
I Want to Be A Cloud Security Engineer | by Teri Radichel | Cloud Security | Nov, 2022

November 26, 2022


Suggestions for today’s aspiring cloud security engineers

I get questions like — How do I become a cloud security engineer? How did you get into cybersecurity? Are you hiring? Can you help me get a job in cybersecurity? — on social media a lot. I thought I would address them in this post as I don’t always have time to properly respond to each and every one and I find that I am repeating myself a lot.

Unfortunately, I may not be the best person to ask because first of all, I’m not hiring and if and when I do it likely won’t be remotely and not anyone I haven’t met in person. The same is true for recommendations. I also am not aware of who is hiring for cybersecurity positions as I tend to weed out that type of information since I am not looking for a job. I have limited time and am mainly seeking cybersecurity and cloud security research, breaches, and malware reports. I am not the best source and I provide hopefully better ones below.

The way I got into cybersecurity, as with many people my age, is likely much different than how a younger person today might pursue that career. You can read about how I got into tech here:

and how I got into cybersecurity here:

Those stories might not help someone who doesn’t want to spend 20+ years in software development and 10+ years running their own company, dealing with data breaches and security incidents before moving into the field of cybersecurity specifically.

I made a presentation for a college for people who want a job in cybersecurity. It’s a video that covers some of the different types of cybersecurity careers and some options for how to get trained in cybersecurity. I don’t think I adequately covered how to actually go about getting a job, so that is what this post covers.

The same principles in that video about cybersecurity apply to cloud security. You need to decide which aspect of cybersecurity appeals to you and that you want to work in and then pursue that particular path. It’s good to get a degree, certification, or training in all the different aspects of cybersecurity if you can so you can have a well-rounded understanding of things like network security, identity and access management, application security, compliance, governance, risk management, forensics and incident response.

Way too many people try to go straight into penetration testing. In my opinion, you’ll be better off if you first get a deep understanding of networking fundamentals, software development, identity and access management, operating systems, and how encryption works prior to diving in and testing for security bugs. People can grab a tool off the web and scan hosts and find bugs, but that’s not as useful as being able to reverse engineer problems and provide solid solutions to prevent the problem from occurring again in the future.

Training is always helpful and I definitely recommend it if you can afford it when learning new technology. But you can also learn a lot online through research and persistence for free. There are so many free resources including this blog, YouTube videos, and GitHub repositories that you can use to get started.

Consider whether you are overpaying for training. Some classes are very expensive. Consider your return on that investment (ROI). Take a look at your potential new salary and make sure you are not paying more for the training than you can recoup in a reasonable amount of time from increased income. Also, will that training actually help you get hired? Some training is better than others.

I started teaching more cost-effective classes with no labs but that provide “homework” people can go back and do on their own time. How much of the time you are paying for is you doing work yourself or waiting for others to complete labs vs. time actually learning from an instructor? My classes are only taught to organizations at this time but that may change in the future.

An organization trying to determine if training is cost-effective will be different from that of an individual. Organizations would consider the cost of the training compared to the cost of a data breach. And on that note, try to join an organization that will pay for your training. Even if you do not initially get a job in security — perhaps you get one on a help desk, in IT, or software development — if the company will pay for training that can help you get what you need to move into security.

Also, organizations may be willing to look at other internal departments for transfers into cybersecurity. If you start in one department, prove your worth, and earn the organization’s and security team’s trust you may be able to transfer to security later. I actually did that at one of the largest banks in the US. I wrote about the topic of internal transfers and training here — to help organizations look internally to overcome a cybersecurity professional shortage.

It seems to me that most cybersecurity professionals get jobs through word of mouth and personal recommendations versus someone getting hired with no connections over the Internet. I am not a hiring manager, so you should talk to one if you want to learn more about that.

But I do often recommend that people trying to break into cybersecurity attend local security-related events in their area to get to know people. You will have a much better chance getting a job from an established personal connection than someone you randomly contacted on the Internet. I saw a woman who gave a great interview on a podcast talk about how she went to local events and then over time eventually got a chance to break into cybersecurity in a new job.

There are many ways to meet and connect with other cybersecurity professionals:

Social Media: Follow and interact with people on social media — but make sure you have intelligent comments and information to share. Make useful comments that help people. Be careful with humor. Different people find different things funny that others do not. Some are good at it — others, not so much.

I once read a quote in the margins of my high school Latin book — Better to be thought a fool than to speak and remove all doubt. I am constantly trying to double check that what I have written is accurate by checking multiple sources. I still make mistakes and I appreciate when someone points those out in a private message. Try to make sure you are demonstrating intelligence not just jumping into a conversation to get attention. Perhaps start with a direct message if you’re not sure about a comment on a topic.

Don’t go off topic to prove how smart you are. So many times people make comments on my posts or social media that are not wrong, they are just off topic comments on something that doesn’t exist in my post or they completely missed the point. I feel like some people want to throw out an accurate comment that distracts from the post to demonstrate intelligence vs. having a meaningful conversation about a topic. Try to avoid that.

Also avoid reiterating what the post already said. Recommend that people read the post instead if you agree or learned something from it. Sometimes I quote a portion of a post that I find interesting so that others might be intrigued and go read the post for themselves.

Also beware that on social media, much of the misinformation out there has a grain of truth to it. That’s what makes it difficult to spot. Beware of that when jumping on the bandwagon and liking a post that seems to be refuting an article but the article has nothing to do with the comment — read the article or blog first. And make sure the entirety of the comment or comments are true before giving it a thumbs up.

Avoid outrage. Don’t feed the trolls. Ignore the noise. I’ve written about that in other posts already. Focus on learning, sharing, and contributing.

Double check new content. I have even been fooled by false stories in reactionary mode. Take the time to ensure the same information is coming from multiple reputable sources. Wait for all the information to come out on a new topic such as the latest data breach.

Be aware that some social media accounts have tricked cybersecurity researchers into “collaborating” with adversaries developing malware — so you need to be careful who you connect with and how much you share. This is why I prefer in-person connections. My social media connections have led to in-person connections at conferences and through training.

READ PROFILES before contacting people. I explicitly say what I am and am not interested in my profile on LinkedIn. When people contact me anyway regarding things I am not interested in it is clear that they did not even read my profile and they are generally spamming everyone. This results in an immediate spam report and block from me.

Meetups and local events: Meetups and in-person local events were stymied during covid but in-person meetups and events are slowly returning. When I was in Seattle I attended many meetups and started one of my own. Local OWASP chapters often run events and post them on meetup. I attended a cybersecurity happy hour run by a company that does hire cybersecurity professionals. I also attended some Infragard events which were open to the public and local Cloud Security Alliance (CSA) and the new team is chapter events.

Conferences: If you can afford to go to a conference that is a great way to meet people — if you partake in all the conference has to offer. When I first wanted to attend AWS re:Invent I had to pay my own way. AWS re:Invent is right around the corner again. I’ve spoken at events such as RSA, BSides events in multiple locations, IANS events, AWS re:Invent, AWS re:Inforce, Microsoft Build, OWASP, ISACA, SANS, and others.

One of my presentations made it to DefCon but I didn’t personally attend that one. Most conferences at least give you a free pass to speak and many will pay for travel and lodging and even pay you if they are really serious about getting good speakers. DefCon wasn’t offering any of that at the time, so I opted out as I had been traveling about every two weeks that particular year. But the cost is not that high, and it’s a great conference to get some cool cybersecurity vibes. I wrote a book review on a book that explains how DefCon got started here:

BlackHat was held around the same time and tends to be a bit more corporate.

There are other really great conferences from what I hear but I haven’t attended all of them. I tend to focus on cybersecurity conferences that pay me to speak for the most part right now and some of the really big events — in person, not virtual that allow me to book my own travel. So my in-person events are limited right now. Find out what conferences will be in your area or travel to a larger one if you can.

Talk to people. If you go to a conference — talk to people. Talk to speakers after their presentation if you are interested in what they have to say. Many people want to schedule time to meet with me at a conference but I always tell them to come to my presentation and I’ll talk to you afterwards.

It’s kind of frustrating when people want to take up your time in a private meeting but don’t bother to come hear what you have to say in a presentation — don’t be that person. If you want to meet with someone show up for their presentation and ask them to meet with you after the presentation rather than trying to book everyone’s time in advance and then not supporting their contributions to the event. Also be mindful that people are really busy and don’t always have time to meet with every single person who asks, but generally people will hang around and answer questions after their presentation.

Participate. Participate in event activities that allow you to interact with others in a technical capacity. One of my favorites was AWS Game Day. I joined a team when I had limited knowledge of CloudFormation and that day really helped CloudFormation click for me. You can read about that experience here:

Build Relationships. Don’t expect someone to spend a lot of time helping you after you interact with them once. Relationships take time. Help and get to know people and over time you will probably get kindness in return.

Demonstrate your value

I remember a young woman coming up to me who was outraged that people at her company would not transfer her or hire her in tech as she was “just as qualified” as anyone else. I am not sure what that particular person’s scenario was but how have you demonstrated your value and your ability to be a team player?

I wrote about gaining respect here and some of the challenges I’ve faced in that area over the course of my career — and how it’s really not worth worrying about too much. Just keep moving forward. You’ll get to where you want to be eventually.

By the way, if you’re a woman in tech trying to get a better salary, I wrote about that too here:

If people don’t value you where you’re at, move on to a place where they do.

Blogs and GitHub Repositories: If you add value, it will be recognized over time, I have found. I am not sure I represent the general social media population, but I prefer to follow people on social media who post cybersecurity research. I don’t really want to see what you cooked or ate for dinner on social media I use for work (as opposed to the accounts I use for personal use — show me your tacos and your favorite restaurants over there!) I block keywords to weed out things I don’t find useful for my particular objectives on social media.

Note that other people are different. They like to post and see a range of topics and are not purely focusing on research on social media. I do post a personal tweet few and far between like the one I just posted of our dog. He tries to “help” me work.

I tend to post on cloud and cybersecurity research and development topics and how to stop data breaches. I am trying to write for people who may need cybersecurity training, to ask me a question on an IANS Research call, or hire me for a penetration test or assessment. I also, in general, want to help developers learn cybersecurity because I was a developer for over 25 years and still am, in addition to cybersecurity and cloud security.

Think about who you want to target with your social media presence and post things that will attract that type of follower. Demonstrate that you have the skills to perform the job you want.

Volunteer: If you attend a meetup or event, volunteer to help. Running a meetup is a lot of work. When I ran the AWS Meetup in Seattle in person we had to set everything up, get the food, prepare the room and the video equipment, and clean up afterwards. Some larger organizations have committees to support different aspects of the organization. Find out how you can volunteer to help out and you will definitely be appreciated and meet people.

Volunteer to help with programs that train kids in technology. Donate your time to a non-profit organization or offer reduced fee services to the cause of your choice. Try an unpaid internship if you can’t find paid work immediately. Do a different job on the side to pay the bills while you obtain real world experience. Psst. I’ve done that! It’s not as crazy as it might sound.

Talk to recruiters, HR professionals, and hiring managers. Make your inquiry to the right person at a company. Someone who works in software development or cybersecurity or who runs a company might not be hiring or even involved in the process. The people you want to contact are people who are actually advertising jobs.

Look at Job Advertisements. When I was a hiring manager, we used Indeed, the local newspaper, and other job boards to advertise jobs.

Tailor your resume to each specific job. If a job is looking for specific technical skills make sure your resume aligns with those particular skills. If you don’t have those skills, use your free time to learn them or try to leverage those skills in a project at work or on a volunteer project.

Meet people at companies where you want to work. Try to meet and get involved with people working at those companies, not a random blogger on the Internet like me who isn’t actually hiring or in touch with anyone who is. Besides that, I wouldn’t recommend someone I never met or worked with — especially for a cybersecurity position — as mentioned. If you work in a foreign country, get hired at companies that work with that organization as third-party consultants or contractors.

Build Trust. Cybersecurity is all about trust. Build trust with people who can get you jobs. Building trust takes time. As mentioned earlier you can start in another department and work your way in potentially.

What not to do…

Don’t spam people with links. Don’t send someone a random link to something you posted and expect them to retweet or repost it for you. I tend to repost things I find meaningful and hardly ever repost or even read something that is sent to me as spam I didn’t request.

Avoid asking for free training or consulting. People publish things online for free in hopes of getting paid work generally. I just wrote about that:

That’s because people need to pay bills, eat, and in general, earn a living. Be mindful of this when you send people questions about something they wrote. If it’s a short question that’s generally fine, but if you’re asking for consulting advice, training, or how to solve your own problems that’s probably crossing a line. Providing errors, inaccuracies, or typos is usually appreciated.

Asking for a job in your first message. I have a friend who worked at Microsoft who got particularly annoyed with this. So many people who heard her speak at a conference or read her blogs would ask her for a job for themselves or someone else. That is not going to get you a job — or get you on a person’s good side in many cases.

I also read one story by Jeff Barr where he tried to help someone get a job who ultimately became a stalker — so people may even be wary of you if you take this approach. I understand why people might try it, so no worries if you asked me for a job, but this generally is not going to be your best path to new employment.

Hopefully this post helps the person I wrote it for and anyone else trying to get a job in cybersecurity or cloud security. Good luck and happy hacking!

Teri Radichel

If you liked this story please clap and follow:

******************************************************************

Medium: Teri Radichel or Email List: Teri Radichel
Twitter: @teriradichel or @2ndSightLab
Mastodon: https://infosec.exchange/@teriradichel

Request services via LinkedIn: Teri Radichel or IANS Research

******************************************************************

© 2nd Sight Lab 2022

Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Need Cloud Security Training? 2nd Sight Lab Cloud Security Training

Is your cloud secure? Hire 2nd Sight Lab for a penetration test or security assessment.

Have a Cybersecurity or Cloud Security Question? Ask Teri Radichel by scheduling a call with IANS Research.

Cybersecurity & Cloud Security Resources by Teri Radichel: Cybersecurity and Cloud security classes, articles, white papers, presentations, and podcasts




