Entry Level

I started my first Endpoint Security Engineer role late last month and I wanted to write down how I was able to finally break into security. This is going to be written in a journal style as this is just my experience.

For some context, here is my work experience:

  • 5 years of IT support experience overall
  • 2 years at a FAANG doing internal IT support
  • 6 months running IT at a startup as the sole IT person

I honestly wouldn’t say that I’m the most technical person in the world but I definitely have a lot of interest in learning new technologies, automation, and tinkering with tech such as Raspberry Pis.

I’ve been interested in security for almost 3 years now and had been actively trying to break into a security role for the past 2 years. The thing about security is that it’s not an entry level field even if roles are advertised as “entry level”. What I mean by that is that many organizations desire folks with experience as it is cheaper to hire someone with experience than it is to train someone with no experience. Unfortunately, security is still seen as a cost center today and organizations tend to want to save on that cost as much as possible. There are so many folks trying to break into roles with actual experience, degrees, certs, and bootcamps that I didn’t think that I really stood a chance.

I probably applied to over 150 “entry level” roles over the past 2 years including SOC Analyst, Security Analyst, Security Engineer, SecOps Engineer roles, and received maybe 5-7 responses in total. When the pandemic hit in 2019, I had some time on my hands to get my Security+. The Sec+ was honestly a good way to learn the fundamentals of security, and I highly recommend it for anyone trying to get into security if they don’t have experience. I was asked a lot of foundational questions covered in the material during interviews.

Getting the Sec+ won’t get you a job right away though. It’s good for learning the basics and as a checkmark if job descriptions have it, but it isn’t really helpful to get a job in the end in my experience. I was applying to roles and still couldn’t get to a recruiter screen for a while. I started doing TryHackMe rooms to learn about tools, reading security blogs, and learned scripting as I saw that those were desirable skills. My IT Support roles actually helped a lot as I was able to learn the foundations of how computers worked, networking basics, system administration, and most importantly how to work and communicate with people.

We sometimes see recruiter posts about how applying for jobs isn’t a numbers game and that we should be tailoring our resume to every single job that we apply to. I half agree with that and half don’t, and here’s why. Yes, we should be taking a look at the job description and making sure that our resume has the keywords to get past ATS, but you should absolutely be applying to any and every job that you are interested in, and it’s okay to use the same resume as long as it makes sense to. The more jobs that you apply to the better in my opinion. When I was applying to jobs, I went through all of LinkedIn and filtered by “Easy Apply” jobs first to quickly send out my resume. I never once filled out a cover letter and most organizations don’t require filling out a million fields after submitting a resume these days. After that, if I saw a posting that I really liked and it required me to go through the Workday fields, I did it as my chances were 0% if I didn’t try.

Eventually, I started getting reach outs for Security Engineer and SecOps Engineer roles during the “Great Resignation” time.

To prepare for the interviews, I researched the interviewers and other folks from the same company that had the same or similar job titles. LinkedIn was a great place to utilize OSINT to gather information on tooling and the day to day. I didn’t have to do any coding except for one job interview (which I tanked horribly). To me, the biggest thing was showing that I had a passion for security and willingness to learn. Even if I didn’t know everything, I showed them that I had huge potential and that all I needed was the right opportunity and a chance to learn.

I couldn’t have done it without the support of my friends, family, and peers. When I was having trouble with getting a security job, I made sure to look for IT opportunities that could at least lead to a specialization in Security, and made it clear to all hiring managers that that was my plan. If a job didn’t have that potential, I didn’t take it or move forward with the interview. All my coworkers, friends, and family supported me and helped me to network with security folks or sent me security resources.

The most important thing is, don’t give up. There were days when I felt done and thought maybe I should stick with IT support or maybe try moving into a systems admin/engineer role if security didn’t work out. After those periods of lows, I would always fall back in love with learning about security and reading up on security news.

I’ll be creating a separate post on how I passed Security+ and what materials I used.