One of the most common questions that comes up after our presentations and in our Career Advice Tuesday question
set is about the value of certifications and, specifically, which certifications are most likely to assist a security professional in getting a job. The answer that we give most often is some version of: "It depends on the job that you want to get."
While this answer is true, it most often leaves the person who asked the question feeling aimless. For most of these people, though, the true question they're asking is: "What should I do to let potential employers know who I am and that I know what I'm doing?" Infosec pros want to know how people can find out enough about them to want to hire them.
This is ultimately a marketing issue. In other words, while infosec pros may already have the skills and experience they need to land the jobs they want, they aren't skilled in how to "sell" themselves to potential employers. And the problem with marketing in the security industry is that most people believe there are only a few things that really impress employers: gaining infosec certification, speaking at conferences and spending huge amounts of time on social networks are probably the top three. However, in this tip, we're going to present some lesser-known career networking alternatives for making yourself well-known within the industry.
Party like a rock star
At the 2010 Black Hat conference, one of us heard a quote that really rang true:
"They make DVDs of the conference talks that you can watch when you get home. They don't make DVDs of the hallway conversations."
In other words, at major industry conferences like Black Hat, RSA, SecureWorld and CanSecWest, a great deal of career marketing happens during the hallway conversations and the evenings' activities. While speaking at conferences is one way to get your name out to a large number of security professionals, ensuring you attend the cocktail parties and get involved in conversation is another way to not only introduce yourself to those same people, but also to practice the art of selling yourself to a potential employer. And it's a good deal easier to end up at those events than it is to get on the speaking roster.
(As an aside, this is how Mike and Lee met -- during a hallway conversation at Black Hat a few years ago. It is possible to form long-term business relationships this way.)
Get involved locally
If you are in a decent-sized metropolitan area, there are bound to be security industry groups and/or events that are looking for help. In most large cities, some form of security group meets monthly: ISSA, ISACA, OWASP, Citysec and other groups generally have presences.
Here's a little-known fact: All of those organizations are run almost entirely by volunteers, which they rarely have enough of. That means they're always looking for new people to help them run meetings, find speakers and rally the membership. The great thing about this type of involvement is that you'll get to know all of the people at the meetings, including the speakers. The conversations that you'll have could help you get to know people who are looking for someone with your skill set.
Get involved with online communities
When most people think about getting involved online, their first thought is to join groups on LinkedIn, or get involved with Facebook and Twitter. While social networking can be an effective strategy, there are a large number of other online communities where people will see your skills and understand your qualifications in the industry.
These communities break down mostly into two categories: bulletin boards/forums and mailing lists. Most of these are broken out by subject matter expertise. For example, if you're a penetration tester/ethical hacker, there are sites like the Ethical Hacker Network. Other forums exist with a focus on almost any security specialization. Similarly, mailing lists can be a place to get to know (and become known by) those with similar interests as yours: Check out the Neohapsis mailing list archive to get an idea of some of the opportunities that are out there.
Active participation in these online forums can be a great way to show yourself as someone who has the skills to perform a given task: Answering questions, having detailed discussions and asking intelligent questions can demonstrate that you know what you're talking about.
The common thread
The astute reader will have noticed a common thread among all of these methods: You have to get involved. Marketing yourself -- whether speaking at conferences, getting a certification or using the networking methods above -- is going to involve some amount of hard work. Whether that hard work includes reading books and passing tests, participating in a local meeting, hobnobbing at conferences or chiming in on mailing lists, it's still going to be hard work. But everyone who's been extremely successful in the industry has put in that work.
About the authors:
The columnists, Lee Kushner and Mike Murray, bring with them different perspectives on career related topics. Together Lee and Mike have advised many information security professionals in various stages of their career development and are regular speakers at industry conferences on information security career-related topics. Their blog can be found at www.infosecleaders.com.
Lee Kushner is the President of LJ Kushner and Associates, an executive search firm that has been dedicated to the information security profession since 1999.
Mike Murray is an information security professional and career coach. Mike has held leadership positions in environments that include professional services, security product vendors, and corporate environments.