
Recruiter Advice: James Riley, PenTesting & AppSec Recruiter @ Advanced Resource Managers

Updated: Feb 12, 2020

I really wanted to make this website a proper goldmine of useful, tactical information - both on getting into the industry from a candidate standpoint but also from the people who get us hired.

Recruiters sometimes get a bad rep, but a lot of them will happily share their knowledge with you given the chance. James Riley is one of those recruiters and his advice is below. I would highly recommend linking up with him if you're looking to break into the industry or change position!



This is my first attempt to write down my thoughts on recruitment in cybersecurity, so hopefully you find this useful and informative.


Starting out in cybersecurity can be an absolute minefield – unlike say being a doctor, a banker or a policeman, there’s no set ‘pathway’ that you can take or checklist you can tick to say ‘Yes, I’m now ready to apply for a vacancy in the cybersecurity sector’.


Which can be both massively intimidating for a newbie but also incredibly exciting.


For me, as a recruiter, it’s the latter as every candidate I speak to has a completely different background and it’s often a real joy speaking on the phone with them and following their journey into the cybersecurity realm.


As an example, some of the most talented – and now equally successful – individuals I’ve engaged with in my nearly 3 year career have, in their previous ‘life’, been:

· A successful pub owner

· A Drummer

· A high ranking police officer/close protection specialist

· A chef


Not what you’d expect right? And here’s the thing – you’d expect to see things like ‘python’ or ‘C++’ or some kind of computer background on their CV - but that isn’t always the case.


Particularly in pentesting, where soft skills, being pro-active, a willingness to learn on the job and consultative ability can often trump someone who has years of ‘bedroom programming’ but struggles with layman’s terms and therefore relatability.


And at its core that’s what cybersecurity is – making something complex relatable and engaging to a C-Level executive whose only concern could be ‘But okay, how much will this cost?’

When really your job is to convince him to invest in a proactive approach, rather than a reactive ‘Okay, we’ve been breached, let’s fix it’ approach!


So where does one start then?


Often as a recruiter the term ‘cybersecurity’ becomes almost a bit of a misdirection – when someone contacts me and says they want to ‘get into cybersecurity’, what they really mean is they want to be a penetration tester, or a SOC analyst or a GRC consultant, etc.


Cybersecurity is really an umbrella term, as it’s typically broken down into 7 main areas:


  • Identity and Access Management (IAM) & Public Key Infrastructure (PKI)

  • Threat & Vulnerability Management

  • Cyber Security & Technology Sales

  • Security Analysis & Operations

  • Incident Response & Digital Forensics (DFIR)

  • GRC (Governance, Risk & Compliance)

  • Network & Perimeter Security


The recruitment consultancy I work for, Advanced Resource Managers (ARM for short – not to be confused with the computer chip designer), is pretty unique.


Rather than trying to get 1 or 2 people to cover all of those niches and cram a couple of encyclopaedias worth of knowledge about the field into their brain, each consultant instead focuses on one of those specific silos and endeavours to be an expert in recruiting for that specific field.


‘Inch Wide, Mile Deep’ is our approach - although try saying that out loud and it sounds a little filthy ;)


It’s proven to be an effective strategy. I was privileged enough to put my focus on Penetration Testing and Offensive Security as my niche area of recruitment after an initial 6 months spent recruiting within the cryptography space.


When I moved into pentesting it struck me how vibrant the community was and the willingness to share information between seniors and juniors was so refreshing – it was unlike anything I had experienced and I quickly knew this was where I wanted to ‘live’, so to speak.


I quickly became aware of the much talked about "Skills Gap" in Cybersecurity – something I’m sure you’ve all heard about numerous times, but I assure you it is a real thing and not just a buzzword.


As cybersecurity has evolved so much in a short space of time – it pretty much didn’t exist 15 years ago, until smart phones took off and everyone had the Internet in their back pocket 24/7 – there are now more roles than there are qualified individuals who can ‘hit the ground running’, so a lot is being done to try and address this.


My main role as a niche recruiter is to identify talent that maybe does not fit the traditional mould of what a ‘perfect candidate’ looks like in the eyes of a client when they write their job spec - but holds all the qualities needed to complete the job.


They will be loyal, will be proactive and will be a good ambassador for their brand.

Not as easy as it sounds, but that’s the fun of it all right?


To keep things simple, as a recruiter, I mainly see 3 types of candidates – I’ve detailed these below to hopefully give you an idea of what I’d be looking out for:


Graduate


Traditionally, university has always been seen as a sure-fire route to get a good paying and respectable job – and that is still true in many fields.

In cybersecurity though it’s not as clear cut that ‘degree = great job’.


In truth, most of the best security professionals I know have never been to university and don’t ever intend to.

Often, many folks leave uni with identical degrees & modules and therefore identical CVs.

For a client this can be a headache – if everyone is equal, who do I hire?


On the flipside, there are many fantastic graduate programmes that produce some quality consultants – but not everyone will get a place on these schemes, and in truth a grad programme might not be to everyone’s taste!


So what to do?


I’d advise to start your career building as early as you can:


· Join your university’s cyber security society

· Go to niche events such as BSides London/Manchester/Leeds/Liverpool/Cheltenham/Newcastle and start networking with your peers and your potential future employers.

I’ve lost track of the amount of people I know who secured an internship through a casual conversation with the right person that gave them a recommendation.

· Get active on LinkedIn early – Start connecting with influential people in the cybersecurity sector you wish to work in, start commenting and engaging on relevant posts, and post/share things that mirror your interest. You’ll be surprised at the network you can build!

· On that note, choose your sector – A lot of people leave uni wanting to be a generalist and then ‘niche down’, but the industry needs folks that can start delivering on specific work. So the earlier you choose which niche you want to focus on, the quicker you can start building the skills needed to increase employability which leads me to my next point...

· Certifications – choose them wisely. Not everyone needs something like CISSP or CompTIA CySA/Security+ on their CV, especially if your intended role doesn’t involve any GRC. On the same wavelength, if you just have CEH on your CV and believe that’s enough to make you a ‘Certified Ethical Hacker’... I’m afraid it’s not!

If you want to be a penetration tester, an OSCP or a SANS GPEN qualification that gives you hands on practical experience in a virtual lab is the best way to showcase your skills.

· Enter CyberSecurity Challenge – A yearly event. I know countless folks that have been scouted from this and scored both internships and their first job from it!


Ex-Military


As someone from an ex-Forces family – RAF, for anyone that’s interested – maybe I’m a little biased, but I’ve found ex-Military folk to be some of the hardest working, adaptable, pro-active, engaging and loyal candidates I’ve worked with.


And the good news is clients seem to agree. My success with introducing ex-Military personnel to pentesting roles has been a joy to experience and is probably a higher percentage of my successful placements within organisations than any other talent pool.


Some tips I’d suggest:


· Use your transition time wisely – Much like with graduates, you will have the advantage of some dedicated time on your hands to learn some new skills, but with the added bonus of some potential cash towards this too. Identify the sector you want to pursue a career in and start looking at relevant certs. A company called Crucial Academy provides a well-regarded Threat Intel and Pentesting (Offensive Security) course which has the backing of numerous military forces, so they can help with this as well.

· When writing your CV, be sure to back up any technical experience with examples.

Sounds straightforward – but having been exposed to so much different technology, it can be easy to lose track of what is relevant, and there can be a tendency for some to overcompensate by listing every technology/software/tool they’re confident with.

For example, if you were going for a tech support role, being an ace with Windows Server and Active Directory is great – but for a pentesting role not so much. So be a bit specific and tailor appropriately.

· Attend security events and local meetup groups – As with grads, these places can be a great way to speak directly to potential employers and get a feel for what role you would like to do next. If I see on a CV that someone has been out at a BSides, a BlackHat or an InfoSec Europe, that’s usually a good sign.

· Connect on LinkedIn and don’t be afraid to ask questions to your network – it’s surprising how many people in cybersecurity have a military background so are always happy to share information!

· Open an Immersive Labs account and take on the courses and challenges – this is offered to a number of veterans free of charge. It’s a useful database for finding your feet, sharpening your skills and deciding which part of cybersecurity excites you. Great bunch of guys too :)


Career Changer


So this is the "wildcard" – these folks often fall through the cracks as a lot of recruiters (and clients) will often pass them over, as on paper their CVs don’t match a traditional job spec or what the client perceives as the "ideal" candidate.


I enjoy working with these folks as often they’ve spent a number of years in another field of IT and have a diverse skillset – and often they don’t realise how much they can bring to the table until we start talking.


For example:


A few years back I received a CV via email. As I read through his CV, nothing on there immediately screamed ‘pentester’ on the surface, but something had struck me about the way he had written it.

His choice of words…it just had passion and this guy low-key knew his stuff – perhaps he was being modest with some details?


So I phoned him up, and within 10 minutes he was speaking about his studying, his side projects and his achievement of OSCP in 3 months.


With his manner of speaking in a clear way without jargon, I knew that all I had to do was connect this chap with the right client and he would be an asset to any team.


My question was “Why isn’t this info all on your CV?!”.


He confessed that he wanted to keep to a word limit and not overwhelm with information – I somewhat agreed with him but said he shouldn’t be shy to include anything he feels is relevant.

Together, we realigned the CV.


Long story short, after linking him up with a well-known consultancy this chap has smashed every target given to him and become a valuable and dependable team member.


A lot of the advice I’ve just given to ex-Military and Graduates still applies – but there are a few different things you can do to differentiate yourself:

The main one is to be clear in your mind which area of cybersecurity you feel you want to realign yourself to.


Once you know this, you can then tailor your CV to reflect which transferable skills you currently have and use examples.


It seems like a simple thing, but as cybersecurity has this ‘grey area’ of an entry point, it is good to get a bit specific with how experienced you are - and how that will enable you to quickly adapt to your potential new role.


There are also a number of free online resources and books you can use to upskill:


· The Web Application Hacker's Handbook - a MUST for web application security;

· A great (free) Linux command line / bash scripting refresher:

· An Introduction to network/infrastructure testing, often used for initial CREST theory exam revision;

· Some Windows & Linux Privilege Escalation Fundamentals:

· This one is for Windows and Linux, comes with free VMs:

· A great pen test book series:

· A great guide to how Nmap works:

· Some online hacking challenges that are similar to OSCP (see below) quality:


I guess what I’m trying to say is that cybersecurity is a fluid and ever-changing industry, and often it can take a little while to get your foot in the door – but with the right contacts – or the right recruiter ;) – hopefully this process can become easier!


I’m sure I’ll have more thoughts on this as time goes on so feel free to drop me a LinkedIn request if you like and maybe we’ll speak in the future!
