Cybering for Fun and Profit: Lessons from a Year of Cyber Security Job Hunting

So I've spent around the last year hunting for entry level jobs in Cyber Security, and after recently finding success, I'd like to share some of what I've learnt, what I wish people had told me, and some tips to help you succeed where I struggled.

University

This article is going to mostly be written about alternative post sixth-form options, but given how many people choose to go down the University route, I thought it at least worth discussing.

Firstly, picking a course. If you are interested in pursuing a degree in Cyber Security, the National Cyber Security Centre has a list of degrees which they have certified the quality of, but even with these, I would be careful. Remember, for a degree to be created, it will need years of development, and that means that much of the information will be out of date. Whilst there is certainly value in a Cyber Security degree, it is hardly the be all and end all of educational opportunities. And let's face it, most professors teaching those courses haven't been in industry in years. Much of this applies to Computer Science degrees as well, but at least they won't be anywhere near as out of date a few years down the line. In my opinion, if you want to do Cyber at University, better to join a Cyber Security society like ENUSEC, and participate in some of the opportunities I'm going to talk about a bit further down.

Apprenticeships

Given all the costs involved in University and the questionable relevance of some of the material, what alternatives are there? Well, what about apprenticeships? You're earning money whilst gaining skills and practical experience, plus a degree if you can get a place on a degree apprenticeship. So what is applying for apprenticeships actually like? Well, let's take a dive into the process!

Before we begin though, we need to get something out of the way. You're going to be doing this a while. Apprenticeship applications are generally much later in the year than University applications (I went to an assessment centre the day after my last exam), so even if you see yourself as an apprentice, it may still be worth applying for University, just to give you that backup. But don't get caught in the trap of thinking Apprenticeships are easier to get. Where a University course might have 50 places, I've been at assessment centres for one position. Also, get ready to deal with rejection emails, they don't feel great...

Finding Something

With all that being said, how do you actually find apprenticeships to apply for? There is no centralised website like UCAS, so how do you find something? Well, as a starting point, I'd highly recommend some sites which do try and list all available apprenticeships

Specifically for Cyber however, I would recommend looking into some of the following:

  • NCSC CyberFirst Degree Apprenticeship
  • Government Security Practitioners Cyber Security Apprenticeship
  • Santander Digital Technology Apprenticeship
  • BT Cyber Security Degree Apprenticeship
  • IBM Digital Degree Apprenticeship
  • QinetiQ Cyber Security Degree Apprenticeship
  • Home Office Cyber Security Degree Apprenticeship
  • Microsoft Cyber Security Apprenticeship
  • Vodafone Cyber Defence Higher Apprenticeship

Some of these may not run again, and there are likely many that I have missed, but this should hopefully give you a starting point.

The Application Process

So whilst the application process can vary massively between organisers, things normally begin with a resume (or a resume copied into a poorly designed website), so make sure you have an up to date resume. Even if you're not applying for stuff now, try and make a resume now. It's going to take you a while, and it's much easier to keep it up to date then have to make a completely new one when it comes time to apply. Also prepare for some "Why do you want to work here" style questions in the initial application.

Once you've got past that, there will normally be some kind of vetting process. Those which I have seen can be split into three categories, some places will do all three, some will only do one, one or two will skip all three.

Psychometric Testing

Did you do 11+? If yes, do you remember the dumb questions you had to do? If yes to both, you should feel right at home with psychometric testing. If not, let me give you an idea of the hell that awaits. Psychometric testing will generally consist of numerical sequences (GCSE Maths to A-Level Further Maths level), verbal reasoning (If Paris is to France, what is to England?), and non-verbal reasoning (see below).

Speaking from both my own experience and that of others who have been through this, expect to come out of this feeling like you've failed, but don't worry, you'll be fine. If I were cynical, I would say that tests like these are mostly just testing how much you care, but I'm not cynical, so I won't say that.

Subject Specialist Testing

Many programs will try and assess your Cyber skills by having you complete labs. I'll talk a bit more about Immersive Labs (the source of the below screenshot) in a minute, but as a suggestion, if you are given a minimum number of labs to do, do more. Do as many as you can.

Written Testing

If you're anything like me, next comes the worst part. At this point, many schemes will try and get as much writing out of you as they can to try and assess your suitability. On one application, I have seen 500 words on all of the following requested:

  • Yourself
  • Teamwork
  • Effective Communication
  • Self-motivation and Drive to Succeed
  • Initiative
  • Client Focus
  • Adaptability
  • Technical Skill
  • Motivation for Applying

I'm not sure really what advice I can give for this beyond get other people to read your answers. It may sound great to you but utter rubbish to other people. Unfortunately, in this situation, it's other people's opinion which matters more than yours.

Assessment Centres

So, congratulations, you've made it through candidate vetting (and maybe some video interviews, which may be the most unpleasant thing you'll do whilst job hunting), it's time for an assessment centre. These are generally much more standard, with most containing these three elements.

Group Task

These will normally involve some kind of logic puzzle or judgement on attributes of an employee. The thing is however, in most cases, it doesn't actually matter if you get the right answer (if there is one), what is actually being assessed is your teamwork and communication, so make sure to focus on that.

Interviews

I'll be honest, I absolutely hate interviews, so I'm probably not the best person to give advice about them. Instead I'd recommend this great article by Barclays, which should help set you on the right direction. The only pointer I might give is that it's fine to be nervous, the interviewer is expecting it, and they'll do everything they can to calm you down.

Individual Activities

Sometimes organisers will ask you to give a presentation on a topic they specify. Depending on if you enjoy this kind of thing this can either be a Godsend or damnation. As with most things, practice is the key. I have claimed classrooms at school for hours to practice presentations, much to the bemusement of anyone who walks in, but the only way you are going to get comfortable presenting like this is practice. Oh, and don't wing it like I've seen some people do. You may as well not even show up, it will be painfully obvious how little you've prepared.

Offers

If all goes well, you should be able to put your feet up at this point and wait for the offer! Or, as will often be the case, the rejection. I said it at the start, and I'll say it again, get ready for the rejections, no matter how well you think you did. If you do get rejected, make sure to ask for feedback so you can improve for next time. If you were accepted, congratulations!

Jobs

Alternatively to all that, you could always look at getting a job that's not part of an apprenticeship scheme. Many companies are happy to take younger less experienced people on and train them up. Don't worry if you feel a bit underqualified looking at job listings, just take the plunge and see if they respond. Unlike apprenticeships, jobs tend to have much simpler application processes, so applying for one is nowhere near as big of a commitment. Some stuff that might be worth applying for:

(Recruiters, email me and I may add you to this list)

Making Yourself Stand Out

This could probably be a blog post of its own at some point, but here are some things you can get involved in or do to help yourself really stand out from the other candidates.

Cyber Discovery

Ok, if you're here, you probably know what Cyber Discovery is, but for those of you who don't; Cyber Discovery is a UK Government funded scheme to train 14-18 year olds in everything Cyber Security with a great community. Starting from the very basics, up to industry level reverse engineering and web app testing, it's a great way to learn, and I can credit it with a large part of my knowledge. If you do really well, you may get the opportunity to participate in professional qualifications like SEC504 and FOR500, and if you're really lucky, go to the USA to learn even more. They even let me write a blog post on their site which is always nice. Bonus brownie points if you set up a club to help teach others.

CyberCenturion

CyberCenturion is a team based blue team competition for 12-18 year olds, focused around Windows and Linux security run by Cyber Security Challenge UK and Northrup Grumman. As your team patches vulnerabilities they are awarded points which can contribute to a place in the final, where a place on a trip to the USA can be won. Did I mention I led the team who won this year?

Cyber Security Challenge UK

Cyber Security Challenge is an organisation dedicated to running competitions and training in Cyber Security for young people. For a long time they ran competitions for sponsors which I can give a ringing endorsement to. Recently, they have shifted their focus to younger audiences, and I'm interested to see where they go with this.

Hack the Box

Hack the Box is a free platform for Hackers to practice their skills. After completing the welcome challenge, you are given a VPN connection with 20 boxes to hack into in return for badges which you can use to show off what you can do to employers! Boxes are regularly rotated so there's always something fresh to try, and you can even submit your own boxes for ultimate bragging rights!

Immersive Labs

Immersive Labs is a huge collection of free labs, each designed around a specific skill. Want to practice unquoted service paths? There's a lab for that. Want to know a bit more about Snort? There's a lab for that. Immersive Labs is great for learning and practicing specific skills, and if you can get your future workplace to pay for it, there is a massive collection of premium labs with new ones added every week.

Google Code-in

Whilst not stricly Cyber Security, Google Code-in is a competition for 13-17 year olds, where you participate in open source projects, and those with the greatest levels of participation are given a very expensive Google Goodie Bag and a free trip to Google's office in California.

Start a Blog

If you've not noticed by now, I'm a big fan of blogging. Blogging is a great way to show to employers what you can do, and the range of skills that you have. If you have a little bit of money to throw towards the project for a server to host on, I can highly recommend Ghost (WordPress also exists, but please don't use it), or if you want something completely free, Google's Blogger is a great no-frills option. Make sure to check out other people's blogs to help you stay up to date with the industry.

Twitter

Despite its many faults, Twitter is still a great platform for getting yourself out there and noticed. Twitter can be a great place to keep up with the Cyber Security industry, and to showcase things you'd like an employer to see.

Conventions

Less valuable from an employment perspective, but still great fun, conventions can be a brilliant way to network. You don't have to spend thousands to get to DEFCON, BSides events (London, Bristol, etc.) are excellent ways to meet people and expand both your knowledge and your circle of contacts. Oh, and drink a stupid amount of booze (if you're an adult and into that sort of thing, not for me but you do you), eat an unhealthy amount of pizza (much more my thing), and hack a bunch of stuff.

LinkedIn

Oh LinkedIn, Facebook for old people (as it's known). Whilst on the surface LinkedIn may seem to be just another social media platform, it's so much more. LinkedIn is both a great way to stay in contact with people you meet, and conduct OSINT. Unlike Twitter, there's no one hiding behind a handle, and unlike Facebook, there's no well... Facebook. It's hardly perfect, but I am yet to find a better way to network with people.

Conclusion

First of all, seriously well done for getting through all that. I know it's a lot, so thank you for sticking with me (you did read the whole thing right?). I'm not saying that you need to do all these things to get a job in Cyber, nor that doing all these things will get you a job, far from it. These are simply some of the steps I have taken which have helped me move from education to a career in Cyber. Hopefully this has been of some value to you, and if it has (or if you have any suggestions for modifications), drop me an email on daniel@daniel-milnes.uk.