This page contains our recommendations on how to seek a remote, entry-level job in technical information security with good chances of getting hired. Similarly to the Self-Education Academy, this guide is not a panacea. It is mostly tested, and mostly reliable, but it's clearly not the only path to follow. You are encouraged, in true hacker spirit, to make adjustments and changes so that the process fits your personal requirements. Make this work for you.
This guide assumes that you have completed (at least some of) the Greenbridge Curriculum. Though it may theoretically be possible to get a job in cybersecurity while being almost clueless on the subject matter, you will need a very rare combination of factors for this to succeed: a desperate, gullible, opportunistic employer on one hand, and an aptitude for lies, suitably placed buzzwords and deceit on your part. To be clear: this is not the career hacking we are trying to help you with here @ Greenbridge.
In order to get a job in Information Security, you'll need some key elements:
The first thing you need to do is spend some time thinking about what exactly it is that you would like to do in cybersecurity. Generally speaking, the entry-level roles that can be performed remotely in technical cybersecurity fall into three categories, which mostly align with three distinct hacker types:
- Security Analysts (Seekers)
- Security Engineers (Builders)
- Penetration Testers (Destroyers)
If you have done your homework and completed (at least some of) the Greenbridge Curriculum, it should be fairly clear by now which of the above appears most appealing to you and compatible both with your future aspirations and your current modus operandi. This will probably be related to what you have been working on so far, either at your current job or as part of your studies, but also to how you relate to information security in a more general sense.
Use your google-fu to locate job opportunities related to these roles as well as their variants. Try different combinations and wording pairs to track down as many relevant opportunities as possible. Try searching for opportunities in languages other than English. Try to think in reverse: what would a prospective employer include in their hiring campaign to attract talent? Consider trying search terms which are adjacent to what you are looking for (e.g. "vulnerability assessment" and "red teaming" are different things, but relevant to penetration testing). Here are a few example search terms for penetration testing:
- penetration testing jobs
- penetration tester jobs
- junior pen testing roles
- penetration testing vacancies
- penetration testing recruitment
- pen testing careers
Make a shortlist of 20 vacancies that interest you and prioritise your applications according to a set of criteria. We'd recommend the following criteria, but, as usual, feel free to adjust these to match your own goals:
- Prioritise small(er) employers. In smaller companies, you'll get the chance to learn more and be part of a more intimate team with whom you can form strong bonds. This stable and nurturing environment is important for someone at the beginning of their career in cybersecurity. More importantly, smaller companies are much more likely to match your energy levels: they tend to move more swiftly, reply faster to your questions and support you more readily in anything you need. Furthermore, they are not plagued by protocol and bureaucracy. On the "downside", pay and job security tend to be lower. But is a phat paycheck and job security what attracted you to cybersecurity in the first place?
- Prioritise companies in other countries. It is our experience that both employers and employees manifest better versions of themselves when working with people from other cultures. When working in a non-native environment, people tend to be more alert, more open to change, more tolerant and more likely to act in good faith.
- Prioritise companies that do not have published vacancies but otherwise match your compatibility criteria. This is an intelligent way to avoid unnecessary, toxic competition.
- Prioritise security specialist companies over generalist companies that have vacancies for security personnel. A cybersecurity company will provide a newcomer with a more suitable environment and more opportunities to learn than other types of companies.
- Prioritise companies that operate in your timezone. Working for a company on the West Coast of the US while living in Europe is not a good way to safeguard your personal time and mental health.
- Consider salary levels and sector maturity in different places. If you are based in Bulgaria and apply for a job in Austria, there is plenty of financial potential for both parties: if the employer likes you, you can hope to secure a salary that's higher than what you would get in Bulgaria, while still being (very) affordable to your employer. Conversely, if you are based in a very competitive country with high wages, such as Belgium, you may consider applying to an employer based in a cheaper country where the cybersecurity industry is still growing, like Slovakia. Many employers nowadays are willing to pay high salaries to international talent, particularly if they feel that the candidate's presence will heavily boost the company's performance, both from a technical and a marketing perspective.
Pay attention to the wording of the job vacancy posting and submit, with surgical precision, exactly what is required. No more, no less.
In most cases, they will require a CV. Your CV is your personal marketing tool. It must be fairly compatible with contemporary-looking CVs, but it should have your own trademark personal touch. Make sure that it is in English, that it is a PDF document (not .txt, .docx or anything else), that it is visually appealing and that it fits on one page. Avoid spelling, grammar or punctuation errors and do not use plagiarised or boilerplate content. Besides the presentation of your CV, the actual content obviously matters too, so make sure to include all your relevant achievements here, including degrees, FOSS projects, programming languages, operating systems, work experience, and any offbeat interests you may have.
If a cover letter is required, tailor your response to say exactly why you are a good fit for the role. A couple of well-written, error-free paragraphs are usually enough to draw attention. If your potential employer is asking for other credentials, such as copies of certificates or anything else that they may need, make sure that you submit them, or provide a valid justification for any prerequisites you are not able to provide.
If you are invited to an interview, make sure that you conduct extensive open source intelligence gathering on the company you are interviewing with. If your interviewer's name is known to you, do your OSINT on them as well. Educate yourself in relation to the interview process and be prepared for any specific tests they will be asking you to take. You may also want to prepare a few things to reply to some of the most common interview questions. Last but not least, to state the obvious: Get a good night's sleep before the interview.
Things to keep in mind for the interview:
- Be on time.
- Make sure that you are on a reliable internet connection, in a quiet room, and not in motion.
- Listen to your interviewer. Let them lead the session.
- Be alert but do not rush into answering as quickly as possible.
- Try to answer questions with precision. Neither waste nor withhold information.
- If given the chance, show them that you are familiar with their company and their services. Be careful to strike the right balance here: while lack of knowledge on what they are doing may signal indifference, too much knowledge may liken you to someone obsessive or desperate.
- Do not talk too quickly or mumble, and try to clean up your accent if it is particularly thick to the point of potentially being incomprehensible.
- Be honest but diplomatic. If you don't know the answer to something, say so. If "don't know" answers start piling up, remind your interviewer that you are very capable of working and learning independently.