Entry Level Cybersecurity Career Advice From a Hiring Manager
I have been in the cybersecurity profession since before it was called cybersecurity. I hired lots of people, including entry level employees, and I thought I would at least try to provide some practical advice on how to get your first job in cybersecurity. Frankly, a lot of this is not going to be what most entry level people might want to hear.
I make it no secret that I think that the "influencers" giving "Career Advice" who tell people that they don't need degrees, certifications, experience, etc. are full of crap. They tell would-be professionals that the only thing they need to do is follow the influencer, like all their posts, and post a lot themselves. That sounds awesome. Again though, it is complete BS. These influencers tend to be professional influencers or in junior roles, and frequently underemployed, if employed at the time at all. Sure, if this sounds good to you, you deserve what you get.
As a disclaimer, I've hired dozens of people without degrees and certifications. One of my most senior and favorite deputies didn't have a degree or a certification. I didn't care as he was able to do the job better than anyone I ever met. I have no bias for credentials, if I know a person can do the job.
Who Gets "Entry Level" Cybersecurity Jobs
Whether or not entry level job descriptions state experience, certifications, degrees, or whatever are required, the fact is that you will be competing against people with experience, certifications, programming skills, and degrees. For example, I was hiring SOC Level I Analysts. The only statement of qualifications required was familiarity with basic computing principles, such as protocols, alerts, etc.
The people hired, however, had several years of experience as a Network Operations Center analyst or on a Help Desk, college degrees (and occasionally a Master's degree), a combination of both, were recommended by another SOC analyst, etc. One person didn't fit into this category, but my SOC manager was randomly mentoring them and they did a lot of work setting up a home lab and teaching themselves pentesting. While we didn't seek out this level of experience, except for the fact that we wanted to establish a career path for the NOC, there were plenty of applicants who had well beyond the basic requirements. For all entry level cybersecurity positions, there are likely going to be many applicants who have more than the basics.
I might be admittedly lucky as I am in a region where there is a high concentration of colleges, government agencies, etc. I never had to keep statistics on this, because the clear majority of hires were women or people of color. They were the best applicants at the time. Generally, there seem to be qualified people for entry level positions in most locations.
You Don't Need to Know How to Program; But Willful Ignorance is Unacceptable
As I said, I never required any skills that were not critical to the job. However, I will cut out anyone who is proud that they don't possess helpful skills, but could. You don't need to know how to program for many cybersecurity positions; however, it is incredibly useful to know. As I mentioned, there are plenty of people who want to break into cybersecurity who know how to program and have other skills.
You can download Python for free and walk through basic training. You can find free courses for basic certifications. You can buy books, watch YouTube videos, etc. This doesn't just apply to programming, but to networking principles, incident response skills, cybersecurity, etc. as well.
You don't need to know these things, but if you ever hear someone telling you to be proud of something that you can learn but don't, run. If it's a helpful skill, there's no reason you shouldn't consider at least learning the basics.
Entry Level Doesn't Mean No Prerequisites
I see a lot of people fanning outrage on social media, because some job announcement claimed to be entry level, but had prerequisites. Entry level for a given profession varies. Accountants need at least a degree. Some accounting firms require a Master's degree, so that entry level accountants have at least the minimum number of credits to get a CPA. On the extreme side, a medical doctor needs 20 years of education and years of experience for their first full position.
Many companies require a Bachelor's degree. Some companies require certifications. These are legitimate requirements.
Consider that sometimes the prerequisites are not required for the job itself, but for internal policies, or to potentially narrow down an already large applicant pool. Also know that many employers believe that a degree doesn't just come with a base of technical knowledge, but with an enhanced expectation of "soft skills". Knowing how to write and otherwise communicate, as well as having a broader understanding of business and other subjects, is an expectation of a degree.
Either way, if they exist, they exist, and if you don't like it, don't apply for the role.
The Fewer Credentials You Have, The More Expendable You Are
One reason that most companies require more skills and credentials than just the minimum required for the entry level position is because they don't just want to hire a technician, but someone who has the credentials for a future in the company. Degrees usually imply better communications skills, eligibility for management training programs, etc. If your claim is that you're qualified for the current position, great. There are typically a lot of applicants who are similarly qualified, but have the credentials for something at a higher level.
Many employers also consider the relatability with other departments that do have requirements for college degrees. Lately, there are layoffs and while companies might want to keep the lowest paid employees, which are usually those with fewer credentials, people with more credentials can more readily be moved around.
It is also worth noting that with the proliferation of machine learning, it is the positions that are traditionally held by the people with the fewest credentials that will be replaced by ML. People with advanced understanding of math, computer science, data science, etc. will be the most resilient to the rollout of ML-enabled automation.
Why There Might Not be Entry Level Roles
A lot of people think that all companies should allocate certain cybersecurity openings to entry level personnel. In theory that sounds great; however, when you have junior people, you need to ensure that you have the people with the time to mentor them. With staffing cuts, this is not always possible. Even without staffing cuts, your people might not have the time to provide proper training and mentorship. More important, many people are not great trainers and you need oversight of training, which is an extra layer of complexity for already short-staffed cybersecurity programs that already need capable people.
If You Don't Get that Entry Role, Go Cybersecurity Adjacent
Some people think that if they don't get a cybersecurity role at the start, they are a failure. Honestly, few people ever get the ideal job on the first try. It can be to your benefit to not get a cybersecurity role on your first shot. When people ask why I am personally good at cybersecurity, I tell them it involves years in development, software testing, configuration management, systems and network administration, etc. I was able to secure things, because I was already familiar with the technology and functions.
Look for roles that are Cybersecurity Adjacent. These are roles that may involve some cybersecurity tasks, but either way, they give you valuable technical and/or other skills that will be useful to a cybersecurity career. Those roles will likely help you more in your career than a cybersecurity specific position.
Networking is Still Important
Social media is clearly not the primary strategy to prepare yourself for a position. However, professional networking will always be important. If you engage with people, be sincere. People typically know when you are just trying to use them, instead of being sincere about the engagement. I have used social media to sometimes get my own positions, as well as find positions for others.
Likewise, recruiters will use LinkedIn to find potential candidates. So be able to put your best foot forward. List your certifications, degrees, etc. Hiring managers and recruiters may also look at your profile, if you are in contention for a position.
After a while, it is likely that all positions you will get will be due to professional networking. Just know, however, that whoever refers you for a job is putting their reputation on the line, and you need to make sure that you really fit a potential position well.
So What Do You Do?
By now you should assume most of my guidance. I recommend that you look at job announcements that you want to fill, and see what qualifications they consistently look for. Then determine which credentials you can reasonably obtain and figure out how to get them. If you want a career, you should be willing to work for it.
Find internships if you're in college. Volunteer where they might need cybersecurity or technical support. Take courses. Learn to program. Set up a home network and lab.
And in the worst case, there is absolutely nothing wrong with getting a cybersecurity adjacent position. That is how I and probably millions of other people got our cybersecurity positions.
Cybersecurity GRC Analyst | Cyber Policy Analyst | Project Manager | Cybersecurity Risk Manager | ISO 27001 implementation and IT Audit | ITILv4 Foundation | NIST CSF | Cybergirl 4.0 | WiCyS Member | WEF Global Shaper
4mo: Thank you Ira Winkler, interestingly, I stumbled upon this article while doing a skill gap analysis on Cybersecurity program management. Thank you for taking the time to explain things in detail. It was an insightful read.
IT & Cyber GRC Across 3 Lines of Defense | CyberSecurity Mentor | CyberSecurity Practitioner
4mo: This is good advice Ira Winkler, thanks for the valuable sharing. I myself ended up in CyberSecurity not by choice, then again I appreciate the opportunity to be involved in the CyberSecurity space. If I may add on to your comprehensive advice, cybersecurity is a big domain, there are many roles people have not explored; these include but are not limited to GRC, Policy and Standard, Third-Party Risk Management among others.
Cybersecurity Risk Management Workforce & Compliance Expert | ISACA ATO | APMG Accredited | DoD 8140 Expert | SEC-Cyber | EU NIS2 / DORA | OT/ICS | NIST-NICE Volunteer | K-12 Lacrosse Coach
4mo: Peter Zekonis..... Please let me know what your thoughts are.
BCA Candidate | Aspiring Cybersecurity Professional in Cloud Computing and Networking
7mo: This is the best answer or advice I've got after having so much trouble thinking about what I should do, where I should apply for my first job, what some prerequisites are, and too many other things. The thing is that people got confused too much due to some influencers on social media. At last, I wanna thank you for helping people like us.