9 Tips to Help You Land the Information Security Job You Want with Minimal Related Experience
I consistently hear from service members who are leaving the military and want to move into the information security field. For those who spent their time in the military working in the computer security field and are leaving the service with top secret clearances and valid polygraph tests, this might be an easy change to make.
However, not everyone has those advantages upon leaving the military and seeking an information security position.
Moving into Information Security Without a Computer Security Background
I left the Army in 2008 as an Infantry officer with a secret clearance. My only IT experience–desktop support and software development–was already several years out of date. I went through the Army’s transition assistance program and had settled on a career in project management. The civilian in charge of the program checked my resume and said it was fantastic. After several rejections, I received an offer for the same software development job I held in high school. I took the job, but was fortunate enough to ride the wave of DoD 8570 into a few SANS certifications. From there, I was able to do a lot of off-hours work and do some application security work on my application. After many more rejections, I found a small information security department at a local company that was willing to give me a chance.
In the past few years, I have heard from several other soldiers who share the same struggle to find a position in information security. The military’s process to prepare for reentry into civilian life is focused on how to pitch your military experience to employers who are not terribly discerning. The transition assistance program is not helpful for people who know exactly what they want to do after the military–especially if one’s military experience is not directly related. There are scores of combat arms and support jobs where a service member may not touch a computer during their entire tour in the military.
But that doesn’t mean there’s no hope for a smooth transition. The soldiers I have worked with recently actually have very good success rates getting jobs in InfoSec–but it does take some work.
9 Tips to Transition from a Military Career to InfoSec
- Do not try to move into InfoSec management.
As an officer getting out of the Army, most people I spoke with suggested that I move into management. While it is true that leadership and management have some components that are universal, it is an uphill battle trying to move from barely any computer contact in the military to managing InfoSec personnel.
- Focus on your ability to contribute.
Whenever making a drastic career shift, prepare to admit that you’re not an expert. It can be difficult going from a position where you’re the most experienced person in a unit to looking for a job as a junior security analyst. During interviews, try to focus conversations on how you can help the organization achieve its goals. While military service is looked upon favorably, it is unlikely it will outweigh your ability to contribute to the team. If you cannot explain how you will be of use to the organization, then do more afterhours training until you can. It is unreasonable to expect an employer to make the link between infantry training and your ability to work in a security operations center.
- Look for generic positions.
At this early stage in your InfoSec career, do not seek out highly-specialized positions. When I was a software developer for the Navy, I was trying to learn about packet analysis, incident response, and exploits. Many of the Department of the Navy security personnel and technologies did not appreciate a software developer with tools like Wireshark and Nmap. As an analyst at a corporation with only six people performing all InfoSec responsibilities, I had virtually unlimited opportunities to try new things, stand up intrusion detection systems with repurposed hardware, and run exploits on test systems. While you may think you want to work as a penetration tester, you may later discover you enjoy incident response or forensics more.
- Find interesting job postings while still in the military.
Look through public job postings for positions that look interesting. Depending on your time left in the military, it may not make sense to apply. But understanding the skills required will help you use your remaining time in the service to prepare, so when you do apply, the employer will give your resume full consideration.
- Try a functional resume.
The Army’s transition program presents both chronological and functional resume formats. Unless you are trying for a government job, give the functional resume a try. Most employers do not want to read more than two pages, and the functional resume allows you to remove the irrelevant details and focus on things that matter to your future employer.
- Show how you meet the job’s requirements.
I wrote a different resume for each company when I applied for jobs to reflect how I best fit with the job’s requirements. Pick out specific elements of the job that you can perform. Have you worked as part of a 24/7 operations center in the military? If you are applying for a SOC position, that experience could be relevant. Were you responsible for writing up after action reviews? That skill could be helpful for an InfoSec position. Where you can, include any experience gained in your free time. You should feel comfortable speaking to everything on your resume during an interview.
- Practice off-hours.
During terminal leave for the military or while you are looking for a job, there are plenty of opportunities for personal improvement, and doing so demonstrates motivation and a willingness to learn. One of the greatest aspects of InfoSec is there are many ways to gain experience without paid work. Focus your learning on the fundamentals, which apply to the widest breadth of positions and make learning more advanced subjects easier. Here are a few ways to start practicing:
- Download Virtualization Software.
Either Virtualbox or VMWare will be great. Virtualbox is free and allows snapshots of virtual machines. VMWare Workstation / Fusion is great if you have the money or are eligible for a discount.
- Download Kali Linux.
Download the Kali Linux image and get comfortable with it. Kali comes pre-loaded with enough tools to get started learning the basics of how attacks work.
- Download Samurai WTF.
Samurai WTF is a Linux virtual machine that has several intentionally vulnerable web applications. These applications are a great way to learn about the OWASP Top 10 vulnerabilities. The Mutillidae vulnerable web application is installed on Samurai WTF and is a good place to start. There are numerous walkthroughs posted online, and Mutillidae has a built-in hint system to help teach common web vulnerabilities.
- Learn to use Linux text parsing tools.
grep, cut, sort, uniq, awk, and sed are great tools for any IT job. Many security tools run from the command line, and the ability to quickly parse text from one tool and feed it to another is indispensable.
- Learn a scripting language.
You do not need to be a scripting expert, but writing simple programs with loops that use variables and call operating system commands is extremely helpful. I highly recommend PowerShell as a starting point. Almost everyone in InfoSec will be either attacking, defending, or investigating Windows systems. Bash scripting is another useful language since text processing in Linux is broadly applicable for text processing and automating many testing tools. More full-featured scripting languages such as Python, Perl, and Ruby are fantastic if you have spare cycles. However, these are not as readily available in most enterprise environments
- Try online challenges.
There are lots of challenges posted online that already have hints and walkthroughs. A few examples are https://holidayhackchallenge.com and https://www.root-me.org. These challenges have offensive and defensive components, giving a good cross-section of exercises. Root-me also contains several exercises to practice programming and scripting tasks.
- Practice on vulnerable Linux distributions.
Vulnhub.com is a great resource for finding vulnerable Linux distributions. These distributions allow you to practice offensive skills and exploit development. The Kioptrix distribution is a great starting point since it has several levels and readily-available walkthroughs. Vulnhub also has some great training resources listed on the site at https://www.vulnhub.com/resources/. Exploit-exercises.com is another site with distributions that focus specifically on the exploitation of Linux binaries.
- Online training resources.
I am a fan of the classes on opensecuritytraining.info. These courses are free and go very in-depth on a variety of topics including forensics, assembly language, and exploits. Cybrary is another option with several free, full courses. Kevin Johnson routinely gives free access to his information security classes to active duty soldiers, veterans, and first responders. Simply send him an email (firstname.lastname@example.org) for access.
- Build a home training lab.
Most training courses focus on Linux because of the extremely liberal licensing. However, most enterprises have a significant Microsoft presence. Although it does cost money, a visualstudio.com membership (previously MSDN) is relatively inexpensive at $539 for an annual subscription. For training, you can build an entire active directory domain using this license, virtualization software and a laptop with reasonable storage and RAM. Creating an environment like this gives experience with both the server and desktop versions of Windows, as well as enterprise management techniques.
- Read books.
There are some fantastic books available that cover both the system administration and security space. No Starch Press (https://www.nostarch.com/) has fantastic resources available at a reasonable cost. Wiley Publishing also creates the “Hacker’s Handbook” series that offer some very in-depth material on a variety of security topics. Although not always available, the Humble Bundle program (https://www.humblebundle.com/books/) often has bundles of system administration, programming, and security books for an extremely low price.
- Download Virtualization Software.
- Obtain some certifications.
It is best to consider the job postings you’ve have already seen when choosing certifications. Don’t rush out and spend time trying to get dozens of certifications. Read through the job postings and consider any certifications listed in the “requirements” section of multiple jobs. Avoid anything with an experience requirement you do not meet. The CISSP is a common example of a certification that will raise eyebrows if your five years of experience is not immediately obvious. Ask at your transition office about training and certifications where the military might assist with payment. Organizations like Hireourheroes.org also has a range of course offerings designed to help transitioning veterans gain information security certifications. While SANS training is notoriously expensive without employer subsidies, it is some of the best training available. As a veteran, it may be possible to enroll in the VetSuccess program at SANS to receive free training. The SANS website provides details at https://www.sans.org/cybertalent/immersion-academy?msc=PR. Offensive Security also offers courses, such as “Penetration Testing with Kali” and “Cracking the Perimeter,” that are very well respected in the industry and not terribly expensive ($800-$1,500). However, be prepared to dedicate a large amount of time to the course and a have a strong background in the fundamentals.
- Join a local professional organization.
Organizations such as ISSA or OWASP are great options. Hiring managers and other information security professionals are always in attendance and networking with them is a great way to get a foot in the door. Some chapters even review resumes and job placement assistance. These organizations also have presentations focused on information security topics that are good learning opportunities.
There are many ways you can prepare yourself for an information security career after leaving the military and avoid multiple rejections. If you spend the time to prepare for the job requirements and craft a resume that reflects your skills in the key areas, you’ll be one step ahead of the game when your military service comes to an end.
Written by: Stephen Deck
Stephen Deck is a Senior Security Consultant with over 15 years of experience in the information technology field. He currently focuses on performing software security assessments, but has also spent several years in incident response, security engineering, and software development.
Before joining DirectDefense, Stephen worked for Synovus Financial Corporation doing application security testing of in-house developed applications, embedded systems, and COTS software. Prior to Synovus, Stephen worked for Aflac Incorporated and focused on testing software as well as handling security incidents and engineered security solutions. Stephen also spent eight years developing software as a federal government contractor and four years as an infantry officer in the US Army.