What Do You Need To Successfully Cybersecurity Job Hunt?

Peter Strouse, Managing Partner of InfoSec Connect & Infosec Hires, is on this SimplyCyber livestream and it's EPIC! What's the best way to get a great job in cybersecurity? What certifications are hot? What are you doing to unconsciously undermine yourself in nailing the interview?


Transcription from this interview:

Hello and welcome to Simply Cyber Live. I'm your host Gerald Auger, and every Thursday we talk with experts to help you take your cyber career further faster. If you like this, be sure to check out the Simply Cyber YouTube channel for more great content. Special thanks to SideChannel for hosting a virtual social happy hour after this live stream, and if you are interested in attending, you can go to social our side channel.com, right there on the bottom. Today we have an incredible show: we are joined by two senior, very seasoned, very experienced cybersecurity recruiters, who are going to spend the next half hour with us pulling back the curtain on the job hunting process and answering all of our questions, so feel free to just fire them in the comments. I'm gonna be facilitating to them. We are joined today by Joe Hudson and Pete Strouse, lumbering them up into the studio here. Hey, Joe. Hey, Pete. Hello. So today's mostly going to be Q&A. So I won't go through a long bio intro, but just, you know, so the audience can kind of establish background, Joe, can you go first? And then Pete? Can you guys just give like, you know, a 30-second, high level on why people want to listen to you and talk to you?

No problem. Yes. I've been working at a company called HuntSource to celebrate three years last week. Before that, two years of very unrelated contracting, contract recruiting. I taught elementary school for nine years before that, and needed my students to kind of tell me how to work the smartboard. So I definitely didn't come from a tech background. I'm an absolute addict for everything we focus on here at HuntSource, love working here. Love talking to all the people that we get to talk to and really talk about real problems or real successes. And it's an ongoing joy every day, really.

Awesome. Well, I'm Pete Strouse. I am the co-founder, managing partner of Infosec Hires. I started in recruiting back in 2014, in the IT realm, and then I've kind of transitioned since into the security recruiting world. And I've been at security recruiting for over six years now. I've been on the corporate side, as well as now, we call it the agency side of recruiting, where I'm helping other companies find people, and like I said, been in the security world for about six years. And yeah, I guess that's about it.

Awesome. Well, thank you guys both for taking the time to be with us today. Really excited. So I thought, um, you know, we're obviously going to start letting questions queue up and stuff like that. But the one question I wanted to start with, and special thanks to those who submitted questions ahead of time. I feel like this is probably the most prevalent question you get in all of cybersecurity, it certainly feels that way, is, you know, entry level job, years of experience is five years. I mean, I've seen multiple jokes where it's like, you just have four years of FastAPI experience. And the guy who created it says, Well, I invented it a year and a half ago. So I don't really know how to meet that goal. So you know, what are your thoughts and perspective around, you know, that paradox of years of experience for an entry level job, if that just doesn't feel like it maps?

I can kind of take that. So I think really where that comes from, and there's a couple of things at play here. First is that often there's a disconnect between the hiring managers in security and the HR or recruitment teams. So you'll see job descriptions put together by somebody in HR, who doesn't necessarily understand the security world, or the certifications, or the experience requirements, things like that. And then I've also heard from plenty of hiring managers out there that security isn't necessarily an entry level profession. A lot of folks see it as a more advanced profession under the larger umbrella of IT. So when hiring managers say that they're looking for a few years of experience for an entry level job, basically, they're saying though, it's entry level for security, it's not entry level as a whole as a role in general. So in a lot of cases, then, folks are looking for people that have had a couple of years of IT experience and then parlayed that into a career in security later on.

Yeah, I would agree. On the flip side, I think the narrative that's being told to a lot of applicants is, it's a different narrative from different directions. I talked to a lot of college graduates that haven't had their first job yet, and they're saying out loud, I'm worth $80,000. And, you know, they believe that that might be a case that they can actually have. And some people might be getting hired right out of school. Definitely some people are qualified. But what you're looking at is mixed messaging. And you're right, Pete, I think the messaging and the disconnect between hiring managers and HR, there are companies where a hiring manager can walk down the hallway with his candidate he wants to hire, he knows he's very qualified or she's very qualified. But that candidate fails some sort of requirement through the application process and HR automatically rules them out. And this man legally can't even hire the person. So it's company specific, I think it's location and geography specific. You know, different cities have different personalities, and companies have different personalities for what they would consider entry level. And really how advanced and mature is your program? And how seriously do you take security from the top down? It's really what I would see. It's just inconsistency, kind of landmines, I think, all over the country in different ways. And there's really no one answer, I think it applies to specific companies that we would talk about. Good.

That's a great point. So there's some questions in here, I'm gonna start throwing them in here. A question from Steve Hayes, guy I used to work with, I know him quite well. Steve was wondering if you guys could, you know, rank in terms of importance those key things that you would see, you know, any candidate have across it. So certifications, degree, years of experience, he puts clearance here, but you know, I really think it's certification, degrees and years of experience.

I would say among all of those things, the one thing that kind of, there are two things, I guess, that kind of stand out as consistent among all different seniority levels, people's, you know, different levels of experience, is what specific experience you have that's relevant to that job. So experience would be number one. And then the second thing would be passion. Universally, all hiring managers are looking for folks that are passionate about the field, that want to learn more, that are information sponges, that maybe have a lab set up at home, or they go to all the virtual, you know, networking events for security people, they're going to their local makerspace, and things like that. So I think pretty universally, you'll see that hiring managers are looking for passion, and demonstrated passion. If you can show that you're passionate about the field by doing X, Y, and Z, that's really important versus just saying, I have a passion for the field, you need to be able to demonstrate that. And then the second part of that, experience, just making sure that your experience directly aligns with the position at hand. With how siloed security can be in many cases, it's super important to be able to match your exact experience to that exact experience required by the job. In some cases, in order to get through HR and recruitment teams, you have to really make sure that your resumes have keywords that match up directly to that job. And so you might need to have, you know, multiple versions of your resume, just to get through those filters. But when it comes to what a hiring manager is looking for, you just need to make sure that you have experience with the tech stack that they're looking for. 
And you know, that could come through academic experience, it could come through self study, it doesn't necessarily need to come from on the job, training or experience, you can get a lot of those things just through doing your own research, which is super key and goes back to that passion point.

Yeah, Pete, I think you nailed it with a passion. I think the problem with that part is it's really tough to communicate that if you're like an applicant, and you're putting on your resume. You know, I don't think we see too many resumes that say, I watch six hours of YouTube videos every day on security. And you know, I network with people and I apply to 50 jobs a day or whatnot. That part though, it's irreplaceable. And you're right, the home lab, that's something that we've been tinkering with the idea of, like, where's the scholarship out there for building home labs for people, you know, things like that, I want to see things that are putting people in place to be successful. But from the question that Steve asked it, as a recruiter, it depends on our client, we have to know our client, we have to know, okay, yes, the job description says bachelor's degree, it's not required, or hey, don't send anybody without a degree, you know, and we have to know that from a recruiting perspective, a W thing, certifications rank higher in my eyes, in terms of value, than a degree, especially for a specific technology or, you know, profession that you're looking at. So if you have an OSCP, but you're applying to a risk management, you know, or risk assessor job, it may not necessarily be that applicable. So it just kind of depends on the role that you're looking at. I think when it comes to clearances, that's a very little wiggle room type of environment, depending on it, you know, I do much more on the private sector side, but for sure, it works in clear jobs and kind of had to learn the hard way, the little flexibility that there might be or the fact that yes, we can bring this person on and we'll call you in 10 months when we're ready to hire. 
But I think that topic, the certifications versus degrees, you can start to sneak by some of the years of experience if you offset it with some of these other qualifications, depending on the company, but that's one of the only ways I see sometimes around the years of experience unless you know somebody or unless you can get an interview and actually knock their socks off, just by being your authentic self, really.

Yeah. So we got another couple questions that are kind of similar, in a sense, but I'll bring enroll in here. So Rollins, basically, what do you do? It's taken up quite a bit of real estate on our screen here. Um, what do you do when you're like a one man cyber shop, one woman cyber shop, and you kind of do risk compliance, security operations, incident response, you know, endpoint stuff? And how do you translate that into, you know, when you're trying to get it up? And we've got another question here from a student who is a student at but doing SOC type work, but feels they're having a tough time explaining who they are, because they're seen as a student. Again, I feel like they're similar, where it's like, you know, you're just, you know, jack of all trades. I'm going to take this question now and roll and just so we can see the speakers. But, you know, to you guys, please.

Cool, I'll tell you, his feet are laid off, at least, I mean, I think that that can be a tough thing to communicate. And that's where you really have to, I mean, that's where I think talking to people like us might be able to help you honestly, customize or curtail your resume towards an audience that you're looking. There could be a role that you're applying to that has 15 descriptions. So and we would love somebody that can deal with the frameworks, that compliance, can do some pen testing, can do the vulnerability scans, and actually has great communication skills, can tie their shoes with, you know, one arm and it can do all these things, they might be asking for that. But a lot of the roles that we see are a little bit more niche, even though the job descriptions are a page and a half, for you know, a little bit narrower job, tweaking your resume to fit the bread and butter of what it is you're going after. You know, I think it's a big plus, if you have an ability to step into an environment and kind of tackle any problem. But sometimes, and oftentimes, that's not what people are looking for. So figuring out a way to work with and network with or partner with either recruiters or people that you know, that have gone a distance and gotten good careers in security, to kind of tell the story that you want for this specific audience. It's pretty imperative, because I definitely think Pete and I probably have seen our fair share of five, six page resumes where it's rigored through it, and we go, okay, this person is very qualified, but I don't really know A, what they're great at, or B, what they really want to be great as well want to do before.

Yeah, it's all about making the information that you want the audience to see easy to see. So, you know, the longer a resume gets, the harder it is to find the information, you know, for us recruiters, that we want to see. So it's important to be able to kind of condense down why you think that you're a good fit for a specific position, in a small amount of space. The average recruiter spends like between six and 10 seconds on the resume. So obviously, that's not a lot of time. And it sounds kind of crappy. But that's the reality of it. So anything that you can do to really capture somebody's eye in a short amount of time is super important. And I think the hardest part of getting a job in security, or really any field, is just getting past all the automatic filters and algorithms and recruiters who don't know what they're looking at. So it's super important to have different versions of your resume. Some practical advice here, I would say, is like have a folder for all of your resumes and have, I would do Pete underscore Strouse underscore incident response resume, Pete underscore Strouse underscore general security operations resume, stuff like that. So you can easily see which resume you have for each specific job that you're targeting. And instead of trying to put everything on one resume, put all the relevant terms in as much depth as you can for that one specific skill set. And really dig into and use as many keywords as you can. A good way to kind of tweak your resume, make sure that that depth is there, and that all those keywords are there, is just look at a job description. Look at your target ideal job, look at what terms they use, look at what tech stack they have in that job description. 
And if there's anything that you've worked with there, or any action words that you can use, the things that you've done, within that specific discipline of security, just make sure that it's repeated as many times and you say it a bunch of different ways as possible in your resume. And then maybe don't include some of the stuff that isn't necessarily applicable to that specific silo of security or that specific job.

Yeah, yeah, you're not on the LinkedIn pages of the company that you're actually applying to, look at the manager's page or someone that might be on the team and see what they've got on their page that they're actually doing. Because most of these pages, these job descriptions, are a lot longer than they probably need to be. They have plenty of their own fluff as well. So yeah, it's a five minute investigation that might actually lead you to figure out specifically exactly what you need to focus on, like Pete said. Good point.

Yeah, that research is so, so paramount. I mean, any job that you go after, you should be doing that amount of research, I would say, looking at the company page. You can do a Boolean string in LinkedIn and search for people with that job title or that skill set. So you can go to the company page, and then it'll list their employees, and click on that, look at all the employees and then filter that down by those keywords you want to target, and easily find somebody who's either in that role or has that skill set in that organization.

Those are all great points, little little ons, if you will, on a separate skill. I'm going to read a question from toothbrush. Hopefully I said that right. And I feel like this addresses a question that I get quite often. So it seems like a wide one. His specific question is about, you know, starting a career from India. But what I would like you guys to kind of talk about, because I think it'll encompass his question, is for international individuals looking to get into cyber, or they are cyber and come to the United States through different meanings. You know, what kind of, what are you seeing? What kind of advice would you give? What are the challenges perhaps that they're encountering, especially if it's for remote work, which is quite, you know, popular right now, frankly, so.

I can tell you that that's the conversation, I've had a lot of discussions around, whether it's with clients, or it's with potential candidates. For example, in India, you know, that's a hub for a lot of offshore work. And it's a completely different culture for a lot of people in the sense that the way people might grow their careers there is quicker, in some ways, and different. You have a lot of people trying to get a lot of jobs, there are a lot of low paying jobs accordingly. And that's why the jobs get shipped over there. And to phrase it that way, it sounds very negative, but there's actually very good work getting done. And companies, as they face situations like this now, I mean, they are looking at different options. If I'm living in another country, I'm looking at companies that have global presences, I'm on LinkedIn, I'm looking for people that are currently working in India for specific companies, and I'm messaging all of them. And I'm saying, Hey, how did you get that job? What are the career growth opportunities there? And I think people that are really trying to grow their careers, anywhere in the world, you know, taking deliberate steps, trainings, certifications, making it clear that I am a cybersecurity professional, even if it's aspiring. The remote side of things, you have to find a network with recruiters, with companies that you know might have certain work visa flexibility, work authorization flexibilities, that takes some research, and it changes. And I mean, that's a topic of discussion that we're, you know, we have to talk about a lot recently, just from a government perspective. But it's definitely manageable and doable. And it's something that I would expect to potentially increase in opportunity over the next couple of years, especially since you look at, I think the number they throw around, 3 million vacancies, but really, that's mostly not in the United States. 
And so most of these vacancies are not in the United States. I think it's like 570,000, or something of them are in the United States. So we're talking 84%, really, of the jobs are not here, that is there. So, you know, I think, you know, it's kind of the same methodology, Pete and I've been talking about, you have to be putting in some extra effort to network and research and find out where can I be looking to have the highest ratio of success? Potentially?

Yeah, and go on after this. So I want to kind of go one, one back and forth, just because we're getting a lot of questions I want to make sure we get to, but please, please respond to the international question yet. So

So the issue really is how the US treats work authorizations, it's so tough to get an H-1B, there's a lot of system in, at the end of the day, even if you're remote out of a different country, chances are the employer here in the US will want you to have a US work authorization. And really, that's the biggest hurdle, I think. And so one thing that you can do, and this is what I see a lot of people do, and this is most common from what I've seen with, like Joe said, global organizations that have a presence in, say, India, and then also the US has seen a lot with consulting firms. So consider going to work for like the Big Four consulting firms, they're large global companies, they do a lot of business in India, they do a lot of business in the US. But if you get on board with a company like that, you're able to work in your home country. And then once you build some experience, that company is more likely to go ahead and sponsor your visa to come work in the US. So that's one way to do it versus trying to find a company that'll just hire you without having worked with you before. It's much easier to get employed with the company and then have them transfer you from one country to another. So that's definitely the route that I would take, if I were in that same situation.

Yeah, that's a great point, they do have those deep pockets and connections to be able to, you know, once you're on the inside, it's always easy to kind of move around. So the next question I want to ask, we're getting a lot of variations of this question. And I'll throw one or two up. But essentially, we're seeing a lot of girls who work in IT, they're sysadmins, or they're a PM, but it seems mostly like they're technology based professionals who want to pivot into security. And in some instances, their IT experiences and being counted when they're trying to meet minimum requirements of years of experience for InfoSec. Sometimes they just don't know, you know, how do you pivot in there. So if you guys could speak to what you're seeing or how you advise your clients, as candidates who are going from IT wanting to transition into a cybersecurity role.

I would say first and foremost, wait, now is not the best time to be trying to make a career transition. It's really not, there's a ton of people looking right now that, say, have been in security for five or 10 years, that aren't trying to do a career transition right now. The whole COVID thing, it's really kind of turning the world on its head. So I would say, you know, first and foremost, continue building your skills as much as you can with your current employer. If you're in IT right now, try and get as many, you know, security oriented duties as you can, so that, you know, you can add those things to your resume. Also, you know, do security meetups, hang out with security people, talk to security hiring managers through LinkedIn, just network and do everything that you can to kind of get yourself embedded in the world of security and start building relationships. So the long term, you're more likely to find a career in security, when hopefully things pick up and start looking a little bit better from an economic standpoint. But it can be done right now, just know that there's a lot, a lot, a lot of people looking, and you're going to have to contend with a lot of other folks that are looking. I've been looking at job postings recently, and there's hundreds and hundreds of people applying to those single job postings. And for any human being, it's almost impossible to go through every single one of those applications and resumes and actually review them on a deeper level than just a quick glance. So really important right now, especially more than ever, to really break through the noise. And then I would say bide your time to try and build experience, try and build your resume and again, get those security keywords in your resume, that's going to be the biggest thing. So if you've worked an IT role, but had security responsibilities, just make sure that you really focus on the security aspects of those jobs.

Yeah. And so as a follow on to that question, for you, Joe, a couple people here who are trying to make that transition. I've got a couple here where they're, you know, Anthony says that he's built a home lab, and he's trying to get certs. But he's still not breaking in. We have another one here from Alex, who says he wants to know if going through a boot camp that's specifically focused on security is the right call, as far as, you know, standing out and giving him that kind of, you know, produced experience, if you will. So what are your thoughts about kind of using those as techniques?

Yeah, well, I think that's a great, these are great questions. And I don't think that there's one answer, because I think some people are going to be great test takers, some people are going to be great at being interactive, some people would prefer to be left alone and just study. You know, CompTIA's Security+, for example. I remember getting that when I first started working here just to read through it. And I was like, this would be pretty quick for someone to figure out that I don't want to do this stuff. And I think that there's a lot of training out there that's cheap, accessible, there's a lot of free stuff right now, SANS offers free stuff. I know that there's an OWASP thing out there, there's free trainings out there that really expose you to different elements of security that you think you might be interested in, and want to transition to, that you can be putting in the investment with very minimal money, as much time and at the place that you want to go. And if you're really hustling, you know, talk to people that have come from similar backgrounds as yours, that have similar interest or approaches. Soft skills very much matter. You can go get certain types of professions, but you may have a ceiling based on what you are capable of or prefer to do when it comes to actually relationship management and talking with people, or hey, I just want to be behind my keyboard and I don't want anyone to know that I'm not actually the cartoon picture in my LinkedIn profile or whatnot. I think though that things like boot camps and meetup groups, I'm part of a really awesome Meetup group called the QC cities here in Charlotte, that is a bunch of guys and women that are trying to or have been pretty early in their offensive security careers, and they just knowledge share all day, they have Hack The Box, they're on Discord, they are just an awesome group of people with humility checked at the door, or egos checked at the door, and they're knowledge sharing. 
And I think getting involved in groups like that can be an incredibly inspirational move that makes you solidify your feelings, hey, I want to keep going through this like, and now you've got a support system, you've got people looking out for you. If you're just applying or you're just, you know, reading things online, I think you're limited in what you're going to be able to know about yourself, honestly.

Yeah, I appreciate that. So we've only got a few minutes left, I knew this 30 minutes was going to go too fast. And there's so many great questions from the audience and stuff. But I do want to give you guys an opportunity for, you know, final thoughts. I feel like you talk to, you know, the people in this audience, you talk to people just like them day in and day out, you know, if you want to give some final parting words, and maybe if there's a way, if you want to continue to connect with you, maybe the best way to do that, social media, email, website, whatever. Let them know, because this is the community.

Awesome. Yeah, I would just say, if you guys want to follow up after this, certainly happy to answer any questions that you might have. Or if you need more advice. Me, I can, our company can be found at InfoSec hires.com. I'm also on LinkedIn, a lot of connections, so should be pretty easy to find. I'll just say that, you know, in general, when seeking a job in security, it, you need to figure out what other people aren't doing and do that. Because again, there's hundreds of applicants to a single job on LinkedIn. You know, if you're able to one click apply to something, the easier it is to apply for something, the more people are going to do it. And so the harder something is to apply for, the fewer people are going to do it. So consider that when you're looking at the percentage of jobs that you might be likely to get. Track down hiring managers on LinkedIn, track down people in your target position on LinkedIn. Ask them about how they got into the field, if they have any advice, try and reverse engineer your career that way, find somebody in your target position and ask them their best advice to try and get into that position. Don't just go out there and apply to hundreds of jobs at a time, because yes, it's easy to do from a volume standpoint, but it may not necessarily be the most effective way.

Yeah, once again, Pete, you nailed it, man. I can say I talked to a lot of people that are really active applicants. And I tell them, hey, we're going to partner together, we're going to do a lot together, much of it's, you know, really going to come from what you asked me to help you with, but we have a 1% rule, we're shooting for a 1% success rate, we're going to try 100 things together. And I don't think we're going to be upset if 99 of those don't work if we actually get a job together. But what I tell people, and really what I live by with my own job, is don't go to sleep until you feel like you've deliberately and intentionally done something proactive and productive to increase your chances. Maybe it's adding more content to your LinkedIn page, revamping that resume and saving it in different files, like Pete said. It's networking. Actually, if you get on LinkedIn for an hour, I don't think that you'll go very long without seeing me or Pete commenting or dialoguing with people all over the world. And you never know what can come out of that. I see people literally just commenting congratulations on everybody's pages. And I've reached out to them to say hey, I don't know if I'm gonna have a job for you. But I'm absolutely willing to help you. Just because that's awesome. To see that kind of positive energy. There could be a hiring manager out there that does that. So I invite you to reach out to me, Pete, anybody at my company HuntSource, we can be found at hunt source.io. And my email is just J. Hutton at hunt source.io. If you reach out to me, you're going to get my time. And I'm sure he would say the same thing. So I think collectively, we just want to see the cybersecurity community get stronger to where we're not talking about the gaps. We're talking about the strength.

Yeah, thank you. Great group parting words. Really appreciate you guys taking the time today. Thank you for attending and watching the live stream. A lot of great information coming out. So next week, if you are interested, we have a surprise live stream. This is going to be the last but I'll be speaking with Brian Hokulea, talking specifically about how to be successful for individuals that are basically one-person cyber shops. I know there's a couple of people in the audience who are in that situation. He's going to talk to us about how to effectively communicate to senior level, how to get funding to do projects and how what skills you need to focus on first really, basically accessible in that role, so be sure to check that out. So special thanks to Pete and Joe and, you know, thank you everybody, and until next time. Yep, thanks. Thanks, guys.

all right