Getting Cyber Security job after doing business

infra444 Member Posts: 8
Hi everyone,

I am new to this forum, but my problem is a unique one (I guess). I have been in the IT industry for about 15 years; I started as a network engineer in an ISP and left as a network administrator, but for the last 9 years I was working for a family-owned business, which is basically to sell technical gadgets online (on Amazon, eBay) or export them to potential buyers around the world. For the last few years this business has been going down very fast, and I decided to return to a job and am choosing cyber security. I do have around 4 years' experience of pen testing, vulnerability assessment and GRC in my family-owned organization.

For the last 10 months I studied hard and passed the A+, Network+, Security+, CISSP, CISA, CISM and CRISC certifications. I also have BS Computer Engineering and MS Networking degrees, and I am confident that I know my stuff, but unfortunately, because I have not worked for a big organization for a long time and was working for a family-owned business, somehow I am not getting a chance to get a job. Frankly speaking, there was not so much work to be done on cyber security in our organization, so I myself think I lack the experience which people think I should have after having certs like CISSP, CISA, CISM and CRISC. I need only one chance to prove that I can do all these things, because I don't have so much experience simply because I didn't get a chance, not because I cannot do my work, and even if I cannot do something (it is impossible to know everything) I can try to get a solution from researching online or other ways.

For the last 4 months I have been trying to get a job in cyber security, and I don't care even if I get an entry-level job, but the problem I am facing is that I am not getting calls for entry-level jobs because they think I am overqualified, and for management mid- to senior-level positions I do get calls, but most of the employers don't want to hire me and take a chance because I don't have the level of so-called experience which they expect from me after having CISSP, CISA, CISM and CRISC (e.g. for experience they ask me for cyber security related projects which I have done, but I don't have much to tell them).

I am now frustrated and heartbroken and need guidance from experienced members on this forum: what should I do in this scenario?

Thanks in advance to all who try to help me in this position.

Comments

  • scaredoftests Mod Posts: 2,780
    Get into a systems engineer position. You are bound to do some cybersecurity. Get your experience that way. That is how I got some. Build a lab at home...
    Never let your fear decide your fate....
  • kabooter Member Posts: 115
    If you think you are applying for a low level job, don't put all your resumes down on the table. It's up to you how and when to play your cards, so play wisely. You can easily get into a technical analyst position based on the Sec+ cert; maybe add CCNA to your credit.
    You must have handled some security incidents in your networking career, bring them to forefront.
    I am in a very, very similar situation as yours and am trying quite hard to overcome lack of experience in some domains. I am in fact paying from my pocket to gain more hands-on experience. I will be more than happy to share some insights and methods with you. Please PM me your number or email address. (You will need at least 10 replies before getting PM rights) Or you can post your contact information here.
  • soccarplayer29 Member Posts: 230
    This might sound odd and it feels weird saying it, but maybe leave off some of your more advanced certs on your resume when applying to entry/mid positions. Because you have the CXXX certs employers might think you're too expensive or are only taking the position as a stop gap and they'd have to replace you quickly as you move up to another position given your more advanced knowledge/skills.

    Also, I second the suggestion to build a home or virtual lab--where you can perform simulated "projects" which gives you something to talk to in the interviews and additional validation of your skills.

    Because your work experience isn't the typical career path some hiring managers probably don't get it so just keep applying away! Try networking at happy hours or local events (ISSA, ISACA, ISC2, etc.)--you'll learn some more about the industry and rub shoulders with tons of people who work in departments with talent shortages.
    Certs: CISSP, CISA, PMP
  • infra444 Member Posts: 8
    soccarplayer29 wrote: »
    This might sound odd and it feels weird saying it, but maybe leave off some of your more advanced certs on your resume when applying to entry/mid positions. Because you have the CXXX certs employers might think you're too expensive or are only taking the position as a stop gap and they'd have to replace you quickly as you move up to another position given your more advanced knowledge/skills.

    Also, I second the suggestion to build a home or virtual lab--where you can perform simulated "projects" which gives you something to talk to in the interviews and additional validation of your skills.

    Because your work experience isn't the typical career path some hiring managers probably don't get it so just keep applying away! Try networking at happy hours or local events (ISSA, ISACA, ISC2, etc.)--you'll learn some more about the industry and rub shoulders with tons of people who work in departments with talent shortages.

    I was also thinking about this strategy of taking certs off. About the home lab, I have already had a pentesting virtual lab for about a year and I do play around with it, but do you think employers really think of this as a project?
  • Danielm7 Member Posts: 2,310
    So the family owned business was for selling items on ebay and amazon but you did 4 years of GRC/Pentesting/vuln assessment? How many employees?

    The master's degree and cert choices definitely put you in an odd position for an entry level job. People assume you already have 4-5 years actual security experience. You say you did with the current workplace, is that easily understandable by people looking at your resume?

    What kind of roles are you looking for? You mentioned entry level, but pen testing, analyst, compliance? Passing those certs in that time frame is impressive but doesn't mean you know how to do the job either. If you were going for an analyst role, if someone gave you a PCAP and asked you to dig things out of that, are you comfortable doing that? Same for any other type of role you're going for. The cert list screams auditor and management, I'm curious what type of job roles you've been applying for.

    Maybe it's just a resume problem too?
  • beads Member Posts: 1,531
    Danielm7 wrote: »
    So the family owned business was for selling items on ebay and amazon but you did 4 years of GRC/Pentesting/vuln assessment? How many employees?

    The master's degree and cert choices definitely put you in an odd position for an entry level job. People assume you already have 4-5 years actual security experience. You say you did with the current workplace, is that easily understandable by people looking at your resume?

    What kind of roles are you looking for? You mentioned entry level, but pen testing, analyst, compliance? Passing those certs in that time frame is impressive but doesn't mean you know how to do the job either. If you were going for an analyst role, if someone gave you a PCAP and asked you to dig things out of that, are you comfortable doing that? Same for any other type of role you're going for. The cert list screams auditor and management, I'm curious what type of job roles you've been applying for.

    Maybe it's just a resume problem too?

    You are correct, his experience by no means matches his experience and resume in general, making his story a bit hard to sell. Drop the higher end certification like the CISSP, keep the lower to mid level certs that would match your experience to the same level as you're applying. Since we are centering on those C level certs... Are you applying for network security, risk management/GRC or audit positions? Each of these certifications target very different positions. Narrow your choice of certs to positions that make sense for the position in general. Guessing your resume looks like you're ready to apply for nearly anything in security. Want to turn off a prospective employer with too many generalized certs? That's the best way to accomplish that mission.

    The other hidden problem is you're coming out of a small organization, likely with a "slightly" inflated title like "Director", "VP" or even manager of suchandsuch. Drop the title to the same level position you're applying. If you're applying for an engineer role then your resume should likewise indicate you're working for a much smaller organization looking for a lateral move to a larger organization. It's a much easier sell for people to accept than hiring the big fish in a small pond to be a smaller fish in a bigger pond. Really, I came out of a small family (wife and I) shop and it was brutal. Before joining the ranks of the 'Mom and Pop Shop' I was a CIO for a 200 million dollar organization riding roughshod over nearly 60 people. See the disjunct? I had to consult my way into a couple of years of penance for my small biz sins before landing a full time gig with an underflated title but all the responsibilities of a CSO. Yeah, I give presentations and interface with everyone from the Board of Directors to dockworkers. Don't ignore contracts and consulting gigs; if you have the chops this is likely your best avenue to bigger and better things.

    Many people have been bitten by hiring certified people with little to no experience and gotten burned. Proving to prospective employers otherwise is challenging to say the least. Above is my best advice on the subject and it's from personal experience.

    Once bitten, twice shy.

    - b/eads
  • infra444 Member Posts: 8
    I have already set up a virtual lab for pentesting for the last 6 months and am working on OSCP too
  • infra444 Member Posts: 8
    soccarplayer29 wrote: »
    This might sound odd and it feels weird saying it, but maybe leave off some of your more advanced certs on your resume when applying to entry/mid positions. Because you have the CXXX certs employers might think you're too expensive or are only taking the position as a stop gap and they'd have to replace you quickly as you move up to another position given your more advanced knowledge/skills.

    Also, I second the suggestion to build a home or virtual lab--where you can perform simulated "projects" which gives you something to talk to in the interviews and additional validation of your skills.

    Because your work experience isn't the typical career path some hiring managers probably don't get it so just keep applying away! Try networking at happy hours or local events (ISSA, ISACA, ISC2, etc.)--you'll learn some more about the industry and rub shoulders with tons of people who work in departments with talent shortages.

    I have set up a home virtual lab for pentesting and have also been attending ISACA local events for the last 3 months, and even met the chapter president, but no luck
  • infra444 Member Posts: 8
    Danielm7 wrote: »
    So the family owned business was for selling items on ebay and amazon but you did 4 years of GRC/Pentesting/vuln assessment? How many employees?

    The master's degree and cert choices definitely put you in an odd position for an entry level job. People assume you already have 4-5 years actual security experience. You say you did with the current workplace, is that easily understandable by people looking at your resume?

    What kind of roles are you looking for? You mentioned entry level, but pen testing, analyst, compliance? Passing those certs in that time frame is impressive but doesn't mean you know how to do the job either. If you were going for an analyst role, if someone gave you a PCAP and asked you to dig things out of that, are you comfortable doing that? Same for any other type of role you're going for. The cert list screams auditor and management, I'm curious what type of job roles you've been applying for.

    Maybe it's just a resume problem too?

    At max we have 12 employees. I have applied to all levels, and I agree it can be a resume issue too due to mentioning all certifications for every job
  • Danielm7 Member Posts: 2,310
    So you want to be an auditor, manager, pentester?
  • infra444 Member Posts: 8
    Nowadays I am looking for virtually everything in cyber security, as beggars cannot be choosers :). Also, can you please explain what you mean by resume problem?
  • infra444 Member Posts: 8
    Danielm7 wrote: »
    So you want to be an auditor, manager, pentester?

    Yes, anything related to cybersecurity will work for me
  • infra444 Member Posts: 8
    kabooter wrote: »
    If you think you are applying for a low level job, don't put all your resumes down on the table. It's up to you how and when to play your cards, so play wisely. You can easily get into a technical analyst position based on the Sec+ cert; maybe add CCNA to your credit.
    You must have handled some security incidents in your networking career, bring them to forefront.
    I am in a very, very similar situation as yours and am trying quite hard to overcome lack of experience in some domains. I am in fact paying from my pocket to gain more hands-on experience. I will be more than happy to share some insights and methods with you. Please PM me your number or email address. (You will need at least 10 replies before getting PM rights) Or you can post your contact information here.

    Let me post 10 replies and I will PM you

    Thanks
  • Danielm7 Member Posts: 2,310
    infra444 wrote: »
    Yes, anything related to cybersecurity will work for me
    You missed my point entirely. It was that you're just all over the place, it's easy to say you'll take any job in security when you already have a reasonable amount of experience and took the Security+ and want to get your foot in the door. Instead you took the CISM, CISSP, CISA, CRISC and are working on the OSCP.

    At a max 12 person company it's hard to imagine you actually did 4 years of GRC, VA and pen testing, especially for what sounds like product fulfillment. If I saw the resume it just wouldn't add up to me. I'm not trying to be harsh but just honest. As I said before, with a master's degree and almost every higher level but non-technical certification and questionable experience it would be really hard to pin down where you'd fit. It should be entry level but a lot just doesn't fit.

    Maybe post your sanitized resume here so people can help you out? Maybe go for something like a more skills based resume where you can highlight what you've learned? But, make sure the skills listed aren't just what you've studied on paper for the last 10 months but things you actually know how to do.