Practical guide to landing your first CyberSec job as a fresh grad



My plan to land my first cybersecurity job was a promising one, I just had to acquire cybersecurity skills and apply to my favourite company to get hired. It wasn't until I applied to all top companies in earth, moon & mars that I realized even getting shortlisted for an interview can be a daunting task.

This was back in January 2017, I was at complete rock bottom, had 0 offers in hand and knew nothing about job hunting. Fast forward 8 months later, I had at least 7 job offers in hand and was starting my career with a Big 4 auditing firm, but most importantly I had learnt the methods & principles required for a victorious job hunt. Till this day I still use them to land myself interview opportunities with top companies such as Facebook, Microsoft, Amazon, HackerOne etc.

Students come from different backgrounds and it is very difficult to generalize a job-hunting approach for all but to cover the majority of the strategies I would consider the approach from the perspective of a worst-case scenario (Candidate who can't get opportunities in cybersecurity through college placements and knows zero people in the industry who can give a reference).

The approach


Decide the area of work & gain skills

Going for a job hunt only makes sense if you have acquired sufficient skills required for your desired role. You should do enough research about the types of roles you want to apply and the requirements they have before starting your job hunt process.

Most of the entry-level cybersecurity roles would require you to have a general cybersecurity & computer science knowledge. Here's what a role looks like from Linked job search if I put the filters "Cyber Security Engineer | Experience: Entry Level"


Although it is not mandatory, It will be a very good decision if you select a specialized domain you want to pursue within cybersecurity early on, that way you can start building your profile around that area and it will be easier for you to make career decision once you move ahead from the trainee role. Some of the common domains are mentioned here.


Decide the type of companies you want to work for

In general, there are two types of companies, Consulting (Deloitte, EY, PwC) & Product based (Unilever, Boeing, Sony). In consulting firms, you will typically work on short term projects and get numerous opportunities to do a variety of work. Whereas in product-based firms you will be working on securing a single or handful of products, which will enable you to specialize in one single domain and increase your depth of knowledge. (This is how things work in general but don't be surprised if you experience something different)

With this you should also decide if you would like working with startups & mid-size firms or large scale companies, the interview & job application process at both these places is slightly different (We'll cover more later). No category of companies is good or bad, the deciding factor should be the choice of work, which is personal to you.

Gain experience if you can

The goodness in internships is that the requirements are not that demanding and it's pretty easy to get one (unless applying at top companies), you just need to be aware of the opportunities floating around and apply at the right times.

This filter on LinkedIn jobs would be the bare minimum you can do to look for opportunities. Just keep that Job Alerts button turned on.


Prepare your resume

At the beginning of my career, I had the most visually appealing resume you would've ever seen, so good that it would put designers to shame, It was one of those enhancv/resumebuild.com resumes with pie charts, bar graphs etc. Guess how many jobs it landed me? . . . Zero.

There were 2 major reasons why that resume didn't perform well:

Content:

The same way painting your Toyota bright red won't make it Ferrari, using great looking templates won't make your resume top-notch (*Unless applying for a design role). Content is the king and it will be the deciding factor for getting an interview opportunity or not. The wrong way to approach resume creation is to download a template and fill it with your details; the correct way is to decide the content you want to put in your resume and select a template which is the best match for that.

To understand the basics of resume creation here's a good resource Create Your Resume for Google: Tips and Advice and if you are ready to put additional effort you should definitely read The Google Résumé.

To get you started, here are the key takeaways from these resources that will make your resume top notch.

#1  Focus on impact
Not all activities you did within cybersec is worthy of putting in your resume; when describing a task or project, always focus on the impact you had. How does "I am an active bug bounty hunter" sounds vs "As a bug bounty hunter I identified high severity IDOR issue leaking PII information of over 1 million user base".

#2  Use action words
If you haven't heard about them before you should definitely check this out. But in a nutshell, action words demonstrate your strengths, highlights & puts a focus on the impact. Achieved, Implemented, Collaborated are few examples of action verbs.

#3  Customize resume based on the job description (Previously linked Google resume tips video describes more about this)

#4  Describe with metrics & facts
You might have the best web app sec skills on the planet and just write "Has good knowledge about OWASP Top 10" on your resume. Meanwhile, on the other hand, the candidate who just started learning web apps yesterday will also write something similar.

What differentiates your skills from others? what reason did you give recruiter to choose your profile for an interview over the others?

Your skill set should be quantifiable which will give a realistic idea about where you stand, for instance, I have this bullet point on my resume "Accomplished rank 32 in comparison to 400+ participants in Facebook CTF by completing web app security challenges". This isn't the best accomplishment in the world but draws a realistic picture of where my skill set lies when compared with others. (If you had instances where you performed amazingly well you should definitely put them in, but if you don't have then it won't hurt to put your above-average performances)

You will be surprised to know that employers are generous enough to understand that the skill set of a fresh grad can't be compared with an experienced professional and would consider above-average performance as a good sign. (Tip: Wherever possible you should use the formula Accomplished [X] in comparison to [Y] by doing [Z] to describe the activities you did; that way you can make the activity measurable)

Additional Note: If your career profile has some weak points like tier 3 college, no internships, non-cybersec degree etc you should focus more on the accomplishments, they can definitely fill the gaps. Few ideas of accomplishments you can gain are: Participate in a CTF, do a certification, present in reputed conferences, write a research paper, do bug bounties, contribute to open source cybersecurity projects, build something etc.

ATS Compatibility:

If you haven't heard about ATS before and were having a hard time deciding the best graphical template for your resume, let me make it easier for you, during initial screening your recruiter won't even see your resume template.

Once you apply on a career portal, what happens in the background is that your resume is processed by an Applicant Tracking System which extracts the contents out of your resume, scores it (on a scale 1-100), and displays it in a nice dashboard.

Here's what your application looks like in WorkDay ATS. (Notice content from the resume is populated in the dashboard?).

Note: Images are of low quality because I cropped them from a product demo video, I'll try to replace them once I find better ones.

Another aspect is the scoring mechanism, all candidate resumes will show up as a sorted list (high to low score) and a recruiter will only screen the resumes on first few pages, if you score higher you have better chances of getting screened (Ever wondered why your application at Google never got reviewed?)

Now your hacker mindset must be making you think about the exploit.py, how to score higher? let me tell you whatever ideas you have in mind will mostly be valid (Using the same keywords as job description, Keyword frequency etc) but don't get too caught up with this; resume screening is a very minor step in the interview process and you will eventually have to interact with real humans.

Scored & sorted resumes in WorkDay

Finally, a word of caution, visually impressive resume templates typically don't perform well with ATS, to show you a real example I just picked up an email template from Google page #1 Resume Builder and scanned it with another page one ATS, the results tell us that the ATS failed to parse the resume properly.


Because of this exact same problem, I've completely ditched visual email templates, all I use is a plain word doc with a couple of subheadings, bullet points, white background and black font, it does not look as bad as you might think and gets parsed very well, for the below example I landed the interview by only applying through career portal (no referrals). I won't call myself lucky to get shortlisted out of a couple thousand candidates, I did spend all that time learning about ATS :)


Tip: A resume customized for a specific job description will appear more relevant to the recruiter and will also score higher within ATS.

To summarize, You should know common pitfalls of graphical resume templates and try to strike a perfect balance between making your resume human-readable and ATS parsable. Once you have your resume prepared, you should try it against a couple of freely available ATS tools to see if it's parsable.

Start applying (Job hunting strategies)

#1  Applying via career portal:
This is the most obvious way to apply for a job, the things to note here are that the success rate of getting shortlisted by applying on career portal of a large scale firm is very low and you need to care about the ATS compatibility & score.

In comparison to this, the success rate of getting shortlisted by small & mid-sized firms is pretty high (if you meet the job criteria) and you don't have to care much about ATS; since the volume of resumes they receive is low, they would typically review all resumes manually.

Also, wherever you apply be ready to get ghosted; some companies might not send you a rejection email at all. If you don't hear back within a month or so consider it a dead lead.

#2  Conferences & Career Fairs
I never knew how amazing CyberSec conferences can be for getting job opportunities until I attended one. First of all, there will be plenty of companies which will have a trade booth where you can walk up to and discuss career opportunities. I had an experience where a company was running a small CTF challenge, I performed well in it and later on discussed career opportunities, it went well I got an interview. Don't believe me? here's POC.png 


Secondly, the open culture in these conferences will provide you with opportunities to interact with other people, you can make very good professional connections who can refer you to very good companies if you play your cards right (Does my FireEye referral sound impressive enough, to make you believe in this strategy?).

#3  LinkedIn Spam:
Remember how I told you to customize your resume for every job role? this method breaks all the rules we had set earlier, during my job hunt I was asking every cybersec professional out there for opportunities and was applying on all the job postings on LinkedIn. What I discovered was that the success rate of this approach is extremely low and it's not worth it. At one point of time, I had applied literally to hundreds of open positions and my inbox was so flooded with rejection emails that I mistakenly ignored the one's which wanted to proceed with my application, thinking it's another rejection email. :facepalm:


With that being said it does not mean that this approach doesn't work, it's just that the approach is very aggressive & less productive. It's better to stick to the other strategies which convert well.

#4  Applying via relevant job posts on LinkedIn:
This is probably the most productive approach amongst all, the strategy is to search for specific keywords on LinkedIn and find relevant entry-level roles.

The search for the keyword "we are hiring cybersecurity graduate" leads me to the following post, these posts are usually created by hiring managers or recruiters and typically don't gain a lot of popularity. You will have to compete with another 15-30 candidates who also noticed the same post; which is a lot better than competing with a couple thousand on a job portal.


Ever felt left out thinking about the fact that you know 0 people in the industry who can refer you to a company? well, use the same strategy to get referrals. All you need to do is convince someone ready to refer, that you have the matching skills for the role.

It worked well for me once I had already gained some experience but it's doable even without having any experience (great achievements in CyberSec can fill the gap).

Note: You should definitely be qualified (or overqualified) when you ask a complete stranger to do you a favour and give you a referral.



Alice in the wonderland :)


#5  Passive Job Hunting
This might sound counter-intuitive, but if you can build a good career profile you might not need to apply at all. All you need to do is put your accomplishments on LinkedIn, mention in the Title/Profile Pic/Job Preferences that you are open for work and stay a little active on LinkedIn.

At least that's how I managed to get most of the interview opportunities, and a chance to work with the best manager ever :)


Prepare for the interview

Typically the majority of companies have a technical cybersecurity round and a behavioural round  (With exception to top tech firms, I explained their interview process here in detail)

You can check out this compilation of interview questions to prepare for the technical round; you will probably get asked similar questions. And for the behavioural rounds, you will be evaluated based on your ability to work as a team, eagerness to learn new things & ability to resolve conflicts, you can check out this resource to get an idea about these kinds of interviews.

Evaluate & accept the offer

While evaluating an offer you should always check Glassdoor for a rough estimate about the median salary for your role in that specific area, if your offer is at the lower end of the range you can definitely negotiate. Also if you are in a situation where you have multiple offers from an almost similar type of companies your decision should be based on how compassionate your hiring manager is. Starting your career with an amazing manager will help you unlock great opportunities.

Doing the job


Finally, remember the key to success is grit and taking accountability of your own actions, you possess all the strength you need to make your own future. All the best with your job hunt :)

Amit Sangra

Author & Editor

Amit is a Security Engineer acknowledged by Google, Apple, Microsoft, eBay, Intel and other top companies for reporting security issues in their web services.

1 comments:

 
biz.