I have spent the last 8 or 9 months purposefully networking. I have sent emails to people at work who are in security roles in an effort to find out more about what they did and how they got there. I’ve been pleasantly surprised that the vast majority have positively responded and agreed to meet virtually for a chat. Most people in infosec seem really happy to give guidance and encourage me to pursue my training and pivot. There have been a few gatekeepers, but I’ve learned a lot even from them. I’ve also connected with people via LinkedIn and had some email exchanges and video chats too.
For an introvert like me, it is absolutely exhausting. I don’t like putting myself out there, and I don’t have the highest level of self-confidence. I also don’t want to appear slimy or needy.
Given my relatively high rate of success in having these chats, I think I can safely give a bit of advice. Firstly, remember that you are asking for information, not a job. I have NEVER framed the conversation to be me pitching myself for a role. It was easier in the beginning, as I had no qualifications or experience and I was simply asking about pathways. As I’ve progressed through my training it’s become a bit trickier, but without experience I can still honestly present myself as a “newbie.” I ask for advice based upon what I’ve accomplished so far and where I want to be next. I ask for suggestions on entry level or “feeder” roles into the role they hold.
One strange thing I’ve noticed is it doesn’t take too long for people to become disconnected from the entry-level stage. A few years into a specialty, people tend to give suggestions for training that isn’t feasible for a newbie. If I had a penny for every time someone suggests taking the CISSP (which requires 5 years of infosec experience) I could have a nice meal out. I also hear people talking about SANS training (which is incredibly expensive) and when I mention price they’ll say something like “get your employer to pay for it.” Yeah, cos my employer will pay $10k for me to take a SANS course when I’m not currently employed in cybersecurity….
I also have been told on numerous occasions about how they (the hiring managers) are looking for enthusiasm and someone who can be trained, not necessarily the skills themselves. Several times I’ve heard “I can teach them how to use a tool” but they need to have the soft skills and attitude. Great, does someone want to tell HR that? Because they’re the gatekeepers that won’t let my resume through without the 5 years of experience!
I’m continuing to have these conversations with people in attempt to learn more and position myself for an entry level role. I’m quickly approaching the point where I will be actively searching for that job. One thing I seem to be struggling with a bit is striking the balance on presenting my current status. I’ve had a couple conversations where the people I’m talking to are telling me to go learn a skill I already have or take a training that is a lower level that what I already have. It’s tricky, because I don’t want to send a resume or sell myself like I’m asking for a job, but I also don’t want to walk into these conversations with the person thinking I’m at a more junior level of learning than I am. I had a conversation with a manager who runs a SOC. It was a warm introduction from someone I had reached out to, so I didn’t get a chance to give too much background on myself before we talked. He generously offered to let me shadow an analyst in his SOC for an afternoon. I took him up on it and had a great experience. When we spoke again, we had a short chat about the day and then he proposed the next step was to have me shadow a different analyst. Gotta be honest, I was a bit disappointed as I thought I had made it clear I was feeling ready to start pursuing a job. But I thought, this could be the next step towards a role, so I happily agreed. The manager sent me a couple of links for resources that we had chatted about. So far, so good. Then the manager sent me a couple more links; one to learn Python and another for an entry-level training program. I was disheartened. The training program was a lower level than the SEC401 I did a couple months ago. And he obviously didn’t know (but hadn’t asked) that I already had taken Python training. Although it was really nice of him to think of me and send me those links, it obviously showed that he wasn’t thinking of me as “ready” for a role, and didn’t know how much training and non-infosec experience I could bring. I debated, but finally decided I needed to respond to him and share a bit more about my background. I replied and told him I was already comfortable with Python and that I didn’t think the entry level training would build upon what I have already taken. I said I obviously hadn’t shared my full background with him, so I attached a resume. I haven’t heard back and I may have just burned a bridge, but better to do that than let him think I’m going to continue training for months and that I’m not ready for a job now.
Last weekend I did something I never would’ve dreamed of a year ago. I went to a local security conference by myself. Unfortunately I wasn’t able to attend the whole thing, but I went on Sunday. There were a couple of talks on cloud that I was interested in, and it was a chance to network in person. I had already bought the ticket, so there was really no excuse to back out (though you better believe I thought about it.) I went in, claimed my badge and bought a t-shirt, then went to the first talk. I introduced myself to the speaker before it started (I had connected with her on LinkedIn a few months ago after the local BSides conference.) I recognized one of the volunteers as someone I had spoken to at my work, but didn’t say anything. (I had seen her a BSides in the fall but was too chicken to say anything then either.) However, she recognized me and came up to talk to me! After the talk, I made myself go talk to the 2nd presenter. We had a chat and then it was time for lunch. I made my way to the restaurant in the hotel. There was a table with several people, including the two women I knew. When I sat down at an empty table, they invited me over to sit with them! We chatted a bit. Afterward, I attended more talks. I made small talk with some people but no real connections, but I kept praising myself for not running home or hiding. This was work for me! Finally, the last talk came. It was a cloud security talk, and I found it really interesting. At the end, the presenter asked if there were any questions, even though the talk had run late and the room was filling with people for the closing ceremony. He said “Any other questions? Does anyone want to know about how to get into cloud security?” Nobody raised their hands (and the AV guy was shutting down his laptop) so he said he’d be available outside the room afterward to talk to anyone. That was my chance! I left the room and waiting in the hallway. Then the closing ceremony began, and nobody came out. I waited around for a few minutes and realized that he was staying inside for the ceremony. I needed to get home, so I decided I’d connect with him on LinkedIn. And that’s just what I did the next day. I told him I had wanted to chat with him after the talk, but missed my opportunity. He connected with me and said he’d be happy to chat. I have a call set up with him for Tuesday. At the very least, I’m hoping to get some great advice from someone in the cloud security world on how to start my career path. There’s also a possibility that it could lead to more – maybe an introduction to someone, maybe a consideration for a role in the future, who knows? All I know is that I’m proud of myself for taking the initiative and trying to make connections with people.
So many people have told me it’s not what you know but who you know that gets you job offers. Hopefully that’s true, and if I haven’t met the one that’s going to help me, I will soon!
Robbi Clafton 