This is written for all the new folks coming into the industry, whether you’re just starting or finished university recently, my goal here is to provide some context on whats the situation in the market and give you some tips to help land your first role. I’ve been a hiring manager for over ten years, the last six years of which being in big tech and the time before being primarily in the government and defence sectors.
Landing Your First Role
It doesn’t take long searching around Google or tech news websites to find out there’s a skills shortage in infosec. In recent years there’s been plenty of news articles and studies done by the places such as the UK, USA, and independent security groups such as ISC2 outlining this fact. If you spend even a few minutes looking for jobs on pretty much any job site you’re likely to find a whole plethora of jobs available for all manner of cyber roles…. but of course, there’s a catch.
Almost all of these roles are for experienced engineers, usually 2+ years of experience.
Companies (shortsightedly) want to hire people who provide value immediately and don’t often see the value of training up brand new staff and getting them into the industry. Now, this seems way more pervasive in security because of the skills you are expected to have to do the role effectively, most companies want security engineers who are not only skilled in networking, programming and cloud technologies but also be domain experts in security on top of that which is a lot to ask from someone with no direct experience in the industry.
Now this isn’t to say there aren’t grad roles for security, there is a decent amount available but also know that another path into this career is starting with IT, Network Engineering or Developer Roles and then transitioning into security once you’ve got a year or two experience.
What Places Hire Interns and Graduates?
This isn’t an exhaustive list by any means, but it’s to give you a good idea of what sort of places hire grads and interns so you can narrow down your search effectively.
- Big Tech - Google, Apple, Meta, Amazon
- Unicorn Tech - Salesforce, Atlassian, Uber
- Defense - Raytheon, Boeing, BAE Systems
- Government + Public Sector - Intelligence Agencies, Government Departments, Telecoms Providers
- Consulting - PWC, Accenture, Deloitte
- Security Vendors - Crowdstrike, SentinelOne, Cisco, McAffee
What Type Of Roles Are Available?
Cybersecurity has all sorts of roles available, including specialist roles like people who focus on industrial control systems or car security. Although most roles for graduates are going to be one of the following:
|SOC Analysts||Working in a security operations centre. This will often be working on a detection and response team where the juniors are more commonly responsible for the response part. Triaging tickets and investigating potential incidents.|
|Digital Forensic and eDiscovery Analysts||Often working for police forces, intelligence agencies and consulting firms. Doing forensic imaging and analysis on digital evidence for use in court.|
|AppSec Engineers||Generally be working on application-level problems. Helping developers fix security issues in their code through vuln scanning, manual testing, bug bounties and other techniques. Heavily focused on OWASP top 10 and software development.|
|Enterprise Security Engineers||Focused on the internal side of companies looking at networks, endpoints, SaaS and logging. Usually, this involves working with IT teams and building out zero trust architectures.|
|Risk & Compliance||Focused on auditing environments ensuring companies can pass SOC2, ISO27k, HIPAA and other compliance frameworks. This area is often also responsible for ensuring that risks are mitigated or accepted like ensuring companies have good disaster recovery procedures in place.|
|Red Teaming + Pentesting||I’ll be honest with you here and say that there are very few roles available for red teamers in general, let alone graduates. For the grad roles that do exist there will likely be a lot of applicants as red teaming is one of the more popular areas of security. A lot of people I know have gotten into red teaming by first going into a SOC role and then making the transition afterwards.|
What Do We Look For
Any job is going to be wildly different, there’s a whole bunch of factors that are going to determine how many people apply and the type of people that apply. In my experience grad roles attract the most applicants, not only will you get this year’s graduates but also last year’s grads who are still looking as well as people looking for role and craft changes. In my government roles, it was pretty normal to get around 10+ graduates in London applying for each role. In Atlassian, we would regularly get around 60+ graduates applying to each available role so the competition is pretty fierce.
Hiring managers aren’t necessarily looking for someone who can smash out projects from day one, but we want someone who can grow into their role relatively quickly and thrive with a little guidance. What you generally need to do this is at least foundational knowledge of security, the ability to work in a team and the ability to drive your own work. Some basic project management and communication skills wouldn’t go amiss here either but that’s generally stuff that you can work out on the job. No one piece here is more important than the rest, you need a bit of all of them but the place where I often see candidates struggle is on the foundational security knowledge part.
Getting Your Application Noticed
In most companies there will be a screening step by a recruiter, they will go through and choose the best candidates and send the hiring manager through the candidates with the best profiles. This part is more of an art than a science. Most of the time for grad roles a hiring manager is going to only have time to scan applications and they’ll look in more depth at the ones that stand out to them. Each hiring manager is going to look at different things so there’s no chasing perfection here but the goal is to stand out in order to get yourself an interview. a few things you can do to potentially increase your chances are:
- Use a simple format. Most people won’t care for complex designs using Canva or Adobe outside of UX roles and the formatting can sometimes mess with the resume filters. I highly recommend plain Microsoft Word templates or something like Awesome CV. This one highly depends on the hiring manager and the role though, some may like this kind of thing.
- Try your hand at some CTFs, this is a super-easy way to get into security and even if you don’t feel ready to do any proper tournaments there are platforms like TryHackMe and HackTheBox that you can easily do no matter your situation.
- Show your passion. I want to hear about the interesting things you’ve done with technology on your resume, tell me about your home network project, outline your thesis, or tell me about CTFs you’ve done. These things are a good talking point for me to bring up too during interviews.
- Showcase your work. Telling me about the interesting things you’ve done is good but showing me the actual thing is better. It’s super easy these days to start a blog, write posts on Medium, link to your GitHub, throw up a YouTube video of you reverse engineering something and then throw a link on your resume.
- Side projects, hobbies and jobs. Personally, I like to hear about them even if they aren’t related to security in any way. I once hired an intern who was super passionate about audio, he did AV work on the side and it made him stand out against other candidates because you could actually tell he enjoyed hacking at stuff.
- Try your hand at Bug Bounties on platforms like Hackerone and Bugcrowd, even just getting 1-2 small bugs on these platforms is a really good talking point.
- Join (or start) a security club at your university. Candidates from UNSW Sydney who joined the CSESoc always stood out amongst the rest in Sydney.
I would say 70% of the candidates I’ve hired did at least 1-2 of the above so I would strongly recommend it.
Now assuming you pass all of the above you may be given a take-home assignment. This is something I absolutely hate but is a requirement in many companies for these sorts of roles to cull down the application numbers. It might be coding questions, it might be security architecture but essentially it’ll be marked and the scores entered into your profile. Don’t worry about this section too much, most hiring managers in security do not care about the score at all but do the best you can.
Hiring is different everywhere you go but you can generally expect the following.
- Recruiter Screen - Just a triage interview usually to make sure you pass the basics.
- Hiring Manager Interview - This will be about your resume, your experience, and very open-ended questions.
- Technical Interview - Usually asking security questions and talking about technical problems.
You may also have these depending on the role and the company:
- Coding Interview - It May be a full coding interview similar to developers, might just be a quick coding question tacked onto the technical interview. Often it’s a basic algorithm problem or something like “sort this network log file and search it”.
- A “Values” Interview - Talking about working in teams and your personal experiences. Usually done to weed out the “Brilliant Jerk” types who might pass a technical interview but can’t work in a team. A bit of research on the company values and mission is a good idea here but the overall idea is to inform the interviewer that you can work in a team and deal with potential disagreements in a good way.
I’m only going to talk about the hiring manager interview and the technical interview here as there are plenty of amazing guides and services like LeetCode online for how to pass coding interviews.
Hiring Manager Interview
This one is relatively easy, all a hiring manager wants to know is that you can
- Work in a team
- Know the basics
- Have a growth mindset
Look at the job ad for the role you applied for and try to tailor your experiences to the expectations of the role. Often it will just be questions about your internships, your university studies and your passions. They might also throw in a couple of light questions about security in there too just to weed out candidates from going to the next step. This is also the best time to ask questions about the role as this is much of you interviewing them as it is them interviewing you.
This is the interview where most candidates fail and this ties back to what I said earlier where generally the expectations of security grads are high, This is both because if you don’t have a grasp of the basics it’ll take you too long to get up to speed but also because there are often very passionate people in this industry who applied to the role and do know these topics.
Now I can’t tell you every question an interviewer might ask, some (bad) people just ask rapid-fire questions like “what is XSS” for a whole hour. Good interviewers might ask a few of those types of questions but will also go into longer-form questions, potentially giving you a scenario where you are expected to explain potential security problems with a design and suggest fixes.
The questions are going to heavily depend on the role you applied to as well, AppSec interviewers aren’t going to ask you if you know how to acquire forensic evidence, SOC analysts aren’t going to care if you know ISO audits but there are a few common things it helps to know regardless of the role you apply to.
- The OWASP Top 10 - You should know this in and out, you should be able to explain topics like injection and XSS in at least a conversational level of detail. If you can detail how to fix these issues from happening that is also a big plus.
- Basic Web Topics - Especially focused on HTTP(S) and PKI. A common question is to explain the process taken when visiting a website as it allows a candidate with the knowledge to go into depth on DNS, Web Protocols and PKI infrastructure.
- Incident Response - What do you do in the case of a breach? What is your course of action when detecting something?
- Networking Basics - Often the interviewer will provide you with logs and ask you to explain what’s going on, often it’s “Pick the malicious command and explain why”. If you know basic networking and understand different terminal commands like remote shells this one is usually easy to spot.
- Operating System Security - A question I personally like to ask is asking someone to secure a CEO’s laptop, fresh from the factory. Most candidates can often get the basics like disk encryption and passwords but not too many can go into hardware protection like SecureBoot or obtaining system logs to monitor for compromise.
- Encryption - hashing, network encryption, disk encryption, symmetric and asymmetric are all common topics.
- Authentication and Authorisation - This one I’ve found is difficult for grads as it’s not a common topic in universities but being able to explain the difference between AuthZ, AuthN and the types like basic auth, API tokens, OAuth etc.
- CIA Triad - Be able to give a short breakdown of confidentiality, integrity and availability.
- Common Attack Types - Be able to explain the common attacks such as SQLI, credential stuffing, MITM, Denial of Service etc. If you can explain how to prevent them that’s a big plus.
Now, this isn’t to say you need to know all of the above in and out, nobody is expected to know everything, especially at grad level. If you don’t know the answer just be honest and tell the interviewer, if you know the absolute basics try your best though. I once had a candidate who didn’t know anything about AuthZ or AuthN but managed to tell me an example of where OAuth was used and made some good assumptions about single sign-on based on the name that we ended up hiring.
Diversity, Equity & Inclusion
Before I end this blog one thing I want to talk about is diversity in security. Diversity has never been particularly balanced when it comes to tech but cybersecurity is just slightly worse than the average, though it has been improving in recent years. Recent estimates say that only 24% of the security workforce are women which means in small teams there is a very real chance of there being absolutely no women on the team. This statistic is similar across other categories too such as people of colour and neurodiverse folks too.
One recommendation I have for people in this category is to join your local DE&I groups. I can’t stress how useful it is to build a network of like-minded people but it’ll also give you insight into which companies put focus on diversity in their workforce and which ones don’t. One added benefit you’ll get from these groups is that hiring managers will often source from these groups specifically to address imbalanced teams.
Groups I’ve known people to join are:
This industry needs fresh talent coming into it. I’ve had the pleasure of working with some amazing grads and interns over the years and I want to make sure we keep getting a slate of new ideas and great new people coming in. Good luck with your applications and hopefully this blog was useful to you!
If you have any questions about this feel free to contact me, I’m happy to answer where I can.