you’re a right fit for the job, which is never a good thing!
Whenever possible, include the registration numbers for your certifications on your resume to give the hiring manager the option to validate if they wish. Unfortunately, some people tend to “exaggerate” their certifications, so it’s natural for some hiring managers to be a little skeptical. If your cert doesn’t have registration numbers you can share, then it might be a good idea to offer other proof that you actually earned your certification.
A final note on certifications – avoid the temptation to use phrases like “studying for” on your resume, as in “CompTIA Security+ (studying for)”.
Sometimes job seekers do this because they think it will help with keyword searches, but it’s a very obvious trick and doesn’t look good. Even worse, sometimes the “studying for” isn’t there at all, which gives the impression that the certification has already been earned. This is a dishonest misrepresentation, and if discovered most companies will immediately reject the application – or even fire the employee if discovered after the fact.
Never put something on your resume that you didn’t yet fully earn!
Cybersecurity degree? Nice, but not necessary.
Cybersecurity is a young field that sprang up faster than universities and colleges could develop degree programs to match, and they’re only now starting to catch up. Most mid-to-senior level cyber professionals learned security on-the-job, not in the classroom. Very few hiring managers think that you must have a cyber degree from a good school to be successful in the field.
Ambivalence about cybersecurity degrees exists mainly because higher education hasn’t quite settled on what a standard cybersecurity degree program should even look like.
Quality and content vary greatly across institutions, and it’s very difficult for people making hiring decisions to assume that a degree means the candidate knows the specific skills needed for a job. Many degree programs tend to be heavy on offensive (red team) security skills, which aren’t even needed for a large number of cybersecurity jobs!
So, if you do have a cybersecurity degree, it is far more important than usual for you to spell out what your coursework was actually like.
Help the person reading your resume understand your educational experience better by listing out five or six of your most interesting and challenging courses or major projects. Pick the ones you’re most excited to talk about and that present a well-rounded picture of what you learned. It’s an especially good idea to highlight any course that touched on “the business of cybersecurity,” where you may have covered risk management, cybersecurity policies, compliance frameworks, or cyber law and insurance. These courses show your value in a far broader light than just as a tech worker.
But what if you don’t have a cybersecurity degree?
Easy, it usually doesn’t matter – especially if you have a degree in some adjacent field, like computer science or engineering, and some on-the-job security experience. For most hiring managers this is equivalent to (and sometimes better than) just having a cybersecurity degree.
Where it may get more challenging is if you’re trying to radically change your career path, and don’t have a cybersecurity (or adjacent) degree and little or no relevant work experience. In this situation, it is more challenging (but not impossible) to start a career in cybersecurity. Depending on the company, they may be willing to train people for some entry level positions, but those opportunities are becoming harder to find.
If you find yourself in this situation, one option to consider is an extended cybersecurity “boot camp” training program. For some, this may be the only reasonable alternative to a degree program, particularly if you just need the basics. Just be sure to do your research and find a high-quality program.
If you sign up for one of these programs, do it primarily to learn and build your skills, and not just to have a certificate of completion. Unlike a degree, it will not be coming from an accredited institution, so it’s even harder for the hiring manager to form a snap opinion about its worth. It’s even more important then to elaborate on what subjects were taught and how rigorous of an experience it was.
This may also be a situation where having a few well known certifications would help to round out the application.
Find some cover!
Sometimes, a resume on its own can’t tell the whole story, particularly when changing careers.
This happens a lot in cybersecurity, where it’s common for people to gravitate towards it from related fields. It may not be obvious how past work experience aligns with the new job you want, and it’s hard to show on a resume just how motivated and interested you are in a cybersecurity career.
The answer to this problem is to create a short, well-crafted, and detailed cover letter.
If you can explain in a paragraph or two how you became interested in cybersecurity, what you’ve done to prepare yourself for the transition, any cross-over skills from previous jobs, and what specializations you see yourself pursuing, then you’ll answer all the questions in the hiring manager’s head about why you’re applying for a position that doesn’t seem to be an obvious fit.
If you also convey earnest enthusiasm about the job, it’s quite possible you can even outshine other, more skilled candidates. The results can be amazing!
What you don’t want to do though is create a generic, pro forma cover letter that doesn’t give any insight into you as a person or how you’ll fit into the company where you’re applying. A letter like “Dear Sir or Madam, please consider my application for the cybersecurity analyst position …” is counterproductive. Letters like that only make more work for the hiring manager to read, so avoid them at all costs! Only create a cover letter if it truly is worthwhile for the hiring manager to read it – better to skip it rather than send a bad one.
A word of caution – the larger the company, the less likely a cover letter is going to be effective, or even read at all.
Save your persuasive writing skills for that dream job at a smaller company. Cultural fit is often more important in those companies and hiring managers are more likely to appreciate the insight the cover letter provides.
How to start a career in cybersecurity – putting it all together.
People early in their careers might not realize just how many resumes most hiring managers have to wade through to fill a single position, and just how poorly crafted so many of them are.
Your resume is the first – and maybe last – opportunity to make an impression on the hiring manager. If you can’t put together a nice looking resume, then no one is going to hire you to create risk assessment reports that need to be presentable enough to be seen by the CEO!
Keep yourself in the running for the job by avoiding these common problems:
- Unforced errors – Spelling mistakes, issues with grammar, and other very preventable errors are as common as they are cringe-worthy and inexcusable. Use multiple different grammar and spell checkers. If English isn’t your first language, get someone else to double check for you.
- Overly verbose – Make sure that every word on your resume is worth the time to read it. No hiring manager is going to bother to read a giant list of bullets that go through every facet of your past jobs. Filter down to the most important aspects and use summary statements that focus on the value you added to the company, not just the tasks you performed.
- Style over substance – Be cautious about using pictures, logos, and wildly unusual fonts or layouts on your resume just to get it noticed. It can be distracting and overshadow the real star – you and your story!
- Superfluous details – Only include information that is relevant to the job or highlights abilities that may set you apart. The manager does not need to see that you know “Word, Excel, and Windows” because it is pretty much assumed that every applicant does too. Be cautious about elaborating on non-career jobs if you can’t tie them in some way to the job you’re seeking.
If your resume has any of these problems, it gives the reader the impression that you don’t care about the time they’re putting into reviewing your application. In that case, why should they ever think you’ll be a good fit for their company?
Your resume should provide hiring managers the information they need while requiring the least amount of their time to review. Ultimately, you want to make it so they actually enjoy reading your resume!
A fresh start
Back to Jason and his job search: his aunt discussed these ideas with him, and he decided to make these adjustments:
- Most importantly, he realized that he didn’t really know what kind of cybersecurity job he actually wanted. After he did some research and discussed it more with his aunt, he zeroed in on cloud security operations, so he could combine it with his prior experience with AWS and Azure.
- For now, he removed any references to cybersecurity certifications he hadn’t earned yet. This motivated him to finish studying and finally sit for the CompTIA Security+ exam in a couple weeks, which he passed easily (and then put back on his resume).
- He trimmed down details about his past work experience to only relevant items and more value statements, like “reduced insider risk by making many improvements to IT’s monthly privileged access review process.” He also thought of a good example to back up each bullet, in case he was asked about it during an interview. This resulted in a much more concise and readable one page resume that he was excited to talk about.
- He dialed back any other exaggerations or embellishments about his prior work experience. Instead of just trying to make some very thin connections to cybersecurity concepts, he focused more on highlighting his strengths, like being able to handle complicated analyses and having great project management skills.
- He added a few short details about his cybersecurity activities out of work, including weekend competitions and an industry conference he attended with his aunt.
- And finally, he drafted a cover letter that explained why he was so interested in cybersecurity and what he has been doing to prepare for this career change. He mentioned a senior colleague who first showed him what it took to build a secure cloud architecture and how that fascinated him. He also detailed how he had built his own AWS environments to teach himself how to build secure, well instrumented architectures. He left it there for now, knowing that he’d probably want to add a sentence or two about the job he was applying for when the time came. He knew he wouldn’t want to send a cover letter for every job he applied for, but it was good to have it ready for when he needed it.
Susan knew that Jason’s revamped approach would greatly increase his chances of landing the job he really wanted all because of one simple reason – Jason was consciously trying to make it as easy as possible for the hiring manager to see how he would be successful in the job.
By thinking like a hiring manager, he knew to highlight the skills, experience, training, and attitude they would be looking for, and he didn’t clutter his resume up with irrelevant details. He still braced for the inevitable rejections, but he knew he was now putting his best foot forward to start a career in cybersecurity!