Tips on Getting into the Cybersecurity Industry (Part 2)

Kevin Qiu
August 24, 2021

Al Yang

Well, hello, everyone. And thank you for joining us. If this is your first webinar with us, welcome. If you're a returning attendee, we're very glad to have you back again. So as always, feel free to feel free to pose any questions in the chat window or using the Q&A option in Zoom. We'll try to answer these questions right away or will definitely be on the lookout and talk to them at the end.

So today, we have two great panelists that will be sharing their knowledge and experience with cybersecurity recruiting. So our first panelist is Catherine Tanner. Catherine is currently the CEO of 3P&T Security Recruiting, a search firm that companies across the United States partner with to find talented information security professionals, from mid, to senior, to, call it, executive levels. And she was previously a staffing partner with CyberSN, whom we spoke with during the last webinar.

And joining Catherine today will be our very own Kevin Qiu. Kevin is a director of information security at SafeBase and is overseeing our internal security program, and has a direct role in the future of our product. So prior to SafeBase, he was actually a consultant in the financial services world. And he helped start the security program at Jet.com, which got acquired by Walmart, and at SeatGeek. I'm the CEO and co-founder of SafeBase.

So let's get right into the discussion. So Catherine, you've been recruiting folks in this sector for quite some time now and have successfully placed candidates in all different types of companies across multiple different types of roles. Last time, in our last webinar, we covered a variety of topics at a fairly high level. But we found that folks were most interested in the qualification aspects of security recruiting. So I'll let Kevin jump right into some of those topics.

Kevin Qiu

Yeah. And Catherine, so this is a question for you; this is somewhat of a new trend. So over the past 10 years or so, we saw that there was a rise in boot camps, technical programs that weren't full college degrees, where folks could attend classes, learn different things and jump straight into a job without having to go to college. And so one of the questions that we've heard is: are these boot camps worth the time and the money? And how can folks get the most out of them?

Catherine Tanner

So for the boot camps, they're a great alternative to going and getting a four-year degree, if that's not your thing and you're not wanting to do that, or even, you know, getting a master's and that kind of thing. So they're great, as far as being able to give you kind of a running start, I guess, is a good way to say it.

However, I spoke with a few people in preparation for this, and asked them about their experiences at boot camps, and how prepared they felt going into the job. And the majority of the people said that there was still a lot of personal studying they needed to do, because it's more of like a, at least the programs that they were in were more like high-level programs that kind of covered a lot. But they did say that the instructors were really willing to help out if they had questions, they could go to them, you know, and that kind of a thing.

But as far as like from an employer's point of view for boot camps, they don't, at least not the employers that I worked with, don't consider that work experience. So you for sure can't count that as part of your experience. I haven't found any employers that are okay with that. So that's my two cents on that as far as that goes.

Kevin Qiu

Yeah. And so it's definitely not like a job, right. And so nothing really replaces the experience, but in terms of the actual knowledge that folks learned, and the topics covered, did you kind of get a sense that at least that was helpful? Because obviously, these are very short programs, but there seems to be a lot of information condensed into that, and much of it is directly tied to jobs, even if they aren't actually the job, right?

Catherine Tanner

Yes, exactly. Yes. And they found it very beneficial. And I think it also gave them confidence even to apply, because I think a lot of people are - I have found a lot of candidates, especially either if they're just pivoting and getting into cybersecurity or maybe they just graduated, they're like, I don't know what to do, you know, I don't fit all these qualifications or that kind of thing. So it did give them a little bit more confidence to go ahead and just apply for positions as well.

Kevin Qiu

Yeah, because I think that it's actually not super easy to learn about security just from the internet, right. It's a lot of different topics, a lot of different terminology. And I think that, at the very least, the boot camps help folks to organize that in one place. And usually, the instructors are also former or current cybersecurity professionals. So they also learn from that level of experience and practicality. One question I also want to follow up with is, so let's say that folks do sign up for these boot camps, they go through it, have a great time, what should their expectations be in terms of job placement and applications? So is it a case where you go through boot camp, folks automatically match you with a job, or do candidates still have to put in that work to apply, to network, to make really good resumes and apply on their own?

Catherine Tanner

So some boot camps do offer that employment placement arm of it, a lot of them do not. And so you still, excuse me, you still have to go ahead and network and reach out. And that's always something that I recommend anyway: you're going to get your foot in the door by knowing somebody at the company. So you know, network with whoever it is that you know, whatever company it is that you want to work for, start reaching out to those people and, you know, telling them that I would love it if you could be my mentor, or you could, you know, tell me the best way to get my foot in the door, that kind of thing. Yeah, I think that's a really underrated way of getting a job.

Kevin Qiu

Because the success rate isn't super high, because recruiters get tons of resumes all the time, and getting a direct referral is much easier. And one tip I would have for folks is it's definitely great to reach out to current employees of places you'd like to work at. And when you approach them, don't just go to them and say, hey, I'm really interested in getting a job. I would frame it that you're someone who's looking to break into the security world, you've spent a lot of time self-studying, you've gone through a bootcamp and have a good, solid understanding of the fundamentals. And you're very interested in the company that they're working for. You like the stuff they do, and you'd love to just, you know, just have a chat about the experience. And then what I find is that most people, when they encounter more junior folks who are looking to switch in, are usually pretty helpful, as long as it doesn't seem like it's a very parasitic relationship; if there's someone who's actually really willing to learn, and is genuinely excited, and isn't just contacting you just to get a job, and then never talk to you again, right? People will help.

Catherine Tanner

I have found that too. And I spent a lot of time on LinkedIn, connecting and talking with people. And there's so many people out there that are so willing to help those, you know, that are just getting into the industry, because they had people that helped them, you know, and they're just paying it forward. And so yeah, most of the time, I have not found people to be like, no, I'm not going to help you. So there's plenty of work to go around, that's for sure.

Kevin Qiu

Yep. As long as you're willing to learn, and are a nice person, people will probably help you, especially in this field. Everyone's still understaffed and if they see people that want to apply, I think most people will be like, I could always use help, right?

Catherine Tanner

Yeah.

Kevin Qiu

And so we've covered boot camps a bit. And I think a natural topic is, in addition to boot camps, there are also the more traditional four-year undergraduate degrees or even two-year graduate programs that now have a focus in cybersecurity. So this didn't used to be super common, but now we're seeing schools like Carnegie Mellon and Georgia Tech have dedicated master's programs for security, for folks who didn't necessarily study cybersecurity in undergrad, but either have an interest or are transitioning into it from work. From your placement of candidates, have you found that those master's degree programs have provided value to them? Or do you think that maybe wasn't the best use of their time and money? Because obviously, they can be very expensive, right, and take two years of your time. Sometimes they're full time, some night school, and so definitely not a small commitment to make, right.

Catherine Tanner

That's for sure. Yeah. And I have found that pretty much anybody that I've talked to that's gone the master's or grad, postgraduate route has found it useful. And the other thing too, kind of going back to the networking, is you're going to meet a lot of classmates and, you know, especially if you keep those connections active, I guess you could say, keep in touch with people that are your classmates, because there may be an opportunity for you down the road to help them or they can help you. But I have not heard hardly anybody say my master's was not worth it.

Kevin Qiu

Like you said, if their undergrad had nothing to do with cybersecurity or information security or technology, that's saying something, right? Because for a lot of these master's programs, the annual tuition is anywhere from $30,000 to $50,000 a year. And so, if folks are saying spending almost $100,000 on a degree is worth it, then it probably taught them a lot. And I think also, you get access to really good professors that either are big into research, or have a lot of connections into industry. And so you do get a lot of advantages there. And the trade-off versus a boot camp is that it does take much more time than the boot camp and costs much, much more money. And one thing I will note is that in a lot of the degree programs, there tends to be more of an emphasis on the academic learnings of cybersecurity, and they're not as directly focused on the job portion of it. Whereas the bootcamp is like, as a network analyst, this is what you need to do. Right? And another cool thing to mention about the graduate degree programs is a lot of schools, especially the ones with engineering programs, have cybersecurity clubs, where they have students who participate in Capture the Flag events, go to conferences, and things like that. And so I think the community aspect of it is definitely there. And you do form longer-lasting relationships than at a boot camp, because this is over one to two years versus two to three months. And so, obviously, there are pros and cons to each approach, but we just wanted to share some insight into them both, so folks can make a good decision.

So one other area that's kind of been more of a topic in the tech world overall is, do people actually need a college degree to get a job in this field? And so I've worked with people that have had PhDs in security, some just kind of learned on their own, just graduated high school and never went to college, and I found that there are good people on kind of all the different parts of the spectrum, and I'd love to kind of hear thoughts on the whole degree requirement, because it does become a problem for some folks. Right?

Catherine Tanner

Right. It does. Some, it seems like most job reqs say bachelor's degree or equivalent experience. And so there are definitely jobs out there. I would say the only time that somebody would be a real stickler is an employer if they do consulting, and their client has that as a specification. But no, you can be a superstar cybersecurity engineer and, you know, just graduated high school. So depending on how much effort in studying and that kind of thing that you put into it. And, you know, on the other side of the spectrum, I've met people that have master's degrees, not necessarily in cybersecurity, but, you know, they are clueless. So, I would say, always ask if equivalent experience would be acceptable, and, you know, don't just automatically go, oh, that one says I have to have a bachelor's degree, I'm out, you know.

Because one client that I'm working with right now is looking for a certain certification. And they also had a bachelor's degree on there as a requirement. And when I went and had a steering meeting with them, I said, well, this person has a CISSP, but he doesn't have a college degree. And he was like, oh, I don't care about college degrees. He's got the CISSP. And so, you know, ask the questions, because the worst that they can say is, no, you really have to have that, you know, and then you can just move on, but it's so easy. And I don't know if that's coming from being a woman or not, but it's really easy to count yourself out. Oh, there's other people that are going to be so much more qualified, they're not going to look at my resume, because I don't have a college degree. You know, that kind of thing.

Kevin Qiu

Yeah, I think you're absolutely right. So LinkedIn does this funny thing, where for job postings, they tell you the number of people that have applied. It's almost like a way to either encourage you because it's a popular job or to scare you, because there's so many candidates. I don't think there's ever been a job where I went into it thinking I'm not going to get it. And so my point of view has always been, you know, why not apply? I'm pretty sure I can do this job. And the worst that will happen is I get a canned response saying thank you for applying, but we're not moving on, or they don't reply at all. No one's ever gonna come to you and laugh at you and say, oh, you don't have this certification, you don't have this experience. Right? And yeah, I think that is a thing with women in cybersecurity in particular, right? We see that most of the candidates are male; a lot of the female junior folks that I've talked to, they tend to be the type that reads very deeply into a job description and says, I don't have five years of this, I don't know this software, whereas a lot of the males are like, oh, I'll just apply and see what happens.

Catherine Tanner

Right, exactly.

Kevin Qiu

I'll learn on the fly. Yeah, exactly. Right. And I think that overall, we should encourage more women that are interested in this field to apply. And I think part of it is cultural. Probably all of it is cultural. And I think when I was at Jet, I must have interviewed over 100 candidates, and there was honestly only one female that we encountered that whole time. And what we found out was the job descriptions that we had, we used this tool, it was using language that was very off-putting to females, and it was more male-oriented. And so I think recruiters overall need to do a better job with writing these job descriptions. But it's also on candidates to not be afraid of them either.

Catherine Tanner

Right, right. Yes, exactly. I completely agree. Yeah.

Kevin Qiu

And for our last topic, before we open it up to questions, you mentioned a great acronym, CISSP. And so at the last webinar we spoke about certifications at a very high level and how they're very role-dependent, and the recruiter that we spoke to, she mentioned that there are over 700, like, fairly, quote unquote, common ones, which is true. And so I think let's use a few minutes to think about or discuss the ones that are the most common for roles that people are looking to get right now. Because, of course, for every type of software, there is some certification, some training, but what are some of the big ones that you would recommend folks at least consider or look into, when they're first starting out?

Catherine Tanner

I would say the Security+ certification, Network+, if you're going down the networking route, those are two good ones to get under your belt. I see a lot of the Certified Ethical Hacker certification, which I don't think I've ever had anybody actually ask for, but, you know, having that certification obviously shows that you know at least the fundamentals of hacking and that kind of thing. The CISSP is probably the one that would be the most challenging if you're just entering into it, because you have to have five years of work experience to actually get the certification. But you can certainly be working on the practice tests and things like that as you're gaining that experience. So that way, when you hit your five-year mark, you can do that one. But I would say the CISSP is probably the biggest, or the most requested cert that I have looked at, unless it's like an offensive security position. And of course, the OSCP, was it. Yeah, that's one; some employers look at that one as even higher than the CISSP. As far as, you know, if somebody has the OSCP, then it doesn't matter if they have the CISSP. So, those are probably the four biggest ones that I would say that I've seen employers look for.

Kevin Qiu

Yeah, because there are also ones that are, you know, very specific to AWS, or Azure, GCP. And those are obviously good to have. But I actually wouldn't recommend folks necessarily start with those, because they're very technology-specific. And so if you end up at a job where you're going to use Azure instead of AWS, maybe it wasn't worth your time getting the super specific cert.

And a lot of employers, for the junior candidates, they actually have training budgets, where if there's some specific software that the company uses, they'll allocate some funds so that those folks can become better at it, so that they can become better employees. Right. And so that's a word of advice, because the AWS ones, I think at this point, there's probably 100 different ones, and it can be hard to navigate. And yes, the CISSP, I think it is a problem, because a lot of companies are trying to hire that first security person. But then a lot of candidates maybe are on the more junior side, and someone with three and a half years of experience probably could do that job. If you're gonna cut them out because they don't have a CISSP, I think that's a little short-sighted. But again, it's due to recruiters just not having that information and experience. And so once again, just apply to it if you think that you can do it. And if the company seems like it's a great place, I would just apply to it.

I actually don't have a CISSP, or any of the other certifications we talked about. This just happened to be because my situation was a little unique. I started out in consulting, managed to get a junior-level job at a tech company. And in tech, the certifications tend to not be as common, and people just focused on work and less on the training and all that. And for better or worse, but I would say, for candidates who don't have that prior experience, having the very common certifications does help you stand out.

Catherine Tanner

Right, right.

Kevin Qiu

Yeah. And so honestly, if, as a hiring manager, if you had two candidates side by side that are basically the same, except for one had certifications and one didn't, the one with the common certifications is probably more likely going to get the nod, right, at the end of the day. Would you say so?

Catherine Tanner

I would say so. Yeah. Unless during the interview process, you can help yourself stand out by, you know, like, during the technical interview, showing that you know exactly what you're doing. But yes, I would say just as a general look, you know, sorting resumes, for example, yes, that's who's going to get the top priority.

Kevin Qiu

And since we have a bit of time left, in addition to certifications, what are some other kind of recruiter tips for things that folks can put on their resume to stand out, assuming they don't have that prior experience?

Catherine Tanner

Sure. Um, I would put your education at the bottom of the resume, put your work experience at the top. And just as a recruiter looking at a lot of resumes, that's helpful, because that's what employers are going to be looking for first, most of the time. And the other thing I would say is, if you can, if you've got the work experience, highlight what you have accomplished where you're at, you know, how did you, being at that company or in that role, make a difference to your company. Because if you can say, I helped, you know, reduce the vulnerabilities that were, you know, in the software, or in the network, or that kind of thing, by x percentage, that's going to stand out to an employer. And use these opportunities also to show that you'll go the extra mile, and that you're not just going to be punching in and punching out. And oh, that's not my job, I don't do that, you know, type of a thing, because, especially like you said, with smaller organizations, where they're trying to bring in their first security person, you're going to need to be a jack of all trades. And you're going to need to be able to wear a lot of different hats and be willing to do that. And just help out the team wherever you can. And employers are going to value that a lot. So that's what I have found.

Kevin Qiu

Yeah. And especially for folks that are maybe more on the pure IT side, by demonstrating that you went out of your way to work with the security team, to learn about what they do, to learn good practices from them, I would definitely put that on the resume to show that you were actively trying to work on this stuff at your current job even though it wasn't required of you, right.

Catherine Tanner

Yes, that's excellent. Sorry for all the batting. We just got to our house in Arizona, and our air conditioner's broken. Oh, no. Yeah. So we had to have the doors open. And it's like 90 degrees in here right now. But that's okay.

Kevin Qiu

Yeah, Al is from Arizona, actually.

Al Yang

I lived in Arizona for about a decade. And I can't imagine Arizona without AC.

Catherine Tanner

I'm a Seattle girl. So yeah, we're melting. But we've got people on it. So hopefully, it'll get fixed in the next week or so.

Kevin Qiu

Well, thanks for taking the time and providing us with great knowledge.

Catherine Tanner

Oh, of course, I'm happy to.

Kevin Qiu

Yeah. And I think we have about three or four minutes left, so if any of the attendees have any questions, we'd be happy to take your questions now.

Al Yang

And we'll make sure that when we post these, if there are any follow-up questions from viewers or audience who got a chance to look at this, we usually get quite a bit of traffic, any of those questions, if we can't follow up ourselves, we'll make sure we include Catherine in the discussion.

Catherine Tanner

Thank you. Really quick, while we're waiting for somebody to ask a question, on certifications, I did a poll, well, not a poll, but I asked hiring managers on LinkedIn what their perspective was on certifications, and if that would make or break them interviewing somebody, and across the board, it was no. It would not make or break them. So don't feel like if you don't have the certification, you shouldn't apply. Because like I said before, if you can prove that you know what you're doing, and you have the experience, that's going to trump a certification without experience any day of the week. So I just wanted to throw that out there.

Kevin Qiu

And attitude.

Catherine Tanner

Most important, yes, attitude. Huge, huge, huge. Yes. Great.

Kevin Qiu

And okay, it looks like I don't have any questions right now. So I think we can wrap it up. And, once again, thank you so much, Catherine, for joining us. Always great to have folks with your experience share their insights. And hopefully, the attendees and future viewers of this webinar will get a lot of insight from it. And, of course, Catherine, do you want to talk a bit about your firm? We always like to give an opportunity to our panelists to promote themselves.

Catherine Tanner

You did a great, great intro for me. So we work with the companies, not necessarily candidates; we're brought in from the company side. But yeah, we place mid to senior level cybersecurity across the US. And it's really satisfying to be able to help companies find the right people for those seats, because your business can't move forward if you've got the wrong people in the wrong seats. So it's been really fun. And I love it. I don't see myself doing anything else besides this, and I love being able to talk to the candidates and find out what their goals are, and, you know, what their trajectory has been so far.

Kevin Qiu

Oh, we actually have one question. So one attendee asked: I'm interested in a new career in governance, risk, and compliance. However, this seems to be a challenging field to enter. Any suggestions?

Catherine Tanner

That is a good, good question. Um, I wouldn't say that that is any more difficult than other cybersecurity or other information security roles. It's, you know, just reach out to people that are already in those positions, that, you know, you can say, hey, how did you get your foot in the door? What pointers can you give me? So, you know, learn from them, be an open book, and just, you know, let them know that, hey, I want to be where you're at. What do I need to do? You know, I'm willing to listen, can you give me some pointers? And that kind of thing.

Kevin Qiu

Yeah. And I think one other tip that might be helpful is, I think the term GRC isn't always super common. So when you're searching for roles, I wouldn't necessarily type that in if you get no results. Try compliance analyst, security risk analyst, compliance consultant; sometimes we see that too. So I would use some wordplay there, because a lot of times the recruiters have the job open, but it's not the words that we're used to. And so you have to do a little bit of digging, right. That's what I see.

Catherine Tanner

Exactly, or that company doesn't call that position a GRC specialist or, you know, whatever. So yeah, yeah.

Kevin Qiu

Yeah, that's one of many problems with security. No titles are standard.

Great. And any other questions before we all sign off? Okay, awesome. All right. That being said, once again, thank you, Catherine. And thanks, everyone, for attending. Hopefully, we'll see you all soon in our next webinar. Thank you so much. Have a great day. Bye bye.
