So I just posted a number of #entrylevel #infosecjobs. My point isn't that I don't think people can search these out themselves.

Instead, I'm trying to highlight jobs where the candidate pool will likely be entry level folks but the job description is poorly worded such that many will self-exclude.

Be brave, fuck the requirements section. If it sounds like a job you think you can do:

1. Tailor your resume. Don't lie but definitely highlight the correct relevant experience, skills, and/or knowledge you have.

2. Think about it like an elevator pitch. You have mere moments and few words to tell them why they NEED to hire you.

3. If you need someone to kick your #ImposterSyndrome in the ass, let me know.

@alyssam_infosec Thank you sooo much for doing this! Although the jobs aren't in my area, I know it'll help out a lot of folks starting out.

I'm a hiring manager at a large US bank. Very often my peers post the job template given to us by HR. Very often the requirements don't necessarily apply. So follow @alyssam_infosec's advice and be bold. Find someone on the inside that can help you understand what they are looking for.

I'm willing to be your inside person at my company. See the toot below.
#infosecjobs #fedijobs
https://infosec.exchange/@Xavier/109372088738492909

Xavier Ashe (@Xavier@infosec.exchange)

@accidentalciso Hey everyone out there looking for jobs. I'm on the #infosec leadership team at a purple bank. Take a look at what we have posted. If you see something that interests you, send me a DM and I'll give you the inside scoop like which team it's on and what you can expect. Then if you like the job, I'll deliver your resume to the hiring manager. https://careers.truist.com/listjobs/?keyword=Security

@Xavier @alyssam_infosec X, had wondered if you were still at T. Hope everything is working out since the merger.
@Ladyred_6 @alyssam_infosec It's going pretty well. I didn't do so well in some of the re-orgs, but wait long enough and they will move everyone around again.
@Xavier @alyssam_infosec sounds a little challenging, that’s been happening for 3+ yrs now.

@Xavier @alyssam_infosec It’s the job of the hiring manager to push back and rewrite the JD.

Even in financial services I was able to do this but it does take work, especially if recruiter is not dedicated to InfoSec.

In smaller companies, you usually don’t need to do this!

@Xavier @alyssam_infosec it doesn’t matter though. Most places aren’t hiring at all even though they are posting ads. I’ve applied to over 200 jobs and nothing. I couldn’t even afford groceries because of it. I’ve just been eating rice for two weeks
@theperch @alyssam_infosec We're still hiring. I personally have 3 (soon to be 4) FTE positions to fill on my firewall policy team.
@Xavier @alyssam_infosec I’m in California. Where and what kind of positions are they? Do you have a link?
@theperch @alyssam_infosec Here is the firewall position. I'm looking for someone with solid networking, routing, and VPN skills. Firewall policy experience is a plus. US residency is a must.
https://careers.truist.com/job/16962369/firewall-policy-engineer-atlanta-ga/
@theperch @Xavier admittedly right now a lot of companies are holding off hiring until the new year. But many are also hiring now. I just helped connect two people with hiring managers last week, one was entry level.
@alyssam_infosec @Xavier right now I’m doing web design but it’s hard to get clients in this economy. I’ve tried applying to over 200 jobs and nothing.
@theperch @alyssam_infosec @Xavier you could always jump over to web app pentesting. The cybersecurity field is growing and that skillset is in demand.
@TH3R3P41RM4N @alyssam_infosec @Xavier I didn’t think of that, it’s a great suggestion. Thank you

@theperch @alyssam_infosec @Xavier it’s what I do, so I’m a bit partial. Also look into bug bounties, portswigger.com, and getting yourself a virtualbox Kali vm and you’ll be cookin with gas.

The web security academy from Portswigger is a great place to learn webapp (and it’s free). https://portswigger.net/web-security/learning-path

Last tip, do informational interviews and network. Throwing resumes against the wall and seeing what sticks will rarely get you a job. Going to OWASP/bsides/defcon groups and meeting folks in the industry will help you immensely. Here’s a thread I wrote on informational interviews if you are looking for a place to get started, (https://twitter.com/th3r3p41rm4n/status/1589825523718717441?s=46&t=kom6tM9sJfr2VrwJFoNfrw)

Feel free to reach out if you have any questions or are looking for resources.

You got this! I believe in you!

@theperch
I'm not quite sure if this could apply to you. But for me headhunters worked quite well in my last job change at the beginning of the year. I'm now in a job position I would never have applied to by myself. A headhunter asked me to make contact and introduce my profile to my new boss because she was seeing a hit in my CV for that position, and now I'm quite happy with my new position and my salary.
@alyssam_infosec @Xavier
@alyssam_infosec It's so hard getting the requirements changed, even when the people we are actually interviewing (mid-career) don't meet a lot of them (and aren't necessarily the wrong people for the role).
@alyssam_infosec I sign off on all of our SOC and engineering hires, and this is absolutely true. Requirements sections are usually there to indicate some competency or understanding. I don't usually care if you've acquired it via yrs in the workforce or from running your own home lab - in fact the latter usually impresses me more.

@alyssam_infosec can you give an example scenario for #2? I think the "NEEDS YOU" is *exactly* what people with imposter struggle with.

very hard question to speculate on when folks have low self esteem

@alyssam_infosec Absolutely correct on all counts. Also, if you feel like you're lacking experience with something that interests you, read up on it anyway, then lab it out at home. If you can't, lab out something adjacent to it. That's a much better story than "naw, what's that?"

@alyssam_infosec There's a pervasive fear of hiring entry level infosec folks - it's a big impediment, not just for the applicants, but also for companies who are starving for talent.

As a hiring manager, I'm quite aware of how easy it is to manufacture the perception of work product, to have friends talk you up, etc. It can be a useful datapoint but rarely does that contribute heavily to the final decision.

What does contribute: being able to talk competently about concepts and techniques, the ability to transfer knowledge laterally between domains. Open source and hobby work also tends to speak for itself, both in terms of their motivation, and generally being able to see their raw output, rather than (gilded) descriptions of it.

@alyssam_infosec I can't stress enough the point of "transferring knowledge laterally between domains"..

This is the difference between "I have a bunch of experience unrelated to infosec" and "Here's all the other experience I have that will make me a better analyst/researcher/hunter/etc"

@alyssam_infosec @InfoSecSherpa is a superstar in this respect. Much ❤ for library nerds, we love having you on team infosec!

@jb0x168 couldn't agree more, this was literally the topic of both my TEDx talk in 2021 and it's covered to great depths in my book.

The ability to identify core transferrable skills and be able to communicate them in a way that is understood credibly, is so crucial to landing a role in your first infosec job.

@alyssam_infosec I agree about the resume: one of the things I've seen most often is applicants not tailoring their resumes to the job.

A resume shouldn't be a list of everything you've ever done, it should be a list of the relevant skills and experience you have for the job opening.

It takes more work to customize a resume for each job application but it definitely helps it stand out!

@alyssam_infosec thanks for posting these, it's actually really helpful to have an infosec veteran say out loud "this is entry level". Coming from a place of never having had an infosec job, that can be really hard to tell... Gonna be circling back to this thread for a while!
@alyssam_infosec Thank you for this. I'm completely new to cybersecurity and I've heard that while there's high demand the hardest part is getting your foot in the door.
@alyssam_infosec how can I tailor my resume if I truly don’t have any infosec experience? What can I be doing in the meantime to boost my resume experience?

@brianna rather than try to lay it all out here, check out this talk I did at DefCon a few years ago that lays it and other tools out pretty well.

https://www.youtube.com/watch?v=i8IA0fdFfN4

Also, if you're interested, hit me up in DMs and I'll get you a free copy of my book that adds additional details and gives you some exercises for doing exactly this.

I hope that helps.

Alyssa Miller - From Barista to Cyber Security Pro - DEF CON 28 Career Hacking Village

@alyssam_infosec Let me echo this! Job descriptions are written by HR, not by hiring managers. HR's metric is how few job descriptions they have to manage, not how accurate each one is.

@holzmantweed I'm exhausted with managers blaming HR. Maybe this is your experience, but I've been a hiring manager since the early 2000's and have never not had input on the job descriptions for my roles.

Also, even if job descriptions are written 100% by HR in some companies with no opportunity from the hiring manager to influence, hiring managers in tech are, on the majority, ill equipped to actually conduct a hiring process. Little training is provided and there's way too much defaulting to trying to find "people like me".

@alyssam_infosec My experience includes HR making me take the multiple job descriptions I'd written precisely and consolidate them into one for associate, one for analyst, and one for specialist.
@alyssam_infosec you are so right that people can’t find these for themselves. We’re urging people to get into cyber security and then they’re frustrated cause I don’t understand where the door is. Thanks for doing the hard work and sharing!
@alyssam_infosec Nice one. I do have a bunch of them from various companies in my Excel, just not posted yet, cos I am still reviewing them all myself to create a prioritised value for candidates.
I do see a lot of them having unrealistic expectations, so I am dropping them from my list.
What has worked though, from the candidate's POV, is asking for the hiring manager and asking them in clear terms about expectations. If you think you can give your all, make it clear in Elon’s terms that you will work “extremely hardcore” for it. I have personally hired a select few who had 0 experience, and they got multiple promotions in a single year because of how good they were.
@alyssam_infosec Might I also suggest posting them under #GetFediHired? That's usually how we do it around here, and folks actively monitor that hashtag if they're looking for jobs.
@alyssam_infosec interesting… really appreciate the aggression directed at requirements overcompensation. It never added up when I was recruiting. But as a veteran of the trenches? … way past “fake it ‘till you make it” … even skills don’t matter. Ageism is a terrible barrier.
@alyssam_infosec
I got my LFCA cert in August and A+ on Friday. I'm almost 40 trying to get my first IT job so I can skill up for security work. I applied for 15 jobs yesterday and if I let the requirements stop me it would have been zero.
I can't imagine how difficult and intimidating this is for younger folks and it's so great seeing all the support and encouragement this community gives.
@alyssam_infosec ***RAISES HAND*** for impostor syndrome ass kicking! :D

@alyssam_infosec couldn't agree more since this is basically how I landed my current position; couldn't offer all the skills they were asking for, but the ones I had I was able to really flex during the 1st interview as well as during the VM pentest demo on the final round of selection.

Just like you said, it's not about lying on the resume or anything like that, you just need to show that the skills you do have are just as valuable to them as the ones you think you're missing.

@alyssam_infosec this toot also shows that many new folks just don’t have the contacts to find what they’re looking for efficiently, or even effectively. I know I take for granted that I know LOTS of people across various parts of the IT industry that have way better insight than I and are always happy to point me in the right direction. New folks don’t have that yet, so toots like this help get them connected to others that can help.
Plus, sometimes those of us that have been around for a minute might be able to reframe a situation for a newcomer that helps them to find alternatives they might not have come to on their own. It has nothing to do with how smart they are, or how hard they’re looking (lots of them are way smarter than me and work harder)…some knowledge just comes with being around for awhile. And new folks can’t speed up that process. But we can give it to them, and it costs us literally NOTHING to be helpful.
@tr3ndki11 literally the wonderful thing about having a large platform to speak from is exactly this. Anything I can do to help folks connect with others is what I'm here for. I love my #infosec community and all I want for it is to make it better, stronger, and more enjoyable for all of us.