Tips on Getting into the Cybersecurity Industry (Part 1)

Kevin Qiu
July 22, 2021

We recently hosted a conversation with Deidre Diamond, Founder and CEO of CyberSN, a full-service job-seeker and recruitment partner for cyber security. During this webinar we address common topics around the job hunting process for entry level security candidates, including the different types of roles that employers are looking for, the value of certifications and certificate programs, and CyberSN’s upcoming job marketplace launch.

Transcript:

Al Yang

So first of all welcome. And we're really excited to have you join us on this talk this afternoon. We have two great panelists that will be sharing their experience around cybersecurity recruiting for folks that are new to the industry. So if there are any questions for those who have joined live, you know, feel free to post questions in the chat window. We also obviously have questions prepared.

As a bit of intro, Deidre, one of our panelists, has over 25 years of experience in technology and staffing. She's the founder of CyberSN, a company that was started to remove the frustration in the job hunting process for cybersecurity for both candidates and employers. She is also the founder of Secure Diversity, an organization dedicated to helping all people, especially women, with career opportunities in cybersecurity. Prior to this, she spent several years in software management and sales.

So in terms of Kevin, Kevin is the Director of Information Security at SafeBase, and is overseeing our internal security program, as well as having a direct role in the future of our product. Prior to joining SafeBase, he was a consultant in the financial services world and helped start the security program at jet.com and SeatGeek. And I am the CEO and co-founder of SafeBase, really excited to be able to be the moderator here. So let's just jump right into it. Deidre, you've been recruiting in this field for a long time now. We've all seen the headlines about the massive jobs shortage in this sector. And even though there's a lot of interest from candidates, so our goal with this conversation is to hopefully help our audience bridge this gap.

Deidre Diamond

Yes, thank you for having me. I'm super thankful that gentlemen like you exist that want to help solve this problem, too. So ready to go.

Kevin Qiu

Yeah. And so Deidre, I think one of the first problems that folks have is there are so many different job titles in security. And so especially if you're still in college, or you're looking to transition into this industry, it might be difficult to kind of pinpoint which types of job descriptions should I be looking at? Which ones am I qualified for? So we'd love to have you just do a walkthrough of what common roles are and, you know, kind of what employers are looking for and which ones junior folks should be kind of honing in on?

Deidre Diamond

Yeah, yeah, this is a huge, huge problem that we have, right, so I'm going to share my screen I want to share with you all, what, how vast this is. So as Kevin just said, you know, so we're short 500,000 folks here in the US, or short two and a half million all over the world. And we're constantly seeing folks seeking to get into the cyber security space, and they don't really know what role they should go for. And so they're out there sort of going for them all, if you will. And the response on the other side of the fence is, well, they don't know like, you know, the people interview them, they don't know what they want to do. So it's not a good fit. And so this has been bothering me for a very, very long time.

And I'm super excited to say that what you see in front of you is a picture of what we're launching on July 31, which is taking the functional roles that we developed years and years ago that started in the 20s and mapping them to these 10 categories, and then each one of these, so for instance, this is defense, each one of these 13 defense roles is defined in a way that shows exactly what these roles are, what you'll be doing, what the environment's like, what kind of money you know, I'll show you in a second, what kind of money you'd make, what kind of certs go along with that type of role. So for instance here, this is a security engineer. Sorry to be scrolling, and it shares exactly the overview, related titles and then here's the career pathing. Right, so what we've got going on right now is a massive problem of aligning people to roles and responsibilities that want to come into the marketplace. And so what CyberSN had to do years ago just to match people with experience, we had to create these categories.

But what I've found is being able to provide it in a career center is going to be key to these new folks coming in. So it's vast, it's the, you saw the 10 categories, 13 just in defense, all different titles, all different roles. And people don't know that data.

Kevin Qiu

Yeah, and so, you know, like, some of the more common ones that folks might be familiar with, like one is, like SOC analysts. So for those of you who aren't familiar, a lot of people start their cybersecurity career in what's known as a security operations center. And so these are folks who are looking at logs, looking at security tool alerts, and things like that, to see if there's anything in the environment that is worth investigating. So this is a really good way to start your career, because you end up being exposed to a lot. And it's because there is a whole ton of data. It's also real live data. So if you've been practicing in labs, or taking university courses, you know that a lot of that is kind of simulated, and you really don't learn a lot of the core concepts until you see it in action. And so the first time you see actual malware on someone's laptop, at a company that you work at, then it starts to become a lot more real, right. And it's not just this tutorial that you're kind of looking at.

And, you know, another very common role that we've seen for junior level folks is pen testing, right? So this is very common in online tutorials, you know, you can download Kali, there are lots of labs out there, a lot of universities kind of tailor folks in cybersecurity programs to be pen testers. And so that's a very popular starting option. So very attractive to junior candidates, because the pay is usually great. And if you like travel, there's a lot of opportunities to work with consulting companies who do pen tests for companies all around the country, sometimes the world, and you learn a lot. And you're almost always paired with a more senior pen tester who can kind of show you the ropes and teach you all these different tools. And you know, kind of like with the SOC analyst stuff, when you get your first domain admin on a real live company network. It's a very different feeling than if you just complete a lab that was designed to be completed, right? Real life, there's no shortcuts or answers. And so it's very exciting.

And the other kind of third area that I've seen, a lot of folks start in is a security analyst role where you're part of like a blue team, meaning you help defend a company's network and infrastructure. Almost always, you're also paired with more senior folks who can kind of teach you not only technical things, but also things about the business. Now, why is it so important that you have this role, why there's like a team and things like that.

And kind of the last big area that a lot of folks also started in is like the audit world. So as some of you may know, compliance is a big thing in security. And so what some folks do is they join audit firms or compliance firms where you're supporting a cyber security audit of a larger company. And this is also a really good way to expose yourself to a lot of different departments, a lot of different technologies and things like that. Because once you start a cybersecurity audit, you'll learn that it involves a ton of departments, and you're not just dealing with security folks, you're talking to HR, you're talking to finance, talking to marketing. And so these kind of hats are really good ways to get started.

And I'll hand it back over to you.

Deidre Diamond

Yeah, I agree. You know, I was showing the security specialist, which is the security analyst is really the entry point. For almost every role. You mentioned, pentesting, there are a lot of people, here's the security analysts that get in and start with pen testing. But that's really the only you know, in terms of the technical roles, those are really the only two entry points. And then as you mentioned, you know, compliance is a big piece of, you know, what's happening in the marketplace, but really, from, you know, from defense and response, you've got and build those are your highly technical roles along with research, right, and the rest are potentially less technical. So for instance, in sales, it's possible that those folks are less technical. I used to run a sales engineering, the group and I was certainly, you know, don't consider myself extremely technical. And so and yet, there's a lot of sales engineers that are really technical.

So it, you know, the bottom line is this as an analyst, it's the best way to start. You get to see everything sort of and it's really the place that people bring people in other than pentesting. And then compliance of course, you can get entry level. But in research, you can get an entry level but the rest it's just really isn't entry level. Yeah. It's, uh, educating people requires experience. So far. So yeah, I think you laid it up extremely nice. You know, it's nice to recognize that you know, how to move through these roles, which is really important.

Kevin Qiu

Yeah, so so Deidre, what are some, like career paths that you've seen? So you mentioned folks start from security analyst, and sometimes they end up in very different areas right after from where they started?

Deidre Diamond

Yeah, isn't that interesting. So a security specialist and security administrator, you can go many different ways, this PKI professional, which is becoming very, very popular, we know IAM is very popular, right? Data loss prevention, vulnerability, threat, cyber analyst work is over here. So you know, you've got cloud security, security engineering, cyber threat. So really, while an analyst can start here and move either way, and the specialists are sort of, you know, entry level analysts, if you will, these are experienced analysts. So you tend to see this sort of security administrator really being at the hub, understanding how security works. So it's quite fascinating, we're seeing people move all over the place. And that's one of the things I love about this industry, is that we see a lot of people moving into other roles quite often.

Kevin Qiu

Yeah, great. And I guess the next question is also related to the entry level is those certifications that are a big part of the security world, on LinkedIn, people's resumes, all these different certs. And so one thing that I hear frequently is folks are unsure of which ones to kind of focus on, at least in the beginning. So we'd love to hear your thoughts from a recruiter perspective on what you think about that.

Deidre Diamond

Yeah, let me show you something. So this is, this is crazy. So what I think about that is, sorry, this is 350-something certs that we've deemed the most sort of utilized certifications, and we're mapping them to all those positions. So in the career launch on July 31, it'll be there. But the point is to say, it really depends on the role. You have to start there, you really have to start with what is the role that you're looking to get, and then the certifications and the trainings can apply. And that's also something I see. And so you know, this is super scary. But you get the point of how many there are. There's actually 700-something according to my security team that did all of this data.

And so, really, it's about picking the role first, and then those will really help the person. I've seen lots of people take certs and classes, and they don't know what role they want. And then they're not utilizing them. Because they could also be very expensive, right? In addition, yeah, way too expensive. I mean, you mentioned Secure Diversity. One of the things I'm taking on over there is making sure that we can get security training affordable or no cost, because what's affordable in education?

Actually, knowledge ought to be free as far as I'm concerned. And so I'm working towards that. But you are absolutely right. I mean, 5, 10, 20, 25, 30, 40, $50,000 are the range of all these different certs. And the higher you get, the more expensive they are. And that's a big problem, which is why we have that barrier, we have the economic barrier.

Kevin Qiu

Yeah, and one thing to note is so the CISSP is a very common one that you see next to people's names. And that one, you're actually not even allowed to get until you've spent four or five years in the industry, right. And so a lot of confusion about that. And I know for pentesting, OSCP is a big one, CEH is a big one. But let's say you want to be a SOC analyst, there's a bunch of GIAC ones. If you want to do cloud security, there's like CCSK, some kind of like you mentioned, it's very highly role dependent. And so folks should try to narrow that down. And is that graph available on your website?

Deidre Diamond

Yeah, well, not today. All of this will be available July 31. Today, on our website, you can certainly see all the 45 categories and all the job titles associated. There's over 700 job titles these days. You know, and we've scraped all jobs posted out in the world and paid attention to all that data in the US, I shouldn't say the world, excuse me, but, you know, it is very, very hard for anybody to, you know, get the experience and the certifications typically at the same time when they're just joining and so you know, that I get asked a lot. Which one should I do first? Should I try and get into a company and get experience? Or should I go get that cert? I just tell people just do both at the same time, you know, don't choose, focus on getting both, as long as you know what you want to do.

Kevin Qiu

Yeah. And sometimes when you first get a job, depending on the employer, they might actually tell you, you know, join now! We will actually sponsor you and for continuous learning, like if you want this cert, just get started with us now, because we need somebody and we'll help you self study and train you, right?

Deidre Diamond

Yeah, yeah. Yep. Somebody gave a question in here. Oh, sure. Yeah, that's a good one. What functional knowledge should I know before I enter a SOC analyst role? How beneficial would it be working with SIEM platforms like Splunk, Elastic, ELK? ELK is open source? I think it's a, you know, would be awesome to have that experience. That's the challenge is typically people coming out of school don't have experience with what a SIEM is, and how to recognize things in a SIEM. So I think our education systems are starting to catch up. And that's starting to change. So I would say yes, if you can get your hands into that, without a doubt. What do you think Kevin? Yeah,

Kevin Qiu

I would say, especially the open source ones, once you've kind of worked with one SIEM, you understand the concepts, and it's not too difficult to transition to a new one. One thing to note is Splunk is great. I love Splunk. But they're very expensive. So unless you can get a student license, or your university has some sort of license for it, it might not be a great one to practice on. So the ELK stack is great, because you can just set it up in like a VM and whatnot. But yeah, for a SOC analyst role, if they've seen that you can, you know, day one, you're ready to go, you know how to search and all that they'll definitely put you at an advantage, right? Yeah.

Deidre Diamond

Yeah. Yeah. Without a doubt. I mean, that's the number one challenge is not having experience with the tools that they use every day, whether it's the same tool doesn't matter, like you said. Great.

Kevin Qiu

Yeah. And so in addition to, labs, and certifications, I also want to call out pretty underrated resource in our sector, which is mentorship. So I know that anyone can go online and do a lab or take a certification. But for me, my personal growth has come from mentors who have been in the field longer than me and teaching me. And so what are some available resources that folks can use to be paired up with someone who's an industry veteran, just to learn more from like, a practical standpoint, not just textbooks?

Deidre Diamond

Yeah, that's a good one. So a couple of things. One is, you know, you got to put yourself out there and find yourself someone and not give up. Not everybody can take new mentees, I know that I can't most of the time, you know, take new ones, but there's people out there looking to be mentors. I know that most people that go to industry events are there to support in the community more than, you know, looking for something for themselves, if they're seasoned professionals. So I always recommend going to local events or online events.

And, you know, really reaching out to people and asking them to be a mentor. Definitely don't ask somebody to be a mentor if you don't know what you want to do, or you're not sure, you know, like, do your research and figure that out first. But I'd also tell you that groups focusing on secure diversity like WiCyS, which is women in security, they offer a whole mentorship program and they're international. And I support them and have been supporting them for years. They do a great job of offering mentorship, again, that is for women. So you know, unfortunately, there isn't something I know for sure for men. Other than get out there to these events, you know, go to these events. There's so many wonderful people, they're looking to help people.

Kevin Qiu

Yeah, and so there are also dedicated websites, kind of like the WiCyS's of the world. There's one called Battleship. I know a few folks are mentors there. So Lisa just mentioned ICMCP does mentorship. There's another platform that I was on for a little while called Mentorcruise, that has a bunch of cybersecurity mentors. And, you know, one thing that you can do is, people really feel attached to their universities and colleges. If you find someone who has been in cybersecurity for a while, went to your school, and you have a rough idea like hey, I think I want to go into pentesting, here's what I've studied so far. I would love to have like a coffee with you or just a Zoom chat one of these days. More often than not, they're probably going to say yes, right? As long as you come prepared with a clear goal and you're not just someone who's just like I want a job, right? If you seem like you're willing to learn, most people will try to help you, right?

Deidre Diamond

Yeah. Oh, for sure. And if you are employed, look in your own organization, that's a nice place to look to. In maybe other teams could be in your same team. But yes, I've ever heard of that. The one you mentioned, Kevin, Battleship Security. I think that's the name. Yes. It's something like that. Yeah. check that one out.

Kevin Qiu

Yeah. And okay. And I think Deidre this is the last topic for today. So there's an issue of a lot of recruiters that, unlike you, aren't used to recruiting for security folks. They don't necessarily know the right terminology to look for, or they might expect too many certifications. What are some ways folks can either change their resumes or other strategies to get these recruiters' attention?

Deidre Diamond

Yeah, this is the big one. So, you know, the whole taxonomy that you saw that we started building back five years ago, and started in the 20s, you know, job taxonomy was for this reason. I could not get, you know, matches quick enough, my recruiters couldn't pick up all 45, you know, job responsibilities and understand them inside and out. So I had to really build this taxonomy and then build the job building technology that we have. Then the profile building technology we have. So it is that big of a problem. And, you know, building platforms and technology is expensive. I would have never done it had I not had that problem originally. And then I realized, well, shoot, the whole world has it. So, you know, a couple of things.

One is I'm hoping that, you know, once the world understands that this is here, for them, that will go away that we don't have to have recruiters that don't understand this. But number two is, you know, organizations themselves, hiring managers in positions like yourself, Kevin, cannot allow the HR departments to have recruiters do the screening. You just keep. There's no. Anybody who's doing that today, you've already missed people you could have hired without a doubt. And so I think it really the, you know, hiring managers have to really step in. They have to make sure these recruiters can speak the language. If they can't speak the language, get them the technology, you know, build your jobs with the right taxonomy. It really, it's, it's not easy. I mean, literally, we could not make matches in a timely fashion that made any sense. And we would not be able to be who we are today as the largest cyber staffing firm doing the kind of volume business we're doing without that job building and profile building, highly resume building technology.

So it is now available to the world. July 31. And I'm hoping that it changes the game because it's painful for cyber professionals, or even entry level people to talk to somebody that doesn't understand what they do. And then try to place them in a job and screen them for jobs? I mean, that's the worst part, like they're screening. So you don't even get to the hiring manager. I mean, that's for those that have experienced that are job searching, it's a nightmare. And those that are entry level, they don't even usually get on the call with the recruiters. It doesn't, you know, it's pretty rare that they do anyhow.

But if they do, it'll be worse.

Kevin Qiu

Yeah, and kind of the last thing I have to say about this topic is, if there's a company that you're really interested in working in, try to find the security team folks, either on Twitter or LinkedIn. Just reach out and say like, hey, I'd love to chat with you for 10 minutes about your job. I want to see how it is. Maybe they'll like you. And maybe they'll do a direct referral. Right?

Deidre Diamond

I agree. And yeah, and to your point, apply to every job. These job descriptions mean nothing. You just said that they put CISSP on entry level. And meanwhile, you have to not only have five years experience, you have to have somebody in cyber sponsor you to get that. So it's ridiculous. And so don't even, I tell people all the time, unless it's my job on CyberSN's platform, do not care about what those words say, if it's close enough, or, you know, semi close, apply, because you don't have another choice. The job description means very little.

Al Yang

Yeah, and I'll say this, this is a time check. And I want to share some of my perspective. So I actually don't have a cybersecurity background like the folks on the call here. But you know, at SafeBase, we built a tool to help companies streamline their security assessment workflow, which means we're working with cyber security folks. We sell to Information Security Managers and CISOs. And we've talked, I've personally talked to hundreds of folks at this point who are at different levels of different companies, all in information security, and I would say that diversity couldn't be wider. Right? And that just goes to show and it's not like you need to be a specific type to be successful. I've seen CISOs who have come from very unique background and might be very technical to not technical at all.

And at the end of the day, it's a people business, it's relationship building, and it's about building trust with each other. So if you have the right intention, and if you have the organization in mind, I think it is a field really for anyone who wants to get it. And that's just a personal observation. And you know, even when CISOs are working with each other, you know, through SafeBase, right? Because what we do is a company wants to evaluate another company to see if they're trustworthy. At the end of the day, they're looking at the human behind the security program. They're saying, can we trust these people who are putting together this security program? Let me go on their LinkedIn to look at their background. Do they have relevant experience? Or what are the things that they're posting and or liking. These all matter. And that's just a personal observation. So I really wouldn't say there's any sort of specific barrier.

Don't feel like, oh, I don't have this, I can't do well. I think, basically, what you've shared today really opened my perspective as well.

Kevin Qiu

Yeah, thanks. And we have two questions that I'd like to answer just before we wrap up.

So first one is, would you say the majority of jobs in the industry right now are blue team roles. I'm stuck in the middle of choosing whether or not I want to go into red team or blue teaming. What advice would you give to someone who's in that particular position? Currently leaning towards being a pentester? Okay, so yeah, I would say the majority are blue team roles right now, because companies are responding to big events, like, say, SolarWinds. They want to keep their own house in order. And the nice thing about pentesting, red teaming is you can always hire an outside firm, to do assessments for you very easily. And so the focus usually isn't on getting a red team person or a pen test person first.

However, I would say like, if you really like pentesting, and really like doing fun exploits, writing exploits, breaking into things, it's definitely, I would say, like a very fun job for a lot of people, whereas blue team, you know, like, technically, I'm blue team and not to say that it's boring, but it feels like more of a job and less like a puzzle where there's like an end goal in mind of domain admin, or finding resources, right. And so I would say, being a pen tester as your first job is probably actually better than the other way around, because you're gonna see that there are real issues in the real world, and that the configuration best practices that everyone talks about, people don't actually follow them. And then when you transition out of pentesting to the other side, everything's gonna start making more sense. And you're like, this is why I'm making all my S3 buckets private. This is why we're encrypting all this at rest. This is why we have MFA. It's almost like, for me, it's like, if you go to MBA school without actually working, a lot of that stuff, you're not going to understand why they're teaching you that until you really see it, right.

And so by doing the pentesting, seeing actual live issues, the blue team is going to be a lot more rewarding, because even though you're not going to get a pat on the back where someone's like, thanks for finding domain admin, you're going to know internally that yes, what you're doing is actually really impactful. And even though there's no headline saying, you know, you stop this attack, you are stopping a lot of attacks indirectly. And that's extremely valuable.

And so second question, I have also heard stories about alert fatigue. Yes, this is absolutely a thing. I think Deidre, you've probably seen this with most people in the SOC analyst type of role, they usually cycle out after a year or year and a half. And there's nothing wrong with that. It's just because it's a very stressful job. These SOC managers, they understand this. And sometimes companies, they'll rotate their analysts into a blue team role or into a pen tester role or something else, and then rotate them back. Some people also just switch companies just to see something new. And if you see a lot of SOC analysts, you look at their LinkedIn, they usually only do it for about 12 to 18 months, then they do something else. They might go back to it because it's very, not sustainable to look at logs all day for that long. Deidre, would you agree?

Deidre Diamond

Yeah, the SOC analyst role is continuing to evolve based on technology, right? So the more automation we get, the better those roles are. One thing to recognize is that there's level one, there's level two, and level three, and the eyes on the glass is usually the level one. And so I know many security leaders that are really working on automation to get rid of that. So I don't think it's long lived. Both things. To the security leaders and the product companies. And yet it's supposed to be that you move up, you know, into the analyst two, to an analyst three, where you're really, you know, doing more threat hunting, you know, as you get to the third level, so it again, depends on the size of the org, in terms of what a SOC analyst really means.

But if it's an operation center, and there's shifts, and it's 24 by seven and all these things, it's typically 1, 2, 3. And if you stay at one yeah, that's gonna be terrible, but most people move from level one to level two and a year or so and they keep going and if you're in a place that you, yeah, and if you're in a place that's not giving you that support to move from one to two to three, get out, because you will burn out yeah, it's not the right place.

Kevin Qiu

And that's not to say that any one SOC analyst is just bad at their job. It's just the type of work does that to humans, right, and there's nothing wrong with it?

Deidre Diamond

No, no, and any and all of us want to learn and be challenged and move into harder and harder things to do. So it only makes sense that we move through that role pretty quickly and/or eliminate it through automation and have more threat detail, you know, focus and vulnerability focus, you know. Excellent.

Al Yang

I think that's time. Maybe just one last word from Deidre and our panelists, how do we get in touch? What's next? It sounds like you guys are launching something exciting on the website.

Deidre Diamond

Yeah, for sure. July 31, new digital presence for CyberSN that is a career hiring center. All the data that we have made digital so that people can self serve and what we're calling Pwn their own careers. And trademarking that because it's really what this is about. We can't rely on organizations to grow us. We need to rely on ourselves, which is why I'm thankful that people like yourself are bringing this to the forefront because we as individuals, we need help on how to navigate this. And so yes, it's all July 31 will be at your fingertips. Excellent. Thank you so much. Thank you. Thank you.

Al Yang

Again, thank you for joining everybody. We'll record this and publish this on our blog, and hopefully we'll have more of these in the future. Thank you. Bye, everyone.

Interested in a career in cybersecurity? Check out CyberSN's new Marketplace, a space where the cybersecurity community can come together in one place and access all the information they need to accelerate the success of their careers, businesses, and society as a whole!

Stay tuned for Part 2 of this webinar series!
