After my last column, I received tons of great feedback (thanks, Mom) and lots of questions. There was a common, and somewhat Catch-22-like, theme: How does one find a security job without security experience? And how does one obtain security experience without a security job?
The cybersecurity industry is immature but growing rapidly. There's no standardization of job titles or classifications -- an "Information Security Analyst" and an "Information Security Engineer" might perform the same functions for two different companies. Is cybersecurity different from information security? There are as many opinions as there are ways to spell "cybersecurity" (or cyber-security or cyber security or Cyber-security).
Tip 1: Read the job description closely. Now read it again, and ask yourself this question: "What does this company need someone to do?" Not, "What does it need someone to have?" Then decide whether or not you can do whatever "it" is. Now comes the difficult part: You have to prove it, in writing and in person (or over the telephone), and that requires getting a foot in the door. Draft your resumé and cover letter to focus on why you can do the job that's advertised. When you're not a Bo Derek, you really need to broadcast the other qualities you bring to the table -- you're a hard worker, ethical, you live close by, you have industry-specific knowledge or experience, perhaps you know someone who works at the company or an industry superstar who will provide a glowing reference, or maybe you can pass a background check that would make a proctologist blush.
Tip 2: Avoid human resources. HR professionals are expected to recruit a variety of skills and cannot possibly understand the details of what makes one person more qualified than another. Unfortunately, the majority of the time, it comes down to a keyword search match -- a game of concentration. It's extremely difficult to stand out from a pile of electronic submissions unless your experience (resumé) includes all or a majority of the keywords called for in the published job description. Don't waste time throwing your resumé into that black hole unless you're a Bo Derek.
Tip 3: Appeal directly to the hiring manager. Seems logical, but it's not always easy. Be a detective. Use LinkedIn, Twitter, Facebook and Google to find out who is the likely hiring manager and send her a note. Remember Tip 1 -- if you can do the job, you have to be able to prove it in writing. So do it. Write an email, make it brief (and grammatical, please). Explain in broad strokes why you are the one for the job. Ask for the opportunity to speak in person or on the phone for five minutes. Hone your "elevator pitch," because if you can convince someone in five minutes, you will earn another five, then 10, then an in-person interview, then a job offer.
Tip 4: Use a laser, not a shotgun: Have you seen the future? Well, I have, and in the future the weapon of choice is a laser. Scattershot approaches are out; if you want to succeed in your job search, become the laser. Block out distractions. Focus on what you want and why you're qualified. Select the opportunities that are of the most interest to you, and customize communications that will get you in the door. And when you fail (because you will fail) learn from it and refine your approach. Ask for feedback. Eventually you will succeed.
Tip 5: Live the dream. Don't just dream it. Become part of the cybersecurity community where you live. Join the local ISC2 chapter, ISACA, ISSA, InfraGard or your local Security Meetup Group. You will meet people, network, make friends, and learn about companies and opportunities. Motivational guru Harvey Mackay says, "All the technology in the world will never replace a positive attitude." Show this side of yourself and you will be amazed at the results. Some people will see the value in a positive attitude and the desire to break into an industry.
Tip 6: Ask and you might receive. Know how to get a date with a Bo Derek? Ask. What do most (all) people do when they look for a new job? They wait to be asked (read: look for a job posting). Don't waste your time. Use your new contacts in the industry to find a company where you want to work. Do your homework about its systems, culture and challenges, then target that org for an opportunity. Explain to a potential boss why you're someone he should get to know. There are plenty of job opportunities that are not advertised or that are not yet approved because the hiring manager is waiting for the right candidate or frankly too busy to begin the process. So make the first move. Remember Tip 1? Make the pitch that you're someone he should speak with. Remember, as Wayne Gretzky says, you miss 100% of the shots you don't take.
Tip 7: Say yes. If someone accepts that your experience is less than perfect and still offers you the opportunity to move in the direction you want to go, take it. Remember, the Bo Derek candidate does not exist, and neither does the perfect job. As long as you'll be learning, give it a shot. Take a risk. Obtain some experience. Absorb as much as you can from the opportunity while proving the company right for having taken a chance on you.
And if you're a hiring manager, remember what happened at the end of 10: Dudley Moore's character realizes that Bo Derek is actually not so perfect after all. She didn't have the right attitude. Consider giving a shot to someone with a desire to learn and a good outlook.