Risk
10/30/2013
07:49 PM
Mark Aiello
Mark Aiello
Commentary
100%
0%

Looking For A Security Job? You Don't Need To Be Bo Derek

7 tips to convince a hiring manager that you're a perfect fit.

After my last column, I received tons of great feedback (thanks, Mom) and lots of questions. There was a common, and somewhat Catch-22-like, theme: How does one find a security job without security experience? And how does one obtain security experience without a security job?

The cybersecurity industry is immature but growing rapidly. There's no standardization of job titles or classifications -- an "Information Security Analyst" and an "Information Security Engineer" might perform the same functions for two different companies. Is cybersecurity different from information security? There are as many opinions as there are ways to spell "cybersecurity" (or cyber-security or cyber security or Cyber-security).

So how do you obtain a security gig for which you're not a perfect "10"? Here are some tips for landing the job of your dreams even if you're more a Dudley Moore than a Bo Derek.

Tip 1: Read the job description closely. Now read it again, and ask yourself this question: "What does this company need someone to do?" Not, "What does it need someone to have?" Then decide whether or not you can do whatever "it" is. Now comes the difficult part: You have to prove it, in writing and in person (or over the telephone), and that requires getting a foot in the door. Draft your resumé and cover letter to focus on why you can do the job that's advertised. When you're not a Bo Derek, you really need to broadcast the other qualities you bring to the table -- you're a hard worker, ethical, you live close by, you have industry-specific knowledge or experience, perhaps you know someone who works at the company or an industry superstar who will provide a glowing reference, or maybe you can pass a background check that would make a proctologist blush.

Tip 2: Avoid human resources. HR professionals are expected to recruit a variety of skills and cannot possibly understand the details of what makes one person more qualified than another. Unfortunately, the majority of the time, it comes down to a keyword search match -- a game of concentration. It's extremely difficult to stand out from a pile of electronic submissions unless your experience (resumé) includes all or a majority of the keywords called for in the published job description. Don't waste time throwing your resumé into that black hole unless you're a Bo Derek.

Tip 3: Appeal directly to the hiring manager. Seems logical, but it's not always easy. Be a detective. Use LinkedIn, Twitter, Facebook and Google to find out who is the likely hiring manager and send her a note. Remember Tip 1 -- if you can do the job, you have to be able to prove it in writing. So do it. Write an email, make it brief (and grammatical, please). Explain in broad strokes why you are the one for the job. Ask for the opportunity to speak in person or on the phone for five minutes. Hone your "elevator pitch," because if you can convince someone in five minutes, you will earn another five, then 10, then an in-person interview, then a job offer.

Tip 4: Use a laser, not a shotgun: Have you seen the future? Well, I have, and in the future the weapon of choice is a laser. Scattershot approaches are out; if you want to succeed in your job search, become the laser. Block out distractions. Focus on what you want and why you're qualified. Select the opportunities that are of the most interest to you, and customize communications that will get you in the door. And when you fail (because you will fail) learn from it and refine your approach. Ask for feedback. Eventually you will succeed.

Tip 5: Live the dream. Don't just dream it. Become part of the cybersecurity community where you live. Join the local ISC2 chapter, ISACA, ISSA, InfraGard or your local Security Meetup Group. You will meet people, network, make friends, and learn about companies and opportunities. Motivational guru Harvey Mackay says, "All the technology in the world will never replace a positive attitude." Show this side of yourself and you will be amazed at the results. Some people will see the value in a positive attitude and the desire to break into an industry.

Tip 6: Ask and you might receive. Know how to get a date with a Bo Derek? Ask. What do most (all) people do when they look for a new job? They wait to be asked (read: look for a job posting). Don't waste your time. Use your new contacts in the industry to find a company where you want to work. Do your homework about its systems, culture and challenges, then target that org for an opportunity. Explain to a potential boss why you're someone he should get to know. There are plenty of job opportunities that are not advertised or that are not yet approved because the hiring manager is waiting for the right candidate or frankly too busy to begin the process. So make the first move. Remember Tip 1? Make the pitch that you're someone he should speak with. Remember, as Wayne Gretzky says, you miss 100% of the shots you don't take.

Tip 7: Say yes. If someone accepts that your experience is less than perfect and still offers you the opportunity to move in the direction you want to go, take it. Remember, the Bo Derek candidate does not exist, and neither does the perfect job. As long as you'll be learning, give it a shot. Take a risk. Obtain some experience. Absorb as much as you can from the opportunity while proving the company right for having taken a chance on you.

And if you're a hiring manager, remember what happened at the end of 10: Dudley Moore's character realizes that Bo Derek is actually not so perfect after all. She didn't have the right attitude. Consider giving a shot to someone with a desire to learn and a good outlook.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
Mark Aiello
50%
50%
Mark Aiello,
User Rank: Apprentice
11/5/2013 | 12:58:03 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Great and Good luck.
Also, let's connect through LinkedIn. Send me an invite at mark.aiello@cyber360solutions.com and I will accept. Maybe I will be able to help sometime in the future.
mak63
50%
50%
mak63,
User Rank: Apprentice
11/5/2013 | 12:34:41 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
I know exactly what you mean! But the way, thanks for the websites on Tip 5. Worth to check it out. There's a non-profit near by where I'm gonna follow Tip 6, and make the first move.
No, I won't wear a blonde wig. ;)
Mark Aiello
50%
50%
Mark Aiello,
User Rank: Apprentice
11/4/2013 | 9:12:39 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
True. But at least you will have a good head start.
Mark Aiello
50%
50%
Mark Aiello,
User Rank: Apprentice
11/4/2013 | 9:10:36 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Hi Marcello. You caught me. I never even gave Brad Pitt consideration. Once I had the vision of Scarlett, I couldn't think of much else.
mak63
50%
50%
mak63,
User Rank: Apprentice
11/4/2013 | 8:48:09 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
A remake with Scarlett Johansson? We can only dream...

You know, I remember Bo Derek very vividly, but I can't recall anything about the movie.

Also, why not mention someone like Brad Pitt as well for the female hiring managers?
Mark Aiello
50%
50%
Mark Aiello,
User Rank: Apprentice
11/4/2013 | 12:01:28 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Hi Kelly. That is a pet peeve of mine. Like "capable of working independently or as a part of a team". LinkedIn is a great resource. There is an incredible amount of information available if you are willing to do a little digging.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Strategist
11/3/2013 | 6:10:33 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Additionally, many hiring managers simply want someone who can do the job -- but HR then pressures them into or imposes upon them arbitrary "qualifications". E.g., 5 years doing blah-blah (particularly laughable when said technology has only existed for, say, 6 years).
Kelly22
50%
50%
Kelly22,
User Rank: Apprentice
11/1/2013 | 8:41:43 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
I completely agree with your point on job descriptions, Mark. Pretty much anyone can be a "team player" or "multi-tasker," and perform administrative tasks, which many job descriptions ask for. When it came to positions like those, I personally liked using LinkedIn because users often post their job duties and give a genuine idea of what they did.
TerryB
50%
50%
TerryB,
User Rank: Ninja
11/1/2013 | 5:44:41 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
You are obviously talking about big companies if you have a "security group". I would agree there is something they could do at entry level. I'm talking about bringing someone in to lock down your extranet site. You really want someone with a "good attitude" and no other track record doing that?
And Joe, while your premise that anyone can learn on job is theoretically true, some jobs you just can't make mistakes to learn from. I'm a developer, if I had a dime for every piece of code I ever wrote that didn't work the first time, I'd be buying Bill Gates mansion. In security, you may learn something after someone hacks in and steals your credit card info but you won't be around to learn from it. At least not at that company.
And lawyers can afford to make mistakes to learn from, it's someone else that will pay price for that. You'll be on to next client, who know nothing about your mistake. Little comparison to someone employed by a business for a career, like IT outside of consulting.
Becca Lipman
50%
50%
Becca Lipman,
User Rank: Apprentice
11/1/2013 | 3:17:14 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Guilty of the Googling. As for tip #2, easier said than done. HR will come for you eventually.
Page 1 / 2   >   >>
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?