This is part I of a two-part series on finding a job in cyber security. Click here for Part II.
Many Roads Lead to Cyber Security

Like many IT professions that may seem to have a neat, tidy label, cyber security isn't actually a singular job any more than, say, programmer or network engineer. Because cyber security reaches across the spectrum of IT, one cyber security position description may have very different requirements from another. Due to the wide array of tasks in the cyber security field, many factors and backgrounds can contribute to a successful cyber security candidate.

For those searching for a cyber security job, this is good news.

We would know. We are a provider of integrated, secure enterprise solutions to the federal government, notably the intelligence and defense communities. Cyber security is a core part of all our solutions, and staffing candidates to the demands of our customers means we spend a lot of time thumbing through resumes.

First, understand the above: Cyber security is a wide-ranging field with varying requirements and skill sets. It is a wide collection of disciplines reflecting the overall mission, using various methods and technologies to protect IT systems and data against compromise and attack. 

Specialties include a focus on information or network devices, or computer systems or software applications. Some cyber security professionals are process-driven, working on security policies and documents. Others are hardware-driven, configuring and modifying and maintaining a suite of hardware products to protect IT systems. Still others are software-focused, building Websites and applications that are resistant to external tampering and that deliver intended results and utilize protected data in a secure manner.

For those seeking to advance their careers, cyber security is a promising area; noticeable job growth is expected according to numerous job reports, opening the door for existing IT professionals as well as recent graduates.

And, because cyber security reflects the pace of technological change, it continues to change so that plenty of positions sit open waiting to be filled by qualified candidates.

So how do you become a qualified candidate rather than just a job seeker?

Match Your Cyber Search to Your Background Area of Expertise

For professionals already in the IT field, consider which specialty area of cyber security best matches with your background. Existing skills can be expanded and extended, and end-user knowledge of tools and processes can help prepare for a cyber security job working with them.

For example: 

  • A software developer may not be qualified to be a cyber network engineer, but can surely work in such areas as penetration testing or application scanning or secure Website development. A software background is also needed for the esoteric skill of malware deconstruction.
  • A security requirements analyst may not be qualified to perform dynamic code analysis, but may be able to configure secure firewall rules and handle firewall administration or perhaps construct disaster recovery or business continuity plans.
  • Individuals who have a regulatory compliance or audit background may qualify to become part of a certification and accreditation team, or to conduct formal HIPAA audits if they have worked in the healthcare industry.
  • Analysts familiar with business intelligence and mathematical model techniques can become integral parts of security incident response or breach investigation teams by providing unique perspectives.

Demonstrate Related Cyber Security Tasks, Not Broad Job Descriptions

If you have worked in IT and have some related cyber security experience, you may be wondering how to make the transition to a cyber security engineer and be able to make it past initial resume reviews. Obtaining one or more certifications is a good place to start, but do not expect hiring managers to beat a path to your door simply because you passed a test. There is some disdain in the industry for those who only have book smarts and cannot back up knowledge with relevant real-world experience.

Candidates always hear about customizing their resume for each position. What does that mean exactly? Go back through the tasks in the position descriptions and look for each and every instance where you did something cyber related in your own background. You may have been chief engineer on the deployment of a new IT infrastructure for a company, but what does that have to do with cyber security? Even if you believe the cyber security tasks do not have the importance of other related engineering tasks, focus on those. Ideally, each element of your resume should center on some type of cyber-related activity relevant to the position you are seeking.

For software developers, you may have used C and C++ and two scripting languages and targeted every variant of Web browser for your shiny new Web application, but did you perform any Web or application-focused security testing? Was your code scanned for common weakness enumerations? Did you address a hot issue, such as cross-site scripting, to prevent malicious users and malware from hijacking your code or Website? Tasks like these, even if they seem smaller in comparison to the scope of your overall job, will make your resume stand out to hiring managers.

If you are a network engineer, make sure to include cyber-related tasks where you have hands-on experience. This can include things like building, editing and deploying firewall rules. Have you configured an intrusion detection system or an intrusion prevention system? Have you run network tools or perhaps configured access control lists that define which users can access or modify specific applications or devices? Were you ever involved in some type of security incident resolution? Related experience may include such things as creating or updating security policies and developing a bring-your-own-device policy for an organization.

Be Certifiably Prepared

As highly technical positions exposed to a wide range of ancillary technologies, cyber positions typically require a bachelor's degree or higher. A recent study found that 76 percent of posted cyber positions required a bachelor's degree or higher with four percent requiring a master’s degree or higher. These degrees are often required to be in some sort of technical or engineering realm, but not always. There are multitudes of stories of individuals with non-technical degrees prospering in the wide open realm of cyber security and bringing a fresh perspective to jobs with rapidly evolving requirements.

Certifications are given by professional organizations and typically involve some mix of academic knowledge (passing a test) and professional activity (e.g., years of experience). Organizations have widely varying opinions of these programs, some requiring certifications, others making them optional. The Department of Defense, in an attempt to bring a baseline of qualified individuals to its programs, has written a formal directive (DoD 8570) that mandates the level and type of certifications required to work in an information assurance capacity on its systems. A directive like that is not optional.

Four of the most highly regarded certifying organizations are:

1. (ISC)2 - International Information Systems Security Certification Consortium

(ISC)2 is a global, not-for-profit leader in educating and certifying information security professionals. The most frequent designation is CISSP (Certified Information Security Systems Professional).

2. ISACA - Information Systems Audit and Control Association

ISACA is a global professional organization for information governance, control, security and audit professionals. The standards set by ISACA are followed worldwide. ISACA offers several professional certifications, industry publications and conferences.

3. GIAC – Global Information Assurance Certification

GIAC was founded in 1999 to validate the skills of information security professionals. The purpose of GIAC is to provide assurance that a certified individual has the knowledge and skills necessary for a practitioner in key areas of computer, information and software security. GIAC certifications are trusted by thousands of companies and government agencies, including the U.S. National Security Agency.  

4. ITIL - Information Technology Infrastructure Library

ITIL is a set of concepts and techniques for managing IT infrastructure, development and operations. ITIL certifications are managed by the ITIL Certification Management Board.

These tips will help you get your resume in line with hiring managers' expectations. Next week, part II of the post will provide job seekers with the do's and don'ts of a resume.