Answering "How do I get my first role in Cyber Security?"

Feb 22, 2022 · Jacob Larsen

Background

During 2021 and 2022, I provided free support, mentorship and career counselling to over 100 individuals wishing to break into the cyber security industry in Australia. Despite mainstream media, boot camps and universities regularly broadcasting that there is a cyber security skills shortage, and that you can become a professional in “just 24 weeks”, it hasn’t been made clear that the shortage is of experienced professionals, and not entry level candidates.

Historically, cyber security was not a domain of knowledge that could simply be studied as a bachelor's degree and broken into immediately. It was typically a speciality that professionals ended up in after extensive experience in operational or information technology roles. Today, students are completing bachelor's degrees and attending boot camp courses with the expectation that finding a role will be simple and easy. This is simply not the case, and it has resulted in many students still struggling to find a role in the industry, even two years after finishing their studies.

There is an abundance of cyber security graduates applying for a small number of entry level roles every year, and standing out in the crowd can be difficult. This article aims to address the most common question I am asked, "How do I find my first role in Cyber Security?", with recommendations based on my own and my colleagues' perspectives. You are not expected to implement all of the techniques discussed below; selecting a few will prove useful. They are in no particular order.

Recommendations

#1 - Subscribe to and regularly review the latest cyber security news.

As technology is always changing, it's necessary to keep up with cyber security legislation (e.g., the new critical infrastructure bill), vulnerabilities (e.g., Log4j), breaches (e.g., the Colonial Pipeline attack) and threat groups (e.g., Lazarus). You don't have to know everything, but you should be able to converse freely with potential employers about these topics. You can bookmark some of the following sites to review regularly:

#2 - Build a home research Windows Active Directory lab.

You must be knowledgeable about Windows Active Directory environments in order to become an information security professional. A virtual home lab can be built on your desktop PC without the need for additional physical components. This lab is where you can put your skills to the test, quickly create and tear down virtual infrastructure, and essentially have a playground for testing and learning.

In addition to setting up this lab, you should consider writing a one-page document about the architecture of the environment, which you could include on your resume as a personal project. By creating this home lab, you are proving to prospective employers that you are familiar with the environments that modern organisations use to support their business processes. It also demonstrates that you have hands-on, real-world experience with Windows Active Directory, rather than just conceptual knowledge from your studies.

#3 - Complete an information security writing course.

The ability to write an information security report and properly present findings is an essential skill that many cyber security graduates overlook. It's difficult to demonstrate your value if you can discover information security risks but can't articulate or communicate them effectively to the appropriate stakeholders. In my team, we typically put new hires through Chris Sanders' course to help them develop their report writing skills. His course focuses on the following four modules:

  • Module 1: Telling a Story
  • Module 2: Writing Penetration Testing Reports
  • Module 3: Forensic Writing
  • Module 4: Most Common Writing Mistakes

This course will be especially beneficial to overseas students for whom English is not their first language. Find out more information on the course here.

#4 - Begin studying for an esteemed industry certification.

It is highly recommended that you begin studying for an esteemed cyber security industry certification. Depending on which domain of knowledge you wish to specialise in, there are different certifications you can complete, at varying levels of difficulty. Paul Jerimy maintains a website with a detailed security certification roadmap, which is very useful.

A great place to start for all recent cyber security graduates is to prepare for the Certified Information Systems Security Professional (CISSP) exam by ISC2. This certification is known to be "a mile wide and an inch deep", meaning that a variety of security domains are covered, but only at a foundational or intermediate level. To obtain the full certification you must have 5 years of experience; however, you can still sit and pass the exam to obtain the title "Associate of ISC2", which will still hold significant weight when discussed with potential employers.

This exam is seen as very challenging and is categorised as "expert level" by industry professionals, but it is definitely obtainable for recent graduates who can commit to studying for it over 3 to 6 months. The industry likes to put this certificate on a pedestal, but the reality is that the content is not that difficult; it just takes a huge commitment of time to study for and sit the exam, due to the large number of domains covered. You might find it easier to complete as a recent graduate than as an industry professional, as you will have more time in your schedule to fast track your learning and prepare for the exam.

#5 - Complete an internship or work integrated learning placement.

Completing an internship can be a great opportunity to develop industry specific skills, gain real world work experience, and establish professional network connections. Many organisations in Australia offer internships, or work with universities to offer Work Integrated Learning (WIL) placements. These are typically unpaid and run for a short period of 8 to 12 weeks, but may count for credit units/points in university courses. Students should reach out to their university course coordinator to determine whether a WIL placement program exists and what the eligibility criteria are. In Perth, Western Australia, the following universities offer Work Integrated Learning placements:

#6 - Volunteer or network at a local industry event.

Finally, networking will be an essential tool for growing your professional career. Networking is not only about trading information; it also serves as an avenue to create long term relationships with mutual benefits. This article by Forbes explains the importance of networking very well, and I highly recommend you read it. Recent cyber security graduates should consider volunteering at or attending any of the following events in Perth, Australia:

Author: Jacob Larsen, Offensive Security Team Lead

I have a deep interest in threat research, and work as an offensive security team lead. I have a diverse background in strategic cyber advisory roles.