In case you missed it, this is the second part in my series, "The Truth and Lies of Seeking an Entry-Level Cybersecurity Job." Read Part One here, which also contains the Prologue outlining my intentions for this series of articles.
Why Write About Failure?
Before I delve too deeply into the dynamics of the entry-level information security world, I believe it's important to share a bit about myself and how I approached my career transition. This is crucial because I hope that by writing about it, I can help someone else new to this journey learn from me and maybe adjust their own course accordingly based on what they learn. I also hope that reading this might prompt some reflection from others on how they approach considering entry-level roles and how they pursue hiring for them. For those who might critique my approach and reasons, trust me, I already do plenty of that myself. Hindsight has been painful and clear, and I remind myself that I did the best I knew how, as someone not having had extensive exposure to the IT and corporate worlds.
I'm also writing about my experience because while it's easy to read about the successes in career transitions, I think that too often we don't have a chance to examine failures. The therapist in me has learned the importance of sharing about failure. Time and time again, I would meet individuals who came to me with the deep shame of their failures, only for me to smile and comment on how I had a handful of other people as clients who had experienced that same failure themselves. They were all feeling that same corrosive shame in isolation. In the predominant Western culture, we know that failure breeds shame incredibly easily. Shame retreats best when we confront it with vulnerability rather than isolation (Thanks, Brene Brown!). As I've failed to succeed in this career change, I've felt myself sinking further and further into that same shame. So, in part, I also decided to write about it for my own sanity and mental health, and so that hopefully others realize they aren't alone in their struggles. If my writing does help you in any way, please let me know; it would mean a lot to me.
The Backstory
I decided to transition into cybersecurity after more than a decade as a practicing marriage and family therapist. What sparked the journey is a story in itself, but in short, I was diagnosed with colon cancer in 2021, and that kicked off sincere existential reflection about my life and a realization that I wanted to move in a new direction career-wise. It’s an off-beat angle of approach, to be sure, but as a lifelong nerd and technologist and a longtime spectator of the information security field (mainly from Twitter and listening to various con talks), I found myself gravitating towards it in my free time as my pursuit of choice. Putting aside all the snark of the infosec veterans out there, why not do something you love as your day job?
My early-stage career change activities were more about research and reflection. What were people saying about their roles? Did they like their work, what did they not like? Beyond observations and dialog on social media, I reached out and spoke with some practitioners and got their insights and feedback. Seriously, if I have one bit of advice for newcomers, it’s to form connections with the people in the field. Make friends, and ask questions. For the cost of a gift card to their local coffee shop or the price of a good meal, I’ve gotten expert perspectives, invaluable mentorship, and solid strategies for how to approach my new career path.
I also tried to absorb the infosec ecosystem around me. In the past, when I'd gotten to an article that was over my head, I had backed out and shrugged my shoulders unless I was deeply interested in what it was about. Now, each time I tried to challenge myself to do the digging to learn what was being talked about, and to understand the nuance. Having a wide breadth of knowledge in the counseling world was absolutely invaluable and satisfying to me as a small-town counselor, and I figured that renaissance man approach would be good here in infosec as well.
So around the middle of 2022, my career change started in earnest. I closed my private practice I had run for over a decade and started trying to retool to find a spot in the information security field. My initial pursuits were into the blue team side of things. I felt that as a small-town counselor with a specialization in addiction and domestic violence, I was well-suited for the psychological strain of responding to incidents, managing customers' emotions, and in general handling any aspect of crisis response work. Not to mention that the heart of effective counseling was being analytically minded and having the persistence to tease out solutions to puzzling problems.
Education and Training
Education-wise, I already had a BS in Psychology and an MS in Marriage and Family Therapy from solid institutions, and I didn’t see the need to pursue a formal degree as a pathway for employment. This seemed to be well-aligned with what I knew of the educational backgrounds of other successful infosec practitioners and my gauge of the industry’s general value towards having a CompSci or Infosec degree. I had excellent college-level writing skills and advanced graduate training in analysis and assessment, and thus, more formal education didn’t seem to offer anything I couldn’t get via training and certificates. While I still hold to this advice for those seeking a secondary career change, I will say that I have frequently drooled over the many intern opportunities available to students at virtually every cyber and tech company. I thus threw myself into the cybersecurity education ecosystem. I tried to find a good mix of high-quality and affordable trainings while avoiding scammy low-quality stuff and high-priced high-quality trainings like SANS.
In seeking out trainings, I had two objectives, mainly. I wanted to fill in my gaps of understanding, and second, I wanted things that made sense to put on a resume. As a side note, I was initially put off towards certs as many people I talked to shared a dim view of entry-level book learning certs like the CompTIA Security+ and such, so I focused on hands-on learning and trainings.
For those who don’t know, Antisyphon Training is an utterly fantastic resource for learning in the field. I got to sit at the feet of great folks like John Strand as I learned the basics of working in a SOC or how to get up to defensive mischief with honey ports or clever use of canary tokens. These were not scammy fly-by-night trainings; these were heavy with practical labs and taught by active practitioners. I was drinking from the fountain of experience and not some cheap imitation! I took a veritable laundry list of trainings from Antisyphon as well as others of similar quality. I decided against heavy involvement in sites like Try Hack Me and others, not because they weren’t valuable for learning, but rather because I felt I would learn more by creating my own home lab and practicing there. I’m not going to dive into that subject too much other than to say that choice was a mistake in hindsight. While I did indeed learn a ton setting up home labs both physical and virtual, sites like Try Hack Me and Hack-the-Box have grown a great deal in formalizing your efforts with them into lines on your resume; whereas no one has ever asked me about anything I’ve done in my home lab. I learned a lot in my home lab, but it’s been a poor translation onto my resume and in recruiters' eyes.
Hands-on Practice and Certs
Speaking of hands-on practice, I was also given an incredible gift of participating in live 30-hour training on a high-fidelity corporate network with others as we hunted for badness on the network. That training, Network Defense Range, put on by my friends at Recon Infosec, was a pivotal moment for me. I was not just aspiring to be a SOC analyst; I WAS a SOC analyst. Granted, at only two months into this journey, I was a crappy one; I was a noob who was out of my depth, and I was looking over so many proverbial shoulders to get anywhere. But it was accessible, and I was doing it! I used Arkime to review network traffic, I learned to comb through endless log entries that had been ingested into Kibana, and I got to witness the god-like power of Velociraptor on end-point machines. I was elated to dig through logs chasing process creation events and then parsing the PowerShell commands the malware executed. I also hashed email attachments and developed IOCs to hunt for badness across the network. Those moments, early on in my development, showed me that I could do the work I was trying to learn about, and that filled me with tremendous resolve and motivation. Eric Capuano and Whitney Champion deserve special mention here; they have given so much to me I can’t even begin to express my appreciation. The people are the best part of this field.
After my initial round of trainings, I started shifting (reluctantly I’ll admit) to earning some relevant certs, in my case the CompTIA Sec + and Cybersecurity Analyst +. Certs are a thorny issue for early career folks, and I was fully aware of the debate. In my case, I was glad I earned them, as they added some formalized recognition of my knowledge and development, and not having them had always left me with nagging doubts along the line of “if I’d just earned a cert, maybe I wouldn’t have been rejected from that job application.” However, I’m not sure they’ve done anything to boost my application strength as my before- and after-hiring results are indistinguishable. Something else I’ll note is that blue team applied certs, ones that test in hands-on ways, do not exist insofar as I am aware of. Whereas, on the red team side, there are many certs that evaluate applied skills, thus carrying a great deal more weight on a resume.
Other Activities
I also did my best to leverage my people skills, and I’ve been incredibly humbled by the people who have helped me along in this process. I reached out on various social platforms for advice and support and tried to engage in interesting dialog there as well. Looking back on my communications, I received close to 50 acts of individual service and advice from folks in the field, such as resume review, virtual meetings about their work or getting into a career, coaching and mentoring, and so much more. I’ve also had countless social media contacts with others in the field sharing words of encouragement, entry-level job postings, and advice and wisdom. So many people have empathetically and selflessly helped me, and I couldn’t have grown half as much or as fast if it weren’t for the collective goodness of the people in the field who have continually been so generous. Just yesterday, a veritable luminary in the field offered me 20 minutes of her time and connected me with resources in her network, all just to help a nobody like me get into the field. The people of information security are the best part of it. Interwoven in the cracks of all this work was my time spent working my way through excellent content from solid people and orgs in the field, like TCM Security, Michael Taggart, David Bombal, and more. I worked meticulously to homogenize my hobbyist’s patchwork understanding of technology and security into something that was respectable and cohesive. I volunteered at Cactus Con and attended some other small local events and tried to show I was interested in the community. I also volunteered with a cybersecurity-focused non-profit composed of physical and information security professionals that help those in domestic violence or cyberstalking situations get specialized help to secure their physical and digital safety. My work there helped me get hands-on technical exposure, as well as building the start of a career transition into my resume. 
The work was, of course, more than just a line on a resume, but that’s beyond my scope today.
Applying for Jobs, or “The Great Silence”
So, after all that effort at career development, and sporting a respectable work history that included various leadership roles and distinctions, I thought I would be a reasonably appealing candidate for an entry-level role somewhere. Looking back on my job application notes, my first formal job application was on September 27th of 2022. The application was for two analyst openings on weekend and night shifts respectively. I was so excited; I had come from a world where my degree, and later my full clinical license, had meant that I always received prompt and enthusiastic responses from those I applied to. However, I had much to learn about the harshness of corporate job seeking, and infosec job seeking, in specific. Looking back, I can't even find a canned rejection email from the corporation. I’ve written about my training and job preparations as distinct topics, but in actuality all these activities overlap and interweave. In reality, after the Network Defense Range training, and the bulk of the AntiSyphon trainings, I started setting regular weekly goals for job applications and educational content. One thing I've always prided myself on since my early grad school days was my time management. I made solid weekly training and work plans, and charted out mid- and long-term goals as well. All the time I expected the call that would change my life, and as the year dragged on that call didn't come, and the infrequent interviews didn't pan out, I started to adjust in earnest to better market myself. After the first 20 or 30 applications returned with little results, I committed to only applying to places where I had meaningful insider contacts to refer me directly to a hiring manager, or barring that where I had been directly encouraged by an employee to apply. I was done bashing myself against the stone wall of indifferent automated hiring systems. I was committed to only working with humans!
Certain jobs proved too tempting to withhold myself from, but I am nevertheless proud that I've mostly stuck to that commitment and tried to work smart by sticking to high-quality referral sources for the vast majority of my applications.
As of my writing this, my spreadsheet shows a tally of 154 cybersecurity and IT jobs that I have applied for, of which I have secured 11 interviews by at least the hiring manager, which puts my response rate at about 7.2%. This does not include the additional volume of 20-30% more jobs that I either reapplied to when my resume had significantly changed, or that were enough of a duplicate position at a company for me to lump them under one application entry. As for when I did get an interview, sometimes I got incredibly close (I love you GreyNoise!) and sometimes it ended with a politely worded rejection that highlighted that while they found me likable and knowledgeable, they had found someone with more experience. I also won’t share the embarrassing flubs I made in interviews, the questions I didn’t know and the one really painful interview where it was clear I had been invited because of who had referred me rather than the strength of my own resume, and for which I was hopelessly out of my depth for the role. I knew I was not a golden candidate to be snapped up like a rare commodity, and I expected to have to struggle mightily to recast myself into a radically different field. However, I have spent more than a year now throwing myself against this iron-bound door of information security in a quest to just budge it open enough for a toehold, anywhere, so I could get a start in the field.
When it became clear that it was going to be extremely hard to break directly into a cybersecurity analyst role, I started pivoting to opportunistically apply to other infosec roles that seemed well-suited to my people- and psychological skill set, such as customer success and support roles, threat intelligence, and even several types of mundane administrative assistant roles at infosec organizations to just start getting traction somewhere. Along the way, I grew numb to hearing people talk about how they were receiving upwards of 400 applicants for a single job posting.
Conclusion
And that leads me to today, and why I've decided to write all this down. I'll own that I'm surely not a golden candidate who should have just been a walk-on hire. However, with over a decade of solid leadership-infused work history and extensive experience running my own business, and as a person with a graduate education and a demonstrated zeal to break into a new career field, I'm flummoxed that I really don't have anything to show for over a year of work.
What really burns me, however, is that I'm coming from an incredible position of privilege and opportunity. I have had the time, money, and stability to set out and pursue my own course in this career transition on a near-full-time basis. So many others have much less and work much harder to get what they have, and they are also crashing against that same iron-bound door of starting an infosec career. So I've become increasingly energized around why this is so and what the solutions are, and frankly, why this is even a problem with the hundreds of thousands of information security jobs in need of filling that we all keep hearing about.
I hope you'll join me for Part Three, The Chasm Between Entry-Level Applicants and Entry-Level Jobs
Thank you for sharing your journey with us, Micheal. It's very insightful and helpful for those of us who want to transition into cyber security as well.
Your story is relatable in so many ways and prepares one's mind for the possible challenges before living the dream.
I know you will eventually make it. Your positive attitude and determination will eventually pay off. The fact that you have not given up yet shows you have passion for information security.
I am enjoying your writing 😁. Good luck on your journey as I continue to be invested in how the story will end. I am rooting for you💛