Hack the Hustle!
Career Strategies for Information Security Practitioners
Eve Adams (@HackerHuntress)
BSidesChicago | April 27, 2013

No unemployment in infosec, no crying in baseball

A negative-unemployment industry, sort of
- 0.9% infosec unemployment in 2012
- Security workforce in 2012: 52,000
- 4.7% web dev unemployment in 2012
- 22% more infosec jobs by 2020

Sources: Bureau of Labor Statistics via Eric Chabrow
http://www.bankinfosecurity.com/blogs/3-unemployment-among-infosec-pros-p-1400/op-1

Numbers seem low, but they must be true because they're from the government, and I would never question them. 7.2% increase from 2011. We all like data viz.

Remember the bubble days when nobody could hire enough Java devs?

Infosec hiring 10 years ago

Infosec hiring now
...probably because they hired so many Java devs.

And yet.
Highly desirable skill sets lead to highly volatile job markets.
- Money/bidding wars
- General IT churn
- Burnout
- Working for idiots

How do you get what you want when everyone seems to want you? You have to be ready to jump.

First impressions: Your résumé and you
- Verb ALL the nouns!
- Your résumé is not:
  - a racecar
  - a pretty princess
  - a junk drawer
Tl;dr: Show me what you got! No more. No less.

We all get a massive volume of interest; good resumes can help improve signal to noise.

Verb ALL the nouns!
FAIL
Non-specificity kills.

Your résumé is not: a racecar
FAIL
If your certs are the first, best thing about you, you're doing it wrong.

Your résumé is not: a pretty princess
FAIL
This makes me wonder why you're trying to distract me from your content.

Your résumé is not: a junk drawer
Maybe FAIL? Can't tell.
Don't tell me everything you've done. Tell me what you're best at. If you truly have all these skills, create separate resumes.

WIN
You can show off your unique blend of skills and remain focused. Do this by verbing all the nouns clearly and specifically. Talk about initiatives and projects.

It begins.
How to get a cool infosec job:
- Post and pray: job boards, etc.
- Spray and pray: apply to what's posted
- Network in
  - Learn about jobs before they're officially open
  - Current employees, events, even recruiters

Inscrutable job description is inscrutable.
Information Security Analyst
Job Description
The IT Security Engineer is responsible for design, development, and implementation of IT security solutions for network, systems, and applications. The IT Security Engineer also manages the Infrastructure Security Team and allocates resources to various security engineering activities.

Sometimes they're actually impossible.
Qualifications
- 5+ years of experience in Kali Linux
- CISSP, OSCP, GXPN, C|EH, JNCIE, and A+ certifications REQUIRED
- Ph.D. in actuarial math
- MUST BE LOCAL to Nome, AK
- Ability to lift 700 pounds
- Must make amazing coffee

Inscrutable titles/descriptions are inscrutable.
- Job descriptions can be legally binding documents, usually written by non-practitioners.
- There is therefore a high degree of vagueness and CYA in them.
- Get the real story by asking the hiring authority or someone who has contact with them.

Try the back door: network in
- Learn about jobs before they're open
- Friends and associates
- Social media: oft-neglected!
  - LinkedIn is okay
  - Twitter is awesome and underutilized
- Good recruiters can help
  - Find one you trust to act as your agent

#infosecjobs; qualities of a good recruiter; the SOC from hell

Protips: Interviewing and decisions
- Ask questions about responsibilities early and comp details late (offer stage)
- If you want the job, say so, and vice versa
- Be above board as much as possible
- Avoid temptation to be too casual

Be upfront about your interest level. You can express yourself while still being businesslike, but maybe leave the Vibrams at home.

You don't have to look/act like these guys to hack the planet and, by extension, the hustle.