Risk
10/30/2013
07:49 PM
Mark Aiello
Commentary

Looking For A Security Job? You Don't Need To Be Bo Derek

7 tips to convince a hiring manager that you're a perfect fit.

After my last column, I received tons of great feedback (thanks, Mom) and lots of questions. There was a common, and somewhat Catch-22-like, theme: How does one find a security job without security experience? And how does one obtain security experience without a security job?

The cybersecurity industry is immature but growing rapidly. There's no standardization of job titles or classifications -- an "Information Security Analyst" and an "Information Security Engineer" might perform the same functions for two different companies. Is cybersecurity different from information security? There are as many opinions as there are ways to spell "cybersecurity" (or cyber-security or cyber security or Cyber-security).

So how do you obtain a security gig for which you're not a perfect "10"? Here are some tips for landing the job of your dreams even if you're more a Dudley Moore than a Bo Derek.

Tip 1: Read the job description closely. Now read it again, and ask yourself this question: "What does this company need someone to do?" Not, "What does it need someone to have?" Then decide whether or not you can do whatever "it" is. Now comes the difficult part: You have to prove it, in writing and in person (or over the telephone), and that requires getting a foot in the door. Draft your resumé and cover letter to focus on why you can do the job that's advertised. When you're not a Bo Derek, you really need to broadcast the other qualities you bring to the table -- you're a hard worker, ethical, you live close by, you have industry-specific knowledge or experience, perhaps you know someone who works at the company or an industry superstar who will provide a glowing reference, or maybe you can pass a background check that would make a proctologist blush.

Tip 2: Avoid human resources. HR professionals are expected to recruit a variety of skills and cannot possibly understand the details of what makes one person more qualified than another. Unfortunately, the majority of the time, it comes down to a keyword search match -- a game of concentration. It's extremely difficult to stand out from a pile of electronic submissions unless your experience (resumé) includes all or a majority of the keywords called for in the published job description. Don't waste time throwing your resumé into that black hole unless you're a Bo Derek.

Tip 3: Appeal directly to the hiring manager. Seems logical, but it's not always easy. Be a detective. Use LinkedIn, Twitter, Facebook and Google to find out who is the likely hiring manager and send her a note. Remember Tip 1 -- if you can do the job, you have to be able to prove it in writing. So do it. Write an email, make it brief (and grammatical, please). Explain in broad strokes why you are the one for the job. Ask for the opportunity to speak in person or on the phone for five minutes. Hone your "elevator pitch," because if you can convince someone in five minutes, you will earn another five, then 10, then an in-person interview, then a job offer.

Tip 4: Use a laser, not a shotgun. Have you seen the future? Well, I have, and in the future the weapon of choice is a laser. Scattershot approaches are out; if you want to succeed in your job search, become the laser. Block out distractions. Focus on what you want and why you're qualified. Select the opportunities that are of the most interest to you, and customize communications that will get you in the door. And when you fail (because you will fail) learn from it and refine your approach. Ask for feedback. Eventually you will succeed.

Tip 5: Live the dream. Don't just dream it. Become part of the cybersecurity community where you live. Join the local ISC2 chapter, ISACA, ISSA, InfraGard or your local Security Meetup Group. You will meet people, network, make friends, and learn about companies and opportunities. Motivational guru Harvey Mackay says, "All the technology in the world will never replace a positive attitude." Show this side of yourself and you will be amazed at the results. Some people will see the value in a positive attitude and the desire to break into an industry.

Tip 6: Ask and you might receive. Know how to get a date with a Bo Derek? Ask. What do most (all) people do when they look for a new job? They wait to be asked (read: look for a job posting). Don't waste your time. Use your new contacts in the industry to find a company where you want to work. Do your homework about its systems, culture and challenges, then target that org for an opportunity. Explain to a potential boss why you're someone he should get to know. There are plenty of job opportunities that are not advertised or that are not yet approved because the hiring manager is waiting for the right candidate or frankly too busy to begin the process. So make the first move. Remember Tip 1? Make the pitch that you're someone he should speak with. Remember, as Wayne Gretzky says, you miss 100% of the shots you don't take.

Tip 7: Say yes. If someone accepts that your experience is less than perfect and still offers you the opportunity to move in the direction you want to go, take it. Remember, the Bo Derek candidate does not exist, and neither does the perfect job. As long as you'll be learning, give it a shot. Take a risk. Obtain some experience. Absorb as much as you can from the opportunity while proving the company right for having taken a chance on you.

And if you're a hiring manager, remember what happened at the end of 10: Dudley Moore's character realizes that Bo Derek is actually not so perfect after all. She didn't have the right attitude. Consider giving a shot to someone with a desire to learn and a good outlook.

Comments
Greg MacSweeney,
User Rank: Apprentice
10/31/2013 | 3:18:34 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Great column. Although, 75% of millennials reading this article have no clue who Bo Derek is, (they are all googling her right now) LOL.

Tip #2 is a great point, although finding the hiring manager is sometimes extremely difficult.
Mark Aiello,
User Rank: Apprentice
10/31/2013 | 5:07:37 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Thanks Greg. Glad you liked it. I guess the Bo Derek reference shows my age. Maybe Hollywood will do a remake with Scarlett Johansson.

LinkedIn is a great resource for finding a hiring manager. Not perfect but 99% accurate. Go #RedSox
TerryB,
User Rank: Ninja
10/31/2013 | 5:38:13 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
I'm not sure you're doing anyone any favors here, Mark. Besides the unqualified guy who is hired to handle your computer security that is. If there is one place where you don't want someone learning on the job, it's security. Is there really an entry level job in security, except maybe reviewing IDS logs?
Mark Aiello,
User Rank: Apprentice
10/31/2013 | 5:50:15 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Hi Terry. Every experienced professional began their career without experience. I would not recommend hiring someone with no experience to lead your security group but I do recommend hiring a combination of knowledge and attitude. Knowledge does not always equal experience.

And yes, there are lots of "entry-level" jobs in security. What's wrong with accepting a job to review IDS logs? If you are good and have a good attitude, it will lead to other opportunities. Not everyone can start at the top.
Joe Stanganelli,
User Rank: Strategist
11/1/2013 | 2:29:46 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Tip 1 is apt...but too bad HR staffers and hiring managers often forget it themselves.
Joe Stanganelli,
User Rank: Strategist
11/1/2013 | 2:32:03 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
There are very very very very few jobs that can't be mostly learned on the job, even if you didn't go to school for it (including, if State Bars didn't mostly forbid it, mine -- attorney).

I'll take the dedicated quick study over the guy that looks good on paper any day.
Joe Stanganelli,
User Rank: Strategist
11/1/2013 | 2:33:57 AM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Of course, you may not be able to contact them if you're not in their network.

So perhaps the lesson is to use LinkedIn to find the hiring manager, then use Facebook or some other platform to touch base with them. (And even Facebook, now that it has introduced Graph Search, duplicates many LinkedIn search functions -- in some ways better than LinkedIn does.)
Mark Aiello,
User Rank: Apprentice
11/1/2013 | 1:39:05 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Hi Joe. "I'll take the dedicated quick study over the guy that looks good on paper any day." From your lips to the Hiring Manager's ears. I agree.

You are correct re: Tip 1. It is exactly why one must control their own message. It is important to figure out what needs to be done and then draft a response that explains why you are qualified. Lots of "job descriptions" are not descriptive. With many positions, individuals can use social media to locate who was employed in that role previously and see if it is possible to figure out what they did.
Becca Lipman,
User Rank: Apprentice
11/1/2013 | 3:17:14 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
Guilty of the Googling. As for tip #2, easier said than done. HR will come for you eventually.
TerryB,
User Rank: Ninja
11/1/2013 | 5:44:41 PM
re: Looking For A Security Job? You Don't Need To Be Bo Derek
You are obviously talking about big companies if you have a "security group". I would agree there is something they could do at entry level. I'm talking about bringing someone in to lock down your extranet site. You really want someone with a "good attitude" and no other track record doing that?
And Joe, while your premise that anyone can learn on job is theoretically true, some jobs you just can't make mistakes to learn from. I'm a developer, if I had a dime for every piece of code I ever wrote that didn't work the first time, I'd be buying Bill Gates' mansion. In security, you may learn something after someone hacks in and steals your credit card info but you won't be around to learn from it. At least not at that company.
And lawyers can afford to make mistakes to learn from, it's someone else that will pay price for that. You'll be on to next client, who knows nothing about your mistake. Little comparison to someone employed by a business for a career, like IT outside of consulting.