Change is good but make sure you are prepared

Starting a career in Application Security?

AppSec Jul 3, 2022

Deciding you want to change careers is a big decision, and figuring out how to do it can be challenging.

How do people do it? Is there a magic certificate I can get, or maybe there's some AppSec God I can offer a blood sacrifice to?

Before you put on the ceremonial headdress and sharpen the knives, let's talk about ways to help you achieve your goal.

I hate to break it to you, but there is no "magic formula" that will 100% get you a job. As an employer/manager, though, I thought I could share some insight.

Whilst I have written this in the context of AppSec, many of the principles will apply elsewhere.

Before you jump in, do some research.

When you make that initial decision, don't fire off your CV to any job posting that has the word security in it.

Security is a very broad term. Blindly send off applications and you may find yourself getting invited to an interview, but it may be for a doorman at the local nightclub (the one with the sticky floor that smells of stale beer).

The wrong kind of security

Not only could you end up stopping fights and shouting "geeerout of my pub" like the late Barbara Windsor, but you could also miss or mess up some perfect job opportunities.

Don't get me wrong, it's great to get excited, but to be successful there are some things you're going to need to do first.

Is the role right for you?

As we've discussed already, there are many different career paths you can take, and not all security roles are the same. To get the right one for you, invest some time into investigating the role and understanding whether it's something you want to do.

Ensuring the role is right for you is just as important as demonstrating you are right for the role.

As an employer/manager, I want people who want to do the job. I want to feel that energy and enthusiasm from the minute we start the interview, and you can't give that if you don't know what you're getting excited about.

Think about this. You tailored your CV to fit a role, you start to realise that this job isn't for you, and suddenly you get the following question:

Tell me what attracts you to the role the most?

Crap... you just stare at them like a rabbit in the headlights, not knowing what to say. You know you need to say something, but all that comes out of your mouth is "errrr.... Security".


This scenario can happen in any interview, but it's best to keep the occurrences to a minimum if you can.

What exactly can you do to help you understand the role better?

Reach out to people and talk

A great way to impress is to show that you fully understand the role and are excited about it. Before you interview, reach out to people already doing the job and see if it's for you. Now is the time to ask those questions you think are silly and awkward because there is no pressure and you will get honest feedback.

Don't be afraid that people won't respond. Yes, people are busy, and some won't respond, but you will be surprised at how many do.

When you reach out, show interest in what they do, and don't just ask "what do you do?". Get a good conversation going. Ask things like "What have been your biggest challenges?" and "How did you overcome them?".

People love to talk about things they are passionate about.

Do you want to talk AppSec ... really?

Trust me, AppSec will never be the topic of conversation when you are on a night out or at a party (how exciting would that party be though eh?). We don't get many opportunities to discuss what we do, so when someone takes an interest in our passion, it's like all our Christmases have come at once!

Even if you find out AppSec is not for you, at least you can sleep well at night knowing you have made someone's day (make that their year)!

Get some core skills

Bursting at the seams with enthusiasm and excitement is great, but there are some things you have to know about and understand.

Every AppSec program is different and people work in different ways, so get your head around the main principles of AppSec.

To help, take a look at my previous post "AppSec simplified". In that post, you will learn how an AppSec program works and what is important to its success.

Investigate the tools and processes, understand what they do and how it all links together.

AppSec simplified - Four core principles to get you started
Starting an application security (AppSec) program can be a daunting task. Find out how to use a simple set of principles to build a successful program that can evolve into a thriving security culture.

Don't limit yourself to the examples in the post. Do some research about alternative processes and tooling. Being able to make comparisons and suggestions will go down well.

Not getting noticed?

Some believe you need to be certificated up to the eyeballs and have one more year of experience than your actual age to get noticed. The reality is this isn't true, and sometimes you are not getting seen because you're trying too hard or just taking the wrong approach.

Introducing the dreaded HR firewall

When you apply for a position, there is an HR "firewall" that you need to pass through. The first people to see your CV won't be the hiring manager. In most cases, it will be the non-technical HR team working to a job specification.

Beware the HR firewall

If you want to "bust through the firewall and access the mainframe" (lame movie hacker quote), you need to make sure that the content of your CV and cover letter is tailored specifically to the role.

Keep it simple but informative

It's very easy to go full-on tech waffle, but resist the temptation and keep it high-level and informative. For example, maybe highlight:

  • Relevant problems you have identified
  • The root cause
  • How you fixed it
  • The benefits you saw

Unless explicitly asked to, save your "RijndaelManaged" and "CryptoServiceProviders" for the interview, where they will make a great discussion point.

Prove you are a rockstar in the making

Having a certificate on your wall that says you can play the guitar is great, but jumping on stage and rocking people's world is better.

What am I talking about?

There seems to be a massive dependency on certificates among candidates. Yes, they demonstrate that you have invested time and effort into a subject and have a good understanding, but that isn't enough to put you at the top of the pile.

Whilst I don't want to discredit certificates, IMO having my world rocked is definitely preferable to looking at a certificate on a wall, so keep that in mind.

Prove you are a rockstar!

Setting up personal projects and influencing security decisions in your workplace prove that you understand the role and that you can make a difference.

For example:

One engineer I employed had no commercial security experience whatsoever. He worked in IT support and wanted to start a new career. He reached out to me to learn about the role and walked away full of ideas. A few months later, a position opened up, and he applied.

To my delight, I saw the following:

"I identified the risk of vulnerable components in the software we develop. I investigated Software Composition Analysis (SCA) solutions and raised this with the senior developers. SCA is now being used in the teams to protect the software."

Amazing! He took on board our discussion, looked at things he could influence and made a positive impact. Needless to say, he got the job.

Other ways to improve your AppSec appeal.

Some of you might not be in a work environment where it's possible to do this, or might not have the funds for expensive courses. Don't worry. There are other ways you can boost your AppSec appeal.

Inexpensive, interactive platforms like Hack The Box or TryHackMe have lots of relevant content and allow you to track and evidence your learning. Snyk and Secure Code Warrior have options to learn about secure coding.

The best bit is they are either free or cost about the same as a couple of beers a month (or half a beer if you live in London).

If you contribute to any security blogs or groups, it's always worth mentioning, as it will show you have a keen interest.

Seize the moment, opportunity is out there.

There will no doubt be people reading this thinking "this guy is off his head, there's no way you can get a job in cyber just by doing this".

Wake up, people: there is a massive skill shortage in cyber security, and we need bums on seats!

This skill shortage was evidenced in the UK by a cringe-worthy campaign several months back (I wonder if Fatima got that job).

Go Fatima, you can do it!

Employers and managers (like myself) have realised we need to flex our requirements, or we won't be able to fill the positions.

Shortage or no shortage, you can't roll up, say "I love AppSec", and expect the job to be yours; you need to put in the work.

Security is all about managing risk. Having something is better than having nothing, especially in this climate. There is an argument that you can't have inexperienced people working in security, but no decent manager or employer will put inexperienced staff in high-risk situations.

As an employer/manager, I have employed several engineers without commercial experience. They have been gradually introduced into the program and given plenty of time to learn and develop. Yes, it's hard work to start with, but the results have been phenomenal!


You don't need 100 certificates and years of experience to break into this industry, but you do need to understand the role and demonstrate some key skills.

Not every employer will share my perspective on cross-applying experience and knowledge, but I think it's vital that you know some do.

Whatever you do, don't give up and good luck in your journey!


Scott Mitchell

Experienced AppSec leader and enabler. I have progressed from being "the security guy" to creating and leading a global security program. Sharing knowledge and learning from others is my passion.