How to break into Cyber Security

Rehan Shaikh

Hello, I am Rehan Shaikh, a Cyber Security Analyst at TCS. I also volunteer with a local cybersecurity meetup group called BreachForce. I recently graduated from college and secured my job at TCS as a fresher. It might sound unbelievable, but it's true - you can get a job in cybersecurity as a newcomer. I did it, and you can too. If you're a fresher struggling to break into the cybersecurity landscape or an experienced professional looking to pivot into this field, this blog will provide clarity on the Indian job market for cybersecurity.

In the cybersecurity domain, jobs are categorized into teams based on their responsibilities. Depending on which team you work with, your duties may vary. These teams are:

  • Red Team: This team is responsible for attacking (hacking) the organization. We call them the attackers. Their job is to simulate real-world attacks by identifying paths that a potential attacker could use to compromise the organization.

  • Blue Team: This team is responsible for protecting (defending) the organization. We call them the defenders. Their role is to safeguard the organization from external threat actors (malicious hackers).

  • White Team: This team is responsible for assessing (inspecting) the organization's security posture. We call them auditors. Their job is to inspect the systems, networks, and other security controls used by the organization.

In cybersecurity, job opportunities are limited. Despite what you might hear online, be aware that the number of positions is restricted, especially for red team roles such as penetration testers or red teamers. The majority of openings in the cybersecurity domain are for blue team roles, like Junior SOC Analysts or SOC L1 positions. There are even fewer roles available for white team positions, such as ISO Auditors.

This blog will be divided into two sections:

  • Getting a job as a fresher

  • Getting a job as an experienced professional

Getting a job as a fresher

Freshers’ Dilemma: Breaking Into Cybersecurity

The cybersecurity job market is tough for freshers—and that’s a fact! Most entry-level roles require some form of work experience in domains like Helpdesk/IT Support, Web Development, or Network/System Administration.

Now, the question is, how do you get a job as a fresher? Isn’t it impossible since recruiters are looking for experienced professionals, even for entry-level roles? Is it a lost cause? Not at all! You can still get a job as a fresher, but you'll have to hustle a bit more than the seasoned pros. Keep this mantra in mind: "Having work experience doesn’t necessarily mean having knowledge." I might have one year of work experience, but I still might not know how to install Python. You’ll encounter situations like this often, especially in the Indian corporate world, where there’s a tendency to exaggerate skills on resumes.

The best way to compete with working professionals is by showcasing your deep understanding of concepts in your domain and your ability to learn new concepts quickly across various fields.

Additionally, you may come across situations where a large number of applicants apply for junior or intern roles in cybersecurity. It can feel overwhelming to see such numbers, and you might lose hope of being selected. But don't worry - most applicants lack a fundamental understanding of cybersecurity. Many individuals applied simply because online influencers promoted the notion of abundant job opportunities in the field.

Recruiter’s Dilemma: Hiring the Right Talent

Before attempting to hack anything, it’s essential to study the entire product, understand its functionality, and learn how it works. Similarly, before "hacking" your way into landing a job, let's first understand the mindset of a recruiter.

As a recruiter, imagine I’ve posted a job opening for an entry-level role in cybersecurity, outlining the roles and responsibilities. Within a few hours, I received over 400 applications for the position.

Faced with such a large pool of applicants, I’d find myself in a dilemma: Who is the right candidate for the company? Who is honest about their skills, and who is exaggerating? How do I select the best candidates? This is why I’ll focus on one crucial section of the resume: the skills section. Do the skills listed in the resume match the job description? If they do, I’ll consider that candidate. However, what if someone is exaggerating their skills? I’ll schedule an interview to find out if they are a hecker or heckler.

I’ll narrow down the applicants by comparing the skills mentioned in the job description (JD) against those listed in their resumes. After this initial process, I’ll be left with around 100 candidates.

Next, I’ll schedule interviews with the remaining candidates to test their skills. Keep in mind, I’m looking for the best of the best. The interview will allow me to see if candidates truly possess the knowledge and skills they claim. I’ll be looking for those who can "put their money where their mouth is."

During the interview process, besides educational qualifications and skills, I’ll also look at their achievements. What distinguishes them from other candidates? What unique qualities or experiences do they bring to the table? These factors will help me select the right candidates.

So, what are those distinguishing parameters? Let's study them in detail.

How Recruiters Distinguish the Best Candidates

  • Bug Bounties: Do candidates have bug bounty experience as freshers? Bug bounty hunting involves identifying security flaws, known as "bugs," in popular websites and receiving rewards, or "bounties," from organizations for these findings. By participating in bug bounties, you can earn monetary rewards while building a solid profile within the bug bounty community.

    Don't worry if your bug bounty report is a duplicate—it can still help you stand out from other candidates. Be sure to highlight your bug bounty achievements in both your resume and during your interview.

    Some companies even hire bug bounty hunters based on their profiles on platforms like HackerOne, Bugcrowd, or Intigriti. These platforms host bug bounty programs for well-known websites. By participating in these programs, you can be rewarded for finding and reporting bugs. Stay on the lookout for public programs, Vulnerability Disclosure Programs (VDPs), or private programs on these platforms.

  • CVEs: Do candidates have experience finding CVEs in applications or products? Vulnerabilities are security flaws in application software that can compromise the confidentiality, integrity, and availability of systems, companies, or individuals. Finding and reporting CVEs (Common Vulnerabilities and Exposures) involves identifying these vulnerabilities, reporting them to the vendor and the National Institute of Standards and Technology (NIST), and receiving a CVE-ID (an identification number assigned to the vulnerability). The vulnerability is then added to the National Vulnerability Database (NVD).

    Experience with finding CVEs indicates that a candidate is well-versed in research. Such candidates are particularly valuable when targeting product-based companies as a cybersecurity researcher. A good way to find CVEs is by identifying vulnerabilities in open-source software. This can earn you recognition from both the open-source and cybersecurity communities, which you can highlight on your resume.

  • CTFs: Do candidates have experience participating in Capture The Flag (CTF) competitions? CTFs are contests where participants solve challenges across various categories, such as OSINT, Web, Reverse Engineering, and Forensics, to test their skills and competency. The first person to solve a challenge often receives a "first blood" badge (typically reserved for exceptionally difficult challenges). Participants earn points based on the number of challenges solved, which contribute to their overall score. CTF organizers maintain a leaderboard to rank candidates by their scores. The top 3 score holders on the leaderboard are awarded by the organizing team once the CTF competition ends.

    Participation in CTFs demonstrates a candidate's proficiency in critical thinking, research, and application. High rankings in CTF competitions, whether local (Indian-based) or global, attract the attention of HR professionals and indicate that a candidate is among the top performers worldwide. Unlike other candidates, those who excel in CTFs are actively testing their skills against many peers. You can find CTF competitions listed on ctftime.org or ctf.hackthebox.com. I recommend starting by playing solo to develop your skills; once you feel more confident, search for a team and participate with them.

    Some companies, including TCS, KPMG, Payatu, and Cloudsek, specifically recruit through CTF competitions. Therefore, it’s highly beneficial to highlight your CTF rankings on your resume.

  • Internships: Do candidates have prior internship experience related to cybersecurity? Internship experience, regardless of its duration (whether 3 months or 6 months), plays a crucial role in the selection process. Recruiters often prefer candidates who have some experience, as it minimizes the time and effort needed to train someone from scratch. They look for individuals who are already familiar with corporate culture, client interactions, and job responsibilities.

    To gain internship experience, consider targeting cybersecurity startups. These companies often offer valuable hands-on experience and can be more flexible in providing opportunities. Be sure to highlight your internship experience as an achievement on your resume, as it demonstrates your practical knowledge in the field.

    If you haven’t secured an internship in the corporate world, consider exploring unpaid internships. Three notable options are:

    • Gurugram Police Cyber Security Summer Internship Program: This program typically starts in June. For more details and updates, check the official handle of Dr. Rakshit Tandon, who is the brains behind this amazing endeavor.

    • Maharashtra Cyber Cell Internship Program: Information about this program is available on the Maharashtra Cyber Cell’s official Instagram handle.

    • Cyber Secured India Internship Program: This program, led by Nikhil Mahadeshvar, offers an exciting opportunity for mentorship by experts and practical exams that simulate real-world scenarios—all for free. This deserves an honorable mention. The updates are available on Cyber Secured India’s official handle.

These internships offer valuable experience and can be a great addition to your resume if you're looking to build your cybersecurity skills.

  • Certifications: Do candidates hold any cybersecurity certifications? Certifications play a crucial role in the cybersecurity domain as they offer third-party validation of a candidate's skills. However, not all certifications are equally valued by recruiters. The certifications most recognized by HR professionals for different roles include CEH (Certified Ethical Hacker), Security+, and OSCP (Offensive Security Certified Professional).

    If you’re unsure which certification to pursue or want to learn more about the certification landscape, feel free to share this blog with your peers or give me a shoutout on LinkedIn. I’ll gladly create another blog focused on cybersecurity certifications.

    Moreover, certifications are especially important in consultancy firms, as they play a key role in securing projects from clients.

  • Degree: Does the candidate have a degree in the cybersecurity domain? Do degrees matter? The answer is both yes and no—it depends on the recruiter. Candidates with a specialization in cybersecurity often receive higher priority compared to those with degrees in IT or Computer Science Engineering (CSE). It’s a hard pill to swallow, but it reflects the current hiring trends. However, don’t lose hope! You can always work on developing the other factors that set you apart and make you a strong candidate for cybersecurity roles.

  • Training Platforms: Does the candidate have a profile on cybersecurity training platforms? Platforms like TryHackMe, Hack The Box (HTB), or PortSwigger Academy provide freshers with opportunities to practice and hone their skills. These platforms offer hands-on labs and study materials, enabling users to legally hack systems or defend them, simulating real-world scenarios. Rankings on platforms like TryHackMe or HTB carry significant weight with recruiters, especially those with technical expertise.

    Additionally, an impressive HTB ranking can open doors to remote job opportunities globally. If you have notable rankings or achievements on these platforms, be sure to highlight them in your resume.

  • Projects: Has the candidate worked on any cybersecurity projects? Projects are especially important for freshers as they demonstrate a genuine passion for the field. Projects tailored to different roles can capture the attention of recruiters and show that the candidate is committed to developing practical skills.

    Examples of valuable projects include setting up a home lab, building a keylogger, or creating a SIEM (Security Information and Event Management) monitoring system. These projects not only showcase technical abilities but also set you apart from other candidates. Be sure to build meaningful projects, showcase them on GitHub, and include them in your resume to enhance your candidacy.

  • Referrals: Does the candidate have a referral from an employee of the company? Referrals are incredibly valuable, especially in the competitive cybersecurity job market. They indicate that the candidate has relevant skills and is endorsed by someone within the company. As the saying goes, “In cybersecurity, you need to polish your networking skills, both technically and figuratively.”

    Building a strong network makes it easier to receive referrals from employees across organizations. In many cases, a referral can help you bypass the CV selection stage and move directly to the technical or HR interview round. Your network significantly impacts your career, establishing your "net worth" in the industry. Communities play a key role in this, which we'll explore further in the next point.

  • Communities: Is the candidate involved in any cybersecurity communities? Communities play a vital role in expanding your network, connecting with like-minded peers, and gaining referrals from experienced professionals. Attending or speaking at conferences and events organized by these communities allows you to interact with individuals from various cybersecurity domains. Presenting at a local chapter event boosts your confidence, showcases your skills to recruiters, and attracts interest from industry professionals.

    Breachforce is one such community where you can learn new technologies, network with others, and exchange knowledge. If you come across any events hosted by Breachforce, be sure to check them out. Additionally, look for local chapters of cybersecurity communities in your area on LinkedIn. Volunteering at these communities can also help you develop valuable soft skills like teamwork, communication, coordination, leadership, and decision-making.

    So far, I’ve covered numerous points that can help you enhance your resume and stand out from the competition in the cybersecurity job market. Many of these strategies also apply to working professionals looking to further their careers or transition into the cybersecurity field.

Getting a job as a working professional

As a working professional, you likely have valuable work experience that can strengthen your resume. HR professionals highly value work experience, especially in cybersecurity. Whether you're looking to pivot from your current career into cybersecurity or transition from a non-tech domain to a tech-focused role, your prior experience can be a major asset.

Below are key factors that can help you stand out from other candidates:

  • Work Experience: Does the candidate have prior work experience before applying for this role? Work experience is one of the most significant factors in securing a cybersecurity job. You should highlight your previous work experience and how it aligns with your current professional pursuits in cybersecurity. However, be prepared to answer the common interview question: "What is your reason for switching to cybersecurity?" Your ability to explain this transition passionately can convince HR to take a chance on you.

    The key is to relate your experience in your previous domain to the cybersecurity field. For example:

    1. A Web Developer can highlight their expertise in building systems to qualify for a Web Penetration Tester role.

    2. A Systems Administrator can emphasize their knowledge of configuring and managing systems for an Infra Penetration Tester role.

    3. A Network Administrator can draw on their understanding of network configurations to transition into a Network Penetration Tester role.

In general, companies tend to prefer professionals with work experience over freshers, but you must be able to demonstrate your skills and knowledge for the role you're applying for.

  • Internal Switch: As a working professional, you may have the opportunity to switch internally within your organization. If there is an opening in the cybersecurity department, you can recommend yourself for the role to HR. However, before approaching HR, it’s a good idea to first have a conversation with the department head or project manager to express your interest and gather any insights about the role. This proactive approach can increase your chances of making a successful internal transition.

  • Referrals: As mentioned earlier, referrals play a crucial role in securing a job in cybersecurity. As a working professional, obtaining referrals is generally easier than it is for freshers. Having a referral from someone within the company can significantly boost your chances of getting noticed, as it serves as a strong endorsement of your skills. For more details, refer to the "Referrals" section earlier in this blog.

Consider all the factors mentioned above when applying for a cybersecurity role, whether you are a fresher or a working professional. Incorporating these parameters into your skillset will undoubtedly strengthen your resume and increase your chances of being selected for a cybersecurity position. Best of luck on your cybersecurity journey! Don’t forget to follow me and Breachforce on LinkedIn for more insightful content!
