
Navigating the Cybersecurity Job Market: Challenges and (Potential) Solutions

Hi everyone,

It has been a while since my last blog. My life has changed a bunch over the years/months. I’d like to dedicate this blog to people navigating their way through the minefield/dumpsterfire that we know as “the cybersecurity job market”. As an individual who chose to go into cybersecurity about 4/5 years ago, I have made some observations about the paths that can be taken to form a full-fledged career in this industry. As you read through this blog you will find a compilation of challenges that you will probably face when you decide to either make the switch to, or try to develop further in this industry.

Before I do that a couple of disclaimers apply:

  • I am by no means a subject matter expert on career development. I’m just a dude with some personal experiences and thus a bias.
  • In this post, employer names have been omitted, and rather displayed as categories of organizations. There is no need to rant about organizations or individuals. People are trying, and I deeply believe one should have the ability to remain doing so.
  • Every person has their own unique interests/walk of life. This is not a “one size fits all”, but does have the potential to be widely applicable.

That said, let’s start listing the challenges.

Ch1: Getting hired

Like many people, you find this industry (or elements of it) interesting. Though, it can be quite challenging to get hired for that one job that you see as the dream job. You look on LinkedIn for the vacancy, and see that 1000 people applied to the exact same role. That’s one good punch in the liver for someone who has 1 commit for their personal homeserver frontend fork xD

My first job in infosec was kind of an odd situation. I was not getting the level of knowledge I desired anymore from academia (I’ll try to make a blog about infosec academia one day). Thus, during the second year of my bachelor’s I decided to do 2 things;

  1. Do some hobby projects related to infosec in my personal time, and sometimes even during lectures that were not related but had mandatory presence (grumpy lecturer included).
  2. Set out to find a job in infosec to develop my knowledge and professional skills in the field, while simultaneously monetizing my efforts.

At the time I was just about 18 years old, did not even have a fully developed prefrontal cortex to foresee consequences of my actions. Still don’t, but I digress. I went to Google a little, came across job listings of one of the more renowned Managed Security Service Providers in my region. They were looking for students that wanted to work in their security operations center on a part-time basis. It seemed like the ideal opportunity in my situation. So I spoke to a good study friend of mine in my class and we signed up for their hiring assessment after submitting my resume. We both got invited, did the technical test, which was really fun! Spoke to the employees working there, also good fun! Went home, a couple of weeks later I got a job offer. Sadly my study friend didn’t get one, which I found odd as he had way more experience in the field than I did. He tried again a couple of months later, and did end up getting hired.

At a later stage we learned that the hiring criteria were not solely based on technical skills, but also the ability to verbalize threats to customers and general persona measurements. Long story short, we did some SOC shifts together while blasting German and Russian techno and jazz songs, so happy ever after xD. After about 2.5 years of working at this place, I felt like I started to reach my max potential at the department. Was not able to pivot internally due to reasons I will list later in Ch2. So I decided to pivot to a different organization.

Now, I cannot recommend this, but I resigned before I had a new job. I took about 3 months hiatus doing a bunch of stuff (mostly making an Android based pokedex for my bachelor’s). Started to feel the need again for a job to fuel my Rubik’s complex and pay for my student loans while simultaneously giving me the freedom of work I so much desired. Found a small penetration testing company near the place I lived.

I knew the owner of the company as I had reached out to him before when I was looking for an internship while I was in high school. At the time I was denied, due to the fact that I was 15 years old and thus not legally allowed to engage in legal constructs like non-disclosure agreements and whatnot. This was not a problem anymore as a 20-year-old, so we talked. He was open to hiring me on a part-time basis in a free role as security researcher, and so I got hired. The company was about 4 people strong compared to the 500 of my employer before that.

Getting hired at this place wasn’t all too hard for a couple of reasons;

  1. I knew the owner of the company
  2. I had a decent track record in the technical and professional realm (got OSCP, a blog, active Twitter, previous employer)

Though after working there about 7-8 months it became boring. I was doing a bunch of cool stuff with my amazingly skilled, but small pool of colleagues. But the organization expressed no direct desire to grow and expand operations and differentiate itself as a prominent player in the penetration testing/red teaming scene. So once again, I decided to do some job hunting. Dazed and confused I questioned myself about the best next step. Now bear in mind that I was not earning as much as I could. So it became a more prominent part of my search criteria.

Browsing the web once more I assembled my renewed resume, found a semi-government job in a financial institution as once again a security operations employee and applied. During the interview it became very apparent that the working member of said institution attempted to grill me with seemingly “complex” questions during the interview. Honestly, spending time on the internet researching malware in free time was enough to answer these attempts to make me nervous. So after the interview I felt good about myself xDDD. A couple of weeks later I got a call asking for a salary indication, which was a hilarious process of back and forth. But eventually resulted in my employment there.

Right off the bat I experienced that the topics during the interview were not at all applicable to the state the organization was in. For example; I was interrogated about C2 infra mapping while the majority of the internal network was not covered by our security monitoring solutions, detection was not detecting the most basic of attacks and the technical knowledge/drive to learn of the colleagues was subpar.

For about 6 months I took it upon myself, and 1 colleague I could find solace with, to do the following;

  1. Fix obvious false positives/true negatives in detection and develop more accurate detection.
  2. Fight with network admins to get visibility across crucial parts of the internal network.
  3. Educate and motivate colleagues on how to do their job.

Sadly most of the colleagues did not really catch on to the motivation efforts, network admins did not want to work with us and the detections, despite the increased quality, were interpreted and analyzed incorrectly. So, instead of fighting against the tide, job hunt was on again. I did a bunch of stuff in my free time, that did not directly have anything to do with my job. And published parts of that. Some of the side projects were more useful than others. I brushed up my resume and sent it out to a bunch of organizations of varying sizes and complexity, governments, commercial places and non-profit institutions. Some of the organizations were specialized in cybersecurity, while others did that on the side.

I believe I punched out around 50-60 applications in the span of 1 month, it landed me about 6 interviews. 1 I did not like due to their cybersecurity department being a relatively low priority and the pay not being all too interesting to me. The other three I was really hyped about. I believe getting invited to the interviews was a balance of the following (does not apply to all, but is generally a good measure);

  1. Knowing people in the companies you want to work for, word of mouth goes a long way
  2. Style and keywords in the resume, try to tailor your resume based on keywords in the vacancies
  3. Previous experiences from tenures and personal projects help a lot

All in all, these three are somewhat of an “HR/recruitment-Bypass” as recruiters/HR personnel tend to look at these from my experience. All in all for the remaining 3 interviews I did, I have got 3 offers. Some later than the others. All of the three are major international commercial companies in both IT in general and infosec. The differences were mostly geolocation and respective scopes/business strategies. All offers were ballpark similar, and outright obscene amounts of money for a 22-year-old still living with his parents.

I just chose the first offer that came in, there was no ulterior reasoning. I just wanted to escape the downwards spiral I was previously in. I’m 6 months into the job right now as a Threat Intelligence Analyst, I’m moderately happy. Get a bunch of money, have motivated and knowledgeable people around me and get to do stuff that most people can’t. So all in all not a bad choice. Though there is still a long way to go, as I will discuss in Ch3. But first a brief recap on how to “Climb the ladder”.

Ch2: Climbing the ladder

When your occupation is approaching a dead end, it can be quite challenging to pivot to a role more suited for respective knowledge level or career goals. In my experience different organizations handle this differently. My first employer was kind of an odd situation. The employee retention, as with the entirety of infosec was quite high. Therefore, both internal and external pivoting to a different role was demotivated as much as possible by the end of my tenure there. Which is a shame, considering the potential of the place.

My second employer, well, it was 4 people large, where are you gonna pivot to except home :D The third employer, not sure you even want to stay there for longer than 6 months. Luckily I’m currently in a place where pivoting is motivated, as they understand that people have ambitions and consume information like no other. Imposing sanctions on growth will lead to rot, and by no means will increase job efficiency. That said, it is understandable why some management cultures panic. Infosec is a unique industry with its own intricacies, and not everyone is adjusted to the idea yet.

Also worth mentioning is the absurd sense of entitlement to certain job titles. Or in different words, as that same study friend said; “age is the most accepted form of discrimination, most often applied in the job market”. Something that is very damaging in an industry, that quite evidently is young. I am convinced that it is easy to show up at your job every day and cash the check for a “principal distinguished servicedesk engineer” title. While it’s much harder to land a principal title as an 18 year old prodigy with 5 PPL bypass PoCs to their name (not me, not this skilled). In my opinion it is a skewed and dated idea that amount of years of experience = knowledge capacity. Especially since titles like junior, medior, senior, principal etc. are tied to specific salary brackets, and title is often tied to something as arbitrary as age.

To counter things I have only found a couple of things to work;

  1. Be lucky with the type of employer you have
  2. Don’t sell yourself short
  3. Make a name for yourself before you join the negotiation room

That said, I have been very fortunate to escape this issue at a young age. But I do understand people’s complications with this, as I will dive into in Ch4. But first, a more granular overview of what in my opinion are the criteria to be happy with your job.

Ch3: Job satisfaction

Finding a well-rounded job is the biggest challenge you are gonna face. Landing a job is, with respect, not hard in infosec. But finding one that checks all the boxes, is like fighting Mike Tyson while you are untrained and intoxicated. In my experience there are a couple of pillars that form “Job Satisfaction”;

  1. Freedom of work; meaning being able to dictate your own research/work interests while simultaneously pairing that to your organization’s goal.
  2. Compensation Package; meaning, the money, the stacks, the green paper
  3. Longevity/stability; will I have a job if a new reorganization/round of lay-offs happens?
  4. Knowledge capacity; are my colleagues smarter than me?
  5. Growth opportunities; can I pivot to other roles if I don’t feel like this anymore?

My first and second job fulfilled the following; Freedom of work, Longevity/stability, Knowledge capacity. My third job fulfilled; Freedom of work, Compensation Package, Longevity/stability. And my current job fulfills; Compensation Package, Longevity, Knowledge Capacity and Growth Opportunities.

4/5, that is nearly everything. As I hear you thinking, this is the challenge that I am currently facing, and you probably will as well. It is quite hard to get the perfect scenario. But to be honest, I feel more comfortable chasing the perfect position when I am 22, still live with my parents and have no family that depends on me for various things. Currently I work in a customer facing threat intelligence role, meaning customer first, company interest second, analyst research interests third.

Currently I am trying to figure out how to get the 5/5. When you gain freedom of work, that would mean becoming a non-billable researcher. In a publicly traded Fortune 500 company, being non-billable is not always a desired outcome for management and shareholders. And therefore at risk of losing the Longevity/stability aspect of “Job Satisfaction”. If anyone has tips for this, let me know, I’m all ears :D

Ch4: Moral compasses

Navigating all these mines in the field is hard, especially at a young age where, as alluded to, the brain still needs to develop to foresee consequences. A by now famous example of being kicked around by the infosec job market issues is Essbee, also known as “the polar bear” or @817_756_43_19 on Twitter (suspended account). This person is a very skilled researcher, previously employed by yet another Fortune 500 company with a prominent presence in cybersecurity. After a round of layoffs this researcher went down some layers of hell.

As a result, they shifted through the gears of public lash-outs, publicly documented interest in working for adversarial governments, and alluded in tweets to going into developing exploits and selling them with limited “know your customer” just to get back at their employer or because they were done with the current state of affairs in the job market. I am not someone to tell you how to live your life, furthermore I don’t blame this person for even considering this.

If we sum it up, making malware for illicit use is lucrative to this day, both in a monetary sense and in the knowledge capacity aspect. The growth opportunities for malware developers on the black market are basically growth in sales and individual knowledge. No real ranks/titles to charter. And freedom of work, well, you are your own boss so good luck have fun!

As with joining “adversarial governments”. I do not want to anger anyone, but politics in my opinion is a medium devised to split people apart. I believe that the term adversarial is relative to the place you are in, and interest that you have. I am not gonna advise you not to work for some CNE department, whether it be part of MSS, PLA, S32, CCI, JSCU or whatever really. Do whatever floats your boat.

RETQ

Now before you all run to your local SIGINT agency or start becoming a ransomware skid, I want to reflect on why you shouldn’t. Personally I joined this field to solve problems, not create more of them. Though I do have an understanding for people that choose otherwise. After all, sometimes you have to break the old building down to build the skyscraper. I personally joined a place that supports things I do not directly agree with, I tasked myself with fixing problems within. As for the 2 other job offers that I got. I declined them, yet they are similar places. So during the declining process, I shoved forward friends that were stuck in their job for one of the aforementioned “job satisfaction” reasons, that I believe have similar morals. “solve problems, don’t create more of them”. They got hired, and are working there now to practice these beliefs.

With that said, I hope after reading this blogpost you have pointers on how to navigate the minefield. And are convinced to help people out who are visibly struggling to practice their potential.

Godspeed, fear nothing!

  • Yassir Laaouissi