10/30/2013
07:49 PM
Mark Aiello
Commentary

Looking For A Security Job? You Don't Need To Be Bo Derek

7 tips to convince a hiring manager that you're a perfect fit.

After my last column, I received tons of great feedback (thanks, Mom) and lots of questions. There was a common, and somewhat Catch-22-like, theme: How does one find a security job without security experience? And how does one obtain security experience without a security job?

The cybersecurity industry is immature but growing rapidly. There's no standardization of job titles or classifications -- an "Information Security Analyst" and an "Information Security Engineer" might perform the same functions for two different companies. Is cybersecurity different from information security? There are as many opinions as there are ways to spell "cybersecurity" (or cyber-security or cyber security or Cyber-security).

So how do you obtain a security gig for which you're not a perfect "10"? Here are some tips for landing the job of your dreams even if you're more a Dudley Moore than a Bo Derek.

Tip 1: Read the job description closely. Now read it again, and ask yourself this question: "What does this company need someone to do?" Not, "What does it need someone to have?" Then decide whether or not you can do whatever "it" is. Now comes the difficult part: You have to prove it, in writing and in person (or over the telephone), and that requires getting a foot in the door. Draft your resumé and cover letter to focus on why you can do the job that's advertised. When you're not a Bo Derek, you really need to broadcast the other qualities you bring to the table -- you're a hard worker, ethical, you live close by, you have industry-specific knowledge or experience, perhaps you know someone who works at the company or an industry superstar who will provide a glowing reference, or maybe you can pass a background check that would make a proctologist blush.

Tip 2: Avoid human resources. HR professionals are expected to recruit a variety of skills and cannot possibly understand the details of what makes one person more qualified than another. Unfortunately, the majority of the time, it comes down to a keyword search match -- a game of concentration. It's extremely difficult to stand out from a pile of electronic submissions unless your experience (resumé) includes all or a majority of the keywords called for in the published job description. Don't waste time throwing your resumé into that black hole unless you're a Bo Derek.

Tip 3: Appeal directly to the hiring manager. Seems logical, but it's not always easy. Be a detective. Use LinkedIn, Twitter, Facebook and Google to find out who is the likely hiring manager and send her a note. Remember Tip 1 -- if you can do the job, you have to be able to prove it in writing. So do it. Write an email, make it brief (and grammatical, please). Explain in broad strokes why you are the one for the job. Ask for the opportunity to speak in person or on the phone for five minutes. Hone your "elevator pitch," because if you can convince someone in five minutes, you will earn another five, then 10, then an in-person interview, then a job offer.

Tip 4: Use a laser, not a shotgun. Have you seen the future? Well, I have, and in the future the weapon of choice is a laser. Scattershot approaches are out; if you want to succeed in your job search, become the laser. Block out distractions. Focus on what you want and why you're qualified. Select the opportunities that are of the most interest to you, and customize communications that will get you in the door. And when you fail (because you will fail) learn from it and refine your approach. Ask for feedback. Eventually you will succeed.

Tip 5: Live the dream. Don't just dream it. Become part of the cybersecurity community where you live. Join the local ISC2 chapter, ISACA, ISSA, InfraGard or your local Security Meetup Group. You will meet people, network, make friends, and learn about companies and opportunities. Motivational guru Harvey Mackay says, "All the technology in the world will never replace a positive attitude." Show this side of yourself and you will be amazed at the results. Some people will see the value in a positive attitude and the desire to break into an industry.

Tip 6: Ask and you might receive. Know how to get a date with a Bo Derek? Ask. What do most (all) people do when they look for a new job? They wait to be asked (read: look for a job posting). Don't waste your time. Use your new contacts in the industry to find a company where you want to work. Do your homework about its systems, culture and challenges, then target that org for an opportunity. Explain to a potential boss why you're someone he should get to know. There are plenty of job opportunities that are not advertised or that are not yet approved because the hiring manager is waiting for the right candidate or frankly too busy to begin the process. So make the first move. Remember Tip 1? Make the pitch that you're someone he should speak with. Remember, as Wayne Gretzky says, you miss 100% of the shots you don't take.

Tip 7: Say yes. If someone accepts that your experience is less than perfect and still offers you the opportunity to move in the direction you want to go, take it. Remember, the Bo Derek candidate does not exist, and neither does the perfect job. As long as you'll be learning, give it a shot. Take a risk. Obtain some experience. Absorb as much as you can from the opportunity while proving the company right for having taken a chance on you.

And if you're a hiring manager, remember what happened at the end of 10: Dudley Moore's character realizes that Bo Derek is actually not so perfect after all. She didn't have the right attitude. Consider giving a shot to someone with a desire to learn and a good outlook.

Comments
Mark Aiello,
User Rank: Apprentice
11/1/2013 | 1:39:05 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Hi Joe. "I'll take the dedicated quick study over the guy that looks good on paper any day." From your lips to the Hiring Manager's ears. I agree.

You are correct re: Tip 1. It is exactly why one must control their own message. It is important to figure out what needs to be done and then draft a response that explains why you are qualified. Lots of "job descriptions" are not descriptive. With many positions, individuals can use social media to locate who was employed in that role previously and see if it is possible to figure out what they did.
Joe Stanganelli,
User Rank: Apprentice
11/1/2013 | 2:33:57 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Of course, you may not be able to contact them if you're not in their network.

So perhaps the lesson is to use LinkedIn to find the hiring manager, then use Facebook or some other platform to touch base with them. (And even Facebook, now that it has introduced Graph Search, duplicates many LinkedIn search functions -- in some ways better than LinkedIn does.)
Joe Stanganelli,
User Rank: Apprentice
11/1/2013 | 2:32:03 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
There are very very very very few jobs that can't be mostly learned on the job, even if you didn't go to school for it (including, if State Bars didn't mostly forbid it, mine -- attorney).

I'll take the dedicated quick study over the guy that looks good on paper any day.
Joe Stanganelli,
User Rank: Apprentice
11/1/2013 | 2:29:46 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Tip 1 is apt...but too bad HR staffers and hiring managers often forget it themselves.
Mark Aiello,
User Rank: Apprentice
10/31/2013 | 5:50:15 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Hi Terry. Every experienced professional began their career without experience. I would not recommend hiring someone with no experience to lead your security group but I do recommend hiring a combination of knowledge and attitude. Knowledge does not always equal experience.

And yes, there are lots of "entry-level" jobs in security. What's wrong with accepting a job to review IDS logs? If you are good and have a good attitude, it will lead to other opportunities. Not everyone can start at the top.
TerryB,
User Rank: Ninja
10/31/2013 | 5:38:13 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
I'm not sure you're doing anyone any favors here, Mark. Besides the unqualified guy who is hired to handle your computer security that is. If there is one place where you don't want someone learning on the job, it's security. Is there really an entry-level job in security, except maybe reviewing IDS logs?
Mark Aiello,
User Rank: Apprentice
10/31/2013 | 5:07:37 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Thanks Greg. Glad you liked it. I guess the Bo Derek reference shows my age. Maybe Hollywood will do a remake with Scarlett Johansson.

LinkedIn is a great resource for finding a hiring manager. Not perfect but 99% accurate. Go #RedSox
Greg MacSweeney,
User Rank: Apprentice
10/31/2013 | 3:18:34 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Great column. Although, 75% of millennials reading this article have no clue who Bo Derek is, (they are all googling her right now) LOL.

Tip #2 is a great point, although finding the hiring manager is sometimes extremely difficult.