My Cyber Security job search experience so far - Wish I had known this earlier.

infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
I started applying for Information Security Analyst jobs about a month ago. Here are some of the takeaways summarizing my experience. YMMV
1. There is absolutely no shortage of cybersecurity talent. That is total hogwash. For every job, they are getting lots of applicants. Yes, the market is hot, quite a few jobs are being posted but most of these are senior level jobs. How many entry level security jobs being posted have you seen?
2. Large number of resumes being fed through ATS, recruiters, HR mean there is very little chance of getting the resume to the hiring manager. One needs to spend a lot of time to customize the resume to the job requirements.
3. Filling out the details from resume on company site/ portal is PITA. Wastes another 15-30 minutes.
4. Most cyber security jobs are looking for senior roles with 5+ years of solid and deep experience, haven't come across any that mentioned skills shortage or that employer is willing to train or that they are looking to onboard people with networking administration skills. I guess employers are hiring from within for entry level jobs or going after soon to be graduates.
5. Recruiters are totally hopeless. Each job is thrown to a shark frenzy of 3-7 recruiters who then have very short window of contacting candidates with right buzzwords. One job post will often require multiple emails, VMs, phone calls. Different recruiters often offer slightly different hourly rate. Some of them claim to be personal friends of hiring managers (YAWN). Once resume is forwarded, you might have to fill out more forms incl contracts, skills matrix.
And then..
Crickets.
6. Employers don't even bother determining what skills you have mentioned on resume because they are looking for very specific skills and hands on experience for their job posting. If the hands on experience and job requirements don't match 80%, you might as well enjoy your time flying a kite rather than wasting it submitting resumes.
6. Getting high profile certifications like cissp, cisa don't help much other than getting past HR. Even if short term contract or low wages job requires low key skills, no one gives a damn about the fact that you were able to mount a successful, multi hour battle covering huge domains of knowledge to grab your certs. To them either you have worked with a specific product or tool for specific amount of time in a specific setting or you simply are not worth it. Your enthusiasm for the infosec, your uncommon abilities to grasp new technologies quickly, your domain of knowledge....nothing of that matters at all.
7. I have come across many cissps, ceh and sec+ cert holders who have been looking for jobs for more than 4 months. It seems like 6-7 months is the average to find a half decent cyber security job, if one lucks out.

So much for the so called skills shortage and so many million information security positions remaining unfulfilled

Comments

  • CIOCIO Member Posts: 151
    Where are you located and what's your background?
  • NotHackingYouNotHackingYou Member Posts: 1,460 ■■■■■■■■□□
    Senior level cyber security analyst here, can agree with some of what you have said. The ATS / online applications are a black hole for your application.
    When you go the extra mile, there's no traffic.
  • LordQarlynLordQarlyn Member Posts: 693 ■■■■■■□□□□
    And yet, according to some here at TE, hiring managers all across America are sobbing at their desks, lamenting why oh why can't they find even just one American to fill the cybersecurity job, even after they offer truckloads of training that no one takes or when they do they just goof off.

    On a more serious note you are right, almost every job I've been on the other side has had plenty of applicants, most of them easily qualified. Our issue has been cleared people not qualified. Indeed that's why ATS are being used, because there are so many applications that there was a need for some way to filter out. Unfortunately everyone knows ATSs are flawed. My most successes came from finding out the hiring manager and getting in contact with him or her.
  • TeKniquesTeKniques Member Posts: 1,262 ■■■■□□□□□□
    As a hiring information security manager in the private sector I'll just say that the skill quality of people claiming to be "security" professionals is below average in my opinion. When I ask a simple question like "Can you describe behavior that could be an indicator of compromise on a network?" I get the deer in the headlights look and rambling answers. Further, I don't care if you claim to be an expert in Splunk (for example) ... what I want to know is if there is a limited amount of gigabytes available for the Splunk license; what data do you find relevant from a log source that we should care about for security?

    I realize these are anecdotal examples from my own experience, but truthfully if you're good at what you do and can show your value you'll get a job in security.
  • NetworkNewbNetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    CIO wrote: »
    Where are you located and what's your background?

    Their last post on a topic like this definitely showed some red flags in their "background".

    http://www.techexams.net/forums/jobs-degrees/129928-my-action-plan-need-some-advice-insight-experienced-infosec-professionals.html
    infosecs wrote: »
    I have 15+ years of experience in IT (server admin, networking, helpdesk, trouble shooting, systems analyst) and 8 years experience in information, cyber, physical and network security; 8 years being part of 15+.
    infosecs wrote: »
    I have several certifications including CCNP (security), CEH, Sec+, N+ and CISSP.
    What I don't have is a lot of infosec experience on my resume nor do I have infosec related job titles. Nor do I have exposure and hands on experience of managing security devices like Firewalls, IPS, IDS etc. or SIEM etc. I never did any projects, security or IT.
  • Basic85Basic85 Member Posts: 189 ■■■□□□□□□□
    IT must be a very saturated field, way too much competition!
  • Danielm7Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    I'll only agree with the application systems being annoying. As for tons of talent, nope. I look to hire security folks occasionally, the talent pool I see is usually pretty sad. I've had other divisions in my company say it's taking them 6-8+ months to find a reasonable security hire each time, usually on the longer side. Just because a bunch of people who don't have the right skill set all want to work in security, doesn't mean there are a bunch of people qualified for the job who are unemployed.
  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    CIO wrote: »
    Where are you located and what's your background?
    Toronto. Several years in Networking, Trouble shooting, IT security, Risk Assessments, Vulnerability scanning and remediation, IAM, Physical Security. I am trying for GRC roles.
    I wish I had some tough technical interviews but so far all interviews I had were to ascertain what I did in the past, not what I can do.
  • GeeLoGeeLo Member Posts: 112 ■■■■□□□□□□
    It depends on where you live. I know it's not a happy thing to think about.. but "moving" to another location where the jobs are, may be the answer.

    You may be able to use job sites like "monster" to get some metrics in which city close to you, may yield more jobs for junior infosec roles vice senior.

    As for recruiters, 100% agree with you.. been there, and seen that. Many of them do not have any I.T. skills and go solely on keyword searches against your resume. I've also seen many of them lacking ethics and integrity.. especially following up with you in regards to jobs. They may have you and three other people going for the same job.. it's just the "quick" money that they can get for a successful candidate.. that is the only thing they care about.

    You may find somewhere that is looking for a 3rd shift in a security operations center (SOC), and even though that sort of "graveyard" shift may not be what you want.. you may be able to get that sort of job easier.. and it may be just the "foot in the door" that you need.

    my 2 cents.
    Vendor Neutral Certified in IT Project Management, Security, Servers, Workstations, Software, Networking, Windows, Unix and Linux and.. Cloud. :-)
  • DZA_DZA_ Member Posts: 467 ■■■■■■■□□□
    infosecs wrote: »
    Toronto. Several years in Networking, Trouble shooting, IT security, Risk Assessments, Vulnerability scanning and remediation, IAM, Physical Security. I am trying for GRC roles.
    I wish I had some tough technical interviews but so far all interviews I had were to ascertain what I did in the past, not what I can do.

    Are you referring to Toronto, Canada? I'm in Toronto. If it's the same city then there are quite a bit of entry level information security analysts positions out there in the market. I do agree that it's hard directly applying into the position and the best way to get to entry to mid-level security is through networking. I'm lucky enough that I got into one of the larger Canadian banks for one particular role and they're flexible on career development so once you spend some time in your current role, you're able to move horizontally into another department. So far since I've started working for this bank, I have been poached twice internally for two different security roles and it hasn't even been a year yet.
  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    Danielm7 wrote: »
    I'll only agree with the application systems being annoying. As for tons of talent, nope. I look to hire security folks occasionally, the talent pool I see is usually pretty sad. I've had other divisions in my company say it's taking them 6-8+ months to find a reasonable security hire each time, usually on the longer side. Just because a bunch of people who don't have the right skill set all want to work in security, doesn't mean there are a bunch of people qualified for the job who are unemployed.
    Danielm7 you are absolutely right about positions lying unfulfilled for months. The question is why? The plan B for any employer in any other field is to train someone who has some of the required skills and the capability to acquire the missing ones.
    So why are cybersecurity employers not willing to talk to applicants and judge their capabilities rather than just reject resumes and wait and wait..?
    Is it because the job is not a must have and not much harm or benefit is expected to the organization if it remains unfulfilled?
    I don't see this happening with critical sysadmin or networking or even tech support jobs.
  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    TeKniques wrote: »
    As a hiring information security manager in the private sector I'll just say that the skill quality of people claiming to be "security" professionals is below average in my opinion. When I ask a simple question like "Can you describe behavior that could be an indicator of compromise on a network?" I get the deer in the headlights look and rambling answers. Further, I don't care if you claim to be an expert in Splunk (for example) ... what I want to know is if there is a limited amount of gigabytes available for the Splunk license; what data do you find relevant from a log source that we should care about for security?

    I realize these are anecdotal examples from my own experience, but truthfully if you're good at what you do and can show your value you'll get a job in security.
    One possible reason for this is the extraordinary emphasis placed on the certifications. The other reason is employers often promote people from inside and merit is often not the best criteria for selection. As the old saying goes, it is not what you know, it is who you know.
    Sadly it seems to be the case in cybersecurity.
  • mzx380mzx380 Member Posts: 453 ■■■■□□□□□□
    To the OP
    #4 answered is the best answer to your frustration in the field.
    Cybersecurity is a hot field right now and companies have a need for skilled professionals immediately. If you were a company with an urgent need for resources, it would make sense to hire people with existing knowledge rather than giving that person a leash to grow.

    The only way to gain CS experience if you don't have it is to:
    1) Get certs /education if you don't have it
    2) Get your hands on as many security tasks as possible in your non-sec role
    3) Highlight those key tasks on your resume
    4) Adjust as needed for each job

    That last one is important. You have to do the dance in terms of updating your resume each time if you want to get paid

    my .02
    Certifications: ITIL, ACA, CCNA, Linux+, VCP-DCV, PMP, PMI-ACP, CSM
    Currently Working On: Microsoft 70-761 (SQL Server)
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    infosecs wrote: »
    1. There is absolutely no shortage of cybersecurity talent. That is total hogwash. For every job, they are getting lots of applicants.
    The "shortage" refers to actual hires, not actual applicants. Most of the applicants I see are not qualified for the jobs they are applying for. That is how the "qualified skills shortage" is being determined.
    infosecs wrote: »
    6. Getting high profile certifications like cissp, cisa don't help much other than getting past HR.

    7. I have come across many cissps, ceh and sec+ cert holders who have been looking for jobs for more than 4 months. It seems like 6-7 months is the average to find a half decent cyber security job, if one lucks out.
    Certs only get you a first-round interview. Once you have engaged the interview team, only your experience and presentation counts.
  • jwdk19jwdk19 Member Posts: 70 ■■■□□□□□□□
    I see tons of SOC positions available in my state (NC), in the Charlotte or Raleigh areas. Not just from staffing agencies.

    To name a few companies: Wells Fargo, XPO Logistics, Bank of America, BB&T, Verizon, Red Hat

    My problem is location. Gotta move closer to the metro areas 😆
  • SyntaxSyntax Member Posts: 61 ■■■□□□□□□□
    The issue is that the cybersecurity field is so broad that it is a challenge to find a security position that "fits" for you and a prospective employer. As someone who came from a IT/technical background and spent several months looking for his first InfoSec job, I definitely understand your frustration. I also feel that many organizations don't actually "get" security as well as they think they do. They may not communicate their requirements as well as they should because they're unsure what type of role they're looking to fill exactly. This creates frustration for both sides of the issue.
  • PsychoData91PsychoData91 Member Posts: 138 ■■■□□□□□□□
    @OP Like JDMurray (and maybe others.... I skimmed) mentioned Certs with no DIRECT EXPERIENCE are just going to get you a first round interview, maybe, MAYBE an on site.

    What I DO get the impression of is that you might be trying to pass yourself off as a heavy experience (I'd call 8+ years heavy/senior) candidate, and not something more associate grade.
    I would say Entry, but CISSP, CEH, CCNA Sec together are a pretty good mix of certs. That plus the IT experience should get you past that, I'd think.

    TL;DR, if I was Hiring manager and I saw someone with no "Security Experience" claiming REAL security experience, I'd toss it and the rest of the resume out as a lie/hyperbole.

    IME recruiters can be great for someone like me. I don't study well or pass tests well, and only have an associates degree. A recruiter will gladly talk to me on the phone where I get a mini interview with the recruiter and get to "apply" my skills and help them get a feel for where I can be a great fit, even though I don't have a better degree or more than a few years experience. And my resume MIGHT ACTUALLY make it through to the hiring manager because I had a good impression on the Recruiter, even though I would have been filtered by HR or ATS if I had applied directly.

    That being said, I've also had recruiters try to get me to pull **** like "Oh you worked with Windows Server in School too, right? That'd 4 more years of Windows server Experience! *they change number on resume* " which is blatantly false. What I've done in these cases is take the interviews, but be honest with my work and school/lab experience. I mean... the rec was the one who changed it, and it's still an interview...

    Like Syntax said, another problem is the broadness of the field, but it all gets lumped together so much.
    I told a friend I was looking at switching from IT to a CyberSec role if I could find one. I have 4 Years of HelpDesk/and 3 years of System Admin experience with some minor security focus since 2014, some security certs, and interested in learning. He sent me Senior Pentesting/Webapp roles. Lol I'm not REMOTELY ready for something like that. But he didn't get that.
  • UnixGuyUnixGuy Mod Posts: 4,570 Mod
    infosecs wrote: »
    6. Employers don't even bother determining what skills you have mentioned on resume because they are looking for very specific skills and hands on experience for their job posting. If the hands on experience and job requirements don't match 80%, you might as well enjoy your time flying a kite rather than wasting it submitting resumes.
    ...

    I have personally experienced that when I was trying to get into InfoSec (when in my second InfoSec job), where I was asked for specific options in Splunk & active directory.


    I don't know how much you know and what certs you hold (you haven't listed them next to your username), but you said you're looking into GRC...that shouldn't require tons of technical experience. Keep your head up and keep applying, numbers games
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    DZA_ wrote: »
    Are you referring to Toronto, Canada? I'm in Toronto. If it's the same city then there are quite a bit of entry level information security analysts positions out there in the market. I do agree that it's hard directly applying into the position and the best way to get to entry to mid-level security is through networking. I'm lucky enough that I got into one of the larger Canadian banks for one particular role and they're flexible on career development so once you spend some time in your current role, you're able to move horizontally into another department. So far since I've started working for this bank, I have been poached twice internally for two different security roles and it hasn't even been a year yet.
    Yes, TO, Canada. This is pretty much what I have discovered so far - banks are hiring from each other and as a result there is quite a bit of mobility among infosec workers. Sadly it also means an outsider stands hardly any chance of getting in. Unfortunately for me, networking won't deliver the results now, it is something that has to be cultivated over the years to bear fruition.
    However I have not seen any entry level infosec jobs, except maybe two. If possible, please let me know where you saw them.
  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    JDMurray wrote: »
    The "shortage" refers to actual hires, not actual applicants. Most of the applicants I see are not qualified for the jobs they are applying for. That is how the "qualified skills shortage" is being determined.


    Certs only get you a first-round interview. Once you have engaged the interview team, only your experience and presentation counts.
    True. I was hoping for bias in my favour due to certs but there are so many cert holders and experienced professionals in the cybersecurity market now that the golden time must have passed 10 years ago.
  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    Syntax - you nailed it right, it is such a wide and deep field now that it is just overwhelming for a new entrant. Very difficult to know it all well enough to apply to any job ad. And to top it, the employers seem to pile a wish list of skills they need in an employee.
    mzx380 - yes it does seem like one needs to spend considerable time in crafting a resume as per job requirements and be selective in applying for jobs. Trying for jobs whose skillset is way too far is going to be a needless waste of time.
    UnixGuy - yes this is what I was hoping for that I will be quizzed for the depth of my knowledge about GRC but instead the focus, so far, has been on specific kind of experience in specific industry blah blah. I will try a bit more and if it seems like a lost cause, will accept a job with smaller players and hope to jump ship at appropriate time.
  • meni0nmeni0n Member Posts: 68 ■■■□□□□□□□
    Keep your chin up and something should come up. I'm in the Capital and sometimes look at TO postings to see what's available. I've seen some entry level but most are looking for 5-10 years. Recently talked to someone that does recruiting and he said most places are starved of qualified folks.
  • Daneil3144Daneil3144 Member Posts: 152 ■■■□□□□□□□
    You state you have experience, your post history states otherwise...
    infosecs wrote: »
    What I don't have is a lot of infosec experience on my resume nor do I have infosec related job titles. Nor do I have exposure and hands on experience of managing security devices like Firewalls, IPS, IDS etc. or SIEM etc. I never did any projects, security or IT.

    Also, you keep stating physical security. What is that? A Guard in a prison?
  • MeanDrunkR2D2MeanDrunkR2D2 Member Posts: 899 ■■■■■□□□□□
    Infosec is not an entry level role to be fair. Sure, you can get an entry level infosec role, but usually you will have other IT experience to build off of so you understand the pieces that are involved and how they work together. Some will luck out and find an employer willing to hire a new grad or someone with little/no IT experience but that isn't as common as someone who has worked on projects/jobs that tie into those roles.
  • gespensterngespenstern Member Posts: 1,243 ■■■■■■■■□□
    Yes, everything you said I find to be true, looking from the other side of the screen. Even rather mundane positions we try to fill attract tons of very good candidates with both experience and education/certs.

    The shortage is there, but it's for 15+ years experienced CISSPs with Ivy League infosec degrees and security clearance willing to work for peanuts 9 to 5 in the office. The rest is bull$hit.
  • N7ValiantN7Valiant Member Posts: 363 ■■■■□□□□□□
    I think the problem here is that infosec should, as a practical matter, be a field for experienced IT professionals to transfer into.

    Whether you're blue team or red team, you don't want a wet behind the ears college kid being trusted with the security of your entire company if he doesn't have a good foundation of understanding of those systems/networks. Likewise maybe it's not a good idea to trust someone who learned Kali Linux in a classroom with penetrating your systems without breaking something critical.

    This is why I think some colleges/universities are preying on people out of high school when they open the doors to infosec and usher you in without more of an IT work experience requirement.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • snokerpokersnokerpoker Member Posts: 661 ■■■■□□□□□□
    I agree with this 100%
  • volfkhatvolfkhat Member Posts: 1,075 ■■■■■■■■□□
    N7Valiant wrote: »
    This is why I think some colleges/universities are preying on people out of high school when they open the doors to infosec and usher you in without more of an IT work experience requirement.

    Nailed it!
    OP didn't wake up one day & declare "There's shortage of people in the InfoSec market".

    But Rather,
    this is a half-truth being perpetuated by Entities that directly benefit from people buying into the Hype...

    :\
  • McxRisleyMcxRisley Member Posts: 494 ■■■■■□□□□□
    As some have stated, it really depends on where you live annnddddd also a few other things sometimes. In my area we can't even find qualified tier 2 people let alone security people. But then again, most security people don't want to move to cornfield USA and make slightly less than they would in a city somewhere on the coast. I am the exception to both of those though lol
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
  • askpaul82askpaul82 Registered Users Posts: 1 ■■■□□□□□□□
    I love that, thanks for the info