Deciding you want to change careers is a big decision, and figuring out how to do it can be challenging.
How do people do it? Is there a magic certificate I can get, or maybe there's some AppSec God I can offer a blood sacrifice to?
Before you put on the ceremonial headdress and sharpen the knives, let's talk about ways to help you achieve your goal.
I hate to break it to you, but there is no "magic formula" that will 100% get you a job. As an employer/manager, however, I thought I could share some insight.
Whilst I have written this in the context of AppSec, many of the principles will apply elsewhere.
Before you jump in, do some research.
When you make that initial decision, don't fire off your CV to any job posting that has the word security in it.
Security is a very broad term. Blindly send off applications and you may find yourself getting invited to an interview, but it may be for a doorman at the local nightclub (the one with the sticky floor that smells of stale beer).
Not only could you end up stopping fights and shouting "geeerout of my pub" like the late Barbara Windsor, but you could also miss or mess up some perfect job opportunities.
Don't get me wrong, it's great to get excited, but to be successful there are some things you're going to need to do first.
Is the role right for you?
As we've discussed already, there are many different career paths you can take, and not all security roles are the same. To get the right one for you, invest some time into investigating the role and understanding whether it's something you want to do.
Ensuring the role is right for you is just as important as demonstrating you are right for the role.
As an employer/manager, I want people who want to do the job. I want to feel that energy and enthusiasm from the minute we start the interview, and you can't project that if you don't know what you're getting excited about.
Think about this. You tailored your CV to fit a role, you start to realise that this job isn't for you, and suddenly you get the following question:
Tell me what attracts you to the role the most?
Crap... you just stare at them like a rabbit in the headlights, not knowing what to say. You know you need to say something, but all that comes out of your mouth is "errrr.... Security".
This scenario can happen in any interview, but it's best to keep the occurrences to a minimum if you can.
What exactly can you do to help you understand the role better?
Reach out to people and talk
A great way to impress is to show that you fully understand the role and are excited about it. Before you interview, reach out to people already doing the job and see if it's for you. Now is the time to ask those questions you think are silly and awkward because there is no pressure and you will get honest feedback.
Don't be afraid that people won't respond. Yes, people are busy, and some won't respond, but you will be surprised at how many do.
When you reach out, show interest in what they do, and don't just ask, "What do you do?". Get a good conversation going. Ask things like "What have been your biggest challenges?" and "How did you overcome them?".
People love to talk about things they are passionate about.
Trust me, AppSec will never be the topic of conversation when you are on a night out or at a party (how exciting would that party be though eh?). We don't get many opportunities to discuss what we do, so when someone takes an interest in our passion, it's like all our Christmases have come at once!
Even if you find out AppSec is not for you, at least you can sleep well at night knowing you have made someone's
Get some core skills
Bursting at the seams with enthusiasm and excitement is great, but there are some things you have to know about and understand.
Every AppSec program is different and people work in different ways, so get your head around the main principles of AppSec.
To help, take a look at my previous post "AppSec simplified". In that post, you will learn how an AppSec program works and what is important to its success.
Investigate the tools and processes, and understand what they do and how it all links together.
Not getting noticed?
Some believe you need to be certificated up to the eyeballs and have one year more experience than your actual age to get noticed. The reality is this isn't true, and sometimes you are not getting seen because you're trying too hard or just taking the wrong approach.
Introducing the dreaded HR firewall
When you apply for a position, there is an HR "firewall" that you need to pass through. The first people to see your CV won't be the hiring manager. In most cases, it will be the non-technical HR team working to a job specification.
If you want to "bust through the firewall and access the mainframe" (lame movie hacker quote), you need to make sure that the content of your CV and cover letter is tailored specifically to the role.
Keep it simple but informative
It's very easy to go full-on tech waffle, but resist the temptation and keep it high-level and informative. For example, maybe highlight:
- Relevant problems you have identified
- The root cause
- How you fixed it
- The benefits you saw
Unless explicitly asked, save your "RijndaelManaged" and "CryptoServiceProviders" for the interview, where they will make great discussion points.
Prove you are a rockstar in the making
Having a certificate on your wall that says you can play the guitar is great, but jumping on stage and rocking people's world is better.
What am I talking about?
Candidates seem to place a massive dependency on certificates. Yes, they demonstrate that you have invested time and effort into a subject and have a good understanding, but that isn't enough to put you at the top of the pile.
Whilst I don't want to discredit certificates, IMO having my world rocked is definitely preferable to looking at a certificate on a wall, so keep that in mind.
Setting up personal projects and influencing security decisions in your workplace prove that you understand the role and that you can make a difference.
One engineer I employed had no commercial security experience whatsoever. He worked in I.T support and wanted to start a new career. He reached out to me to learn about the role and walked away full of ideas. A few months later, a position opened up, and he applied.
To my delight, I saw the following:
"I identified the risk of vulnerable components in the software we develop. I investigated Software Composition Analysis (SCA) solutions and raised this with the senior developers. SCA is now being used in the teams to protect the software."
Amazing! He took our discussion on board, looked at things he could influence, and made a positive impact. Needless to say, he got the job.
Other ways to improve your AppSec appeal.
Some of you might not be in a work environment where it's possible to do this, or might not have the funds for expensive courses. Don't worry. There are other ways you can boost your AppSec appeal.
Inexpensive, interactive platforms like Hack the Box or Try Hack Me have lots of relevant content and allow you to track and evidence your learning. Snyk and Secure Code Warrior have options to learn about secure coding.
The best bit is they are either FREE or only cost about the same as a couple of beers a month (or half a beer if you live in London).
Seize the moment, opportunity is out there.
There will no doubt be people reading this and thinking "this guy is off his head, there's no way you can get a job in cyber just by doing this".
Wake up, people: there is a massive skill shortage in cyber security, and we need bums on seats!
This skill shortage was evidenced in the UK by a cringe-worthy campaign several months back (I wonder if Fatima got that job).
Employers and managers (like myself) have realised we need to flex requirements, or we won't be able to fill the positions.
Shortage or no shortage, you can't roll up, say "I love AppSec", and expect the job to be yours; you need to put in the work.
Security is all about managing risk. Having something is better than having nothing, especially in this climate. There is an argument to say you can't have inexperienced people working in security, but no decent manager or employer will put inexperienced staff in high-risk situations.
As an employer/manager, I have employed several engineers without commercial experience. They have been gradually introduced into the program and given plenty of time to learn and develop. Yes, it's hard work to start, but the results have been phenomenal!
You don't need 100 certificates and years of experience to break into this industry, but you do need to understand the role and demonstrate some key skills.
Not every employer will share my perspective on cross-applying experience and knowledge, but I think it's vital that you know some do.
Whatever you do, don't give up and good luck in your journey!