How to Get a Job in Cybersecurity
Getting your foot in the door in cybersecurity is extremely challenging, especially right now. You may be just graduating college, a veteran transitioning to the private sector, someone who has worked in other areas of IT, or entirely self-taught. There's a lot to learn about the ins and outs of cybersecurity hiring. I've written and published entire books on this topic; here I will try to be brief.
The first thing to know is which jobs in cybersecurity are considered "entry-level", and the answer is complicated. If you're coming from other areas of IT, you may already have overlapping experience in one of the cybersecurity domains that you could pivot into. If you worked intelligence or cyber operations in the military, you will have more options available to you. But if you're self-taught, or fresh out of college and looking for your first professional job, there is only one clear winner, and that is the Security Operations Center analyst (SOC analyst).
So let's break down the SOC analyst role and why it is a good starting point.
When companies embrace the need for cybersecurity, it usually begins with the Security Operations Center or SOC for short. The SOC is responsible for triage, investigation, and response to cybersecurity incidents. This concept is not new. Military and law enforcement agencies have been using Tactical Operations Centers to coordinate operations during conflicts for decades. And like the TOC, the SOC serves as the Command and Control hub for first responders to cybersecurity incidents.
Definition: According to the SANS Institute, a cybersecurity incident is an adverse network event in an information system or network, or the threat of the occurrence of such an event.
The purpose of this article is to prepare you to become a SOC analyst. Whether you wish to join one of the many specialties of cybersecurity or work your way up to management, the SOC analyst profession has the lowest barrier to entry in cybersecurity. Becoming a SOC analyst is an excellent strategic position from which to get your start in the industry.
When staffing a SOC, hiring managers have a few challenges that they continuously face. The most prevalent of those challenges is the revolving door of the SOC.
After a SOC manager fills an open position, it takes several months to train the new analyst. Once training is complete, retention becomes a problem, as the new analysts are "head-hunted" repeatedly by recruiters enticing them with more money. The average tenure of a security analyst at a single company is only 1–3 years. Companies today offer very lucrative compensation packages tied to the amount of time spent with the company; a common practice is to use stock grants that vest over 3–4 years to encourage the worker to stay.
Once a SOC analyst is proficient at their job and feels they are no longer challenged, it might be time for them to seek a higher position. One of the most common paths upward is to become a senior SOC analyst. The "senior" title comes with better pay and additional responsibilities such as mentoring the junior analysts who join the SOC. Senior SOC analysts also handle more complicated work, because junior analysts escalate challenging items to their seniors to resolve. Being in this position allows an analyst to become more technical and gives them the opportunity to learn how to train and mentor others. This role is an excellent stepping stone to SOC manager, grooming them for their next leadership role in the SOC. Almost everywhere in the United States, the senior SOC analyst role pays six figures.
As a new SOC analyst, set stretch goals for yourself to reach this milestone. However, that leaves the hiring manager with your spot open again!
Another problem that SOC managers struggle with is burnout, or alert fatigue. An example is when analysts are investigating so many alerts that something important is overlooked or "lost in the noise." SOC analysts usually work in shifts of 8, 10, or 12 hours, sometimes evenings and overnights, and at some point the task might seem brainless. It's easy to get complacent when the work becomes second nature and monotonous. Almost everyone in a SOC is brilliant and constantly needs to be challenged.
The third challenge SOC managers face is that the SOC is a 24/7/365 operation, which means they need coverage outside of regular business hours and on holidays. Many international companies use the "follow the sun" SOC model, in which a company builds three SOCs in different geographic locations for 24-hour coverage. Typically, a company will have a SOC in the United States, a second in Singapore or Australia, and a third in India or Europe. However, there are cases where companies require analysts of a specific nationality to work with their data. This is especially true when staffing a Managed Security Services Provider (MSSP).
Hiring for early morning and overnight shifts is not an easy task, and the people that fill them don’t stay for long before wanting to move to regular business hours. Tyler’s first security job was working as a second-shift analyst in a SOC at an MSSP. He was in a position in life where it worked out well for him. He had a base salary and was offered a small shift differential on top of it for working the second shift. He was freshly out of college, and who needed to wake up before noon anyway? He credits his career to making that sacrifice because it gave him invaluable experience that still serves him today. He decided he had to take his experience and run after only a year. It was a hard decision because it was a great company, but he couldn’t wait for a day shift to open up. The night hours started to take a toll. It is nobody’s fault, but it is another challenge of the SOC revolving door.
Now that you know the challenges of hiring and retaining SOC analysts, and why the position opens up so frequently, let's talk about what hiring managers are looking for in a SOC analyst.
There are four areas that make a well-rounded SOC analyst.
- High Level Concepts
- Hard Technical Skills
- Business Acumen
- Culture Fit
High Level Concepts
The high-level concepts are ones everyone should know, not just cybersecurity experts but anyone working in a professional capacity. Things like: what is separation of duties, what is least privilege, and what is the CIA triad? These are the fundamentals of cybersecurity, and the best place to learn them is CompTIA's Security+ certification, long-standing and well regarded as the minimum standard for entry-level cybersecurity.
Learning the high-level concepts should be very structured, and maybe even boring, as it's the same information we all get, know, and repeat. Any one of Udemy's Security+ courses would be a good start.
I wrote an introductory article on SOC analyst prerequisite skills that covers the fundamentals you need to know as a SOC analyst, the gateway to cybersecurity.
Hard Technical Skills
Hard technical skills are harder to come by. It's all about projects, projects, projects. They don't all have to be boring; in fact, I wrote a free Medium article that is all about fun projects, here:
This Medium article is extremely popular in all circles, including LinkedIn. It's three projects that give you some exposure to cybersecurity work you can do at home on a weekend.
Since everything is moving to the cloud and having cloud exposure is very advantageous, I came up with a fun project for you to do in the cloud in this article:
Another project that I have deployed several times to AWS is the Modern Honey Network. It's much more challenging, but if you can complete it, then you absolutely have the technical skills to be a SOC analyst (and more). Pair it with the SOC Analyst Method here, and practice security analysis on your own:
Business Acumen
Cybersecurity is a glorious customer service job. Customer service is a very big part of the work. Knowing how to say bad things in a good way is going to be an important part of your job, and that's where framing comes in.
There are a wide variety of tasks related to cybersecurity. And because all security-related tasks are important, they need to be prioritized appropriately on a case-by-case basis. Determining which elements are important now can be difficult without an understanding of the business as a whole.
In a SOC queue, a big part of someone else's job is prioritizing the work for you, but as you become more senior that will become more and more a part of your own job. I like the Eisenhower matrix for prioritizing tasks. It's simple, fast, and crazy effective.
Most of us in cybersecurity work from home in some capacity, and learning how to communicate with people remotely is an important part of your career. That is, learning how not to isolate yourself while you are working from home. I wrote a free article with business tips for working from home; give it a read.
Culture Fit
Here at Cyber NOW Education we love the SOC. We love everything about it, including the unique (but strangely not unique) culture that comes along with it. After you spend some time in the SOC you will realize just how rewarding it is to be on the front lines.
So much action, and we want you to love it like we do. Whether you lean hard left or right, or right down the middle, there are companies for you. I've worked on both sides of the spectrum, and I've found hard-left companies tend to rely heavily on psychology in their management style while hard-right companies are more direct to your face, but make no mistake, both are capitalistic at their very core. It's so important to find a boss that you like, and it's often not until you're there that you find out whether you're a good culture fit or not.
It takes practice to be a general culture fit, but after a while you'll catch things like this:
And you'll have a nice little chuckle that FedEx has an arrow in their logo for all the packages they deliver.
Now you understand what makes a qualified SOC analyst. You need a mix of hard technical skills, a company with the right culture, some business acumen, and you need to be able to recite all of the fundamental cybersecurity concepts.
Traditionally, a candidate would have a bachelor's degree plus Network+ and Security+ certifications, or at least a degree and a Security+, before finding themselves gainfully employed. Recently, the competition has gotten more fierce. There are a lot of folks trying to make their way into cybersecurity right now, and these people are doing a lot.
It's important to note that fewer companies are requiring degrees as time goes on, because few people who graduate college actually have the skills needed to do the technical entry-level work of a SOC analyst.
It takes a while to develop the skills you need, and you really have to practice on your own. Just you, the computer, Google, a few projects, online courses, and long romantic nights alone.
I am going to tell you how to do this the easy way, but it does take time.
Online Courses
You don't need to spend a ton of money on online training if you have a little patience and keep an open mind. Things might be less spoon-fed to you and there might be some mistakes in the curriculum, but that requires you to think. Hop on over to Udemy and pick out a good Security+ course. The fundamentals of cybersecurity don't require you to be hands-on-keyboard, so you can watch these modules on your own. Before you go to bed every night, lie in bed and watch a couple of modules. What I used to do was cast it to my TV and watch it while eating dinner on a TV tray. A month goes by and batta bing batta boom, you have a new certification and it wasn't even hard. Didn't cost much either. It just takes a little persistence.
Projects
You do need significant hands-on-keyboard muscle memory with a few things. Systems fundamentals are one, and networking is another. It's best if you focus these efforts in the cloud. By the time you're getting a job in cybersecurity, infrastructure will mostly be in Amazon, Azure, or GCP. Mostly Amazon and Azure, and mostly Azure for large organizations.
You need to spin up a few honeypots, create VMs, configure access groups, and play around with things. In the articles linked above there are two projects that you can spin up in the cloud. One is the 30-minute Azure Honeypot project, which is super fun and relatively easy as an introduction. Play with it some, explore the attacks, Google around, ask yourself questions and answer them. Then move on to the harder project, the Modern Honey Network. If you can successfully stand up a Modern Honey Network, you'll have all the prerequisite technical knowledge you need to be a SOC analyst, and more. It can be frustrating and challenging, but that's growth.
Once you have the Modern Honey Network stood up, I want you to study the data. Use the 5-step SOC Analyst Methodology linked above and write sample tickets. If you don't like doing this, you're not going to like being a SOC analyst much. Being a SOC analyst is about having a sense of curiosity about how things work and why they happen. Not everyone starts out with this curiosity, but it can be cultivated if you make it a point to be investigative.
You're going to be curious for the rest of your career, and probably your life. It's going to change the way you think, and if you pursue it long enough, it will change your life and open up a whole new esoteric world of creativity.
Competitions
This article wouldn't be complete if we didn't take a minute to talk about capture-the-flag (CTF) competitions. Capture-the-flag has been around since the very beginning. It started with vulnerable applications and systems that have a text string hidden inside them; the participant finds the string and submits it to the judges, earning points for every proof that they've hacked the target. It started at DEF CON in 1996 and today has evolved into all sorts of capture-the-flag challenges inside and outside of conferences. Tyler's favorite challenge is the DEF CON Blue Team Village capture-the-flag, and he has competed in Ghost in the Shellcode, SANS NetWars and Holiday Hack, and CSAW, and was a mentor for high schoolers in the CyberPatriot program. Tyler was never really fantastic at them, but he always competed on a team, and that was the fun of it. Most bigger conferences besides DEF CON have their own capture-the-flag competitions. For instance, the Splunk conference, .conf, hosts a popular and very challenging capture-the-flag called BOTS, for Boss of the SOC. If you are in college, there are many student-oriented capture-the-flag competitions, and perhaps the biggest one that should be on your radar is the Collegiate Cyber Defense Competition (CCDC).
In addition to these, there are many online CTF competitions and challenges. They have communities you can join to expand your network by finding common ground with new people, and they also offer awards, credentials, and bragging rights. Probably the most popular online CTF platform today, and one I certainly recommend you look at, is TryHackMe. TryHackMe's popularity has skyrocketed as the premier hacking challenge platform, and it's common to look around on LinkedIn and see analysts advertising that they are "Top 2% in TryHackMe" or "Top 5% TryHackMe". If you get serious about playing and showing off your skills, you can purchase a subscription to learn and earn points faster.
On the other hand, for defensive (blue team) challenges, LetsDefend is rising in popularity. It has a free option, but the SOC Analyst track is a subscription. It has some neat challenges that give you hands-on exposure to the things we do on a daily basis, and it even gives you a certificate to share on LinkedIn.
Medium
You need to start building a brand as a cybersecurity expert, and Medium is where you should go to do it. I'm not asking you to do something that I don't do myself, even ten years into my career. Creating a blog can be one of the most rewarding things any professional can do. Not only does Medium have a huge built-in audience of technology professionals, but teaching and writing about a topic improves your retention of the information. You're going to find out sooner or later that if you don't use the information, you lose it. Teaching something to someone else helps you retain that knowledge longer. Choose a few topics on the SOC and cybersecurity, maybe your latest project or something you've studied that you found interesting, and teach it. One of your readers might be your next manager! Write at least two articles every week and share them on all of your social media outlets, including LinkedIn. Every time you finish a course, write about what you've learned. Every time you finish a project, teach others how to do it. Write about your personal journey to finding a SOC analyst job.
And always remember to learn, do, teach to retain.
A blog will establish you as someone who knows something about cybersecurity. Make sure you leave a banner at the end of every Medium article linking to your LinkedIn profile, so that anyone interested in you can reach out and connect.
Once you have attended a few community meetings and are blogging, you can start to build a network of like-minded community members. Make friends quickly; they are going to be vital in your career. You really can't do cybersecurity alone with much success.
Now that you've made it this far and you're qualified, how in the heck do you find a SOC analyst JOB?
Where to Search for Jobs
The information security world has embraced social media to locate and recruit top talent, with LinkedIn standing out as the clear place to start. Not only can you find job postings, you can connect with headhunters and recruiters looking for talent. LinkedIn offers a premium subscription that can be used to find and connect with recruiters. They offer free trials of LinkedIn Premium, and I highly recommend using one when job searching.
If your LinkedIn profile is uninteresting, you aren't going to attract the attention you need no matter how good your cybersecurity knowledge is. Beyond putting your certifications and credentials in the headline, there are a few tips to keep in mind.
LinkedIn is not the only website to consolidate job postings, Indeed and Monster are worth investigating too. Once you’ve accumulated a few technical certifications, sites like Credly.com have job boards that are looking for talented people with the certifications you’ve attained.
Finally, you can’t go wrong by looking at the careers section of a company’s website. This will show you what open positions are available and provide you insight into what they are looking for in an applicant.
Note: Don’t be afraid to apply even if you don’t meet all of the requirements in the job posting. To quote the great Wayne Gretzky, “You miss 100% of the shots you don’t take.”
Applying for Jobs
I would like to explain how to perform a job hunt. First, you need to get your resume together. It takes a lot of trial and error to perfect a resume, but you can also have a professional help you build a good one. A resume can take many styles, but it will have the same basic information:
Keep your resume under three pages so readers don't skim past the important parts. The benefit of a professional resume writing service is that they will share a document with you and probe you with questions until they have drawn out everything about your previous experience, then write it in a way that is quickly and easily consumed.
I get zero commissions from this, just passing a deal along.
Once your resume is together, you can move on to the job search. Several job posting websites have proven successful for us; however, I have had the most success with LinkedIn. When I am searching for a job, I usually purchase their premium membership so that I can see the statistics for each job I apply for, send InMail messages to hiring managers or recruiters at a company I am interested in, and see who is looking at my profile. Google also has a good aggregation of jobs to search through, and you can set up job alerts specifically for cybersecurity jobs.
The SOC analyst position is the job you will be able to land most easily as a first step into information security. There is a revolving door in most SOCs, and the SOC analyst position opens frequently. The titles that you want to look for first are:
If you are mobile and can move anywhere, your odds of finding a good fit quickly are better. If you live far outside a big city, your options may be more limited. Most SOCs require you to be on-site for security purposes; during COVID everyone moved remote, and now more companies are returning to a hybrid work model.
You’ve got your resume together now, and you know how to apply for jobs, you have a network of colleagues because you’ve been attending meetings and getting involved in the community. You’ve provided them your resume and asked them to refer you to any open position they have, and you’ve kept in touch with them just to chit chat. You have some projects and a blog to show your progress in your road to cybersecurity success.
You have a portfolio now.
Include the link to your blog on your resume so that the hiring manager invests time in you as a candidate and reads about your story and your projects.
You're likely to get an interview now.
Whew, that's a lot of work to get an interview! So let's talk about that.
Common Interview Questions
The following is a list of common interview questions that might be asked during an interview for a junior SOC analyst. Some are very basic and some are harder, but we feel if you can answer these questions you have the required knowledge to become a SOC analyst:
- What is an RFC 1918 address? Do you know the ranges?
- Define a Class A, B, or C network.
- What are the seven phases of the cyber kill chain?
- What is the purpose of the MITRE ATT&CK framework?
- What is the difference between TCP and UDP?
- What are ports 80, 443, 22, 23, 25, and 53?
- What is data exfiltration?
- What Windows protocol is commonly used for data exfiltration?
- Do you have a home lab? Explain it.
- What is AWS? Azure? Explain how you've used it.
- What is a DMZ, and why is it a common target for cyberattacks?
The importance of having technical knowledge cannot be overstated. The questions above are pretty simple, but you might be surprised to learn that seven out of ten candidates don't know the common TCP/UDP ports used by modern services. I highly suggest using a common study guide to prepare for your interview. One example is Quizlet.com, which provides a flashcard-style learning platform for IT certifications like Network+ and Security+. Udemy also has a few SOC analyst interview question courses you can take (I like Udemy).
A basic understanding of information technology only covers half of the requirement to be a SOC analyst. An analyst should be a critical thinker and possess an acumen for problem solving. Interviewers will usually test a candidate's problem-solving ability with scenario-based questions. Let's cover some scenarios I've seen and used to conduct interviews:
“You are a tier 1 SOC analyst, responsible for monitoring the SOC inbox for user-reported incidents. The SOC receives an email from the VP of Human Resources stating that they can’t access their personal cloud drive. The VP knows this is against company policy, but the VP is adamant that this is required for legitimate business requirements.”
Do you process the access request for the VP?
What is your response to the VP?
Who else should you include in the reply email?
"You are monitoring the SIEM dashboard for new security events. A network IDS alert is triggered, and you begin investigating. You see a large amount of network traffic over UDP port 161 originating from dozens of internal IP addresses, all with the same internal destination IP address. Some quick Googling shows that UDP port 161 is used by the Simple Network Management Protocol, and the byte count of the traffic is minuscule."
Do you think this is data exfiltration?
If this is not data exfiltration, what legitimate services could cause this alert?
What team could provide an explanation for the traffic?
The first scenario is an example of what you might be asked when applying for an entry-level analyst role, while the second is a little more advanced. Let's go over what the interviewer is looking for.
Scenario 1 is designed to identify whether the applicant can be easily intimidated by senior leadership in the organization. Information security is the responsibility of all members of the organization; it should not be waived for the convenience of one senior leader. The larger lesson here is about making risk-based decisions: a junior analyst should never assume the risk of a policy exception on their own.
The interviewer will ask how the applicant would respond to the VP, because it showcases their experience with customer service. Customer service is another very important task of a SOC analyst. Whether working for an MSSP or an internal company SOC, there will be times when interfacing with other teams requires the analyst to show a certain level of tact and professionalism. The third question helps the interviewer understand the analyst's prioritization and escalation skills. If an analyst is working with a VP, there is a high probability there is a procedure for communicating with senior leadership within the organization, and the analyst's manager should be on the reply.
Scenario 2 is designed to test the applicant's critical thinking and technical knowledge, while also giving the interviewer insight into the applicant's investigative reasoning. This scenario also reveals the most important quality of a SOC analyst: if you don't know the answer, admit it. The last thing a SOC team needs is a "know-it-all"; they are dangerous and toxic to the workplace. If this article teaches you one thing, let it be this lesson. There will be questions you can't answer, and that's fine. The worst thing you can do is give a wrong answer with the confidence that you are 100% correct.
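To make the reasoning behind Scenario 2 concrete, here is an added example (my own illustration, not code from the original article or from any SOC tool). It takes constructed flow records for one alert window (the addresses are RFC 1918 ranges and the 203.0.113.0/24 documentation range; none are real hosts), checks whether each endpoint is an RFC 1918 address, measures fan-in and byte volume per destination, maps the port to a service, and produces a verdict. The port map, the thresholds, and the severity labels are assumptions a real SOC would tune to its own network; the `classful_class` helper answers the Class A/B/C interview question from the list above.

```python
"""Triage the UDP/161 scenario with a few lines of Python.

Added example, not from the original article. The flow records below are
constructed for illustration (203.0.113.0/24 is a documentation range),
and the thresholds are assumptions a real SOC would tune to its network.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Hypothetical subset of well-known ports, not an authoritative registry.
PORT_SERVICES = {22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS",
                 80: "HTTP", 161: "SNMP", 162: "SNMP-trap", 443: "HTTPS"}

# RFC 1918 private ranges: anything outside them is "external" for triage.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classful_class(ip: str) -> str:
    """Historic IPv4 class from the first octet (the Class A/B/C question)."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback"
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


# Constructed flows for one alert window (not real data).
SAMPLE_FLOWS = (
    # 40 internal hosts -> one internal host, UDP/161, ~120 bytes each
    [Flow(f"10.20.0.{i + 1}", "10.1.1.50", "udp", 161, 120) for i in range(40)]
    # one internal host -> external host, TCP/443, 2 GB in the window
    + [Flow("192.168.5.23", "203.0.113.10", "tcp", 443, 2_000_000_000)]
    # one internal host -> one internal host, TCP/22, moderate volume
    + [Flow("10.3.3.3", "10.1.1.200", "tcp", 22, 250_000)]
)


def triage(flows, fan_in=10, small_flow=1024, exfil_bytes=10_000_000):
    """Group flows by destination and score each destination.

    Exfiltration needs somewhere to go and something to carry, so the
    checks are: is the destination outside RFC 1918, and how much data
    moved? Many-to-one internal traffic with tiny payloads on a
    management port is the opposite shape: polling, not exfiltration.
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    verdicts = {}
    for dst, fs in by_dst.items():
        sources = {f.src for f in fs}
        total = sum(f.bytes_out for f in fs)
        avg = total / len(fs)
        ports = sorted({(f.proto, f.dport) for f in fs})
        service = ", ".join(PORT_SERVICES.get(p, f"{proto}/{p}") for proto, p in ports)
        internal_only = is_rfc1918(dst) and all(is_rfc1918(s) for s in sources)

        if not is_rfc1918(dst) and total >= exfil_bytes:
            severity = "high"
            note = f"{total} bytes to an external host over {service}; treat as possible exfiltration"
        elif internal_only and len(sources) >= fan_in and avg < small_flow:
            severity = "low"
            note = (f"{len(sources)} internal sources, ~{int(avg)} bytes each over {service}; "
                    f"looks like polling, confirm ownership of {dst} with the network team")
        else:
            severity = "medium"
            note = f"{len(sources)} source(s), {total} bytes over {service}; review by hand"

        verdicts[dst] = {"severity": severity, "sources": len(sources),
                         "total_bytes": total, "service": service, "note": note}
    return verdicts


if __name__ == "__main__":
    for dst, v in triage(SAMPLE_FLOWS).items():
        print(f"{v['severity']:6} {dst:15} {v['note']}")
```

The low-severity verdict is "confirm", not "close": SNMP managers poll agents on UDP/161, so dozens of hosts all sending to port 161 on a single host is a shape worth asking the network or infrastructure team about rather than assuming. That is the honest answer to the scenario's third question, and it is exactly the "I don't know yet, but here is who would" response the interviewer is looking for.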
Remember that the scenarios above are examples only; each interviewer will use their own set of questions. The goal remains the same: to locate and select the best applicant for the position. Our goal is to help you become that applicant. The following are a few tricks and tips to help you become the "best applicant" for the position:
And that covers it.
Summary
We've talked about the demand for SOC analysts and why that position is the best strategy for entering cybersecurity. We've talked about the four requirements an entry-level SOC analyst needs to meet, how to get the fundamental knowledge, how to get hands-on technical skills, and how to interview. This is not an overnight process. It is going to take time. No one can walk into an entry-level SOC analyst job without preparing. What I am trying to say is, it's not easy.
But it is worth it. I’ve dedicated my career to helping others find their way into cybersecurity. My courses have served over 25,000 students. I have developed training materials both paid and free for the last decade to give back to the community that gave to me. I can’t tell you how appreciative I am to have had the people in my life that I did when I was just starting out. They helped me and didn’t expect anything in return and it was unlike anything that I have ever experienced before. That is the community of cybersecurity and you’re doing yourself a disservice if you don’t get involved. There are so many communities that I am sure you’ll find your tribe. Go find them. Good luck and godspeed!
Tyler Wall is the founder of Cyber NOW Education. He holds bills for a Master of Science from Purdue University, and also CISSP, CCSK, CFSR, CEH, Sec+, Net+, A+ certifications. He mastered the SOC after having held every position from analyst to architect and is the author of three books, 100+ professional articles, four online courses, and regularly holds webinars for new cybersecurity talent.
You can connect with him on LinkedIn.
Get 20% off all courses in our On-Demand catalog with coupon code “Welcome20”
Download the Azure Security Labs eBook from the Secure Style Store. These labs walk you through several hands-on fun labs in Microsoft Azure, leaving you with the know-how to create a gig in Fiverr or Upwork to start your cybersecurity freelancing.
Also available in the Secure Style Store, download the Job Hunting Application Tracker for FREE to keep track of all your job applications.
Check out my latest book Jump-start Your SOC Analyst Career: A Roadmap to Cybersecurity Success published June 1st, 2024 and winner of the 2024 Cybersecurity Excellence Awards.