Having the technical skills are great, going to meet-ups and making the social contacts is even better. What really gets you in the door though? Knowing people? A CV? Being somewhat known? All valid points and questions, all worth looking into and all will get you somewhere.
Things to Consider
The main thing that I hear again and again is to get a job you need to sell yourself to an employer. What do you do or have that Joe/Jane Doe does not? The two things I would recommend that you do are:
- Create a blog
- Keep it up to date with projects you're doing, write-ups & tutorials(all optional of course, however will stand you in good stead).
By creating a blog you are doing two things essentially, you're creating a log of the projects you do outside of your studies or in your spare time and what you're also doing is demonstrating your ability to write things down.
Typically the first engagement you'll have with a potential employer is either face to face at an event or by sending your CV out to them. If it is the first my advice would be, just be careful what you say to people and how you approach different situations however that's just general life advice!
When it comes to CVs though, the best thing you can do is write it yourself, especially if you're applying for a role in infosec that involves reporting. As a full disclosure I'm not a careers expert however I have seen many CVs in my time in the industry.
Getting that disclaimer out of the way, taking penetration testing as an example job you're applying for. You want to craft your CV in a way that it peaks the reader's attention from opening it (
CV_totes_not_malware.pdf.exe <- don't do this).
Typically the core details you'll want to include should include; a blurb about yourself, employment/education history, hobbies/achievements + any professional certifications you've gained( this is things like OSCP & GPEN etc) however if you don't have these fair not it's not the end of the world.
When writing your CV you need to be mindful of your target audience. This can depend on where you're applying for i.e are you applying to a massive corporation who will likely filter based on certifications or are you applying to a small outfit who are more likely to read your CV despite certs?
Either way you want to hit the ground running with a one to two page highlight of how awesome you are and why you're the person they need! In your introduction blurb you want to tailor this to the audience, so for a corporation you might want to start out by explaining you have x,y & z certifications and are active in x community or have done y as a profession for z years etc. An example blurb may look similar to:
Andy has worked in information security for just under 4 years combined, focussed specifically on penetration testing, having achieved OSCP & Crest Registered Tester (CRT), He is a CHECK Team member (CTM) and has delivered several CHECK tests. Andy is currently working towards Crest Certified Tester(CCT-Inf) and CHECK Team Leader (CTL) status. Alongside his work in pentesting, he also spends his free time doing bug bounties and has identified many bugs in several companies.
This is written in the third person however you can write in first person too, this is mainly down to personal preference. The blurb above covers off my experience, qualifications, aspirations & involvement with bug bounties. Your milage will likely vary as you might not have experience within industry, just starting out you have more to play with when it comes to this intro text. An extended intro that I have used in the past looks similar to this:
I am an old school hacker in the sense that I like to take things apart and look at their inner workings them. My background has always been computer related, I currently work as a Penetration Tester and as a researcher in my free time. I hold a Bachelors of Engineering in Digital Security Forensics and Ethical Hacking. Previously I worked as a computer technician, working with both software and hardware on a variety of platforms, such as OSX, Windows and Linux. I participate in karate three times a week and currently hold a 1st Dan black belt; I have fought at Full contact level and in mixed martial arts competitions. I like to apply the same mind set to pentesting as I do with karate, which usually involves hard work and some pain the next day, if you are not exhausted at the end and feeling accomplished, you are doing it wrong.
This is different to the first block of text as it only includes two achievements that I held at that stage, these being a degree & my black belt in Karate. However what it does include is a description of me as a person with some highlights of things I have experience working with.
The bottom line being, your intro is what an employer is going to see first, so make yourself stand out.
Laying Things Out
As I've said previously I'm not a careers or CV expert however I've found the following layout to work. Note that this will vary depending on what you are applying for though.
If your employment history is lacking or you've not worked in industry at all before something like the following might work for you:
- Achievements & Hobbies
This can be switched up depending on what sits nicer or if you have more of one thing you want your potential employer to see first put this above the others.
Achievements & Hobbies
In your achievements and hobbies maybe include research you've done or capture the flag events you've taken part in. Some examples to include might include blog write-ups, projects you've contributed to on Github or similar, if you're involved in Bug Bounties - include where you've been featured in halls of fame. Try including other achievements outside of technology that might be interesting, maybe you're active in sports/fitness and have won something. Or you help out with a community project. Examples I could include would be:
- Own a blog that is read by 50,000 readers a month (https://blog.zsec.uk)
- Organiser of Defcon Glasgow (DC44141)
- Active in Bug Bounties
- Hall of Fame: Adobe, Starbucks, Mindgeek, Worldpay, Homebrew, Oracle
- Found ~80 Bugs total in many different companies
- Hold 1st Dan Blackbelt in Karate
- Training for 12 years
- Teach both Kids and Adults
- Competed at full contact level
- Spoken at Hack In The Box Amsterdam 2015
- Holds Enhanced Disclosure from Disclosure Scotland (PVG)
As can be seen an inclusion of a mix of both technical and social/sporting achievements can help. However don't worry if you are lacking in the achievements area, spin up a blog and start writing, try some capture the flag events in your spare time. Then add these in later.
In the skillset section, try to include what areas of technologies you feel you are good at. So if you prefer mobile applications note this down, include what else you're comfortable with, so if you've done OSCP you might put down that you can do infrastructure testing to a degree. If you do a lot of bug bounties with web apps, you could include that, something like:
- Web Application Penetration Testing
- Open-Source Intelligence Gathering
- Public Speaking
- Mobile Application Testing Experience
- Worked with Windows, *Unix & MacOS
- Able to build review Windows, Unix & MacOS
- Experience with Wireless Testing
- Competent with Hardware hacking & soldering
The main thing to keep in mind is being honest about your skillset. If your CV gets you an interview an employer is well within their right to ask you about your skillset or anything mentioned in your CV.
If you put down you know about hardware hacking then the interviewer asks you to describe the different logic levels you might come across when dealing with an embedded device and you sit blank expression it will be apparent you might have told a wee lie on that ol' CV of yours. You don't really want to be in this situation if you can help it.
Employment & Education
Another common thing I have seen with CVs in the past is people listing their entire employment history since the beginning of time meaning their CV is a million pages in length. If you've worked in lots of different jobs or had minor part time jobs try to only note the relevant ones on your CV, or alternatively note them all down but only include a paragraph about the ones that are relevant:
- ACME IT Support: Senior Technician 2015-2017
- Dealt with hardware and software
- Customer service experience
- Phone and onsite support
- Bill's Newsagents: Shop worker 2013-2015
- ACME Bank: Security Intern May 2012 - September 2012
- Logging Phishing Attempts
- Developed Automation of Logging
- Worked with CERT
Note above that the key skills used in the relevant positions have been included rather than padding out the section massively; remember your CV should ideally fit on one page, either double or single sided. The same goes with education history, depending on your stage in life/age/education try to be concise about it with relevant certifications put first.
- Offensive Security Wireless Professional (OSWP): March 2017
- Offensive Security Certified Professional (OSCP): Feb 2017
- Glasgow University: BSc Computer Science 2010 - 2014
- High School Example: 5 Highers including Computing & Maths 2004 - 2010
Creating a Blog
Now at this stage you might be reading this thinking, that advice is great but I don't have a blog or maybe you do but you don't have any ideas as to what to include on your blog?
If you fall into the first group and you don't have a blog, you can spin one up fairly easily there are lots of options out there things like medium & github offer free options to create a blog and start writing or if you're happy to spend a wee bit of money Digital Ocean have instance of ghost which you can deploy from $5/Month which is what this blog runs.
Once you have a blog setup get some things written up, try some capture the flags and do some write ups or maybe you've found a cool bug on a bug bounty try writing it up in a blog post(if the company agree that you can disclose it). If you haven't done any CTFs try some of the exercises from vulnhub or pentester lab and write up your solution. Alternatively maybe you've started learning an area and want to share your experience try doing that too!
Or even better, maybe you've learned about something new and want to write a tutorial like this one, shove that up on your blog then tweet it out or share on social media to drive traffic.
When you've got your blog all setup with some content try to include it on your CV or share with the community to help others(this will stand you in good stead in the future). The other benefit of a blog is it begins a pipeline of work you've done which you can show to future employers or potentially clients.
Overall good luck with what ever you decide to do, remember a few key things though:
- Always be clear
- Be Honest
- Show your interesting side!