How to ask for career advice in cybersecurity
The right way to go about it.
The field is pretty crowded with “how to break into cybersecurity” comments, posts, courses, and even companies. But I still get quite a few questions toward this end, so I thought it made sense to put together my own thoughts on it.
Specifically, I am going to focus on the right way to request career advice (or related things) from others.
I have a standing offer to mentor veterans seeking to break into the field or technology space more generally (and have even developed a semi-automated workflow for it) and I wanted to add even more structure to the process. But this post applies more generally and I hope it will be useful to others out there.
So if you are trying to break into cybersecurity or advance your career, I have the following recommendations:
Pick a concrete area rather than just “cybersecurity”
This is especially a problem for military veterans who are used to being a “jack of all trades.” A conversation with someone you don’t know about a vague desire to have a job in cybersecurity is not likely to a) be productive or b) even happen.
Thus, I would strongly recommend you pick a specific career goal like:
Security Operations Center (SOC) analyst
Governance, Risk, and Compliance (GRC) expert
And while it’s good to aspire to be a Chief Information Security Officer (CISO), if you are reading this post then that is probably not a realistic first milestone for you.
If you don’t know what these things are, then find out (see next section!).
Use free resources
There is an incredible amount of free content out there to help you along your path. I won’t compile a list here, as many others have done so. But the only limit is your imagination. And if you are a veteran there is a dedicated community specifically for you.
Some paid courses are worth it. But if you are strapped for cash the well of free material will never run dry.
Show your value
There is a ton of work to be had on platforms like UpWork and Fiverr. It’s not especially glorious, but it will give you a place to start. And while making money is good, the key thing you will want to get is client testimonials and recommendations.
“Social proof” is incredibly important. If you are a go-getter with the approval of others, hiring you will seem like much less of a risk.
This leads me to my next point:
Have some sort of portfolio
Whenever people come to me for advice, I always ask to see their GitHub, blog, or personal web site.
Not many people have these things.
Because the monetary cost is usually zero or close to it, the only barrier to entry for having one of these is how hard you are willing to work. And you should be able to understand why that is something potential employers or mentors are interested in.
But I am just getting started! What should I write about?
Document your journey along the way. I am absolutely certain that by sharing your knowledge as your career advances, you will provide valuable insights to others.
Everyone will be better for it:
Those later in their careers will see how thoughtful, inquisitive, and dedicated you are. And they are more likely to hire you as a result.
Those earlier in their careers will be able to avoid some of the mistakes you have made and accelerate their development. You might even hire them one day!
Post on social media
Unless you are already active on Twitter, I would go to LinkedIn first as it is by nature a professional networking platform. You should:
Post snippets from your blog documenting your learnings.
Curate content from industry articles, white papers, and leaders in the space.
Make incisive comments or ask intelligent questions on other people’s posts (there is such a thing as a dumb question, so Google or ChatGPT it first if you have doubts).
Have a good LinkedIn profile
This is pretty key and it amazes me when people don’t. If I don’t understand what you do (or want to do), I am probably going to navigate away from your page very quickly.
Make clear these things in your profile:
What type of role (singular, not plural) you are seeking.
What experiences have equipped you for this new role.
Evidence supporting the above statement.
If for some reason you don’t have a personal web site, you should at least have your testimonials and recommendations here.
Pass obvious tests
If you ask me for career advice and I have never met you before, I will usually give you what I consider to be an obvious test. For example, I may ask you:
For feedback on something, like my vulnerability management course.
To challenge or correct something I have written in my blog.
Simply to complete this form to schedule a meeting.
You pass the test by doing what I asked; you fail by…not.
The lifetime pass rate for those making initial contact with me hovers around 10%. It amazes me that people are able to compose a message asking for something but then fail to complete even the most basic of follow-ups.
But the good news is that this is a feature rather than a bug of the way I handle mentorship. If someone has the determination to break into a career field, none of the above should pose any challenge whatsoever. If it is too difficult, then I don’t especially want to spend time mentoring that person as success is not likely.
And unlike hazing rituals, these exercises benefit each of the parties. They both get to learn something or better prepare for a potential live discussion.
Have clear questions if you end up speaking with someone
If someone gives you the time to share his experiences, then you should have a detailed series of topics that you want to discuss. A general “get to know you” chat is going to be of low value to both parties and you shouldn’t expect the counterparty to prepare in advance.
Better yet, send questions of your own ahead of time and make clear that you aren’t expecting written answers, but just want to guide the conversation.
Be professional during live conversations
This is simple stuff but I feel like people still need reminders to:
Research the person you are speaking with and the company (if appropriate).
Actually show up (no-showing or cancelling last minute without a true emergency is likely to be a permanent mark against you).
Be on time.
Don’t ask dumb questions (see above).
Take notes on action items.
Finally, if you make a request of the counterparty, or accept an offer from them to do something on your behalf, then it becomes doubly important that you take all necessary follow-on actions. I don’t personally think a “thank you” note is that important but it certainly wouldn’t hurt.
This is where you really need to focus:
Asking for a referral when applying for a job and the other person asks for your resume? Send it!
Want an introduction to someone else? Then you absolutely must follow through on the connection.
Since there remains a massive talent shortage in the security world, we need fresh blood in the industry. I take mentorship and training very seriously, and want to meet up-and-comers who have a lot to offer the profession. And serious people who want to advance their own careers will need more junior folks to take over their duties as they move up the ladder.
Make sure you are prepared and have exhausted all potential avenues before asking others for their time and energy, though. It will reflect well on you and increase your likelihood of success. If you approach mentorship as a way to build a mutually-beneficial relationship, you will have no problem getting the advice you need.