Hello! I’m writing this article to share my experiences in finding my first job in cyber security. More specifically, my first job in penetration testing. I wanted to share my experiences in hopes of motivating others who want to come into the cyber security field or already are applying to jobs in the field, as the field can be incredibly tough to break into.
I’ve broken the article down into a few sections. If you enjoy reading, I encourage you to read my background as my story shapes the ideals and beliefs I hold when providing my closing advice. You are welcome to skip the background and move right to the closing advice section as well. Either way, I hope you find some use from my experience and advice that you can utilize in your own interviewing experiences.
A few years ago, I was a decently paid accountant, living in the middle of nowhere Indiana and driving at least 45 minutes each way to work. My drive consisted purely of two-lane country roads where being late to work because of a tractor slowdown was often a valid excuse. While I was making a decent paycheck, I was unhappy. I left all of my friends behind to move for the job. To top it off, I was a city boy living in a very small city and working in an even smaller town.
To be upfront, I moved for money. Hell, I never even liked being an accountant. I was an accountant simply because it was a safe career choice that paid well in the long run. Growing up poor, making money seemed like a pretty good motivational factor for me. However, moving to the middle of nowhere for $55k/year probably wasn’t the best career choice I’ve made in my life. It was, though, the best decision I ever made in my life.
You see, that job made me realize how much disdain I truly had for accounting. I was working in a job field because it was safe, not because I loved it. I was living in the middle of nowhere, away from all my friends, and driving literally hours a day because it paid better. In hindsight, I realized it paid better because no one wanted to do it. To top it off, I had the manager from Hell and that’s being kind. I was her 8th accountant in less than three years and she only got one accountant. Let that sink in.
I was choosing my career path based on all of the wrong things. I wasn’t working at a job I loved, in a career field I loved, in a place I loved, nor making enough money to drown myself in enough booze to forget all of it. So, one day, I decided that enough was enough. I was done with accounting and I knew I needed to make a career change. I quit my job with almost no money to my name and moved out west on a whim.
In my heart, I truly had one passion and that was IT. I was, or so I thought, fairly computer savvy. I had been using a computer since I was four years old and was on Prodigy before AOL was really a thing. While in college, I always fantasized about changing into an IT or computer science field, but I never pulled the trigger. Of course, that would have made too much sense. It’s not often that we follow our hobbies and passions into a career, but the opportunity was always there for me. It just took a lot of time, and money, to realize it.
When I moved out west, I was fortunate enough to land a help desk job with a small, local Managed Service Provider (MSP) fairly quickly. The pay? $41k/year, but I was so much happier. The job was seeking someone much more experienced and was offering to pay quite a bit more, but I convinced them to take a chance on me. I offered to take significantly less money in an effort to prove myself. Proving you are worth training, even if you do not meet the application requirements, might be the most useful tool you can have in an interview.
Because I was severely deficient in my IT skills, I used it as motivation to get better. Every night after work, I went home and studied. With IT, there is always something new you can learn and information is always changing, which is probably the best aspect of the career field. I love learning and IT has endless learning possibilities.
Within a couple of months, I received my A+ certification, which is considered one of the basic introductory IT certifications. I felt incredibly relieved to have a certification under my belt, but I remained hungry. Staying hungry is critical to career success. Setting goals for yourself is also important as it gives you something to strive for, something to be motivated about, and reasons to stay hungry.
Shortly after passing the A+, I set goals and mapped out a certification path for myself that would make me a better employee to the company I was working for. Within the next few months, I had my Network+ and Security+ certifications. Shortly after that, I got my Linux+ certification as well. I ran through my goal list, which consisted entirely of introductory IT certifications, faster than expected and it was time to start exploring IT specializations.
At some point during my certification journey, I realized what I truly wanted to specialize in: information security. More specifically, I wanted to do ethical hacking/penetration testing and red teaming. I heard about the Certified Ethical Hacker (CEH) course and thought it was the coolest thing. You know, kind of like HR does when you’re applying to jobs, but the hiring manager just laughs at you? Yeah, it was like that.
I really didn’t know any better at that point. I saw the CEH as a way to bolster my resume and learn some hacking tools. It was the next logical certification, in my mind, to move towards the information security field. I was still new to the IT game and certification hungry. I had also moved up pretty quickly at my company. I went from help desk to level 2 work and eventually to network administration work. This was still within a year of my departure from accounting, just to keep a relevant time frame for you.
I was now making $51k/year as well, which was only $4k short of my previous salary in accounting. I was driving 10 minutes each way to work. I was living in the city. I was working in a career field I loved. Most importantly, I was happy and I was hungry.
Once I received my CEH, I made my intentions clear to my company that I wanted to specialize more in security. Being a small MSP, they were intrigued, but there just wasn’t room for me in that position. To top it off, there wasn’t enough network administration work for me, so I was primarily shifted back onto level 2 work.
At that point, I felt stuck. I had been working so hard to progress and felt my next logical step was a network administration position of some sort. I didn’t see a path into cyber security without some network experience at a minimum. The company was just not going to be able to offer me that. It felt to me as if I outgrew them.
At the same time, this was the company that gave me my chance. They took me in when I was an IT nobody, trained me, certified me, and made me confident in my skills. We were a small company, so everyone was really close and even friends outside of work. In fact, no one had ever quit the company in the seven years it had been around. So, the thought of letting anyone down was terrifying.
However, you have to do what’s best for you in life. What’s best for me was not staying in the same position and being complacent. I felt like my growth would halt if I could not get hands-on experience and continue to progress in my career. Working help desk was just not in my cards anymore. I made the decision to leave and never looked back.
Given my military security clearance and college degrees, I landed a network engineer interview with Sandia National Labs in April of 2017. While most may not realize it, this is a pretty big deal in New Mexico. Sandia is a highly regarded government agency that focuses primarily on nuclear research. They are also considered one of the best places to work in the country and are usually somewhere in the top 20 on that list.
I applied thinking that there was no way I would ever hear back. While my GPA in college was solid, I went to a small school that certainly wasn’t Ivy League caliber. Sandia was Ivy League caliber. Seriously, it’s not uncommon to meet employees from Harvard and Yale. There’s even a story about a custodian with a science degree, just taking any job he could to get his foot in the door. The difficulty of getting hired at this place is pretty high. Yet, somehow, I got in.
I applied and interviewed for a junior network engineer position. It was a very similar scenario to my first IT interview. I certainly was not qualified for the job, but I promised to learn. The position was Cisco heavy and my Cisco experience was pretty much zero. However, I was willing to learn whatever was needed to succeed in the job. Again, I proved that I was worth training, regardless of my background.
To my surprise, they offered me a limited employment offer of one year, with the possibility of extending that six times for seven years total. It was my foot in the door. To top it off, they offered me a senior network engineer role, which I did not apply for. They also threw $80k/year at me, which I later came to learn wasn’t really that much around there. However, it was a ton of money to someone who grew up poor and was making $51k/year at the time. I was incredibly happy.
As promised in my interview, I learned whatever was needed to succeed. I received my CCNA certification within my first month of employment. I also spear-headed several projects and created a training proposal for future training endeavors of the network team. I was making an impact pretty fast and it did not go unnoticed. Within a few months, I was converted over to a full-time employee and my contract life was quickly over.
At some point during my first few months at Sandia, I approached my manager about the need for cyber security in our division. We were, after all, in charge of networks protecting nuclear assets. While security measures were in place to protect our systems, I felt more could be done. I proposed creating a cyber security group within our division and my manager loved the idea.
Using this proposition, I requested that my manager send me to OSCP training. Through all of my research online, the OSCP certification seemed like the true way to get your foot in the door when it came to penetration testing and red team work. The end goal was to start an internal penetration testing team in my division that focused on attacking our networks while still in the design phase. My manager happily agreed.
At the same time, I had other motivations as well. A month or so prior, I happened to meet a Sandia employee that worked on the Sandia red team. This was by chance as he happened to live at the same apartment complex that my fiancée at the time managed. He told her he did red team work and she knew I wanted to get into the field, so she set us up a lunch date. What a matchmaker!
During our lunch, I met with the employee and a co-worker of his, also on the red team. I was informed that they could always use help on their team and that if I was able to get my OSCP, I could likely come work for them. This seemed like an awesome opportunity. Now, it seemed as if I had options as well. I could work hard and develop an internal red team in my department, or if that fell through, I could potentially join an established government red team. I just needed to get my OSCP.
Using my new found motivation, I signed up for 90 days of OSCP labs and finished them (and the exam) in 45 days. I put in about 200 hours studying during that time frame. I was still very hungry to progress my career and wanted to do so as quickly as possible. Unfortunately, things do not always work out as planned.
My first punch to the gut was that my manager began to shy away from the idea of an internal cyber division. He was a brand new manager when I approached him and was very eager to see some of my ideas through. However, managers have managers and they aren’t always as eager, as I’ve learned. I was told that an internal cyber team would take at least two to three years to get accepted, if it even did. I didn’t feel like I could wait that long to break into the field, especially on an if and not a guarantee. Option A was out.
My second gut punch came shortly after. I applied to the red team at Sandia with my shiny, new OSCP certification in hand. I thought I was Charlie and the OSCP was my golden ticket. I was wrong again. I received a rejection letter from the manager telling me that my master’s in computer information systems was not enough to garner an interview. The department only hires computer science, mechanical engineering, or electrical engineering majors per HR rules. Ouch.
Now, this is where Sandia is historically known to be backwards. In the past, Sandia has denied top talent because of their undergraduate GPA 30 years prior. What you were on paper meant everything to Sandia and while they planned to make changes to the rules, those have yet to happen. In my situation, I did not have the piece of paper Sandia wanted. It did not matter that I was motivated. It didn’t matter that I was hungry. Hell, it didn’t matter that I had the OSCP and some of their own red team was struggling to pass it. Those were the rules and there were no exceptions, unless I wanted to go back to grad school for three more years in hopes of an interview. Option B was out.
All that was left was Option C, leaving Sandia to find a role in penetration testing. When I expressed my desire to leave, I was told by friends that I was crazy. No one ever leaves Sandia. I asked online and was told I was too inexperienced and that I should stick it out in my role for at least two more years. I should mention, I had been at Sandia for nine months at that point.
I did not want to wait, especially years. Every year that went by was a potential loss in increased salary (penetration testers can easily make $100k+/year) as well as experience time lost and future earnings from that experience. I realized that there is a “pay your dues” attitude from many people in the IT community, but I was going to prove them wrong. It wasn’t going to be easy, but I was going to find a job in the penetration testing field.
The Application Process:
I tailored my resume for a penetration testing job and started mass applying. Early on in the process, I was faced with some sudden realities. The first reality is that there are quite literally no penetration testing jobs in New Mexico outside of Sandia. So, I knew that I would be forced to find a remote position or move.
Finding a remote position is difficult when you’re new to any field because it’s usually made for those who are more experienced and need less hand holding. I also personally feel like you can lose some serious hands-on training if the company does not have a good on-boarding process. Hands-on training was important to me as I was new to the field and required a good mentor to be successful.
Moving for me was also difficult. While I have no family ties to New Mexico, I was happily engaged to someone who did. In fact, I love my fiancée’s family and think of them as my own. I approached her about the thought of moving and was given a very limited list: beach area preferred, North Carolina, Dallas, Austin, Denver, and no large cities (New York, San Francisco, D.C., etc.). Given that the majority of penetration testing work is in large cities, my search became that much more difficult.
Another reality I faced was that the OSCP was not a golden ticket into the penetration testing field. Some hiring managers treated it as if it were just a pat on the back. I worked hard for that certification and realized quickly that experience was everything to most employers. Junior position? 10 years experience please. New to the field? Yes, you’ll need five years of coding in a language that has only been around for three years. The job postings were just as crazy as those you see in other fields. I was not surprised, but I had better expectations.
There were also a few qualities I wanted in an employer. I wanted the option to work remote with a good work/life balance. A lot of penetration testing jobs are moving away from the office environment. While I would be fine with going into a desk job, I have always been much more productive when working at home.
I also wanted an employer who was willing to train/pay for training. It is incredibly important to find a job that is willing to train you. A job that just throws you to the wolves or puts you in a sink or swim situation, was not a job that I wanted. It was important to me that there was emphasis on internal training as well as encouragement to pursue outside certifications, attend conferences, and even present at conferences.
Finally, I wanted to work with a company that serviced other companies as opposed to internal penetration testing work. In my opinion, working on external companies gives one an opportunity to see all different facets of security levels and exploits. You see something new almost every penetration test. Working internally for a company limits an individual to that company’s tools and security levels. Your growth becomes severely limited.
With these thoughts in mind, I instead started applying to jobs that fit my criteria. I mainly used Ninja Jobs and LinkedIn, though I occasionally dabbled elsewhere. By being incredibly picky, I did not hear back as fast as some of my friends also trying to break into the field. I was not able to move anywhere and take anything, but I also did not want just any job. I wanted a job that met my criteria and that I could succeed in. This required incredible patience. Eventually, it led to some interviews.
The Interview Process:
My interviewing process was tedious. I got put through the wringer to say the least. What’s interesting is that the majority of my interviews actually came from recruiters, Slack connections, or internal HR recruiting instead of applications that I had put in. In order of quality, Slack connections seemed the best as you could ask your contacts questions about the job and get honest answers. It’s always important to network and people in the field are always willing to help a motivated individual break into cyber security. Next would be internal recruiters. While they typically could not pronounce half of the tools correctly or even my name sometimes, they were typically friendly and were direct hire.
Then there were the recruiters. Oh boy. If you’re reading this, I am sure that you have experienced the joy of recruiters at one point or another in your career. I had recruiters of all different types and personalities. While I have a lot of good recruiter stories, the first (and best) that comes to mind was a recruiter telling me that the job she wanted to put me in was “my dream” and that I was going to “make it wet”. She also proceeded to send me resumes of other people applying for the same job. Nope.jpg. I got away from her fast.
Most recruiters would e-mail me and call me about jobs that were three month contracts. I had one recruiter try to convince me to relocate on a three month contract with no guarantee to hire and no relocation bonus. Six months later, they are still calling me trying to fill that job. Most (not all) of the “contracts” are actually how recruiting companies get their pay. They get a cut of the first x months you work and the hiring company gets the benefit of trying you out without risking much. It’s the new trend unfortunately.
With that being said, not all recruiters are bad. Some are quite passionate about what they do. They also take the time to learn about the security field and what the certifications they’re asking for actually entail. My suggestion, if you’re going to use a recruiter, is to find one that is passionate about the field, genuinely interested in you, and gets paid x amount on your direct hire, instead of a contract scenario. It’s a much better situation for you.
My interview process came down to three potential jobs:
Job 1: I was contacted by a recruiter who really knew his stuff. He spoke highly of the company, worked closely with me throughout the entire interview process, and even practiced interviewing with me. He is what every other recruiter should mold themselves after. The job was a fully remote senior position with up to 20% travel for red team work. There was a solid work life balance and a strong encouragement to teach from the top. Training was never going to be an issue and it was a direct hire situation. The only downside is that the majority of the travel was local and I would have to move to North Carolina.
Job 2: I was contacted for this job by an internal recruiter. She was friendly and well-versed in the details of the job. The job was fully remote with almost no travel. The job would not require a move of any kind. The benefits were also amazing. They provided a 10% 401k match, four weeks of vacation to start, travel bonuses, free LASIK, a company retreat fully paid for you and your spouse, and much more. The downsides to the job were work/life balance (55 hours a week) and the fact that it was a senior position with no intention of training. It was truly sink or swim. The other downside was that it was primarily web application penetration testing, which I had very little experience in.
Job 3: This job interview came from a personal connection on Slack. Otherwise, I never would have gotten my foot in the door. The job was primarily focused on PCI penetration testing and was also fully remote. It was at a senior level as well, but offered some valuable training from some well-known penetration testers in the field. In terms of training opportunities, this one was potentially the best just by the caliber of the team they had working for them. The benefits were okay and the pay structure was a bit odd. You were paid a base salary and then given a percentage of your client work. So, your paycheck would never be consistent and I felt as if you were practically penalized if you took vacation time. Another downside was that there was 40% travel, which is quite a bit.
The interview process for all three jobs was slightly different. Here is what each looked like:
Job 1: Initial phone screen with recruiter to see if I was a good fit. He forwarded me off to the hiring manager, who agreed to set up an interview. I had a one-on-one phone interview with the hiring manager that was highly technical, but impressive. For one, the manager was a former penetration tester who had his OSCP. You do not always get the chance to work for someone who knows exactly what you’re going through at a job. Another impressive detail was that he explained when I got a question wrong in the interview and why I got it wrong. I actually learned from an interview instead of guessing where I stood when it was said and done. My recruiter told me beforehand that he was very upfront and honest. The recruiter described a previous interview he had observed where, during the interview, it was decided that the applicant would not be a good fit for the team, but the manager still spent another hour chatting with him on potential career paths. I was impressed by his character.
I was offered a second, and final, interview on the spot for the following week. Before the second interview, I was asked to finish a personality exam and have a brief interview with HR, both of which went well. The final interview would involve a presentation of my choice, more technical questions, and a white board exercise that required critical thinking. When it was said and done, it was one of the more difficult interviews that I have had in my life. I’m not even sure that I got half of the questions right. However, I again expressed a desire to learn and succeed, if given the opportunity. Shortly after the interview, I received a job offer. It was clear they believed in me and I was beyond ecstatic.
Job 2: This job interview put me through the gauntlet. I had an initial phone screen with the internal HR recruiter which consisted of non-technical questions. It was more to gauge my interest and determine fit. Shortly after, she sent me a link to a hacking environment where I was tasked with attacking six machines in 48 hours. I was then given 24 additional hours to write a report. I spent the next two days hacking away and eventually popped all six machines. I sent off my report and heard back almost immediately that everyone was impressed. This led to an interview with the team.
The interview with the team involved a presentation of my report, followed by some technical questions. Similar to my other interview, I answered to the best of my abilities and was not afraid to say “I don’t know, but I’ll learn” when I did not know an answer. It seemed to go well overall and a meeting with the director was next. They asked if I could meet on short notice, so I assumed that an offer was coming in soon.
The meeting with the director was yet another interview, which they did not tell me. I was told it would be a short meeting, which made me believe he had to sign off on the team’s approval. It turned into another technical interview and was done over phone camera (his request), so the quality was poor and it was tough to understand him. My takeaway from the interview was not a good one. He made it very clear that he thought I was weak in web application penetration testing and that if he offered me a position, they would not hold my hand. He expressed his concerns that given the work volume (55 hours/week), I would not have time to study outside of work to improve.
While I strongly believe an offer was in the pipeline, these remarks did not sit well with me. The job was not going to check the boxes I wanted to check. I needed some hand holding. I needed good training. I also wanted work life balance. It became clear that this job would not provide those necessities to me. I pulled my application and thanked them for their time.
Job 3: The job interview process started with a technical interview by HR. According to my Slack connection, the interview process would consist of five or so interviews over the course of the week. You meet with a couple of directors and meet with some of the team, all one on one, to gauge fit. My initial interview went incredibly well and I was offered a second interview on the spot. The issue was that the director would not be able to interview for three weeks as he was out of town on a project. Simply too much time would elapse and I had an offer pending.
I decided that I was taking my talents to North Carolina, sans a press conference. Job 1 checked every box for me and moving was a small price to pay when it comes to a fantastic opportunity to learn and to train with incredibly talented people. The opportunity to work on a red team compared to doing only penetration testing was too enticing to pass up as well. Overall, I stayed patient and got exactly the job I wanted.
If you’ve made it this far, I congratulate you for completing my novella. If you skipped to this section, that’s fine, I didn’t want you knowing my back story anyways. In all seriousness, I want to provide some takeaways from my experience in transitioning from an accountant to a penetration tester in hopes that someone along the way will find them useful. If I can leave you with any advice, it is this:
Always set goals for yourself and stay motivated. Do you want a certain certification? Set a date that you want to complete it by and find ways to motivate yourself. I would purchase exam vouchers and register for the exam on my goal date to motivate me. The cost of some of the certifications was also a motivational factor. The most important asset to your career success will be your ability to set and meet goals as well as always staying hungry.
Do not become complacent. At every stage in your career, you will find others who are happy with where they are at, though it becomes less and less as you move up. I noticed that my strong desire to learn outside of work was not always encouraged by my coworkers. Some even gave me a hard time about it and told me I was “no fun”. These coworkers were happy working in the same job and in the same role for 10 years. They were happy not getting certifications and advancing their career. You can be that way as well, but do not expect to succeed in information security with that attitude. Again, always stay hungry.
Never be afraid to apply to jobs you’re unqualified for. I used to be terrified of applying to jobs that I knew I was not qualified for. In my mind, I did not want to waste my time, nor the employer’s. However, job postings tend to ask for a ridiculous amount of requirements that the average person just doesn’t have. If the average person is shying away from these jobs as well, then the employer is just not getting a ton of applications. I say apply away. The worst that can happen is the employer doesn’t interview you and you can add it to your already growing rejection pile.
Be willing to admit you don’t know. I believe one of the worst mistakes someone can make in an interview is to attempt to BS an employer with an answer to a question they do not know the answer to. It is so much easier to admit that you do not know and that you’re willing to learn than to attempt to guess at an answer. You are not expected to know everything in an interview. No one is perfect. Being able to admit you aren’t will set you apart from a lot of candidates.
Be willing to prove yourself. This idea ties in with many of the above examples. If you apply for a job that you aren’t qualified for and it becomes clear in the interview, all is not lost. You need to sell yourself and who you can become in the interview, not just who you are now. Be willing to ask an employer for the opportunity to prove yourself and you will be surprised by the results. Plenty of employers are willing to take a chance on someone. Everyone has to start somewhere and chances are, the hiring team might see a little bit of themselves in you.
Determine what you want from a job and only apply to those that meet your criteria. My advice here is to not mass apply to a million jobs and see what bites. Have some patience and apply to a job that will be a great fit for your needs and the needs of the hiring company. There were opportunities that presented themselves to me along the way and I knew I had to decline. One tempting opportunity was an internal interview offer at Ernst & Young. As a former accountant, I knew their reputation was stellar, but I also knew their work/life balance was terrible. The name on the resume was not enough for me to budge on my criteria and you should hold the same standards. Find somewhere you can be happy with for a long time and make a career out of. Do not try to find your next stepping stone, but a potential place of permanence.
Surround yourself with like-minded people and be happy being the dumbest guy or girl in the room. Cyber security is an incredibly motivated and intelligent field. Everyone has to start somewhere. Everyone has been the new guy or girl. Find a Slack channel, Meetup, forum, or any other avenue that you can use to meet people in the field. You will find that people in these groups are always happy to guide new people into the cyber security world. It’s also likely that people in these groups will be significantly more experienced and just overall better than you at what you want to do. Embrace this. It is okay to be the dumbest person in a room because that means you have the most learning possibilities of anyone there. If you ever find a situation where you’re at the top, find another group where you’re not. Stay hungry.
Network, network, network. If there is one thing business school preached to me more than anything else, it’s that a lot about finding a job comes down to who you know, not what you know. Again, find a Slack, Meetup, etc. of like-minded people and use it as a networking opportunity. So many people will help you out if you’re just friendly and motivated.