EXXXtremly frustrated with Cyber Security Job search - What would you do?

infosecs Member Posts: 48 ■■□□□□□□□□
I am a very strong willed person who believes a warrior is tested truly in battlefield.
However, even the toughest warriors doubt their mettle sometimes.
A brief Intro - I have lots and lots of experience in IT - Networking, Systems Admin, Technical Troubleshooting.
I also have well over 5 years experience in IT Security - secure device and OS configuration, Policy creation and enforcement, ITGC Audits, IAM, Vulnerability scanning/remediation, incident handling. I am well familiar with several well known tools and frameworks such as qradar, splunk, sailpoint, carbon black, cisco routers, firewalls, palo alto firewalls and so on.
CISSP and tonnes of other certs. I don't think soft skills are an issue at all....after all I was in workforce for years and years.
But despite all this I can't seem to find even a half decent job despite trying quite hard for past several weeks. The job market is certainly very hot, I get so many calls from recruiters telling me how impressive my exp and portfolio is but once I submit the resume, I either don't hear back or get an interview call which despite going very well (my impression) does not progress further. Mostly I see a sort of "fear" in interviewers' and recruiters' voice when they probe me if I would accept $95000.
To hell with 95, I am beginning to feel so frustrated that I wonder if I should snap back and quote minimum wage will be more than satisfactory.
Seriously - I am getting terribly frustrated. Money is not the issue for me. I am well covered for years, but I feel my education, knowledge, certs are rotting away. I have been actively job searching for 3 months now. I have learnt a lot during my down time recently, lots and lots of labbing, hands on exercises, courses etc. But I am losing steam now. I have to pick up something. Sometimes I wonder if I should forget about Cybersecurity altogether and rather get back into IT. Perhaps leave cybersecurity career for another day or for never again.
Other times I think I should apply for any cybersecurity job be it in helpdesk or sales.
So what would you do in my situation? (Assuming you can be assured of income well above min wage even if you don't do anything for next two years)
Hide most of certs and experience, try for entry or low level cybersecurity jobs?
or keep trying for few more weeks or months?
or get back into IT and start again at 75K?

Comments

  • Jon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    Job hunts take time to find the right fit. If you are prepared financially I would continue to pursue the position you desire. A lifetime of experience does not disappear in 6 months.

    Good Luck!
  • DZA_ Member Posts: 467 ■■■■■■■□□□
    infosecs wrote: »
    But despite all this I can't seem to find even a half decent job despite trying quite hard for past several weeks. The job market is certainly very hot, I get so many calls from recruiters telling me how impressive my exp and portfolio is but once I submit the resume, I either don't hear back or get an interview call which despite going very well (my impression) does not progress further. Mostly I see a sort of "fear" in interviewers' and recruiters' voice when they probe me if I would accept $95000.

    Job hunting takes more than several weeks unless you're really lucky and manage to snap up a position pretty quickly. Most of security job positions that my colleagues have held is through their personal networks. Then again, everybody's personal networks are different. Based on your experience, you're thinking that 95k is too low? I am not sure what area you're in but for the area that I am in, 95k is probably more than what most InfoSec professionals are being paid in the field in the Canadian city that I'm in. I would hold your ground on your self value, I wouldn't go any less unless you're either desperately trying to break into the cyber security. Alternatively, if you're single, would it be possible to move to another city? Keep your head up and be persistent. Good luck with your job hunt.

    Cheers,
  • infosecs Member Posts: 48 ■■□□□□□□□□
    DZA_ wrote: »
    Job hunting takes more than several weeks unless you're really lucky and manage to snap up a position pretty quickly. Most of security job positions that my colleagues have held is through their personal networks. Then again, everybody's personal networks are different. Based on your experience, you're thinking that 95k is too low? I am not sure what area you're in but for the area that I am in, 95k is probably more than what most InfoSec professionals are being paid in the field in the Canadian city that I'm in. I would hold your ground on your self value, I wouldn't go any less unless you're either desperately trying to break into the cyber security. Alternatively, if you're single, would it be possible to move to another city? Keep your head up and be persistent. Good luck with your job hunt.
    Cheers,
    DZA --- I really appreciate your words of encouragement. I am sure you must have faced the same ridiculousness during your job search in Canadian job market that I am going through now.
    And No, I don't think 95 k is too low, on the contrary I am ready to step down several notches if need be. But no one even seems to assess my skills and ask me if I can start at lower salary. Income is not the important issue for me, getting more experience in a pure cybersecurity role is. I don't mind being "beat up" in the interviews. The pity is there is no assessment, no feedback so I can't even figure out what the heck is needed.
    And I know for sure I am not alone in this situation.
    I worked so hard to acquire the cybersecurity skills, often going way out of my league to work on them. I also studded my portfolio with so many cybersecurity certs one after the other, paying $XXXXX from my pocket. But all those years and years of self-study, taking up extra work in office, online courses, lab work, live instructor led study and $xxxxx that I spent seem to matter nothing. I am most resentful about the utter waste of talent rather than money which I am sure I will make up in Networking or Business pretty soon.
    Jon_Cisco's comment that "lifetime of experience does not disappear in 6 months" is very true. Unfortunately the enthusiasm and hope I had for cybersecurity seem to be drifting away. This is no way to encourage more people to this field.
  • Tekn0logy Member Posts: 113 ■■■■□□□□□□
    infosecs wrote: »
    A brief Intro - I have lots and lots of experience in IT - Networking, Systems Admin, Technical Troubleshooting.
    I also have well over 5 years experience in IT Security - secure device and OS configuration, Policy creation and enforcement, ITGC Audits, IAM, Vulnerability scanning/remediation, incident handling. I am well familiar with several well known tools and frameworks such as qradar, splunk, sailpoint, carbon black, cisco routers, firewalls, palo alto firewalls and so on.
    CISSP and tonnes of other certs.

    Have you gotten a resume review on Monster, Indeed or Dice? I just found out (I sofa king...) that you should NOT use headers/footers on your resume since the robot that reads them in sometimes mangles your doc and discards. I dumped headers/footers and was night and day the number of emails. One sign that something was amiss, I just received an email: "Dear Aws"... Next was to limit way-back experience to two bullets.

    How new are your certs and security experience? I had a long conversation with a headhunter and she basically told me that all the certs or at least Sec+ and CEH don't amount to a hill of beans unless you have recent experience. And she stressed recent.

    I feel your pain. Time is running out for me as well. Wife is going to make me take a job at McDonalds if I don't do something soon...
  • DZA_ Member Posts: 467 ■■■■■■■□□□
    Ah - Clarity. When you mention a pure cybersecurity role, that sounds very specific like malware analysis, threat hunting, incident response, which in that case requires a specific certification. Based on your response, the discussion really becomes what you have spent acquiring vs to what you're actually doing as a future job. An ROI on the items you spent (time & money) leading up to a future cyber security position.


    For me, I'm not directly related in cyber security but I'm building my own personal portfolio of items that will allow me to make the jump when I see the opportunity; certs, security related projects, business acumen, etc. For others, they want that return quicker like yourself. I recently had been connected with a resource who works in the Cybersecurity Intelligence Centre (SOC?) here at the organization because one of my connections was able to introduce me to this individual. Again, this is all stemming from personal networks. I have been recently approached over the last 6 months by a few members of the enterprise to join their team (security related) based on my security credentials and my reputation on the project that I am currently on. I can't make any jumps just yet due to the nature of the project that I have been assigned today. Start networking in your local security meetups as that always gives a good start to expanding your circle of finding cyber security positions.


    May I suggest using a headhunter to assist with your job search to find those specific requirements you're looking for or as you mentioned earlier, find a junior role that has more of the cyber security elements that you're looking for. Patience is what you need.
  • N7Valiant Member Posts: 363 ■■■■□□□□□□
    Tekn0logy wrote: »
    Have you gotten a resume review on Monster, Indeed or Dice? I just found out (I sofa king...) that you should NOT use headers/footers on your resume since the robot that reads them in sometimes mangles your doc and discards. I dumped headers/footers and was night and day the number of emails. One sign that something was amiss, I just received an email: "Dear Aws"... Next was to limit way-back experience to two bullets.

    How new are your certs and security experience? I had a long conversation with a headhunter and she basically told me that all the certs or at least Sec+ and CEH don't amount to a hill of beans unless you have recent experience. And she stressed recent.

    I feel your pain. Time is running out for me as well. Wife is going to make me take a job at McDonalds if I don't do something soon...
    Never use Monster.

    They'll spam your emails with job applications for Walmart, McDonalds, etc. I think I got one for FedEx or the Post Office once. Pretty sure I submitted an IT resume.
    OSCP
    MCSE: Core Infrastructure
    MCSA: Windows Server 2016
    CompTIA A+ | Network+ | Security+ CE
  • triplea Member Posts: 190 ■■■■□□□□□□
    I was in the same boat at the beginning of the year, except 17 years IT experience and certs inc a few security certs, no CISSP.

    It took me around 6 months to get a job in an InfoSec area.

    The biggest stumbling block for me was my previous job title. Can I ask what yours is? ( I suspect the eyeball mark 1 to the hiring manager finally got me through rather than HR/filter software )

    AAA
  • LonerVamp Member Posts: 518 ■■■■■■■■□□
    Just some minor feedback from someone who doesn't know you except for a few posts on a message board. :) I appreciate the strong-willed part, but hopefully you don't say that or put that forward in person. It immediately makes me think you pick fights with people or will be a problem to manage.

    Five years in IT Security is pretty nice, and "lots and lots" after that? I understand this posting isn't a job interview, but is that lots and lots when compared to someone new, or someone like me over 40...? I don't quite understand the part about 95k...is that low for you? In my area of the US, that's a serious role. Entry level would be around 35k, give or take. For security, a bit more, but that's harder to find positions for.

    You talk about whether you should go down to 75k or minimum wage....that seems like a big jump? Are you ok? Is it possible some of the frustration and possibly desperation is coming through in interviews?

    I'd continue to look at and hone your 1) resume, 2) linkedin, 3) interview process. Recruiters, if no one else, should be able to give you feedback. Often, it's not a matter of you not having the right answers or creds. Sometimes 2+ people who are all just fine for a position apply for a spot that only 1 can be chosen for.

    Anyway, sounds like you have plenty of good experience and passion. It shows, and it'll reward you as you push forward. Sometimes you just need a little patience. Any area meet-ups of places to network to get a leg up in the hiring process?

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    LonerVamp wrote: »
    Just some minor feedback from someone who doesn't know you except for a few posts on a message board. :) I appreciate the strong-willed part, but hopefully you don't say that or put that forward in person. It immediately makes me think you pick fights with people or will be a problem to manage. ...... Sometimes you just need a little patience. Any area meet-ups of places to network to get a leg up in the hiring process?
    ^^ Great advice.

    @OP - it could take you up to a year to find that perfect job. The job market may seem hot but for certain roles, it's also pretty competitive.
  • gespenstern Member Posts: 1,243 ■■■■■■■■□□
    LonerVamp wrote: »
    Just some minor feedback from someone who doesn't know you except for a few posts on a message board. :) I appreciate the strong-willed part, but hopefully you don't say that or put that forward in person. It immediately makes me think you pick fights with people or will be a problem to manage.

    That's actually a real issue. The corporate world doesn't like people with low agreeableness as they tend to insist on their arguments and are often willing to fight for their agenda. They also tend to disrespect the management if they don't find the management worthy of their respect. That poses a problem, especially for weaker teams and weaker and less proficient management, as it is typically preferred to have it slower, but more steady.

    I personally have agreeableness close to zero and more than one interview went downhill after it became clear to the interviewers. My problem with that though is I perform even worse, if I suppress my natural personality in favor of being more agreeable. I don't win the interviews, plus I then hate myself for being such a pussy on interviews I don't win anyway.

    People with low agreeableness are typically more successful on their own, as business owners. Or as top managers. Good examples are Elon Musk types or early Bill Gates (but not the late one which has turned 100% soy).

    On the other hand, if hired, I tend to be very successful and beneficial for the teams I'm on as I'm more willing to fight with other teams and higher management to get things done for the team I'm on, but, I guess it's not always clear that the situation will develop this way and not some other. That's the force of change and for ambitious projects it is a requirement that someone pushes it through the old culture.

    Plus, this trait is very useful for an auditor role, as auditors often have to defend their findings in a hostile environment (as the team being audited doesn't like that and typically wants to present themselves in a better light). The auditor who backs off on every fight and lets things slide under pressure from various business angles favoring functional requirements over non-functional (which security requirements are) is what leads to a breach eventually, guaranteed.

    I still manage to get hired sometimes though, it just takes longer to shop. Typically this happens when the CISO or other people understand the need for a person with low agreeableness on their team and take a risk.

    But I admit that it is a hurdle. LonerVamp may very well be on point here on why the OP struggles.

    On the bright side, on average, people with lower agreeableness earn more than people with higher. It pays off to say no more often than not.
  • jeremywatts2005 Member Posts: 347 ■■■■□□□□□□
    Dude send me a PM and I can send you over a bunch of my contacts. I am totally flooded with Senior and Specialist positions in IR and InfoSec Over the US. I am not even looking but for sure it wouldn't be those because next level for me is Director no laterals for this guy.
  • infosecs Member Posts: 48 ■■□□□□□□□□
    Tekn0logy, DZA, N7Valiant, triplea, LonerVamp, paul78, gespenstern
    I would like to thank all of above for posting in this thread.
    I have taken a look at my Res and luckily I don't have headers and footers. Yes the ATS is quite stupid sometimes but judging by the number of calls I get, I don't think that is the issue.
    And having worked in Engineering and sales and for well over 15 years in Networking and Tech Troubleshooting IT roles, I am sure I don't have the strong head personality. Strong Will is the right word instead of strong head but I do get along very well, in fact much better than others.
    The issue seems to be that every employer is looking for specific skillset and not willing to budge a bit lower if all check-boxes are not ticked. There is no desire to even discuss training for the missing skills, some of which I can acquire on my own even before joining. Instead of working with a candidate to bring up the skillset, employers prefer to wait for months and keep on re-posting same job.
    triplea mentioned - It took me around 6 months to get a job in an InfoSec area. This is exactly what I have seen as well and was hoping to avoid. My previous job title is certainly a deal breaker as it did not include "security" in it but I was hoping hiring managers would be able to see past it.
    So, it looks like everyone is suggesting to have patience. I can certainly wait a bit more but need some encouragement to upgrade my skills even more during this period. Perhaps I should start looking for some sort of volunteer work to stay "awake".
    jeremywatts2005 - Thank you so much for your offer to help. A little encouragement goes a long way when one is depressed. I am hoping to get a break within next 2 months in Canada, if not, it will be time to explore options in US.
    I wish this industry was lot more open and willing to engage with folks who are ready and eager to learn more. Just wishing for ideal candidates is not going to help.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    @infosecs - would you mind clarifying the type of role you are seeking? It sounded from your previous posts that you already work in infosec. Are you looking to do something different in infosec? You also made a comment about "wish this industry was lot more open and willing". What industry do you work in? Or are you trying to find a job at a security company? Certain regulated industries such as financial services and healthcare value infosec a bit more than perhaps advertising or manufacturing industry. Which industry background do you come from? In my experience, I found that having the specific business industry domain knowledge goes a long way.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    I get so many calls from recruiters telling me how impressive my exp and portfolio is but once I submit the resume

    I am wondering what is your job searching strategy like since you mentioned about working with recruiters. Did you try searching directly with employers, or set up job email alerts and review them daily? While recruiters can have good positions, they operate in the market to serve the interest for their organization which is an additional consideration over than going direct. If you are on recruiter reference, may also be competing with candidates who are interviewing directly and therefore affecting your affordability. If you are not searching it correctly, you may be missing out a great deal of the market. After dealing with my fair share of recruiters, I realize that some recruiters can really do more harm than good to getting you hired. Respectively, a good recruiter with strong connections can also help you by sending your resume directly to the hiring manager.

    If you need help with resume, please feel free to reference this.
    https://www.youtube.com/watch?v=UP-S9rvAYYo&t=58s
  • shochan Member Posts: 1,014 ■■■■■■■■□□
    CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
  • gkca Member Posts: 243 ■■■□□□□□□□
    infosecs wrote: »
    I am hoping to get a break within next 2 months in Canada, if not, it will be time to explore options in US.
    Where are you located in Canada? GTA and Ottawa seem to have great job market, particularly for Info Sec.
    "I needed a password with eight characters so I picked Snow White and the Seven Dwarves." (c) Nick Helm
  • infosecs Member Posts: 48 ■■□□□□□□□□
    paul78 wrote: »
    @infosecs - would you mind clarifying the type of role you are seeking? It sounded from your previous posts that you already work in infosec. Are you looking to do something different in infosec? You also made a comment about "wish this industry was lot more open and willing". What industry do you work in? Or are you trying to find a job at a security company? Certain regulated industries such as financial services and healthcare value infosec a bit more than perhaps advertising or manufacturing industry. Which industry background do you come from? In my experience, I found that having the specific business industry domain knowledge goes a long way.
    paul78 - I am looking for roles that are a mix of Tech and Consultative such as Audit, Risk Management, TRA, GRC, Network Security design, Device Configuration etc. I am open to most roles except the ones that require deep packet inspection or intensive pen testing or reverse engineering etc. I worked in IT and on infosec side my exposure was mainly towards Vulnerability Scanning and Remediation, Incident Handling, Perimeter Security Device Config, Systems hardening, Network Security and ITGC Audit etc.
    Most of initial attempts to work were directed towards Insurance companies, banks etc. but realized that they are too structured / regulated and don't seem to be open to hire someone with no financial institution experience.
    When I said Wish this industry was .....what I mean is the cybersecurity industry in general. All I have found so far is that employers are looking for specific skills and not willing to evaluate candidate deep enough to see the potential and whether candidate can fit the bill with a bit of TLC. This has been my experience across some other sectors as well including consulting companies. Almost 12 out of 16 / 17 interviews I had were traditional and same old useless kind of interviews - Introduce yourself, what is your past experience, what were you doing blah blah. All of them were simply too good, no tech questions, no tricky questions to tickle my brain. Only the last 3/4 interviews were good and I do have high hopes from them. These were the ones that not only asked me technical questions, but also questions that went 2 steps beyond what I did or could answer. I felt that I was being probed, but only a bit. I think an interview without deep probing is a waste of time and more of a formality to walk the applicant out of the door.
    Hiring in cybersecurity is way too uptight, it needs to be loosened a bit if more people are to be allowed in. Other than that the only trend I have seen so far is that most companies are trying to groom and hire students.
  • infosecs Member Posts: 48 ■■□□□□□□□□
    LionelTeo wrote: »
    I am wondering what is your job searching strategy like since you mentioned about working with recruiters. Did you try searching directly with employers, or set up job email alerts and review them daily? While recruiters can have good positions, they operate in the market to serve the interest for their organization which is an additional consideration over than going direct. If you are on recruiter reference, may also be competing with candidates who are interviewing directly and therefore affecting your affordability. If you are not searching it correctly, you may be missing out a great deal of the market. After dealing with my fair share of recruiters, I realize that some recruiters can really do more harm than good to getting you hired. Respectively, a good recruiter with strong connections can also help you by sending your resume directly to the hiring manager.

    If you need help with resume, please feel free to reference this.
    https://www.youtube.com/watch?v=UP-S9rvAYYo&t=58s
    LionelTeo
    Thanks for the youtube link. I don't think resume is a big issue, I have worked on several iterations of it and it seems to garner fair amount of calls. I apply to jobs posted on portals like wowjobs indeed etc. However some applications to jobs that seem to match my past experience very well never progress beyond the application. Others get back to me with odd questions like how much %age of my day was devoted to risk management or how many computers, devices & servers I had to audit during my assignment as if I can step up the game yet clear most infosec and IT exams first time.
    Oh, please don't get me started about recruiters. I made mistake of posting my phone number on my resumes and was driven up the wall by as many as 8-10 calls everyday. Was asked same kind of stupid questions by peeps who are technically as clueless as one can be. Then they want to conduct a skype interview. Then their "manager" wants to interview me. WTH? Why not forward my resume to employers to garner interest in the first place? Technical Questions by HR were the worst of all. I don't waste time with recruiters now and either decline outright or forward my resume with a note that they will hear back from me only after employers have shown interest.
    I mostly concur with everything that Daniel M. has mentioned at https://danielmiessler.com/blog/the-problem-with-cybersecurity-hiring/
    Employers keep on claiming that they are not finding right candidates yet don't seem to understand one simple thing - This is the problem, not the solution. Focus on finding the solution....innovate, do your home work. Prepare to explore the candidates to see the potential.
  • infosecs Member Posts: 48 ■■□□□□□□□□
    gkca wrote: »
    Where are you located in Canada? GTA and Ottawa seem to have great job market, particularly for Info Sec.
    GTA. And yes lot of demand, lot of jobs. But employers want the perfect "ready to deploy" candidate.
  • Jon_Cisco Member Posts: 1,772 ■■■■■■■■□□
    I doubt there was ever a time in history when people didn't feel employers only wanted people with experience and so it was impossible to get a job.

    The reality is that no person on earth was ever born with experience. So we can conclude that every single person ever employed was given an opportunity at some point in their career. I realize that it is hard to see that perspective when looking for a new opportunity but it is an important point to remember.

    My only recommendation is to be persistent. I will be in a similar situation next year when I attempt to change careers. I don't know how it is going to work out yet but I know the basic formula for success is to keep putting yourself out there.
  • LionelTeo Member Posts: 526 ■■■■■■■□□□
    infosecs wrote: »
    LionelTeo
    Thanks for the youtube link. I don't think resume is a big issue, I have worked on several iterations of it and it seems to garner fair amount of calls. I apply to jobs posted on portals like wowjobs indeed etc. However some applications to jobs that seem to match my past experience very well never progress beyond the application. Others get back to me with odd questions like how much %age of my day was devoted to risk management or how many computers, devices & servers I had to audit during my assignment as if I can step up the game yet clear most infosec and IT exams first time.
    Oh, please don't get me started about recruiters. I made mistake of posting my phone number on my resumes and was driven up the wall by as many as 8-10 calls everyday. Was asked same kind of stupid questions by peeps who are technically as clueless as one can be. Then they want to conduct a skype interview. Then their "manager" wants to interview me. WTH? Why not forward my resume to employers to garner interest in the first place? Technical Questions by HR were the worst of all. I don't waste time with recruiters now and either decline outright or forward my resume with a note that they will hear back from me only after employers have shown interest.
    I mostly concur with everything that Daniel M. has mentioned at https://danielmiessler.com/blog/the-problem-with-cybersecurity-hiring/
    Employers keep on claiming that they are not finding right candidates yet don't seem to understand one simple thing - This is the problem, not the solution. Focus on finding the solution....innovate, do your home work. Prepare to explore the candidates to see the potential.

    Ahh okay, at least the issue is not with the resume. Let's try not to get into frustrations and break down the situation into smaller bits and understand where the pain point of the issue is. I don't know how job finding with other IT Sector is, but Cyber Security sector is a little more troublesome because of the influx and diversity of the candidates which makes it highly competitive.

    I do like to help, but let us lay down a common understanding on job hunting which comprises 3 areas - the resume, job hunting strategy and interview. Since you did mention frustrations with getting interviews that is not of interest with you, perhaps the issue lies with the job hunting strategy? That being said, after looking back on your initial post, I took notice that you started looking for Cyber Security jobs only 3 months ago. Positions that opened this period are usually only due to back-filling. Have you considered to look only after Feb since Feb to July is the golden period for new positions to open after financial year assessment? Also, have you set up multiple daily job alerts on multiple search strings? Based on my experiences with job finding, having daily job alerts help me the most to find multiple good openings during my last transitions.
  • LonerVamp Member Posts: 518 ■■■■■■■■□□
    infosecs wrote: »
    My previous job title is certainly a deal breaker as it did not include "security" in it but I was hoping hiring managers would be able to see past it.

    This is often a problem, especially so for someone trying to move from a strong IT background to security focus.

    Feel free to Google this topic, as it has plenty of discussion in and out of our industry, but look into changing the title of your positions to reflect the work you did. If you managed security devices and tools like a security admin, call yourself that on LinkedIn and possibly on your resume.

    The main crux of the discussions tend to come down to titles really not meaning much outside of the company you worked for. "SysAdmin" or in one of my cases "Network Analyst" only made sense for that company, but to everyone else, I was a Systems/Security Admin/Engineer. I wasn't even the network guy! (It is seriously some personal effort to also change that mentality, to see that I did security all those years, and not necessarily just as part of my duties!)

    This should also be reflected in other areas. In LinkedIn, make it part of your tagline and top-level summary. You can also be far more creative in your titles here. For the resume, make sure your objective statement reflects this and your skills and job descriptions very much support the slight adjustment you make to titles.

    And for sure make sure your cover letter and/or any introductory emails set this tone.

    Just make sure that you are never outright lying or inflating your background, that you're just more accurately portraying your skills and experience, and that any reference check feedback is compatible with your changes (for instance calling previous employer will reveal a different title, but if it's close enough, it's close enough).

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    infosecs wrote: »
    paul78 - I am looking for roles that are a mix of Tech and Consultative such as Audit, Risk Management, TRA, GRC, Network Security design, Device Configuration etc. I am open to most roles except the ones that require deep packet inspection or intensive pen testing or reverse engineering etc. I worked in IT and on infosec side my exposure was mainly towards Vulnerability Scanning and Remediation, Incident Handling, Perimeter Security Device Config, Systems hardening, Network Security and ITGC Audit etc.
    Most of my initial attempts to work were directed towards Insurance companies, banks etc. but realized that they are too structured / regulated and don't seem to be open to hire someone with no financial institution experience.
    When I said Wish this industry was .....what I mean is the cybersecurity industry in general. All I have found so far is that employers are looking for specific skills and not willing to evaluate candidate deep enough to see the potential and whether candidate can fit the bill with a bit of TLC. This has been my experience across some other sectors as well including consulting companies. Almost 12 out of 16 / 17 interviews I had were traditional and same old useless kind of interviews - Introduce yourself, what is your past experience, what were you doing blah blah. All of them were simply too good, no tech questions, no tricky questions to tickle my brain. Only the last 3/4 interviews were good and I do have high hopes from them. These were the ones that not only asked me technical questions, but also questions that went 2 steps beyond what I did or could answer. I felt that I was being probed, but only a bit. I think an interview without deep probing is a waste of time and more of a formality to walk the applicant out of the door.
    Hiring in cybersecurity is way too uptight, it needs to be loosened a bit if more people are to be allowed in. Other than that the only trend I have seen so far is that most companies are trying to groom and hire students.

    Yeah - if you are targeting cybersecurity industry vs other industries with the type of work that you want to do, I'm not surprised that it's taking you some time. That could be pretty niche. Plus the cybersecurity industry is pretty small (USD$140 Billion was an estimate that I saw) compared to other industries like financial services (USD$135 Trillion) or even media and entertainment (USD$1.9 Trillion).

    You're going to be competing with people that have cut their teeth in industries that deal with cyber security issues who are looking to work in a cybersecurity company or a consultancy. Most cybersecurity companies are pretty focused on their product or service so I would expect them to want people with those specific domain expertise.

    BTW - if you are targeting consultancies which seem appropriate for the type of work you want to do, the interview process is similar to what I would do too. It's a lot of soft-skills because I really care about how someone represents the company and I found that I can learn a lot about someone from the way that they represent themselves.
  • infosecsinfosecs Member Posts: 48 ■■□□□□□□□□
    I have been avoiding MSSPs so far like a plague. I had a nasty experience at my last work place but I guess I should have explored MSSPs at least a bit and not just guessed that they are all boiler room ops.
    "You're going to be competing with people that have cut their teeth in industries that deal with cyber security issues who are looking to work in a cybersecurity company or a consultancy. Most cybersecurity companies are pretty focused on their product or service so I would expect them to want people with those specific domain expertise." - You are absolutely right on this one paul78. If only I had jumped ship earlier, it would have been a cakewalk.
    However, what depresses me is the fake hype of cyber security skills shortage. I understand that some don't have the expertise and exposure that is needed for some functions of a job but come on ...we all start from somewhere. Someone who can master some of the toughest exams in the infosec world or those who have worked in IT for 10-15 years do deserve a chance. Maybe they are not worthy of six figures but are they not worthy of even 50K?
  • paul78paul78 Member Posts: 3,016 ■■■■■■■■■■
    infosecs wrote: »
    I have been avoiding MSSPs so far like a plague. I had a nasty experience at my last work place but I guess I should have explored MSSPs at least a bit and not just guessed that they are all boiler room ops.
    Is there a reason why you don't want to work in infosec for a company that's not in the cybersecurity industry? You probably will have broader options.
    infosecs wrote: »
    You are absolutely right on this one paul78. If only I had jumped ship earlier, it would have been a cakewalk.
    Jumped ship from what? No one can predict the future (at least I don't think so) so you never can really tell - it could be better, it could be worse. Hang in there.
    infosecs wrote: »
    However, what depresses me is the fake hype of cyber security skills shortage. I understand that some don't have the expertise and exposure that is needed for some functions of a job but come on ...we all start from somewhere. Someone who can master some of the toughest exams in the infosec world or those who have worked in IT for 10-15 years do deserve a chance. Maybe they are not worthy of six figures but are they not worthy of even 50K?
    It probably depends on what the role is. I suspect that for some companies - especially security companies that do specialized work, it's probably difficult to find certain skillset and talent.
  • JDMurrayJDMurray Admin Posts: 13,101 Admin
    There is usually very little opportunity to grow your SecOps career in most MSSPs. People who like a routine, daily grind that changes very little year-to-year are usually happy as a tier-1/2 analyst in an MSSP. Those looking for more learning and challenges will move on to a non-MSSP situation after a year or two. I have interviewed a LOT of MSSP analysts looking for a more challenging and growth-expanding SecOps opportunity in my SOC team. Because there is little opportunity for MSSP analysts to actually learn about the systems and events that they are monitoring, most don't make it past the first round.