Plenty of career changers pivot toward cybersecurity with great ambitions. They have goals to quickly become managers, then executives, then CISOs. Maybe they seek to become world-class penetration testers or forensic investigators. The ambition is laudable. However, these goals are dependent on landing that—often elusive—first cybersecurity job.
The endeavor is a spin on the classic question, “How do you get a job without experience and how do you get experience without a job?” The short answer is that you just need to get your foot in the door somewhere. You don’t need to find your dream job. You need to find a job that allows you to gain real-world experience. You can leverage that experience to pursue roles—internally or externally—which support your longer-term career goals.
Large Organization, Less Sexy Role
Big companies with large cybersecurity teams have a lot of specialized roles. Some of those roles sound really exciting and thus get a lot of applicants. Roles like Red Team penetration testers are highly sought after. Other roles, like Third-Party Cyber Risk Analyst, don’t naturally draw the same volume of applicants. Those less pursued roles can be your entry point.
If you find a cyber role that is perhaps a bit less technical or operational, you can get your foot in the door. Generally, you’ll be eligible to apply for other roles internally after 12 months. In that time you can further develop your knowledge and skills. You can complete additional training and certifications. You can develop your internal network and your understanding of the organization’s cybersecurity processes.
If you do it right, when new, more exciting positions become available, you’ll be an attractive candidate. External candidates always come with an element of risk. Hiring managers are judging them based on their resume and a handful of interviews. As an internal candidate, who has effectively proven herself or himself, you remove many of the unknowns. Thus you can backdoor your way into some really exciting roles in large organizations by going after the less attractive roles first.
Small Organization, Less Pay
There are plenty of small organizations that are struggling to recruit for cybersecurity roles. These companies are not household names with multimillion-dollar cybersecurity budgets. They are often small- to medium-sized enterprises (SMEs). They may not be able to compete with large corporations in terms of compensation, but they can offer a wide breadth of cybersecurity experience.
Rather than siloing you in well-defined teams, SMEs allow you to gain experience across cybersecurity domains. Organizations with smaller cybersecurity teams and budgets need their people to do more with less. Those people need to be clever generalists with a curiosity that spans multiple domains.
Work a couple of years in an SME and you’ll pick up a range of experiences and skills, which will make you an attractive job candidate. You’ll be able to pivot to more specialized roles in well-funded organizations.
Find the Low Hanging Fruit
It’s natural to want to obtain the most exciting cybersecurity job right out of the gate. It’s great if you can accomplish that for your first cybersecurity job. It’s tough though… especially for career changers. It’s okay to go after the low hanging fruit. Get a cybersecurity job that’s less sought after in order to get your foot in the door.
Once you have the first cybersecurity job, continue to self-educate, gain valuable experience, then pivot to a cybersecurity role that better satisfies your ambitions. As cybersecurity demand continues to grow, more organizations will seek experienced cybersecurity professionals in the coming years. Get some experience and you’ll find yourself in demand.