How to get job as entry level candidate in cybersecurity
Recruiters are noticing that while there are vacancies in information security, very few are entry level. Almost every job asks for prior experience.
Here's why.
Information security is mostly driven by laws and regulations.
Information security is still considered an offshoot of IT, so much so that having IT experience is a definite '+'.
Infosec is a cost centre. Outsourcing is always a juicier option than maintaining staff in-house.
Security is like brushing your teeth or taking a daily bath - everyone knows the benefit, still very few people do it (unless forced, either by society or by regulation) until they get compromised. It's a different ball-game then.
When an employer looks to bolster their security status, they hire
The leader (CISO), if they are in a regulated industry or a decent-sized company. Hiring happens top-down (senior-most, then senior, then junior, followed by junior-most).
Someone slightly experienced, but cheaper than an executive.
Due to point 1 above, budgets are limited. Skill stacking is a given, resulting in cocktail JDs. Budgets get depleted by the time it comes to juniors.
One must read the posts below, related to jobs and work in general. Read them, chew on them (in your mind, of course).
Doesn't mean all is lost, though.
Here are some ways for an entry level candidate to enter this field. Remember - very few people can do all the things that are listed below. So, even if you can do 'some' of the things on the list below, congratulate yourself every day. And push on.
A few non-negotiable prerequisites first. These must be sorted out before you put in the hard work.
Why do you want to get into Infosec? Get your 'why' sorted out.
Understand your learning process: is it top-down or bottom-up?
Understand the value that you bring to your employer - cheap, open to experiments, can be deployed for anything, always available. Not every senior can do this. This is your value to most employers (at least for the first 3-4 years). Remember this. And,
Remember to tell yourself every day - Hard choices, easy life. Easy choices, hard life.
After you sort the prerequisites out, do the following while looking for a job in infosec. Keep updating your CV every 6 months. Keep a daily journal of the things that you did at work and what you learned. It will help you when you update your CV (and in interviews). Remember - pivot when things don't seem to be going your way. But give yourself time before deciding to pivot.
Invest in a desktop (not in that fancy laptop) and build a home-lab. Anant Srivastava has articulated it very well in his c0c0n talk 'Expanding capability horizons : Homelabs and beyond', watch and take notes.
If you like offence, pick a few vulnerable VMs, pick an introductory course (from TCM Academy; their YouTube channel has a lot of useful info for no cost) and follow along.
If you like defence, set up a defensive lab (an AD domain with DNS, a couple of Windows machines, 1-2 Linux machines, one web server, etc.). Learn how to set up log forwarding and how to analyse logs. Head over to BTL, Let's Defend, or Chris Sanders' courses.
Jason Haddix has some pointers for red, blue, and purple trainings that are available for free.
If you are a developer who is looking to get into security, source code review and web app pentesting are some of the ways you can contribute. Pentesterlab runs a very good source code review course that you can look into. It is not cheap ($950), but very systematic, with a worthy trainer. Their lab, even otherwise, is a good investment for people who want to get into web app security. Another excellent resource is from the makers of Burp Suite Pro: the Web Security Academy.
Document your experience. It is crucial because it tells a recruiter that you are hungry and that you are learning / willing to learn. Both are crucial traits that employers look for. It could be a blog, tweets, LinkedIn posts, etc.
If you are learning offence, look for vulnerabilities in open source software, raise a PR (Pull Request) with the fix, and ask for a CVE number when the maintainers accept it.
If you are learning defence, document your journey of setting up your homelab, setting up logging, analysing those logs, identifying attacks, responding to them, etc.
After you have been at it for about 6 months (no less), try contacting CISOs in or near your city using LinkedIn with a crisp, two-paragraph cover letter. Highlight what you have been doing for your learning, and express interest in joining their team.
Visit resume clinics in conferences. Hand out your CVs. This will help you get over your shyness. It will be very difficult initially (doubly so if you are an introvert). Use LinkedIn if you can't visit personally.
The first 2-3 years after you get a job are very crucial. Think of them as an investment. You need to optimise your initial days. Here's how.
Spend some time (2-3 years) in IT, if your learning happens in a bottom-up manner. Some of the options are -
Helpdesk - You will learn how an organisation works, how to troubleshoot basic issues in IT.
Supporting system/ network administrators - You will learn all the ways in which a server or network blows up, how users react, how sysadmins and network admins keep misconfigurations alive, how those get flagged by auditors as security vulnerabilities, etc.
Junior developer - You will learn how development happens, which will help you in setting up a Secure SDLC practice, or setting up a secure CI/CD pipeline, or getting into secure code review, or web app pen testing, etc.
Spend some time in ISO 27001 implementation teams, if you happen to be a top-down person. You will learn more about how an organisation works, how the processes interact, how work gets done at a high level, etc.
Don't worry if you feel overwhelmed in one specialty (offence, defence, AD, app-sec, governance, compliance, etc.) and are looking to pivot. Everything is connected in infosec. You must learn how to connect 'what you are doing now' to 'how will this help in your new role'. Here's an example. Doing an application risk assessment is very hard if you don't understand
key vulnerabilities (XSS, resulting in session hijacking; the application storing data on an S3 bucket which is unprotected),
the business need of the application (used for customer Video-KYC, which is different from Customer-KYC),
its placement in the network (how risk changes when the application and data are hosted in a vendor's network vs. in your own datacenter),
applicable regulations (e.g., for Indian BFSI, RBI regulations around V-KYC, RBI cybersecurity framework, RBI master direction on IT Governance, RBI master direction on Outsourcing of IT activities, DPDP Act of India, etc.), and
impact of exploitation (session hijacking, coupled with an open S3 bucket, leads to ATO - Account Take Over - and exposure of customer PII, potentially resulting in a fine/ penalty).
What does the last example mean? It means,
It is OK to pivot to defence if you find offence overwhelming or not suited to your temperament. However, you must be clear on
why you are doing it, and
what value you bring to the other side when you pivot (e.g., your application development skills make you a juicier candidate for IT; your understanding of application vulnerabilities and exploits makes you a better risk assessor in InfoSec Governance, or a better SOC analyst because you know application logs better than anyone; your experience in infosec governance makes you a better compliance officer; etc.)
You must be honest with yourself. Are you pivoting because you know you don't belong in this sub-field, or is it just laziness and lethargy? Sometimes it takes time for information to seep into the brain and crystallise into something actionable. Give yourself tough love, because no one else knows you like you do.
All the best for your future. May the force be with you.