This article was originally posted on my Medium account. It has been reproduced here for your viewing pleasure.
How I made it into InfoSec
And why my journey is not yet over…
Prologue:
Before we get started, I should probably share a bit about me. I’m a 6' tall tech nerd in my early 20s, with a proclivity towards steak & cheese subs and penetration testing. I had 4 years of IT experience (at the time of this writing) and I’m an avid gamer, with Space Engineers being the game of choice at the time of this writing. I also am learning to DM for D&D and Pathfinder, a rewarding if frustrating prospect as of late.
Act 1: The Search
When I started my search for work in cybersecurity, I didn’t know where to start. I applied to anyone who had a position even remotely related to my skillset. Penetration Tester, SOC Analyst, Cybersecurity Analyst, you name it, I probably applied to it. Every single application either didn’t get a response, or received a generic rejection letter.
Truth be told, I wished I had received a rejection letter rather than nothing at all in most cases. Not getting that initial closure of ‘Hey the position is filled’ was the worst thing because in your mind you are holding out for any kind of response.
It was clear that my ‘spray and pray’ approach to finding work in the field I want wasn’t working. I didn’t have the recognition to be known by name, I didn’t have someone inside a company to help boost my application, and I didn’t have a referral.
Now, if you look at my LinkedIn Feed, you can tell I’m all about cybersecurity. I have a passion for the cybersecurity field and I’ve got the pentesting bug like most early professionals. My feed wasn’t always like this though. I was pretty quiet on LinkedIn, and I had anxiety when I wanted to work up the courage to start connecting to people. This however would soon change.
Act 2: The Grind
While I was busy leveling up my wisdom and intelligence stats in reference to penetration testing, I also started to study for my Security+. I made my first post about it, and received few likes but no responses. While I didn’t care too much, if at all, about the social standing amongst my peers, it did make me wonder if this was worth doing.
I started to dig into TryHackMe, a great pentesting platform for both beginners and experts alike. I started posting almost daily whenever I completed a room on TryHackMe. I was able to reach the top 1% in January and felt great. I wanted to share this with others. To this day, I still maintain a 1% ranking though I haven’t gone in in a while.
I started to share my achievements on LinkedIn. My courses, my LinkedIn Learnings (I do recommend these), and of course, my Security+. This was the first half of my success formula, though.
The other half was connecting to anyone who would give me the airtime to talk to them. I connected with students in cybersecurity, friends of friends, and companies.
I gave my LinkedIn profile a facelift, revised my summary, corrected my job history, and dug into the culture. I slowly was building up some momentum and starting to feel energized socially.
I had never felt this way before, having been an introvert for my entire life. I was not used to this feeling of acceptance and belonging that I felt.
First Miniboss: The Exam(s)
Act 3: Onwards and Upwards
What became the tipping point was my overwhelming success with the Security+. My face showed the lack of sleep, but the long sleepless nights and early mornings to study were well worth it. I was elated. I was on top of the world. I not only passed the exam, but I CRUSHED it. I completed the exam in less than an hour and scored within the top 9%, easily an A. Fired up by this, I set my sights on the next exam I wanted to add to my wall of certs.
That target was the AZ-900. I wanted to cover my cloud base, and for the price of FREE for attending two days of Microsoft-certified virtual training, I couldn’t say no. I completed this exam in about the same time and was happy to share.
Additionally, at the time of this writing, I now hold an eJPT and have set my sights on the eCPPT next and an OSCP next year.
Not a bad track record for someone who only finished high school. I sincerely think if I can do it, you can do it 100%.
Act 4: Approaching the Boss
After getting these certifications, I was suddenly contacted without warning by a company that I hadn’t heard of. The CISO (Chief Information Security Officer) of this company had reached out to me. Me! I was equal parts suspicious and elated. I was always warned that if something seems too good to be true, it probably is. Sound advice if I’ve ever heard it.
Throughout the process, I had interviews over Teams. In terms of the interview process, it was relatively easy. I felt confident, and the interview was more of a conversation than my previous experience of being interrogated by my last employer. I got some exciting feedback each time, and through iterative feedback and course correction, I was able to pass the interviews quite well.
I wish other companies I had interviewed with had that same interview style. Providing feedback to the applicant is infinitely valuable. It allows the applicant to tailor their responses to the company and the interviewer more thoroughly.
“You interviewed well, but I would recommend getting yourself a collared shirt for the panel interview.” — My interviewer, now current supervisor
Panel. Interview. To say that I thought crap had rocketed fanward was an understatement. I have never been good at public speaking, and now I had to speak with 2-∞ individuals in pursuit of a job that I still couldn’t believe was on the table.
I still didn’t have a collared shirt in my inventory or a carriage to take a commute down to the local armorer. I dead-sprinted to Ye Olde Second-Hande Shirt Shop (I didn’t have a carriage of my own yet) to acquire a dress tunic blessed with Charisma in preparation for the interview. With a quick iron and a shower, it was go time.
Equipped with my broken glasses held together with Pink Tape of Mending, my Charisma-blessed shirt, and my Brown Slacks of +2 Constitution, it was time to face the final foe in the battle for the job. This was the interview that would make or break my prospects and determine if I would reign victorious or run home with my tail between my legs and probably be found crying into a bowl of peanut butter ice cream.
The burning question, of course, was “Why me?”. How had I, someone who hadn’t had any (professional) experience in the industry, been given a shot at what appeared at the time to be a dream job?
The answer shocked me. Please note this is a synopsis of the conversations that had occurred up to that point and not a direct quote.
“The reason we picked you was because of the passion you show. Cybersecurity is your passion, and you display that. Talking to you, I can see that you have the chops to last here, and I think this company is the place you will succeed. We hope to see you grow, whether with the company or without, and hope to learn from you just as much as you learn from us.” — My supervisor’s manager.
Act 5: Bringing home the loot
Looking back on my success, I looked back at how far I’ve come. I passed two exams (now 3) and took the top 1% spot in an arena in which I initially thought I had no business. I was put through over six interviews in pursuit of this job, and I did all of this while working a 40-hour job overnight (plus overtime) and helping my roommates find work. I’ve always had to keep many plates spinning, and I had done so in perfect order this time. I finally had the job. I had done it.
I had won.
Epilogue
Let's go over a few of the things that kicked the snowball down the hill and allowed an avalanche of success to spring forth:
If I hadn’t stayed active on LinkedIn (or been social in general), I probably wouldn’t have received the invite, I wouldn’t have been on anyone’s radar, and I probably wouldn’t be working where I am now. Being active, making connections, and reaching past my comfort zone to start talking to people and speaking my mind will pay dividends. I sincerely think that my customer service training from many jobs now vastly contributed to my success.
Next thing, the interviews. Here are a few bullet points:
Appearance is important. Dress for the job you want, not the job you have. Comb your hair. Shave your face. Take care of yourself. Don’t do what I did and show up with a plain tee-shirt, especially if it's from one of your older employers. That wasn't good.
ASK QUESTIONS AT THE END! The last thing you want to do is say you don’t have any questions for the interviewer once they’ve asked you theirs. In my opinion, it gives off the air that you weren’t listening actively.
If you aren’t familiar with a concept, be honest with the interviewer. They can’t help you if you lie to them.
Finally, I will share the questions I asked at the end of the final interview. This is the last hurdle where you can royally screw yourself up, so pay attention:
First, I ask a question tailored to the interviewer. In my case, I was talking to the CTO and CIO, so I tailored my questions appropriately. I asked about the future of IT for the company in terms of security (since I was applying for a cybersecurity job). You will want to tailor this question to your industry. This is the ‘Future’ question.
Next, I asked a question as to how my role will help propel the company to succeed in Question 1. I could have asked a culture-fit question here but decided not to, as the culture fit interview had taken place well before this point.
The big question I asked at the end:
“Based on our conversation today and the feedback from the other interviewers I’ve spoken to, is there anything that is leaving you with hesitancy with hiring me for the position?”
Taken verbatim from the conversation, this is one of the scariest questions. It's a gamble, and it can fall flat pretty hard. In this case, you are asking for direct feedback from the interviewer about your performance and any shortcomings they may see. They will give you an answer, and it may not be the answer you want. This gives you one last chance to fight for the job and address any concerns they may have.
You should never be afraid of asking for feedback from the interviewers. They can’t provide you feedback if you don’t ask. To say I was scared was an understatement, but I powered through and reached for the stars. I got the job. I secured my future.
Final tip: Do not lie on your resume. You will be found out, whether that day or years into your employment. It isn’t worth it.
Connect with me, connect with others, make friends and start posting! You never know who will see your work. Good luck, fellow cyber adventurers. You will need it.
I originally wrote this article on LinkedIn on March 19th, 2021. It's now April 18th, 2022, at the time of this writing, and I’m still happily employed and can’t wait to see what we do next.
I love comments and feedback. Please tell me how this article made you feel and how it can be improved.