Don’t be fooled by job descriptions and brand

So you’ve graduated from college with a computer engineering degree or some equivalent training that qualifies you for one of the more than million jobs available in cybersecurity. The world is your oyster. Unlike recent grads in other industries who are preparing to hunker down with their parents until they earn enough money to pay off their student loan debts, you stand to be making a reasonably impressive salary in only a few years.

How, then, do you decide to whom you want to be tethered in these nascent years of your career? What criteria do you use in deciding whether to work in the public or private sector? A large, well-known enterprise, a smaller or younger organization, or a riskier startup?

Certainly there are pros and cons to each, as is true in most industries. But, does the reward of getting in on the ground level of a new startup outweigh the risk of taking a job with a company that might not even exist in a few years?

Most of the folks with whom I’ve spoken in this industry have echoed the same advice to security newbs: Be passionate. Make sure you love what you do. The first job then, is hugely important for nurturing that passion. 

JJ Thompson, founder and CEO of Rook Security said, “There are two big factors. First, you have to consider what type of team you want to be a part of because you want to get the right leadership. Second, you want to know if the organization has an incentive to help you grow.”

Knowing whether you are an added cost versus a streamlining cost will serve as an indicator of whether you will be involved in doing something really cool.

Thompson explained that an in-house IT security team shows up on the cost side, so it’s important to understand the business and whether you will be serving on a team that is part of the cost center instead of the revenue center. “It’s treated differently,” said Thompson. “A sales person gets more perks because everything starts with sales in an organization. People in other roles are not treated the same ways as sales people are,” he continued.

Recent graduates applying for jobs should be looking for the cyber jobs where they are going to be treated like a sales person. “You should have the potential for growth in an area of passion where you are exposed to new and dynamic opportunities to learn,” said Thompson.

Be wary of security analyst positions that don’t allow for sharpening skills in new ways. “Most traditional MSSPs are more like a call center than security shops. Security analysts sit at desk and see an alert then follow up with an email. That’s a call center written as a security analyst position,” said Thompson.

[ ALSO: 4 Interview questions for data security analysts ]

Security analysts shouldn’t take instructions from a screen that pops up; rather, they want to be engaging in investigations where they are looking for root causes. “If you are applying to two jobs, both security analysts, and both read the same way, it’s likely that each could set you on a completely different trajectory,” said Thompson.

In order to completely understand what you are about to embark upon, Thompson advised asking these key questions:

• Who am I reporting to?
• How will I be able to grow and what will I be exposed to? (Make sure answers are not just following script.)
• How much am I actually getting to the root cause?
• How much interaction do I have with client?

In addition to asking these questions, Thompson said, “Take at least a day to shadow somebody doing the work in the security analyst role so that you can make your own judgment.”