Navigating Cybersecurity: Q&A Session with Marc
In this special episode recorded outdoors, Marc answers listener questions about breaking into the cybersecurity field. Topics include gaining practical experience without an IT background, the importance of certifications, essential soft skills, networking strategies, handling job rejections, and making a career transition into cybersecurity. Marc provides practical advice on how to stand out in interviews, tailor your resume, and continuously improve your chances of landing a cybersecurity job. Resources and contact information are available in the show notes.
00:00 Introduction and Format Change
00:29 Question 1: Gaining Practical Experience in Cybersecurity
03:31 Question 2: Importance of Certifications
06:46 Question 3: Crucial Soft Skills
09:26 Question 4: Standing Out in Job Interviews
12:33 Question 5: Networking in Cybersecurity
15:59 Question 6: Handling Rejection and Improving Applications
22:35 Conclusion and Final Thoughts
---
I do hope you enjoyed this episode of the podcast. Here are some helpful resources, including any sites that were mentioned in this episode.
If you have questions for the show, feedback, or topics you want covered, please send a short email to marc@bytesizedsecurity.show with the subject line "Byte-Sized Security" so I know it's about the podcast.
Connect with me on TikTok: https://www.tiktok.com/@bytesizedsecurity
Marc: Today's podcast is going to be a little bit different. And an outdoor recording studio. And I want to take some Q and A's from listeners. So I grabbed about six of the best I could find. And if you want to send a question, it's Marc, M-A-R-C, at ByteSized Security dot show, B-Y-T-E sized security.show. So I'm going to have my assistant read off each question, and then I'm going to attempt to answer it. So without further ado, let's go. What's the question? Number one.
Gabi: Thank you, Marc. Here's our first question. What are the most effective ways for a beginner to gain practical experience in cybersecurity, especially if they don't have a formal IT background?
Marc: So the most effective ways for a beginner to gain practical experience, especially if they don't have any formal IT background. Get that formal IT background. You don't have to have it to get into cybersecurity. There's divisions and areas that you could go into if you're good at legal or document writing, technical writing, working with people, like security awareness training. But if you don't have any formal IT background, it still would be helpful to get yourself something. And I'm not saying a help desk job. But it does help explain cybersecurity principles when you do have an IT background. Some of the best people I know in cybersecurity have extensive IT backgrounds. It could be from architecture to help desk to software development. It doesn't really matter, but they have an understanding of network and computers and technology, and then they can apply that easily to cybersecurity. It's hard to secure a network if you don't know what a network is.
It doesn't mean you have to go into help desk, but if you don't have that formal IT background, take some classes, take some courses. Look for volunteer opportunities in your local community, where you can start to develop that. Not everything has to be a formal job. You could be working in a completely different industry and still figure out some different ways to get yourself some IT knowledge in order to get yourself into cybersecurity. Now, that sounds a lot easier said than done. I'll give you that. There's hundreds of people looking for cybersecurity jobs that do have extensive IT backgrounds. So. But it can be done. And if you do want to do that, I don't think you should give up, but it was difficult enough for me to make a lateral transfer. I can imagine that if you don't have any IT experience how difficult it would be.
That being said, governance, risk and compliance, GRC. Which is not easy. But those people that I've worked with do not have extensive IT backgrounds at all, but they're very good at policy writing, policy reading, documentation, legal, putting together presentations. So if you have those types of skillsets, you don't necessarily have to have a formal IT background to get into a division of cyber security. So there's, there's other options. They may not be a pen tester. But there's a lot of other things you can do in cybersecurity. If you're really good at educating people and you understand the culture of security, culture of security awareness, you could develop training for a particular company. You could easily come in as a learning management developer, into the cybersecurity area to help train your employees up on it. And you wouldn't have that, quote, formal IT background. Next question.
Gabi: How important are certifications like CompTIA Security+ or CISSP when applying for entry-level cybersecurity positions?
Marc: For entry-level, well, for entry level, CISSP should not be entry-level. Um, however, I do know that I've seen job descriptions that look to be entry level and they want a ton of experience, you know, years of experience, and they want a CISSP. That's ridiculous. Um, that's just somebody who doesn't know how to write this job description, or they don't know what they're looking for, or they just want to hit everything under the sun. It doesn't really matter. They just want to grab anything they possibly can. So that's not good.
But the CompTIA Security+, honestly, I know certificates get, you know, hit or miss, yay or nay, people like them or they don't. That's exactly the one that I took. I did the CompTIA Security+ out of the gate. Um, it was hard. But I did have that IT background. I was able to study for it, took a couple of months, pass it. And one of the nice things about it is, on job applications, they're looking for particular certifications. And so you just kind of hit that right out of the gate. It just gets you past an applicant tracking system. And I think if you can do that, I think that is probably your best bet.
As far as different certifications, I always preached on this podcast or my tech talk series: if you're going to go for certs, and now, they are not the end-all be-all. But if you're going to go for certifications for, you know, different jobs, look at the job that you're applying for, or jobs that you're applying for, and see if you see a pattern, and then go for those certifications. So for me, I did see CompTIA Security+, oh, a lot. And I saw a lot of ISC squared on there as well. Um, I went from CompTIA Security+, got my cybersecurity job, and then studied for the CISSP. And I really don't intend to get any more certifications. I just will keep getting, uh, continuing education credits for those and just leave it at that.
But for entry level, you know, if there is an entry-level position, and there are some, although they're rare, take a look at what they're looking for and then go for those. But don't look for certifications that require five years of experience like the CISSP, because that makes absolutely no sense for it to be an entry-level position. So I don't know that I would put an importance level on them. I just wanted to check as many boxes as I could to get past the recruiter. That's basically it.
Right. I mean, if you've got 10 applicants that come in and this job requirement says nice to have Security+, and you don't have it, do you really want to be number 11? Would you rather just make that cut from whatever system is looking at, you know, how much of a match is this person? That's all. But it's not the end-all be-all. Experience, how you handle yourself, your level of professionalism, what you can bring to the table, your attitude, all those things. How do you fit into the culture? Way more important than certification. Hands down. Next question.
Gabi: What soft skills are crucial for success in cybersecurity, beyond technical knowledge?
Marc: Curiosity. Curiosity. Um, I don't want to use the word self-starter. I would say someone who could take an idea and just be able to figure a lot of that stuff out on their own. Meaning you're going to do searching. You'll go into forums. You'll use AI, you'll chat with coworkers. You'll be able to take a particular problem and come up with your own solution. You're not someone who needs to be told every step of everything that you have to do. Right. It's self-discovery. Cybersecurity is a lot of curiosity, self-discovery, doing things on your own, figuring things out. I know these are all buzzwords and keywords, but honestly, if there's a problem with the system and you're the person that needs to fix it, or you have to investigate some kind of suspicious potential threat, or, you know, fix one of your CASB products, or, you know, work on a browser or something, you've got to be able to take that from not very much information and follow that all the way through.
So if you're someone who needs to be handheld, and, I want to, I don't want to know exactly everything I'm supposed to do, I want my boss to tell me everything every step of the way, cybersecurity is gonna be really difficult, because it's just, you think computer and technology is changing all the time. Cyber attacks and technology is changing all the time. Two years ago, there wasn't really, you know, phishing emails and all that was a joke. Um, it's not so much of a joke anymore, because the landscape has changed. You've got AI. You've opened up, um, really good English speaking abilities, or any other language speaking abilities now, to craft really great emails to, you know, exfiltrate or infiltrate data and hack and all this kind of stuff, and the landscape changes.
And so that soft skill, curiosity, self-discovery, ability to not know everything and rely on other, you know, work with your coworkers on how to solve these problems, it's going to be huge. And that's a hard thing to teach. You can teach people technical skills. I've seen this on LinkedIn all the time. You can teach somebody technical skills, but it's really hard to teach people soft skills. That's more of a learning thing. How do I be a better listener? That's a lot harder to do than, hey, how do I become better at Python programming or something. So those, those are my soft skills.
Gabi: How can I stand out in a cybersecurity job interview, particularly if I'm transitioning from a different career?
Marc: So I transitioned from IT, Windows, SharePoint world, into cybersecurity. And I found it very difficult because a lot of times initially on my resume, people would see that and they're like, oh, you're SharePoint, you're Windows. And it was difficult to get away from that perspective, until I completely revamped my resume to focus more on the cyber security things that I did in my previous jobs. And I crafted my resume to be the person I wanted to be instead of the person that I was or had done. If that makes any sense. Right. If you want to be in cybersecurity and someone's looking at your resume, they're going to want to look at someone who has that particular skillset, as opposed to somebody who doesn't, but just really wants to get in and they're passionate about it. Right? You hear a lot of passion.
But if you want to stand out in that job interview, what is it that you can bring to the table? If an employer has something that they need to fill a gap, you've got to be able to provide the technical skills or at least showcase that you could learn. All right. That you could learn this. And that you fit into the culture. And that one I hate the most because I don't know what that means. How do you fit into the culture? Right. Um, you don't. Gut instinct, you know if you're going to fit. Just be yourself. I mean, you hear that a lot, but honestly, if you go into a culture where you're not comfortable day one and you don't like it, you probably aren't going to last very long.
So standing out for me was crafting my resume and highlighting the things that I'd done, sort of tooting my own horn and saying, hey, here's the things I've done in cybersecurity that I can help you, or that I've got the skillset that you need to be able to do this. And there are a lot of skills in your previous job that will transition into cyber security that you don't think will. For example, um, I did a lot of videos previously, before when I transitioned careers. I did a lot of learning videos, just on my own. Nobody asked me to do it. I used Camtasia and I just made videos on SharePoint and how to do certain things, and it became really popular. And I point to that, that is how I transitioned that particular skillset into cyber security awareness training, because I was good at making videos, communicating with end users, drafting up emails and materials and getting people on board with training. And that is something I'd be interested in doing at your company. And guess what, they had a need for that. And that's what I still do today. Security awareness training. As far as I know, we're relatively secure Yami.
But my point is you will have skills in your previous job that you don't think transition into cybersecurity and they absolutely do. So you need to figure out, what is it that I've done that I think I can bring to the table that's going to make it something I can do for this company that relates to cybersecurity. You will have those skills. Do not discount, uh, those transitional skills that you have. Everything is not technical. It doesn't have to be.
Gabi: What's the best way to network and build connections in the cybersecurity community as a newcomer?
Marc: Uh, I love this one. It's the best way to network and build connections in the cybersecurity community as a newcomer. So I went to RSA, which is, uh, a huge local show here in the Bay Area. And I went to that for two years, uh, prior to actually getting into the industry, because you can basically get a free expo ticket if you have any vendor contacts, you know anybody, or you look online, whatever. And it's not very expensive, even if you don't. And I just went to the show and I walked the floor. I spent two days walking around, talking with different vendors, getting into the industry, understanding the tools, what different products are out there, what people are doing, listening to the buzzwords and the vibe that was going on. You know, taking every opportunity to attend any of the parties that these vendors would have, like, oh, we're having a happy hour at five, if you meet us at such and such. And it was a networking event, a bunch of people. I didn't know anybody in industry. I didn't know anybody at any of these events. I just went and got myself out there and attended this particular cybersecurity conference. And that was instrumental in getting me into the industry that I wasn't already in.
And there are a ton of free or low-cost cyber security conferences that you can go to. And I'll link that in the show notes; there's actually a site that's, um, very good. It's got all different countries and cities and genres of cyber security that you can sign up for alerts, and then it'll tell you about different events that are happening, not just meetups and stuff, but actual conferences. You know, small, large, whatever. Some are free, some are not. And you should just attend those. That was a great way for me to build up a connection and get myself into the cyber security community when I didn't have any experience in it, when I didn't know anybody in it, and I wasn't currently working in industry. I would say that is the best and biggest thing you can do. Get yourself into some cybersecurity conferences. You know, even if they're online, I know that's not going to be as good. But even if they're online, it's a good way to just start getting yourself in there.
I just went to BSides Vegas not three weeks ago. And my ticket for the two-day event, it was a hundred bucks. That is such a cheap conference ticket. And BSides is all over the world, it isn't just in Vegas. It's all over the place. They have conferences at different areas. You could look it up. But it's such a cheap ticket for what you get. And you're networking with people who are literally in the trenches, working in the industry, that may be able to hook you up or help you out with jobs or anything. I was standing in line and I listened to this girl talk about how she was, you know, taking these courses and classes and doing all this stuff on the side. She really wanted to be a pen tester. And the person that she was just chatting with was like, hey, we're looking for people to do that. You know, drop me your contact information. I'll see what I can do. And maybe we can hook you up. Or if I know someone.
You're not going to get that elsewhere. That is the kind of stuff that you want to build connections as a newcomer, when you're just talking with people, and it gets you out there and start talking about yourself and what you want to do with people that you don't know, which is uncomfortable for some. And that is huge. So attending cyber security conferences, and I'll link that in the show notes, is, um, absolutely huge.
Gabi: How should I handle rejection in my job search, and what can I learn from unsuccessful applications to improve my chances in the future?
Marc: I'd say I had about a 54% hit rate on stuff where I would hear something back from somebody. Um, 50% ghost. Like nothing. And then 50%, you know, I'd hear back from something. I got really close to a lot of those opportunities. And rejected. And I had a lot of highs and a lot of lows. And it really took 84 tailored job applications. And this is 2018. 84 tailored job applications. I wasn't shotgunning it. And it was a very difficult and painful, uh, seven months to be able to land that first cyber security job. And I made my job looking for a job. I was applying or looking every single day. I never really took breaks. Um, I didn't burn out. But you get really good at interviewing and you get really good at knowing what questions people are going to ask you, because eventually it's like an actor, right? You're learning your lines. At first, you don't know your lines, you're really nervous, you fumble around, but after a while you hear the same: what's the difference between asymmetric and symmetric encryption? Or how would you secure this network, or what order do firewall rules go in? You know, whatever. You're going to hear the same things over and over and over.
Um, and you'll just get better at that. And then, how to handle rejection. I never took it personally. And I never really followed up with interviewers or hiring managers, anybody. I would apply, I would interview, and I would go on to the next job. I didn't spend time sending gift baskets and flowers and thanking recruiters and having a bunch of conversations. I'd follow up if I didn't hear back from somebody. But it didn't really matter. And if I was rejected, I never asked the recruiter why. They're never going to give you any good information. For legal reasons, for a whole bunch of reasons, they won't really disclose any of that. Um, and I don't really care. You know, maybe it wasn't a culture fit. Maybe they're hiring their brother-in-law. Who knows, who cares? So I didn't handle rejection per se. I just moved on and went to the next thing and the next thing and the next thing. I was a machine. My job was looking for a job, to get a job in the cybersecurity industry. That was it. Basically, in a nutshell, that was it. I didn't think about anything else. And it doesn't matter.
I see a lot of that on LinkedIn. It's like, oh, you know, I'll go on LinkedIn and complain about the job, how sucky jobs are and how broken the industry is, whatever. Not going to change anything. And it doesn't help you. It's not to say venting doesn't help, but public venting is just, yeah, waste of time. And you're not really gonna learn anything from the, recruiter's not going to be like, oh, if only you had more experience, or if only you had this, or you really should present yourself better. You're. You got to say anything. And nobody wants to get sued. So you just, oh, you know, we went with a different candidate choice. You know, the generic bullshit, whatever. And what if they said, oh, you're just not a culture fit. What are you going to do with that? How was that helpful to you? Oh, I'm not a culture fit. What? Come on. So you don't need to really handle it. You just need to not take it personally and move on. And I think this job market is a lot harder than when I had, I got my was hard, but that's my perspective. But I think it's definitely harder now than it was before.
So, you know, now, what can you learn from unsuccessful applications to improve your chances?
I would always constantly tweak my resume. Uh, I wrote a book, Zero to Hired, and it's on Amazon. And I've got a podcast on it. It's called the higher drive. And one of the things that I did was I constantly looked at jobs on LinkedIn that I wanted to do. And maybe there's a bullet point that I missed that I had done that looked better, like, oh yeah, I've done vuln, vulnerability management, scanning, and Nessus. Why didn't I include that on my resume? And then I would just take that from what they were looking for. And then I'd put that on my LinkedIn profile, on my resume, and use that. And eventually what you end up doing, I called it the save-a-job method, was I would save jobs I was interested in and I was looking at what they were looking for. And then I'd look at my resume and see if there was areas that I can improve. Could I improve the description? Could I add a keyword that I'd missed? Could I add a bullet point that I had done that I neglected to put on there? Could I drop something that I thought was important that apparently no one's looking for, and put something else? So could I word it better, so that the industry is looking for this particular set of keywords, but I'd use a different set of keywords. So I used their job descriptions to build up my resume for things that I had done.
And then at the end of the month or whatever, I had a damn good looking resume, in my opinion, that are what people in the cybersecurity industry are looking for, of things that I'd done, because they're looking for that. I had done that and was able to present it on a resume. And I did it in a way that I would have talking points. So it wasn't just a list of responsibilities. It was a list of accomplishments and things that I'd done. So I could have stories to tell, because storytelling is important. And that's why I think podcasting is successful, is because people like listening to content and stories. If I just rattled off these six questions and gave you real quick answers, it wouldn't be that entertaining. But I'm giving you information in kind of a story format that's giving you that information. It's more, it's better. And so a resume in ways is like a calling card slash story. Tell me about when you worked here, what'd you do? It shows that you saved the company this much money and stuff. Can you tell me about that? It's much more interesting than, I manage SharePoint. Okay. Great. But, you know, what else?
So think of your resume as a list of accomplishments and things that you had done. Your responsibilities are important, but a lot of people, they got ugly looking resumes, and that doesn't really, it might pass an applicant tracking system, but it doesn't make for something that someone is curious to talk to you about the things that you've done. You should toot your own horn, tell people what you've done and how you can help them out. That kind of thing.
But, you know, getting into cybersecurity is difficult. Not going to lie. It was hard for me, and I look out there in the landscape now. It looks nasty. So if there's anything that I want to do, it's trying to help people avoid the mistakes or the pain that I did. And that's the purpose of this podcast and the videos that I do. And I think the industry needs a lot more qualified, passionate, good people. And I know there's a lot of people out there that could do these type of jobs.
Gabi: Thank you, Marc! I hope the listeners will enjoy this episode. As a reminder, contact information and show notes will be available in this episode. Check your podcast app to view the notes for links to any resources mentioned. Stay safe and hope you join us again.