EPISODE 59
FIVE THINGS TO KNOW BEFORE YOU GET INTO CYBERSECURITY

About This Episode

In this episode, we learn about the five things you should know before getting a job in the cybersecurity industry.

First, we discussed the reality of entry-level cybersecurity jobs. Even entry-level cybersecurity roles require previous experience in a related position, such as network administrator, system administrator, or auditor, which shows employers you are ready to move into cybersecurity. Unlike many industries, there are no direct entry-level positions in cybersecurity, which can confuse a lot of people and make it difficult for them to get their careers started. To land an entry-level cybersecurity position, you will need extra knowledge and expertise before you can get hired.

Second, we discussed the relative importance of a cybersecurity degree in landing your first cybersecurity position. Contrary to popular belief, a higher-level education without any matching experience is not the key to landing your first position. In fact, in most cases, certifications are more likely to help you land an interview than a degree.

Third, we discussed the importance of experience in landing your first position. Hiring managers evaluate three things: your experience, certifications, and degrees, in that order. We also discussed some ways for you to gain experience even if you haven’t landed your first position yet.

Fourth, we discussed some realistic salary expectations for you to have when looking for your first cybersecurity position. Many new entrants to the cybersecurity industry have misguided expectations of the salary they can command in their first position. When determining your initial salary, employers will consider your experience, certifications, and degrees, as well as the location of the corporate headquarters, your local office, or your home office.

Finally, we discussed some of the different jobs in the cybersecurity industry that go beyond penetration testing. For some reason, most new entrants to the cybersecurity industry believe that penetration testing is the only cybersecurity role, but that simply isn’t true. In the final part of this episode, Jason and Kip discuss some of their favorite cybersecurity roles that people can find as they enter the industry.

* There are no real entry-level cybersecurity jobs

* A cybersecurity bachelor’s or master’s degree is not essential to getting hired

* You must have some experience to land your first position

* You need to have realistic salary expectations

* There are more than just penetration testing roles in cybersecurity

 

What You’ll Learn

  • A more realistic view of the cybersecurity industry
  • What to expect in a typical cybersecurity role
  • What things hiring managers consider in hiring a candidate
  • How your salary is determined for a position
  • How to best position yourself to land your first role in the industry

 

Relevant websites for this Episode

Tags: Career, Salary, Experience, Degrees, Certifications

 

Other Relevant Episodes

  • Episode 49 – Why Entry Level Jobs Aren’t Really Entry Level
  • Episode 55 – Which Cybersecurity Certifications Should You Get?
  • Episode 58 – How To Get Hired With No Experience
  • Episode 13 – Landing Your Dream Cybersecurity Job
  • Episode 31 – All the Jobs in a Large Cybersecurity Organization


Episode Transcript

Speaker 1:       

                  Welcome to Your Cyber Path, the podcast that helps you get your dream cyber security job by sharing the secrets of experienced hiring managers and top cybersecurity professionals with you. Now, onto the show.

Kip Boyle:        

                  Hi, I’m Kip Boyle and Jason Dion is here with me and today we’re going to talk about the five things that you need before you get into cybersecurity. Hey Jason.

Jason Dion:      

                  Hey Kip. It’s great to be here again.

Kip Boyle:        

                  So, and we’re glad you’re here with us, everybody in our audience. And so there’s five things. So I think we should just dive right into them. And here’s the first thing that we think you really need to know. There are no real entry level cybersecurity jobs and that is a complete brain melting thing for me to say for a lot of people. There’s so much conversation online about how there should be entry level jobs and how come there aren’t ever entry level jobs. And recently I caught a post on LinkedIn where somebody was talking about how unfair it was and they were really railing on it. And so I jumped in and I said well, look, this is kind of like in the airline industry, there is such a thing as an entry level 747 job, right? All 74, sorry, all 787 pilots have to start somewhere. Right?

Jason Dion:      

                  Yeah.

Kip Boyle:        

                  And so that first 787 job is the entry level job, but you can’t just walk off the street and get it. You’ve got to build up to it. Right? You need like 25,000 hours of commercial flight time in order to be able to even qualify for that job. And so I put that in the comment and for a week and a half, I kept getting notifications from LinkedIn about people reacting to that comment. And I didn’t keep close track, but it seemed to me it was roughly split between half the people saying yep, that’s right. That’s the way I see it. Kip, I agree with you. And the other half of the people saying what’s your address? I’m going to put a flaming bag of poo on your doorstep.

Jason Dion:      

                  Well, I think it’s important when we talk about entry level jobs, right? Entry level means different things in different industries. When I started out and got my first entry level job, I got a job as a bag boy at a grocery store, right? That’s an entry level job. They could hire me and by the end of that first day, I was already doing useful work for them by putting groceries into bags and taking it to customer’s cars. That’s entry level, right? Cybersecurity is a little bit different. I can’t take somebody off the street, put them in the chair slap a name tag on them and say go ahead. You’re a SOC analyst. It doesn’t work that way. There’s extra knowledge you need, just like you can’t go and fly a Dreamliner 787 after your first day of flight school.

                        And I think people have a misconception with that and I think a lot of that, I actually place the blame on the colleges for this, because they like to say oh, there’s all this huge demand for cyber security jobs and all these entry level jobs are available and they push people through to go get a bachelor’s or master’s degree. And then nobody wants to hire that person because they have no experience because they’ve never done anything in IT at all. And really when it comes to an entry level cybersecurity job, in my mind, that is usually going to be something like a system administrator, a network administrator, a help desk, a field service technician, something in the IT world where you’ve gotten some experience for a couple of years and then you move into this entry level cybersecurity job of being a SOC analyst.

                        Because as a SOC analyst, you have to understand how computers work, what normal looks like in the network, what normal looks like for the processes and your registry on the computer. And if you don’t know all that, you can’t be an entry level cyber security analyst. I think that’s where the big breakdown is with that myth of that there’s no quote real cyber security entry level jobs because there are, but they require some prerequisites to get into those jobs.

Kip Boyle:        

                  Yeah. Yeah. That’s right. I think the term entry level is just an overloaded term. I think you put your finger right on it. People are using it in ways that are not true to the traditional definition of that, right? That I can get hired as a bag boy or I can be hired at McDonald’s and I don’t need to know anything. I just need to have some basic ability to show up on time for my shift. Right? Clean and presentable. So that term is absolutely overloaded and that’s kind of what I was trying to get at when I responded to that LinkedIn post was trying to explain that it’s different, but there’s so much about cybersecurity that just doesn’t translate. And this is something that we’re going to talk about in a moment in the second thing having to do with bachelor’s degrees.

                        But before we do that, I want to tell everybody in the audience just a couple of things. So if you really want to unpack this idea here, we actually did that very recently in episode 49. So if you just go back to yourcyberpath.com/, is it just 49, Jason?

Jason Dion:      

                  That’s right.

Kip Boyle:        

                  Is that the way that worked? Yeah. Yeah. So just do that and you’ll be able to pull up that episode and you can listen to it and really kind of dig deep in there. The other thing I’d recommend is go to cyberseek.org and when you go over there, they have a career pathway. It’s one of the things that they offer. And when you go over there and click on that, you’re going to see exactly what we’re talking about. You’re going to see four columns of different types of jobs. And on the left, it’s going to start with feeder role. And then the next column over is entry level. So right there on the cyberseek.org website, which I think of as sort of like the master directory for what’s going on in the job market, right there it talks about exactly what Jason was just explaining.

Jason Dion:      

                  Yep, exactly. So again, it’s yourcyberpath.com/49. It’ll take you right to episode 49, which is why entry level jobs aren’t really entry level. All right. Our second one is that a cyber securities bachelor’s degree or master’s degree is going to guarantee you to land a job or you can get a certification and it’s going to be your golden ticket to employment. Now, really this is not true. You can get a degree at either a bachelor’s or master’s level and you can get a certification and it will help you get a job. Yes, but it is not going to be the golden ticket that’s going to automatically get you the job. What I always tell my certification students is the certification does not guarantee a job. Instead, it’s going to help you get the interview. And then when you’re in the interview, you can impress that hiring manager with your knowledge, your skills, maybe your experience, if you have it. And that’s how you’re going to get a job. It’s an invitation to the ball, it’s not a guarantee that you’re going to get a dance.

Kip Boyle:        

                  Oh, I love it. I love it man. Is there a glass slipper somewhere in this?

Jason Dion:      

                  If it fits, you get the job.

Kip Boyle:        

                  Yeah. Right. That’s right. If your foot can fit in the glass slipper, you get the job. That’s great. That’s great. And so, oh, I see this all the time and it’s actually tragic, Jason. It goes from what you said a moment ago, where you said that universities and colleges are telling people if you just get your bachelor’s degree, your master’s degree, there’s all these entry level jobs waiting for you. Well, I have met lots of people who have done exactly that, taken on tons of debt and they’re walking around like zombies because they can’t get interviews. The interviews that they sometimes get don’t go past the first one. And I feel awful for people who get themselves into the situation. And I think part of the misunderstanding here, and this goes back to my previous comment, that there’s a lot of rules of thumb in the broader economy, the United States that just don’t apply to cyber security.

                        But for the longest time, the kind of the trope was is that if you got a bachelor’s degree, that was like your guaranteed ticket to a middle class job. Right? And that any… That you could get hired and make a middle class income just by having a college degree. And that may be true in some parts of our modern economy, but it’s absolutely not the case here in cybersecurity, as you just said. So the conventional wisdom, just like with entry level jobs, just doesn’t really wash in this career field. And it’s awful that people have to discover that the hard way.

Jason Dion:      

                  Yeah. I think one of the biggest mistakes I see people make is not necessarily the bachelor’s degree, but I see a lot of people who go and get their bachelor’s and their master’s degree and they’ve never worked a day in their life at a regular job. So then they come up to me as a hiring manager and they’re asking for a job and they have a master’s degree with all that student loan debt. And so they’re looking for a first time job trying to make 80 to 100 or $120,000 a year and they have zero experience. They may have a couple of certifications, they have a master’s degree and they think that makes them qualified. And unfortunately, it doesn’t because for those level jobs, I need somebody with experience. And so for you to start at the beginning of that pipeline with a master’s degree is going to be way too little money for you and so you’ve kind of overextended yourself.

                        Where I see the benefit of degrees inside of our field is once you’ve had a job, you’ve worked for a couple years and you’re trying to make the move into management, that’s usually when we’re looking for that bachelor’s or master’s degree. If you want to be the SOC director, I’m going to expect you to have a master’s degree, but I’m also going to expect you to have five or 10 years of experience being a SOC analyst. And so if you have the degree with no experience, I’m not going to make you the SOC director. Similarly, if you have a degree and no experience, I may or may not be able to hire you on as an entry level SOC analyst, because at least you’ll have the knowledge and the background, but again, it’s going to be harder when you’re going against somebody who has three or four years in the field as a cybersecurity technician or security administrator or a network administrator to make that lead. So what is our third one, Kip?

Kip Boyle:        

                  Yeah. Okay. So wait a minute. Before we go onto the third one, can I just mention that we’ve got a couple of podcast episodes that people can listen to if you want to unpack this some more. There is more to say, but we’re not going to say it today. So if you want to go grab episode 55, which is a very recent one where we talked about which cybersecurity certificate you should get. And actually we have another episode, I mean, get in the way back machine Mr. Peabody because this goes back to episode number four, which is where we did a survey to find out what people’s big questions were about getting into cybersecurity. And this was actually one of the big questions, which a lot of people thought that the only way they could get into cyber was by having formal training, bachelor’s degrees, certifications. And so anyway, so we busted that myth.

                        But let’s yeah, let’s go onto the third thing that you need to know before you get into cybersecurity. And this one’s also very difficult. People really struggle with this, right? But you have to have experience or no one will hire you. And that’s just what you were saying, Jason, and this is a catch 22 for a lot of people and they complain and they get really bitter and they’re like well, the reason I don’t have experience is because nobody will hire me, but nobody will hire me because I don’t have experience. And oh, it’s awful. It’s really awful. But I’m sorry to say, it’s true. It’s absolutely true.

Jason Dion:      

                  Yeah. I mean, when we look at hiring somebody, right? There’s three things we’re looking for: We’re looking for experience, we’re looking for certifications and we’re looking for degrees. And we look at them in that order. Experience is paramount, but experience won’t get you the interview if you don’t have the certification that matches my ATS search criteria. And so we’re not even going to see your application in the hiring pile. So you need to have that certification to make it through the filter. But then when you go to that interview, it’s all about your experience and your experience is going to be asked about and it’s going to be shown through your questions and answers you’re giving in that interview. And that’s really how you land the job. So it has to be this combination of those two things, right? And if you don’t have experience, there’s a lot of different ways you can work on getting experience. What are a couple of key ways you’d recommend, Kip?

Kip Boyle:        

                  Okay, here are the two top ways that I tell people: Number one, build a home lab. And in the past that meant going and getting physical hardware. Some people I know actually got a rack from a data center, right? An old surplus rack or something like that. And they would actually rack a router, a switch, a couple of servers, whatever and then they’d get a KVM switch so they could share one keyboard, one monitor and one mouse with all of that gear. And you don’t need to do that anymore. I do not recommend that anymore because everything’s going to cloud. So really what you need to do is still build that home lab, but do it in AWS or do it in Azure, whatever cloud provider you think makes the most sense based on the employer that you’re trying to get your job with.

                        But that way you have a safe little sandbox. You can play with all this technology and you know what? You can blow it all up. Not a problem. You press a button and it just kind of goes right back to its default settings. It’s a nice, safe place to figure out how all this stuff works. And that’s a particularly good way to go about it when you’re trying to get your A+, your Network + and your Security +. Right Jason?

Jason Dion:      

                  Yeah. Most certainly. I use cloud-based labs in all of my courses at diontraining.com. So when students buy a course from us for A+, Net+, Security+, CISA, PenTest+, whatever it is, we have 40 hours of labs that are pre-built with different challenges in there for you to work through those things. So if you’re doing PenTest+, you’re going to be hacking into machines and learning how to throw these exploits.

Kip Boyle:        

                  Yeah.

Jason Dion:      

                  Then you should go off and build your own lab and expand on that knowledge even further-

Kip Boyle:        

                  Absolutely-

Jason Dion:      

                  … at a non-directed way. And I really think labs are a great way to show experience, especially when you’re sitting down with the hiring manager and they ask have you ever used Nmap to do a scan? You can say yes, I have. I scanned all these different servers machines and I saw these type of things in my cloud environment that I’ve built.

Kip Boyle:        

                  That’s right.

Jason Dion:      

                  And it shows you’re really going after it and you’re building experience on your own. So I think that’s a really good suggestion. You said they’re two, what’s the second one?

Kip Boyle:        

                  Yeah. So the second one is you need to volunteer. All right? Because here’s the thing. Cyber security skills are in short supply. You know that. That’s why you’re trying to break into this industry. Well, it turns out that there’s a lot of nonprofit organizations out there who absolutely could use your help, but they can’t afford to pay anybody or not very much in order to get this kind of help. So what a match made in heaven, right? You’re trying to learn something, you know something, you’re willing to study, you’re willing to put in the time. Well, these folks are just waiting for people like you to come along.

                        So think about a cause that’s important to you. Could be anything at all. Could it be have something to do with animals, could have something to do with the environment, could be some kind of a human services organization or religious institute. It doesn’t matter. Just something that appeals to you and then start going out there, making contact with decision makers in the types of organizations that you would like to contribute to and tell them hey, I’m learning cybersecurity and I see that you have a website. Can I help you make sure that that website is hack resistant or whatever it is they have. An email server or just take a look at them and just approach them and start someplace.

                        Now you may be turned down the first time you go because they don’t know you, but be persistent, be willing to offer references, be willing to start small so you can build trust. This industry operates on trust. That’s almost the fuel in the tank and trust is something that you got to build. Over time, you start small, you iterate and trust will grow from there. But that’s my second suggestion. What do you think about that, Jason?

Jason Dion:      

                  Yeah. I think that’s a great suggestion. One thing I was going to recommend is if you’re going to one of these organizations, for instance, your local church, your local church will probably say yes and let you do it. But if you try to go to the Red Cross, which is a nonprofit, but they’re a nationwide or worldwide nonprofit, they have their own cyber security folks. They’re not going to let you touch their network. So you’ve got to make sure you’re looking at the right size organization. If they have 50 or less employees, that’s probably the right organization for you to try.

Kip Boyle:        

                  That’s a great point.

Jason Dion:      

                  This other thing I recommend is that there’s a great organization known as CyberPatriot here in the United States. And they actually work with high schoolers and they have different teams of high schoolers who play in these capture the flag competitions of attack and defend and they’re always looking for mentors. So guess what? They’re not going to ask do you have a job in cybersecurity? They’re not going to ask what certifications you have or what degrees you have. If you want to volunteer and be part of the team and help mentor those folks, they will take you because every high school is trying to field a CyberPatriot team. And not every high school has a cybersecurity expert.

Kip Boyle:        

                  That’s great.

Jason Dion:      

                  So it’s a really easy way for you to get in and build the experience. And I could tell you when I see that on your resume, I know that you’re going out there and you’re doing attack and defend type things. You’re learning, you’re growing and you’re making use of that skillset. And that’s really going to help you in the job market. Yeah.

Kip Boyle:        

                  And I think the final thing I want to say about this is don’t confuse experience that you are paid for versus experience that you are volunteering for. I’ve had people say to me well, I don’t have experience and then I’ll unpack a little bit what’s going on. Turns out they have a ton of experience, but they thought they had to be paid in order for it to count. No, absolutely not. So don’t let that stop you.

Jason Dion:      

                  Yeah. I mean, I personally did some volunteering with my son’s Boy Scout troop and there is a cybersecurity badge. So you can go to the local Boy Scout troop and say hey, I would like to help your guys earn their cybersecurity merit badge. And you’ll go through and basically it’s like studying for a certification and you’ll help the Boy Scouts do that and you’ll get experience for working with them for the next two months or so to get that badge.

Kip Boyle:        

                  And the Girl Scouts have the same thing.

Jason Dion:      

                  Yep. And if you want to learn more about this, we do have an episode. It was actually the last episode, episode 58, which was how to get hired with no experience. And here’s where we actually interviewed one of my students, Ed, who got a job with no experience and he was able to work his way up through connections, through networking and things of that nature. And by doing some of these things we’re talking about. So it’s definitely a great listen. If you didn’t listen to the last week’s episode, I recommend you go back and check that out. Kip, our number four I’m going to give is that salary expectations have to be on par with reality. And I see a lot of people who have this expectation that they’re going to get their first cyber security job and they’re going to make $100,000 a year on day one. And that’s just not the reality for most people in most places here in the United States. What are your thoughts on salary expectations? How can people have a better realistic view on what they should expect to see?

Kip Boyle:        

                  Right. Yes. Well, first of all, you’re going to see a lot of crazy data being thrown around, especially by colleges, universities, boot camps, anybody who can make money by telling you that you can make a ton of money. So just first of all, bring some healthy skepticism to the party. Okay? Now, here’s the real challenge is that finding reliable salary data is extremely difficult. Salary data is going to vary based on geography, it’s going to vary based on the type of employer. So you could have the same job at two completely different organizations. Let’s say your job is cybersecurity analyst. All right? That job might pay $95,000 because it’s a mid-level job. And $95,000 might be say for a company that has some let’s say 700 employees or 1,000 or something like that. But that job at a much larger company that has 10,000 or 20,000 employees will probably pay more and that same job at a small organization with 100 people is probably going to pay less.

                        So what I always tell people is get clear on what kind of company and what industry you’d like to work in because industry matters too. If you go work in financial services, you’re going to get a different pay rate than if you work in the Department of Defense for a defense contractor or something like that. So just keep that in mind that you first have to be really, really clear on what industry, what size of employer. Okay. Then what you can do is you can go out to cyberseek.org. Big surprise. We mentioned that again. This is a really great website. If you go out to cyberseek.org, you can actually query their interactive map, which will give you all kinds of information about the types of jobs that have been offered over the past six months because Cyberseek is a backward looking data set.

                        So you’re not going to find jobs on there per se, but you’re going to see some trending information and you can then take that information and then you can pivot over to, for example, linkedin.com and their jobs function and then you can do some more research to find salary ranges. Episode 13 from a long time ago. I can’t believe we’re up to episode 59 now, but episode 13, I talk about how exactly to do that, how to get on cyberseek.org and find those salary ranges so that you can ground yourself.

Jason Dion:      

                  Yeah. And I think it’s really important to ground yourself here because I’m going to give you a quick story here, Kip, if you don’t mind.

Kip Boyle:        

                  Please.

Jason Dion:      

                  My first job as a college professor was actually at a community college up in Anne Arundel county at Anne Arundel Community College, which is up in Maryland. So in that college, we had a one year program where we got people their A+, their Network+, their Security+, their CCNA and a year of experience hands on in our lab. And then we would help place them into a job into three main companies. There were some in Northern Virginia, some in DC and then some in Anne Arundel county. Now depending on where those students took the job, the same job of being a cyber security analyst with the exact same experience, they came from having no experience to having four certs and a year of experience, they were getting hired between 40,000, 60,000 and $80,000 a year-

Kip Boyle:        

                  Wow.

Jason Dion:      

                  … for that first entry level job, which was awesome because they had no experience coming into this. Right? But this just shows you how there’s a huge difference just based on location alone. And based on if it was Northern Virginia, DC or Maryland, that made a difference. If they were in DC, they were making 70 to 80,000. If they were in Maryland, they were making 40 to 50,000. If they were down in Northern Virginia, it was 50 to 60,000. And it was really dependent on the company they went to and the location because DC was more expensive so they had to pay people more money. So it’s important to keep that in mind as well. If you’re going to work in Kansas or San Francisco, those are two vastly different salary ranges based on the cost of living in those areas.

Kip Boyle:        

                  Yeah.

Jason Dion:      

                  What’s our-

Kip Boyle:        

                  Well, I was going to say Jason, there’s one more wrinkle that I think we should mention for folks, which is because of the COVID pandemic and the quarantines, some companies are actually switching to workforces that are remote. Sometimes it’s all remote, sometimes there’s just large quantities of people who are remote and some people are still coming into the offices. And the kind of feedback that I’m getting on that is that some organizations are actually trying to do kind of like a salary arbitrage, right? So they’d say like well, if you come work in the San Francisco office, we’ll pay you $200,000 a year or you can stay in Kansas City and we’ll pay you $150,000 a year or $120,000 a year or whatever because they know that a $200,000 salary isn’t going to go very far in San Francisco, but it’s going to go really far in Kansas City and so they feel like that gives them permission to vary the salaries based on where the person is located at.

                        Now, I don’t even want to unpack the question about, is that ethical? Is it fair? Is it legal? Whatever. I’m not trying to kind of go there. I just want to point out that’s kind of a new thing that I’ve never seen before. In the past, remote jobs were pretty much salary that… It was all pretty much the same across the board, but I’ve just noticed that some employers are starting to vary that, so. Right. So that’s four down, one to go. You’re ready for the fifth one, Jason?

Jason Dion:      

                  Yeah. What do you have for number five?

Kip Boyle:        

                  So the fifth thing that you need to know before you get into cybersecurity is that there are more than just network penetration testing jobs. Big surprise. I don’t know if you knew that. If you’re listening to this episode right now and you’re like yeah, I want to be a pen tester because that was the movie that I watch or whatever, the television show that I watch and that’s kind of mostly what you’ve been exposed to, well, there’s way more jobs than that. And then by the way, Hollywood also kind of lies to us. Sometimes pen test jobs are like 95% sheer boredom and 5% sheer thrills, but that it doesn’t change that much percentage wise because there’s a lot of time you’re going to spend just bashing your head against a digital wall trying to figure out how to get in. And every now and then, you’ll find something nobody else has found before. It’s going to be super cool. But the point is is that there’s a lot of other jobs out there that you should be considering. Right Jason?

Jason Dion:      

                  Yeah, most definitely. Right? I mean, I get this all the time when people ask me, should they go to CySA+, which is cyber security analyst, which is what SOC analysts get versus PenTest+, which is pen testing. And pen testing is cool. It’s sexy. It’s what you see in the movies. It’s the guy behind the keyboard hacking in and doing all sorts of cool stuff, right?

Kip Boyle:        

                  With a hoodie.

Jason Dion:      

                  But the reality is there’s four times as many security defense jobs as a SOC analyst than there are as pen testers. So there’s a lot more jobs and job opportunity on the defense side than there are on the red team or the attack side. The other thing is if you’re working in some place, it’s a high emulation environment, for instance, you’re working for a red team for a bank or the government and you’re trying to emulate a Russian attacker or a Chinese attacker or whatever, some kind of high level APT, that is probably the most boring job as a pen tester because you’re sitting there and you’re doing 90 hours of research to get your attack just so lined up so you can press the button and it’ll be over in 30 seconds and they’ll never see you coming, right? That’s when you’re trying to be an advanced nation state type hacker or a pen tester at that level of doing adversary emulation. It is really boring because it’s so much research.

                        And then the other side, if you’re doing this for a commercial environment, most of the time you’re spending your time doing the report after the engagement. And so if you don’t like report writing and writing out all these long reports and presenting them to the audience, pen testing is not going to be for you. What are some good jobs outside of pen testing that you see, Kip?

Kip Boyle:        

                  Oh my gosh. Well, there are actually way too many for us to cover here but I’ll name a couple and then I’m going to point you to an episode that began a whole series of episodes that we did. But there are… Gosh, you could specialize in vulnerability management, for example, right? You could be somebody who goes out and scans systems looking for systems missing patches, systems that are not configured correctly. And that’s a hugely important job. There’s actually quite a bit of those types of jobs out there, a vulnerability analyst. And I try to encourage people who are just breaking into cyber security to get good at that job because not only are there a lot of those jobs out there, but that’s one of the few jobs that you can actually practice for really well in your home laboratory environment because you have everything you need.

                        The only thing that I think might be a little difficult to emulate is some kind of a like enterprise patch management solution or something like that. But you definitely have all the scanning tools. You can get virtual machines for all your scanning targets. You can learn how to analyze the reports. And as I said, there’s a lot of need for that. But anyway, that’s top of mind for me. Do you have one that’s top of mind for you?

Jason Dion:      

                  So one of my favorite is actually malware analyst. It’s a lot of fun. If you like to be a kind of a code geek, you can go in and reverse engineer code, you can look at the binaries. You’re trying to undo what the bad guy did to try to obfuscate the malware. And I just find that to be a lot of fun. And it’s one of those things that it takes a higher skillset. So there’s less people competing for those roles. And so if you can prove to me that you can do that because you’ve experienced working on something like the Metasploit project or something like that, doing some of that volunteering, that would be able to get you into the door pretty easily because there’s not nearly as much competition for those roles because it does require a lot of skill and a lot of programming background. So that’s another one.

Kip Boyle:        

                  Right.

Jason Dion:      

                  IT auditor is another one. I see a lot of people coming in from a management position or accounting background, they can move into an IT auditor background and they can work if you’re really good with checklist and procedures. That’s another good one inside of the way to kind of step your way into the role. And I know you mentioned the episode, it’s episode 31 and it’s called all the jobs in a large cybersecurity organization. This was about a 10 to 15 part series. This was the first one is the overview, it kind of lists out all the jobs. And then each episode after that goes into one of those jobs and does a deep dive into it so you know what’s required, what it’s like and what it’s like to be in that type of role on a daily basis.

Kip Boyle:        

                  Yeah. I think you should check that out. And we tried to make every episode in that series self-contained. There’s actually a place mat. Well, we call it a place mat, but it’s just sort of like an overview of the different services and the different teams in a typical large organization cybersecurity org and also in every one of those episodes, we invited a guest, somebody who has a significant amount of work experience in those areas that we reviewed. And so if you want to hear from a person who works in, for example, cybersecurity architecture, well, we have somebody in that episode who can tell you what it was actually like for them, how they got into it, how they got started, how did they move up in their career. So tons of value packed into each of the episodes in that series. So, okay. So those are the five things, right?

Jason Dion:      

                  Yeah. So those are the five things. So I’m just going to recap them again real quick. Number one, there are no real entry level cybersecurity jobs and you can look at episode 49 for that. We have number two, a cybersecurity bachelor’s or master’s degree will not guarantee that you’re going to land a job and no certification is really your golden ticket to employment. And this was in episode 55 or episode four. You can also go into tip number three, we were talking about you must have experience or no one is going to hire you, but you can’t get experience without getting hired. And that makes it a fun conundrum, right? Well, if you look at episode 55, you’ll see how one of our students did just that. They got hired without the experience.

Kip Boyle:        

                  58.

Jason Dion:      

                  And then we had… 58. Yes, 58. What did I say?

Kip Boyle:        

                  I think you said 55, but I wanted to make sure everybody knew it was really 58. Sorry.

Jason Dion:      

                  Episode 58, which was last week. And then number four, salary expectations. You need to understand, you’re not going to make 100,000 dollars a year on day one most likely and you need to make sure you’re pricing yourself right. Look at episode 13 for that. And then number five, there’s more than just pen testing roles and a lot of the jobs can be boring and even pen testing can be boring, but a lot of these jobs can be fun and it really is what you make of it. And that series began on episode 31 with a great overview. So that is our episode for this week. And if you like the show, we would really appreciate if you could jump on over to iTunes and leave a review. Reviews are really the best way to tell the podcast algorithm that you love the show and you want others to find out about it as well. So I’d really appreciate it if you could take a moment and just leave a quick review. Thanks.

Kip Boyle:        

                  We’ll see you next time.

Speaker 1:       

                  Thank you for listening to this week’s episode of Your Cyber Path. Don’t miss an episode, press the subscribe button now. If you would like to learn more about how to get your dream cyber security job, then be sure to visit yourcyberpath.com where you can access the show notes, search the archive of our top tips and tricks and discover some fantastic bonus content.

 

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!

YOUR CO-HOST:

Jason Dion
Dion Training Solutions

Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.