This is a bit of a clickbait title but first, I am bad at titles and, second, I did indeed switch from a software job into the infosec world (and picked up my OSCP along the way in X days).
I have helped others get started in the cybersecurity field before, and hope to do more of that with this post. Since cybersecurity is an applied field, the more diversity and cross-domain knowledge we have, the better!
This is an incredibly long (7500 word) post that is roughly 20% on how I got into the cybersecurity field, and then the remaining 80% on how to turn this into a broad strategy to help you get into cybersecurity that basically works by reverse engineering what sounds interesting.
Of course, what worked for me might not work for others, but I tried to make this as broadly useful as possible.
My story lol
Some people fall into this industry, I definitely did not.
While I’ve been on computers since a very young age (hello fellow millennials), I did not have a particularly tech-y childhood. Once I did get into the tech field, I had some pretty bad imposter syndrome that kept me away from security even after I was interested.
I majored in electrical engineering, focusing on embedded systems (after getting a music degree, lol). I’ll talk more about college majors w.r.t. infosec in a minute.
I worked as an electrical engineer for a bit, and then did other software work (web, mobile, IoT, desktop) when the original planned projects fell through. I also helped run a software meetup group which exposed me to organizing events, and introduced me to a lot of cool software folks in the Midwest.
After a few years in this job, I was interested in security but didn’t know how to get into it, and generally felt like I was too stupid to meaningfully participate (imposter syndrome :/ )
Cryptography nerd
But anyway, a few years into this software job, I read “The Code Book” and got super interested in cryptography (lol neeeerdddd). I was trying to teach myself Rust at the time, and tried implementing some of the classical ciphers in the book. This was one of many unsuccessful attempts at learning Rust (Rust evangelical task force, I appreciate you but please do not contact me about this).
While the Rust portion was a failure, I incidentally found a use for my new nerd skills via this online “quiz” by USCC, which is a government program that helps get people educated in Cyber™. Lucky me, that particular year’s quiz was cryptography focused.
I didn’t originally know this, but scoring well enough on the quiz meant an invite to a cybersecurity bootcamp (I almost didn’t go because wHaT iF I LiKeD iT tOo MuCh).
I went to the bootcamp, learned a ton about cybersecurity via 4 day-long classes hosted by SANS instructors, and then did a CTF. I absolutely loved the CTF. I was instantly hooked. I shared contact info with the other campers and we continued CTFing on weekends, remotely. We were terrible at it for a long time, but eventually started getting better.
Nearly a year after this, it turned out I did like this security thing too much, and decided to leave my current job without another job lined up, and without a specific path into the industry. I realize this is not an option available to most people, but I saved up money to take time off before job searching.
Leaving software
The original plan was to take a few months off, focus entirely on certifications, and then job search in earnest. What actually ended up happening was taking a year “off” while freelancing 20-30 hours a week to pay the bills, and doing certifications, CTFs, and self-taught learning in the meantime.
This year “off” started shortly after my first Defcon. I was dazzled by a lot of the speakers and compiled a list of bios that I thought were really cool, and used that to reverse engineer my way into infosec.
On my list was Security+, embedded systems experience, and OSCP.
- I did Security+ first, which is a very broad but shallow certification. If you are “good at exams” then this one is probably quickly within your reach; but either way I recommend doing online quizzes until you feel confident. I did this one in the first couple months after I left my software job.
- I continued going to conferences and meetups, mostly the cheap and local variety. For example, BSides tickets are very affordable, and most conferences post their videos online afterwards if you cannot attend (doubly true now that COVID-19 has forced most groups to meet virtually). I’m in the Midwest, which is not a particularly infosec-heavy area.
- A lot of the pen testing job listings required an OSCP. This certification was considerably more effort than the Sec+ certification but I really enjoyed doing the labs. I had to extend my lab subscription several times. It took me 90 days to get to a level where I felt confident enough to take the exam, with roughly 35-40 of the lab boxes rooted. Almost all of the material was new to me because, as I said, my background had almost no security in it (and you might notice it had very little networking in it either). The exam was absolute hell though, I think I slept 3 hours total.
- During this year, I was also participating in CTFs nearly every weekend… not all weekend but I was exposing myself to CTF challenges every week. At the time, it didn’t feel like it was adding up but it definitely was.
Job searching
My top job pick (Grimm) also required embedded systems experience. As an EE, I had experience building and troubleshooting them, but not hacking them. Grimm specifically asked me to try some of the Microcorruption challenges so I did the first 18 (out of 19) and wrote up a blog post for each one. I also participated in a lot of Michigan meetups that Grimm folks either attended or contributed to in some way.
Some of the places I interviewed were kind of intense. One place had a 24 hour (!!!) evaluation similar to the OSCP exam, which did not go well at all. Failing that was a pretty rough experience, but as with CTFs, you gotta pick yourself up and keep going.
About a year after leaving my previous job, I was hired by Grimm as a security researcher on the CyberPhysical systems team and have been there ever since.
The interviewing process
By the time I was hired, I had known the team for the better part of a year via meetups and conferences. It wasn’t like there was a switch that flipped on where all of a sudden, I was eligible. Instead, they knew me, I had demonstrated interest and skills over time, and they finally had an opening. I’ll admit that most people do not have such a flexible interviewing timeline but the slow burn approach meant that they had already (implicitly) interviewed me over time and I had a huge advantage over other applicants when the position opened up.
Okay, cool story… how does this help me?
This post is about helping you get a job in infosec, so let’s get to it.
First let’s acknowledge that job searching sucks. I have not met anyone who enjoys doing it, and it feels pretty unnatural to most folks. In software, there are entire websites centered around helping you study for interviews. While I understand their intent, I don’t like the idea of “studying to pass the test” and optimizing purely for the job search process.
We’ve all got limited time and energy so let’s try to focus in on the important parts, reverse engineer a strategy from what sounds cool, double up on useful skills, and then represent that effort as best we can during interviews.
The strategy
- Narrow down the infosec field to a few specific sub-areas
- Find job roles or resumes within the areas you’re targeting, and identify the most important requirements
- Make sure you’ve got the basics down in programming, networking, and any niche-specific areas you’re interested in.
- Determine which certifications (if any) are necessary and make a plan to tackle them.
- Take the non-formal requirements and find ways to get experience through self-taught technical learning.
- Help others with your newfound knowledge and make things better for others in the industry, and double-dip on this by demonstrating “soft skills” at the same time.
- Learn how to put your hard work to use while interviewing
- Get u a job
Narrow down the field
Your goal in this section is to assess which broad areas are interesting to you, and then narrow the list down to a couple of areas.
When someone says “I want to get into infosec/cybersecurity” my first question is, which area(s) in infosec?
Because there are tons of different areas within the cybersecurity field. Red team, blue team, compliance, pen testing, industry-specific areas (car hacking, industrial control systems, medical devices), cryptography, and so on.
If you don’t know what you like, that’s fine! Nothing like testing things out:
- CTFs: my favorite. CTFs are hacking competitions with challenges from nearly every area of infosec. Here’s my blog post for more info.
- Go to conferences (virtually, for now). Security conferences often have “villages” for different areas of infosec, for example, Car Hacking Village or Aerospace Village. Since a lot of conferences are still virtual because of Covid-19, that means opportunity for you to safely check out different groups for cheap or free!
- Reach out to people on Twitter. Yes, Twitter is full of drama and jerks, but Twitter is also full of cool people, and some of them will help you out. The caveat here is that you ask intelligent questions. So “I want to get into infosec” is not a good question but “what should I look into if I want to learn more about hardware hacking” is a good question.
- You might know people locally or online that are in specific fields. Ask them about their jobs and what they like/dislike.
- Capitalism: sometimes your job prospects are determined by what opportunities are around you. If you are, for example, in an area with a lot of medical industry work, then your likely future employers are going to be in the medical field.
Your decision in this section doesn’t need to be set in stone, but you’ll make things a lot easier on yourself if you have a general idea of what is interesting and also what you know you want to avoid.
Reverse Engineering a path into your desired field
Your goal for this section is to take the list of industries and drill down into specific jobs that appeal to you, then make a list of “requirements”.
You narrowed things down from all of infosec to a few industries/areas. Now let’s shop around for some cool sounding jobs and see what it takes to get into those roles.
Finding cool people and jobs
Earlier I mentioned that I went to Defcon and made a list of people whose jobs sounded cool. I read the bios of talks I was interested in, took note of the bios where I thought “wow I wish I had this person’s job / career history / research role” and dumped those into a notes doc. Of course, speaking at Defcon != entry level, but seeing all of these bios let me pattern match how people got into cool jobs, and helped me reverse engineer how I might get a cool job too.
You can do the same thing with job postings. You should know that most job postings have way more “requirements” than what’s actually required, but they can still be useful for this step. Same approach here, I found some jobs (maybe 5-10) that sounded cool and dumped the requirements into a document.
Where do you find job listings? From the earlier section, you probably watched some talks or saw people on Twitter. Pull up the websites of the sponsors or speakers and look through job listings. That can give you an idea of what other job titles to search for.
These jobs might not still be open by the time you are ready to apply. That’s okay, we’re just looking for a blueprint.
Pattern matching
Between these two approaches, what keeps showing up? Certifications? Help desk experience? Industry-specific domain knowledge? Certain languages or skillsets?
Try to keep the order of requirements from each job post intact; this will help you figure out what keeps rising to the top. Most requirements are not hard requirements, but the point here is to identify things that have outsized influence and focus on these in later sections of this blog post.
When I was looking for pen testing jobs, I found that OSCP kept showing up. So that went on my list of things to tackle. It also appeared across multiple listings so I felt that, if I was unable to get a job at one company, I would not have wasted any time by focusing on that certification.
Note that some of these requirements are going to be very industry specific. Government jobs, for example, might require specific certifications more than commercial roles.
Get your foundations in place
Your goal here is to assess your programming and networking skills. Write down the skills you already have with a description of how you’ve applied them (at work, side projects, self-taught learning), and identify what you still need to learn and make a plan.
With some exceptions, it is incredibly useful (and dare I say required) to have some sort of technical background. This does not have to be a formal background. There are some “cybersecurity” degrees offered now, but this is still very new. I don’t think any of my coworkers have a cybersecurity degree. A lot of folks I know have tech degrees, such as in engineering, IT, or CS.
If you don’t have one of these, that doesn’t (necessarily) mean you need to go back to school. But you will need to demonstrate that you have the necessary skills (and if possible, show some kind of cross-industry relevance).
In general, I’ve found that infosec people have one of two backgrounds: programming, or networking.
Programming
You don’t need to be a programming genius, but showing proficiency in the area(s) you want to get into will help your prospects and future learning a lot.
- Interested in web pen testing? How about some HTML and JS, and maybe some SQL.
- Embedded systems: you’ll probably want to know C or C++.
- Red teaming: Python, bash scripting.
So, where do you learn this? There are a lot of free online courses; you do not need to pay for this. My approach is to take a beginner guided course such as a free Codecademy course. Then, I try a small project to grow my skills (emphasis on SMALL, something you can get done in a weekend. Do not fall prey to Side Project Syndrome). For example, maybe you write a C program that demonstrates some basic socket idea, or you write a script that scrapes the provided URL and returns a list of links from the HTML.
Remember that your end goal is (probably) not to be a programmer but to get into infosec, so focus on getting to a level of understanding where you know what to Google, and you’ve “learned how to learn”. Being able to ramp into a new skill is very useful. Figure out what approach is useful for your brain and make note of it.
If you have never programmed before, you might need more guidance (this might also be available online for free but I am not up-to-date on this). I love everything that I’ve read from No Starch Press but I’m sure there are other resources too.
Networking
The length of this section is going to make it obvious that this is not my forte. But this is equally as useful in infosec, and I think can also be learned through some basic primers, and then some hands-on IT experience. Bonus points if you had help desk experience.
How much is enough?
In either of these categories, it’s difficult to judge whether you’ve learned enough. But when you get to the Learning section later, try to gauge whether you are getting stuck more on understanding the code/networking part or the applied security part. That will give you an idea if you need to work more on foundational concepts.
While more knowledge is of course useful, you do not need to master both of these to get into infosec. In my experience, most people are strong in one and have a basic (or greater) understanding in the other.
Niches
Depending on what you want to get into, there might be other foundational skills that are a bit out there. For example, my team at Grimm does car hacking. So car experience, like doing your own maintenance, rally car racing, or car modification is a big plus. Other examples include PLC experience for an ICS job. This is not necessarily a replacement for programming or networking experience, just to point out that there are some edge cases.
Credentials and Certifications
The goal here is to identify the most useful certifications for the jobs you are targeting, validate that these are actually required, and then get the certs.
Looking through our compiled list of requirements, are there any certifications?
As I’ve already alluded to, there are not many formal credentials in infosec compared to other industries. Cybersecurity-specific college degrees are still fairly rare, and certifications have largely filled that void.
Much has been written about certifications. Let me just say that as a woman in tech, I have noticed a lot of cis white dudes getting the benefit of the doubt where others have not. Of course, this is frustrating to me, but for the purpose of this blog post, my takeaway is to “backstop” all of your resume points. If I say that I have experience in $topic on my resume? You can find it in a certification I’ve earned, on my GitHub, or on my blog, or in a talk I’ve given. Maybe I’m being overly paranoid or doing unnecessary work, but I make a point to back up everything with receipts.
If you are brand new to the industry, CompTIA’s Security+ certification is a good beginner cert that is affordable and can open some doors. CEH is useful for DoD jobs.
If you want to work in formal government settings, requirements for certifications are likely to be actual requirements instead of nice-to-haves.
While I believe that certifications are important especially for underrepresented groups, do not get certifications for the sake of getting certifications! Like a college degree, this costs you time and money, and you want to be sure this isn’t better spent elsewhere.
If you are unsure, ask around in security groups (discussed later) to get a better idea of how it might apply to your situation. Once again, asking good questions is key. Ask specifics like “I’m interested in this forensics role for $bigCorp and am thinking of going for $certName. Is anyone in a similar role that could give me feedback on whether this is a good choice?” instead of just “should I get my $certName”. Likewise, I’ve seen people share their certification progress, as well as encouragement and resources in security groups.
With a few exceptions (like OSCP), certifications are not demonstrative of hands-on experience. So you’re gonna have to get that elsewhere.
Learning, Learning, Learning
Our goal here is to prioritize the most valuable non-certification requirements in our job listings, and then identify ways to teach ourselves the information. As you go through this, keep an updated list of what you’ve learned.
Now we’re on to the fun part of our compiled list, which is the domain knowledge that these jobs are looking for.
Note: I do not like the “show that you're passionate OUTSIDE of work” bullshit thing that the tech industry does. A lot of the below recommendations do require effort outside of your normal job and while I know that is difficult for a lot of folks who have other life obligations, I do not currently have a better suggestion. Where possible, try to align this with things you already do (school/etc groups).
The lack of standardized credentials in infosec is both good and bad, because it’s essentially a “create your own learning path” adventure. This can be daunting, and also time-consuming.
Most of infosec, like the tech industry in general, suffers from gatekeeping, particularly in the hiring process. For example, how can you get experience if you can’t get the job to get experience? We’re going to go for the next best thing, which is teaching yourself (this section) and sharing with others (future sections).
Earlier, we identified the sorts of skills or requirements that might match jobs that you are interested in. Before we get into how we’re going to pick up those particular skills, let’s clear up a few things:
- I am not suggesting that you become a carbon copy of other people in those roles. Figure out the “must haves” (probably networking or programming, maybe a certification or two, and then skills in a particular domain) and tackle those, and then spend the rest of your time exploring.
- This should not be a drag. Yes, you might work through some difficult problems, but if you are really dreading something, take a step back and ask yourself if you’re on the right path or if there’s another area that might be a better fit.
Since you already have an idea of what you’re interested in from the prior sections, look for those topics in the following sections (for example, a car hacking CTF, or a book on web pen testing, or a course on blue teaming).
- CTFs: once again, my favorite. These can be a bit uneven in terms of difficulty level but they’re available online (easy access for people), free, and are a great way to work with other people. And yes, do CTFs with other people! It’s way more fun and you end up making friends and meeting people in the industry.
- Contributing at your current employer: Wouldn’t it be great if you could get paid to develop your security skills? Maybe your current employer has opportunities for you to do security-flavored things, such as implementing some authZ/N stuff on your dev project or helping with audits.
- Reading: While some tech books can go out of date quickly, there are some classics that are still very useful. I highly recommend Hacking: The Art of Engineering to start with if you are on the pen testing / red team side and are totally new to hacking. And you can’t go wrong with No Starch Press.
- Hands-on Learning: there are a ton of cool Twitter posts, blog post walkthroughs, and GitHub tools. Why not try some of these out for yourself? You might need to buy some hardware but it’s a great way to learn, and a ton of fun. You can go through someone else’s walkthrough and/or just play. (keep it legal tho)
- Online courses: there are quite a few online courses, such as The Cyber Mentor’s program, Cybrary, Pluralsight, etc. I haven’t done many of these but the structure can be very beneficial to new folks.
- Open source contributions: not gonna lie, this idea kind of intimidates me. But if you find a tool or framework that was useful to you, see if they have any open issues that need help, or documentation. Yes, documentation is boring but if you suffered through finding the answer to something, you might as well share it (whether on their repo or in a personal gist).
- Twitter: Twitter has a lot of folks who share infosec news, commentary on current events, proof of concepts, cool videos, resources, and so on. Twitter is a mixed bag, but try to steer towards the people with awesome punk rock / DIY spirit.
- Slack and Discord Groups: there are lots of groups focused around different topics, “villages”, tools, CTFs, CTFing groups, and geographic areas. You should be able to find village websites through the Defcon website, or search through Twitter. These groups are full of experienced industry people, and these people post job listings as well. This is a great chance to get around the resume pile, and to ask questions about the specific company/team you’re applying to.
While it’s important to have a plan (as you created earlier), you don’t need to stay on that singular path the whole time. A lot of stuff in a given cybersecurity domain has usefulness in other domains, so don’t turn down something that seems interesting just because it’s not on your list.
If you find something you’re really passionate about (say, Bluetooth) you might become the “Bluetooth Person” in a future pen testing role, even if that wasn’t in the original job role.
Legal Disclaimer
For the love of god please keep it legal if your goal is to get a job. I’m not trying to moralize, it’s just that we (tragically) don’t live in the 90s anymore.
In this vein, I don’t recommend any kind of freelance pen testing, because of the legal risk. You may be able to improve security at your current employer, or help with IT in a group you’re currently involved in, like a church or community center.
Give Back
The goal here is to take each thing that you’ve taught yourself (or maybe certifications you are working on, if it’s something you can share) and turn it into something that makes the field better for others. Keep updating your self-learning list, and add details for each thing on how you’ve applied or shared it.
You just taught yourself a whole bunch of new stuff. Why not share it? This will help you solidify your own knowledge, help others, and create proof of what you taught yourself.
I’m not suggesting that you make the next $fancyNameHere open source tool or to create a whole framework from scratch.
But there are plenty of things you can do that will be immensely useful to yourself, and to others:
- If you teach yourself something and it takes a long time for you to learn it because there are no resources (or the resources available aren’t great), make a blog post or video to help out the next person.
- Find an open CTFing group and help newbies work through challenges, and/or team up with someone and work on something new to both of you.
- You figured out how to get a tool working on an OS not mentioned in the docs. Make a gist, video, or open a PR to the repo with your findings.
- Volunteer at conferences or meetups, whether this is logistics, IT support, creating CTF challenges, managing speakers, etc.
- Share useful articles, resources and news to groups you think might benefit, and connect people to others they might benefit from.
- If someone made a tool or did a talk you enjoyed, send them a message saying as much.
- If you made a tool, consider sharing it on GitHub.
- If you find yourself repeatedly looking up a given topic (say, NoSQL injection) and write up a guide for yourself, consider sharing it in some manner, such as GitHub.
- Take ideas that you’ve learned and present a short talk to local school groups or meetup groups. Or if speaking isn’t your thing, make a blog post.
Note: when commenting on other people’s stuff, please ask yourself first if they asked for the type of feedback you’re offering.
Note2: you might think that if everyone takes this advice, it will no longer work. I suppose this is true, but conferences and meetups are always short on help, repos are always behind on issues, etc. The likelihood of our industry being oversaturated with too many helpful solutions is, uh, low.
Imposter syndrome hits a lot of us pretty hard and it can feel difficult to believe that you have something important to add when there are all these l33t h4xx0rs out there making ATMs spit out money. Not to get all cheesy on you, but you do have something to contribute. Maybe you’re funny, or are good at coming up with metaphors (god knows I am not), or you have some kind of arcane weird knowledge that would be useful for the community? Maybe you’re great at illustrating abstract concepts? Maybe you’re empathetic, or you’ve faced unique challenges, or you simply have a different way of thinking? All of those things help new people understand important concepts, and when there are more ways of thinking and explaining things in an industry, that can help bring others in and make it a more welcoming and knowledge-full place.
Even if you’re a total newbie, you have a useful perspective. A lot of folks who have been in the industry for a while do not see the gaps in the same way you do (have you ever listened to someone who explains things in a way that assumes you already know everything about the topic?)
You don’t need to turn EVERYTHING you learn into a blog post / whatever, but aim for maybe one or two things per area you want to have proof of proficiency in.
So: write, volunteer, answer questions, participate in conversations, work on CTF challenges together, fix issues, help out other people. And even if exactly zero people read your blog post or watch your video, trying to help others is good for you mentally, and it also helps solidify your knowledge. You will not believe how many gaps there are in your understanding of a topic until you try to explain it in-depth to someone else.
And it also helps you…
Demonstrate “Soft Skills”
The goal here is to take each of the things we’ve learned and turned into something useful, and figure out how this “counts” towards the non-technical requirements.
You probably noticed that some of the job requirements weren’t technical, but instead fall under the category of “soft skills” (which of course is a pretty shitty name for something that makes up the entirety of how we actually share our ideas with other people).
Chances are you’re a tech person who finds it easier to focus on technical skills rather than soft skills. And it probably sounds like I’m adding another thing onto your to-do list. But you’re likely already demonstrating soft skills in the “give back” section, so let’s take note of that.
Why this is important
Soft skills are not some kind of flowery HR bullshit, they are actually useful for your job. While I’d like to imagine that my job is like this:
It’s more full of explaining to the client what is going on and how to fix it. I get to find cool vulnerabilities, but it does me or the customer no good if they don’t “get” it and fix it.
And even if you’re a l33t h4xx0r who doesn’t interface with customers directly, you still need enough soft skills so that people can actually understand how l33t you are.
You’ve probably got some specific non-technical requirements in your job requirements doc, and you should focus on those first. But I’ll talk generally about speaking, writing, and managing people/time.
- Speaking: most people hate this, and I understand. But this doesn’t have to mean huge crowds. You can give talks at local meetup groups, record your own videos, and so on. True, most companies aren’t hiring for your speaker skills, but giving talks means you can represent yourself and your ideas well, and can get the company name out at conferences. Find CFPs (call for proposals) here.
- Writing: less daunting than public speaking for sure (you can probably tell I like writing, as this blog post is a fucking novel). Writing demonstrates your thought process, how good you are at explaining ideas, the quality of your writing, your interests and level of understanding, and that you’re willing to write things. All of these are useful for report writing, so keep that in mind if report writing appears on your requirements doc. There are also variations on writing, like these useful guides.
- Teamwork: If you volunteer for events, you’re probably an okay person and can talk to other people, or at the very least, you can accept instruction from other people. Cool. Did you try CTFing and join up with another group? Congrats, you’re demonstrating some level of teamwork.
- Managing time: Busy parent/etc? You probably have to work pretty hard and keep on top of your shit to get stuff done. Maybe you can even estimate how long things take you and create a schedule for yourself! That’s very useful.
We all hate the “what are your weaknesses” question, but if soft skills are legitimately a weakness for you, then pushing yourself in this area (while giving back) gives you a solid interview answer.
Networking
Your goal here is to join communities and meaningfully contribute, both to grow your skills and to meet people.
If you’re like me, you probably recoiled a bit at the word “networking” because it sounds, well… slimy. How do you make it non-slimy?
Put yourself in the shoes of a manager trying to hire someone new. You’ve put up a job posting and you know you need to find someone who has the technical chops, who won’t ruin the team vibe, and that can be trusted to do the work. You get dozens of resumes back… so, who are you going to choose?
It is a rough game being just another resume in the pile. I’m sure you’re aware of the incredibly depressing stat that most managers only look at a resume for ~6 seconds.
Managers want a sure option, and teams want to have cool coworkers. It’s hard to telegraph all of that through a single piece of paper (although I’m sure you’re a cool and talented person!). So the way to get around this is networking.
This is essentially “who you know” but before you roll your eyes at it, I am not suggesting that you go to events and hand out your business card and brown nose in hopes that someone will give you a job later.
What I am suggesting is that you meaningfully contribute to the community throughout your learning and job search process. People take notice of those who help out and participate, and in my experience, opportunities go disproportionately to these folks.
The infosec world runs (largely) on the contributions of individual people. Yes, there are big companies throwing expensive and boozy Defcon parties, but there’s also a lot of open source tools and community-run conferences. A huge part of infosec is people coming up with cool ideas and then bootstrapping them into reality (ex: all the Defcon villages are community-organized).
I’m once again suggesting the “give back” ideas from the previous section, while emphasizing that helping other people in the infosec community naturally means that you’re going to start meeting other people, and that it also makes you a desirable job candidate.
It might bother you that your resume won’t be judged solely on its technical merits. But you do the same thing–if you’re getting something to eat, do you opt for a restaurant you already know or one that a friend recommended, or do you look through every restaurant in town from scratch? (I know, the metaphor’s a bit stretched). I’d bet that you’ll go with the more sure option 9 times out of 10, and your interviewer will be no different.
If you’re participating in these security groups, and they know you as a person who participates and helps out, and who’s looking for a job, most people will want to help you out. In Slack and Discord groups, this means seeing job postings before they’re widely shared, and getting to ask one-on-one questions of the person who posted it. Same thing for local meetup groups, where someone might refer you directly to a hiring manager. You might even get tips about jobs that aren’t publicly advertised at all, or not advertised yet.
You still need the technical chops to do well at the job, and you still need your resume to convince HR, so don’t think you can skip the certifications and learning portion. But going through the job search process with social proof ($employee met you and can vouch for your involvement in security groups) makes things a lot easier. The interview will probably be more chill too, since you’ve front-loaded a lot of the effort in proving that you’re a good hire through your helping and participating.
So, no feeling slimy or attending “networking events” with business cards. Just genuinely participating in groups that share your technical interests, where you’re able to learn and give back.
And all of this is way easier than just applying to job postings that you have no prior connection with.
Interviewing
I realize this is going to make me sound insufferably square but you can (and probably should) practice your resume and interviewing skills.
While the previous sections might make the interview process less intense, depending on the size of the company, you might be interviewing with people you haven’t met before. Either way, you want to make sure you’re prepared.
Resumes
You’ve likely got a bunch of new skills to add to your resume now anyway, and these folks can help you represent yourself well. Consider putting your self-taught learning, blog writing, etc. in an extracurricular section.
A lot of conferences have (free, online) resume “villages” now. Take advantage of them! This is likely a good way to get on people’s hiring radar, too.
Interviewing
As for the actual interview, you didn’t come all this way to get certifications, do extracurricular learning, practice soft skills, etc. just to flunk your interview. You worked hard, so let’s demonstrate your effort well!
- Find a list of commonly asked interviewing questions.
- For each question, practice by yourself. (I suppose you could practice with a friend but why not just practice by yourself and then admit it to no one). You probably monologue in your head anyway, so just switch into interview answering mode for a bit.
- You’ve got your list of things you taught yourself, certifications, how you gave back, groups you participated in, and soft skills. See if you can reference one thing in each of your answers. You’re not trying to do the spoken version of keyword stuffing (you don’t need to hit every point in your answer), just practicing answering in a way that backs up your claim with a specific example or two. Talking about factual things that happened is way less cringey than describing yourself in abstract, flowery language.
- Maybe during your actual interview, you’ll come up with a really slick answer. But if divine inspiration fails you, you’ve got specific examples to fall back on that reflect well on your knowledge, your soft skills, and your contributions to the community.
- You are not trying to rehearse canned responses. Our goal here is to get some reps answering questions so you’re not trying to answer for the first time with an audience. Yes, practicing interviewing questions is awkward, but it’s less awkward than yolo’ing it for the first time in front of strangers.
- I have interviewed a lot of people, and while I can only really speak for myself, I completely understand if someone seems nervous or trips over their words during the interview. It’s such a bullshit setup! So I’d forgive any nervousness and instead focus on their intent.
Here’s what I mean by “backing up your answer with something you’ve done”:
- Why are you interested in this job? “A few months ago, I was going through Defcon videos on youtube and saw this one on medical devices by $name, and thought it was pretty cool… [then found $company somehow]” or “I went to $meetup and met $employeeName there, I asked them about your company and …”
- You’re a “self-starter” or dedicated or however else you want to describe yourself because: you planned out your own damn certification plan and did it despite being a busy mom/dad/whatever
- You’re interested in the field: and you can show it because you can rattle off some specific talks or CTF challenges you worked on (even if you didn’t solve it). You’ve got a bunch of write-ups that you shared, too.
- You might not have requirement ABC but: you learned thing XYZ on your own so you’re pretty confident you can learn ABC as well.
- If you are asked technical interview questions, this is not necessarily a pass or fail thing. A lot of on-the-job stuff is new, so it’s not like you’re starting this role with 100% knowledge of everything. If your interviewer isn’t a jerk, they’ll give you the same benefit of the doubt, but you need to give them something to work with. Maybe you can say “I haven’t worked with $thing before but usually my approach is to draw out a diagram with inputs and outputs, and then…” Do not lie to them. If you know nothing about the topic, you should be honest about that, but maybe you have an example of another thing you learned from scratch.
Interviewing is a pretty contrived situation. And, a lot of people struggle with talking themselves up because we’re taught not to brag about ourselves. But hiring is a financial/business decision. So, give them some examples so they can pattern match against their job requirements and let them decide from there. If you’ve put in the work, might as well represent it well and increase your bargaining power in the job process. Getting paid more is diversity work, gurl.
Cover letters
I’m officially square now that I am talking about cover letters. I don’t think that cover letters are needed for most cases, but they are great if you are doing something like switching industries. Otherwise, it might look like this person (with little to no security background) applied to the wrong job. But you don’t want to half-ass this.
Google “cover letter template” and use the middle sections to describe what you’ve been working on (again, from your list). Call out parts of your background that might be relevant (worked in retail? great, this person can be customer-facing). If appropriate, this letter can be an official cover letter or pared down into an email body to jog the memory of anyone who offers to forward your resume.
Disclaimers
I am but a single person so of course, this will not be representative of all hiring experiences. But I hope it will be somewhat useful.
Other disclaimers about getting into infosec:
- There’s a lot of toxicity in the field. This is true in all industries but seems to be more noticeable in infosec, I’m not sure why. But I’ve done alright gravitating towards the non-douchey people.
- There’s a strong drinking culture, which can be rough if that’s not your vibe or is against your belief system.
- Infosec can sometimes be psychologically difficult. Working in the industry, you’ll find that a lot of things are broken, and the companies in question are apathetic or outright hostile when asked to fix things. Seeing this happen over and over again can really get to people, which is why it’s important to support each other and also to take care of yourself.
Strategy Recap
Our cybersecurity career roadmap, altogether:
- Figure out what broad area(s) you want to go into
- Reverse engineer the role(s) you want: based on interests, local options, etc
- Get your foundation: programming or networking. You don’t want to be clueless in either, but work on building up some expertise in one or the other in a way that will help you.
- Determine what formal credentials you need (if any) and make a plan to tackle those
- Build up knowledge through experiential learning.
- Give back and support others through whatever method best suits you
- Practice your interviewing so that your hard work doesn’t go to waste.
- Get paid to hack!
Best of luck!