Welcome back to Career Hacking Village, Hacking Career Village, whatever. As many of you know, I haven't had a lot of coffee yet today, and it just doesn't seem like a hacker con without a shot of tequila, so maybe I'll go do that. In the meantime, a lot of people in our community are frustrated with figuring out how they go from one job that is non-tech, non-security related into being a security pro. And I'm so thankful that Alyssa Miller decided to tackle this topic and bring to us her insight, her wisdom and her shared strategies on how we could be successful. Alyssa.

Awesome. Well, thank you, Kathleen, and hey everybody from DEF CON. Weird DEF CON-ness is this here. Miss seeing all my buds, you know, my hacker fam, but here we are. And as Kathleen mentioned, you know, I think we're all kind of familiar with the struggles of trying to find jobs in cybersecurity, especially if you're new and trying to make that transition from one industry into the security industry. And it's something that's very near and dear to my heart. So today, I really wanted to go through some strategies with you. Let's talk a little bit about some of the problems that are out there, and how we can tackle them, how people who are trying to find that first job in cybersecurity can really jump in and overcome some of those obstacles that unfortunately exist in the industry today.

So when that thing started, let me just share a little bit about myself. First of all, for those of you that don't know me, my name is Alyssa Miller and I'm a hacker and a researcher first and foremost. I've been hacking all my life. I bought my first computer when I was 12, did some things of questionable legality with some online services, and it's kind of been that way ever since. You know, I taught myself how to program, I taught them communications and sort of dug in, and later on in life became a developer and finally jumped into the security industry as a pen tester.
So I've been doing this pretty much my whole life. It's really my mindset that I love tearing things apart to figure out how they work. I like to break stuff, and I like to make it work better. So that career of mine has led me to where I'm at right now, which is a security advocate for a company called Snyk. That just means basically that my job is to get out in the security community and talk about topics that are important to us in security and how that ties in organization, like DevSecOps and things like that. But part of my career journey has really centered on the fact that I've been a security leader, in other words a manager, a hiring manager, for 12 of the 15 years that I've been in security. It didn't take long after I took over that first penetration testing role that I was leading that whole team and the vulnerability management program for a huge, huge organization.

And so this is a space that I've worked in a lot. I have built a number of different consulting teams from the ground up, where there was nothing that existed or a very skeleton crew and it needed to be grown quickly. And I've had a lot of success with that, but it's enabled me to see a lot of the struggles that people deal with from a job search perspective. And indeed, it's given me the perspective to have: what are hiring managers looking for? A lot of times, hiring managers have their own frustrations. I've had to work with recruiters and headhunters and job search systems and so forth, and we'll talk about all of that.

And then finally, about me, I'm also the co-host of a podcast called The Uncommon Journey. And that's up because it's on this podcast that we focus on something that's really important to understand in cybersecurity. And that is that every one of us has a very unique and very different story about how we got here. I always tell the story: I started off as a pre-med major. There were people in this industry who were wrestlers.
I know people who, you know, worked in sanitation. I know people who are actors and did drama. And all of these people somehow ended up in the same place because they had an interest and a passion for security. So, it's a great podcast, check it out, but more importantly understand that concept that no matter where you're coming from, there's a place for you here.

So let's start off with a little bit of a story. And the story goes back to the title of this talk being about from a barista to a security pro. So, some time ago, I was having a conversation with one of my colleagues, and he was lamenting the fact that he was hiring for some positions and he was having trouble getting qualified candidates, and these were entry-level positions in the SOC, so the security operations center. And along this conversation at one point, he brought up the fact that he had somebody who was a seven-year barista, had been working for Starbucks for the last seven years. And he was frustrated, didn't think that they had any place applying for a cybersecurity role, because they hadn't worked in tech before.

So I started to question about that and I asked, okay, you know, well, what qualifications do they have? Well, they had gone and they had gotten a computer science degree, and they had achieved their Security+ certification. I think he might have mentioned they were also working on a CEH or something like that. And so I started to ask him, I said, did you think about what it is that a barista does on a daily basis and how some of those skills might be really valuable to you in a SOC environment? And I started to go through my... we're going to talk about that more a little bit down the ways in this talk today. So we dug into this, and by the end of it he started to realize that, you know what, this barista might actually have some really good skills and might be the kind of person that they can build.
So the point of this being, there's always that path in; sometimes it's not so obvious. And since hiring managers, recruiters, job search systems may not always see those connections, it's up to us as job seekers to help people see what those connections are and justify why it is that we're coming to this industry to start a career, and why it is that you want us to be your next hire. So we're going to talk all about that.

But first, let's just start off with a state of where the industry is today. If you're looking to get into cybersecurity, chances are you've once or twice before heard this mantra that there's a talent shortage in security. There are studies, there are surveys, there are articles galore that speak to this every single day. If you go through any news sites related to cybersecurity or related to tech, chances are somewhere over the past year you're going to find that they had some article that talked about the challenges of this so-called talent shortage that exists in cybersecurity. And it ends up here, for instance: "The great cybersecurity talent shortage continues."

And it's blown up really big, but the question always comes back to me. I start to wonder. I hear from a lot of people who are trying to find roles in cybersecurity and are unable to find them. And I hear from people who are experienced and who are trying to find new jobs and are having trouble. So, you're telling me there's a talent shortage, yet I'm hearing from all these people who are having trouble finding jobs. So, what's the reality? And that's something that I really wanted to start to try to find some answers to.

So, at the very beginning of this year, I made the decision to do some research. And it's related to a book that I'm also writing; in fact, a lot of the stuff you're going to see in this talk today comes from this book that I'm currently working on. But one of the things I did was I launched a pair of surveys.
One survey was targeted at people who had never worked in cybersecurity before and wanted to get that first job in security. The other survey was targeted at people who are working in security and already have some experience. I got over 1500 responses; it was a very successful survey. But one of the questions I asked people, because I wanted to really understand this talent shortage in particular: I simply asked those entry-level folks, people who had never had a job in security before, if you're searching for a job, how long have you been searching? Simple question.

And the results are what surprised me. We're talking about a talent shortage where employers are desperate to find people to fill these jobs they have open. Yet as we look at these numbers, I can see close to three quarters of these people have been searching for three months or longer to find a job. Over 32% of them have been searching for seven months or more. That's a long time to be out on the job market when you're looking for that first job. We have such a talent shortage. How come all these people are having such a hard time finding jobs? This is something I really want to get to the bottom of.

So you might look at this, you might say, well, yeah, that's probably because they're entry level and, you know, they don't have any experience. And, you know, a lot of these jobs in security, while they're looking for secure, they're looking for experienced people, and you're not wrong about that. You wouldn't be wrong to think that. And in fact, when I asked the same exact question of experienced people who said they were already looking or said they were currently looking for a job, the numbers changed a little bit, but they still didn't change a lot. We see, yeah, it went up to 46% that, you know, are less than two months in the job market, and that's pretty good. And that's what we'd expect to see: people with experience, there's high demand, they're finding jobs quickly.
But what about the other 54%, or 53 and a half percent? They're still taking three months or longer to find a new job. That's a long time, and almost a quarter of them, it's taking over seven months. So, we see the same issues here whether you're entry level or whether you're experienced. So, if there's this talent shortage, we have this high demand. 4 million jobs is one of the quotes you'll see mentioned recently; over 4 million jobs are going to be left unfilled this year. Of course, some of those numbers came up before COVID, so we'll see how that adjusts as people have adjusted their hiring practices, but that's a significant number, to say that we've got these 4 million positions but these experienced people can sit in the job market for seven months or more.

So, all right, is it a problem maybe with the applicants? So, in that same survey, I asked the people who were hiring managers, I asked them, hey, are you trying to hire for a cybersecurity position? And there were a good number of them that came back and said yes indeed they were, they were trying to hire for cybersecurity as well. And so I asked them, all right, well, what's the biggest challenge that you're encountering when hiring cybersecurity candidates?

The number one was unqualified applicants. And this gets me thinking: that works maybe when we're talking about entry-level people, but we're seeing all of these people with experience, with degrees, with certifications, everything else. How are we finding so many that are unqualified for the positions they're applying for?

The second one is kind of telling. And this is where we're going to start to dive in more. The second most common answer was struggles with job descriptions. Hiring managers, recruiters, they work together to put together these job descriptions, but it's not an easy job. We need to figure out a way that we can word a job description that accurately captures the things that are important to us as a hiring manager.
Also, are compliant with all the employment laws and everything else that we have to worry about. This is actually a lot of heavy lifting and it's not easy to do. And so, it's not really a surprise to me that I see this up there.

And then we see lack of applicants is number three. And now I'm scratching my head again. Because how are we running into so many people who say they're in the job market for this extended period of time, but you're telling me you have a lack of applicants to your role? Well, how's that happening? So we're going to explore those, because I think those latter two in particular, job descriptions and the lack of applicants, they're actually really tightly related.

So look at job descriptions for a minute, because what I'm going to tell you is that one of the core problems, when I look at why we're struggling to fill roles in cybersecurity, it comes down to that job description. So as a new security person, a new person looking to start that career in cybersecurity, you might be thinking, hey, I want to start my job as an intern. I want to look for an intern role, especially if you're coming out of college or maybe you're wrapping up your degree, and you're thinking in terms of intern positions.

Now, if any of you follow me on Twitter, you've seen me throw out from time to time examples of bad job descriptions. Well, here's the job description from this information security intern position that was posted just a few weeks ago. Right off the top: a bachelor's degree in information technology or a technical discipline. So this is an internship, and they immediately want you to have a degree already. So there's no flexibility here to say, you know, have other experience that maybe plays in instead, and can replace that particular role. The next one is what really trips me out, and this is something you see is really common: certified in one or more of the following.
You're talking about an intern and yet they're expecting them to have a certification. Okay, if you look, you see CISSP is the first one. Anyone who knows anything about the CISSP knows that there's a minimum number of years of job experience that you have to have to get a CISSP. So how can any organization expect an intern to have a CISSP? This is simply not realistic.

This is the one that set me off and resulted in a really long Twitter thread that ended up really kind of blowing up on Twitter for a few days: minimum of seven years experience working in information technology security. We're talking about an intern. An intern role. These are the ones that you use to bring people out of college and into the workforce, and they want you to have seven years of experience. This is the landscape you all are trying to conquer. So if you think you've got some key obstacles in your way, clearly you do.

But it gets worse. So remember I talked about these experienced people. Here's one for information security architect. And yes, I've protected the guilty here; I'm not going to name and shame who this is. But take a look at this job description. So they start off with all the usual stuff, talking about their company and their great culture and how wonderful they are, and then they start to describe the role. And you can see here's three bullet points. Okay, that's great. But it doesn't end there. This continues. This is the job role. This is what they're telling you you're going to do day to day. Now I've cut it off here. There's actually four more bullets that follow this yet.

Who is this magic unicorn who's going to fill all of these responsibilities? And if you look at them, I know they're hard to read because it's really, really, really small, because it was the only way I could fit it on the screen. I'm talking about everything from configuring IPSs and WAFs to working in DevSecOps. This, like, runs the gamut of everything that's in cybersecurity.
But it doesn't end there. Let's go and look at their requirements for this job. So that's all of what you were going to be doing if you get the job. Here's what they expect you to have. And these aren't preferred qualifications. These are listed as requirements: required that you have every single bullet here. You wonder why this job didn't get filled. It's no surprise. So we're going to dive into this deeper.

But before we do, I also want to share one more element of that survey. One element of that survey was I asked job seekers, experienced job seekers, because I wanted to know from people who've been around the block a couple times: what do you see as your biggest struggle? And no surprise in light of everything we just saw, they come back and they say predominantly it's bad job descriptions. So when you have bad job descriptions like this that float throughout the industry, how can you expect people to even want to apply?

And indeed, this is what happens. You have these job descriptions. Sure, some people may apply and they might be underqualified, because they can't even figure out what this company is really looking for. On the other side of it, you've got people who then just don't apply. So that, you know, that percentage that said that they're having trouble finding job applicants. Well, yeah, no kidding, because when you have bad job descriptions, people don't apply.

So, enough of talking about the problems. I didn't come here today to tell you about how bad things are. We know that, you know that; if you're looking for a job, you know it's a struggle. So let's talk about how we start to overcome some of these problems. And let's start by just looking at the typical hiring process, because especially for some of you coming in as first-time job seekers, this might not just be your first time looking for a security job, this might be your first time really looking for a corporate-level professional job overall. So let's just talk about this for a minute.
The way it works in most organizations is really similar to what you see on this image here that I pulled from Jobscan. Now, Jobscan is a company that produces one of what we call these application tracking systems, or applicant tracking, or ATS. So that's that automated system that collects all your information when you apply for a job.

So usually what happens is, they'll go in, they will create a job in that system. Now, there's usually some stuff with approvals and things that happen before that, but a recruiter from the company is going to go and create this job. And they're going to attach to it a job description that the recruiter has likely worked with the hiring manager on. They probably have some standard job descriptions laid out and, you know, they might work with a hiring manager to make sure that's accurate for what they're trying to hire for. And then of course they publish it to the world. They put it out on LinkedIn, they put it out on job sites, they put it on their own job career board on their website, and they hopefully start getting applicants.

Then they start screening. And they start screening each of these applicants, and over stages they eliminate them, and then finally you get to the point where they select some and they interview them, and then hopefully they find the one they want to hire and they hire them.

What I want to focus on here is this lower left, where we see the applicant screening process, because when I talk about how people fail to get into a cybersecurity job and how jobs fail to get filled from the hiring side, this is where the things fall apart, more than anything else. It's when we get into that screening process. So let's talk a little bit more about that process for a minute, what that looks like in organizations where they're using an applicant tracking system. That is your first layer of filter.
A lot of these systems have built-in rules that immediately look at your resume and are going to identify very, you know, very objective, tangible things that they can identify, and a lot of times there are algorithms built in there that will actually, they may not actually delete you from consideration, but they rank you. They provide scoring that now the recruiters and the hiring manager are going to look at to say, hey, let's prioritize these and look at who's most qualified. So it's important that we understand that that system is a crucial aspect in how we get considered for a job when we apply.

So that's from there, and typically a recruiter or someone in human resources is going to look at that next. They're going to be the ones that are receiving that, and it's their job to screen further. So they're going to look at your resume and your qualifications. And if you meet at least some of them, they're probably going to get in touch with you, because their job is to get in touch, talk to you and screen that you do meet some of just the bare qualifications for that job. They're going to make sure that some of the legal aspects of it are considered, so, for instance, here in the US, if it requires that you're able to legally work in the US, they're going to make sure that you have whatever those legal qualifications are. They're going to talk to you about some of the base skill sets and things that they're looking for, maybe ask you a little bit about your experience. So that's their job. And what they're trying to do is they're trying to filter out those applications before they ultimately submit them to the hiring manager.

So the hiring manager, and potentially their team and maybe some other managers and whatnot, will be involved in the last steps of that screening process.
So they're the ones that are ultimately involved in some of the interviews, and they're going to make that final decision on who comes in for an interview and of course who they ultimately end up hiring.

So understanding this process is important, because more often than not applicants do apply for jobs. I know people who have told me they've applied for 30, 40, 50 jobs, because they're not hearing back, they're not making it through, and I start to question: well, if you're applying to that many jobs, how are you not getting calls back from any of them? That seems surprising. And indeed, when you're entering this world of searching for a cybersecurity job in particular, you're on the road to frustration.

For those of you coming out of school, you may have had schools that told you, hey, just get that cybersecurity degree and you're going to be all set. Or maybe you went and you got that certification, and boy, they promise all these great things: hey, if you just get this certification, everybody's going to want to hire you because, you know, 35, 40, 50% of people working in security have this certification, so if you get it you can get a job there too, right? And then you go and you hit the job market and it doesn't happen.

So let's talk about how we're going to get beyond that. How do we hack that system and make sure that you can get your next job? I'm going to tell you, it starts with you. You are the first step, and you need to understand yourself. Self-analysis is probably one of the most crucial aspects of getting a job in cybersecurity.

I mentor a lot of people as they're searching for security jobs. And one of the first questions I'll ask them; someone will come to me, a lot of times they'll just ask, hey, will you be my mentor, which is a pretty vague request in general. And so I'll start to ask right away, hey, okay, what are your interests? What do you want to do in security?
And the answer that I dread but I get quite often is, well, I just want to work, I want to learn everything, I want to be in cybersecurity. Well, what do you want to do in cybersecurity? Well, I don't know, I want to learn it all.

This image here is a wonderful image, I love this. I put this together and you posted in an article on LinkedIn. And I don't agree with all of how it's arranged, and I would definitely change a lot of the aspects of it. But this gives you some idea of the amount of different opportunities, topic areas, skill sets, whatnot that exist within this thing we call cybersecurity. So to say you want to learn all of it, that's not a realistic expectation. To say to somebody, hey, I just want to learn cybersecurity, that's super broad.

How do you, self-analyzing, get to a point where you understand what it is in cybersecurity that interests you? Now, I've talked with people; sometimes they're able to figure it out, and we'll chat a little bit and then we get to the root of it. Sometimes, what I've encouraged people to do: go out, look at maybe 5, 10 security-related blogs and news sites. You have the first five headlines off of each one of them and put them in a list and rank them, rank them in order of which headline seems most interesting to you. Now take the top five of those headlines and look for what's common. What are the aspects about those headlines that actually excite you?

Is it because they're doing some kind of investigation, they're doing maybe digital forensics, and they're investigating and you really like that idea of trying to solve a mystery? Is it because they've launched some new defense mechanism and maybe that's where you really like to sink your teeth into? Is it maybe headlines about new vulnerabilities that were discovered, and so, hey, that certainly tells you: I really like this idea of vulnerability research and I want to start getting into things like pen testing.
This is a great way to simply narrow down your interest and actually understand what it is in security that you want to be doing, because this is a huge field and it's growing every day as the digital world becomes more and more our way of life. Security fits into every piece of it.

Next thing you need to do is you need to be out there building your network. So you know what you want to do; start interacting with people in social media if nowhere else. If you go to conferences, I know this year it's different because we don't have the interactivity of being able to walk through hallway con like we normally do when we're at DEF CON and everywhere else and meet new people. But meet them on Twitter. Honestly, it's easier to meet them in social media first anyway and then find them at conferences later.

But the key here, the key mistake I see made, is: interact with them. Building a network isn't just going out and following a bunch of people and trying to get a bunch of people to follow you on all these different social media platforms. It's interacting with them. The wonderful thing, I love Twitter for this, and there's a reason why security lives so strongly in Twitter: you can interact with anybody, as long as they haven't blocked you at least, so don't make them angry. But you can go out there, you can find the biggest names in the industry, you can follow them, and as they post things you can respond and you can have conversations with them. Not only do you have conversations with them, but you may have conversations with their other followers who've also responded. Get engaged in those active conversations, ask questions, offer your opinions, be respectful, build that community. That's how you get followers. That's how you make friends. That's how you'll start to discover not just learning opportunities, but you'll start to find job opportunities.
Now, LinkedIn's really great if you're looking really on a more professional level. Of course, it's not as active from a security perspective, definitely more formalized, but a great place again to start connecting with people who work for certain organizations that you want to work for. Find those people, do a search. LinkedIn actually has a pretty decent search capability. Go look for people who work at a job that your... work at a company, excuse me, that is one that you want to work for, and then look for the people who are in those security roles. Yeah, it's not the greatest search in the world. It does take some learning, but when you learn how to use it you can actually effectively find these people.

Add them, add them as connections. A lot of people on LinkedIn are more than happy to add connections all the time. Unless there's something red flagged about you, I'm going to add you if you add me. So make those connections, and again, now you can start interacting with those people when they post stuff. They'll start to see what you're posting as well, so post good topics, concepts, things. Be out there, be active, but this is what I mean about being interactive and building that network, because now as you start to engage with these people and you build relationships, those are people that can help you find opportunities and help you land those opportunities.

But now let's talk about the hiring process. So we've worked on you, we've got you ready, but now you're going to go and you're going to start putting your resume out there to the world. Let's talk about how you beat the ATS, those applicant tracking systems. Some, they're used to varying degrees; different recruiters use them differently, different companies use them differently. But there's a few things you need to remember with the ATS. Most importantly, remember:
This is a machine, it's software. It might be AI based, it might use machine learning and all these buzzwords that, you know, the vendors talk about that their products do, but at the end of the day you're talking to a machine. So let's think about some of the things that are really important there.

First and foremost, when it comes to your resume: simple formatting. And there's a lot of aspects here. Use common fonts; believe it or not, this can be an issue. Don't use wild, crazy fonts. Use ones that are common. There's no one specific that you have to use, but use ones that are typical: Calibri, Times New Roman, the ones that you typically see in documentation, other things that are easy to read. These are the ones that those systems can most effectively process accurately, and that's important.

But let's go beyond that. Just format your resume in a way that's easy to read. I know we like to have things that stand out, and it's okay to have a separate resume that you're going to hand to people, but the one that you upload to the ATS needs to be simply formatted. Don't put pictures in there, don't put designs in there. Lay it out structured, use bullet points, things that it will be able to easily process.

The second thing, and this to me is so crucial, I cannot believe how often people miss on this, and I don't care if you're looking for a cybersecurity job or what kind of job, this is something you need to be aware of if you're trying to get hired: you need to be tailoring your resume to that job that you're applying to. This means for every job that you apply to you should have a separate file. And literally, if I showed you my file system where I store my resumes when I'm applying to jobs, I've got a different one for every one, and I name them with the date and the company of who I sent it to. Why? Because I need to be looking at keywords that appear in those job descriptions.
What are the things that are most important to them in those job descriptions, what ranks highly in the requirements, and how can I work those terms into my resume? Not saying I have to have experience in that term if I don't have it, and we'll talk more about that in a minute. But at least make sure that you mention that keyword somewhere, get it in there. Look for variations on that keyword as well, so if we think about penetration testing and ethical hacking, for instance, those are two different variations that you might focus on.

And make sure you're ticking all of those boxes, and sometimes those boxes can be, you know, pretty complex. They might include certifications, so I'm going to talk to you in a second about certifications. But the last thing I'm going to tell you with checking the boxes is make sure that you look at these step by step and lay them out. And know which ones you want to have in that resume, because you need to make sure your resume touches all of those when you upload it to this system. Don't lie. Don't over-exaggerate, but make sure that you check the boxes that they're asking you to check.

Now, as I said, one of those boxes is often the certification. And this is another extremely common question I get from people who are looking for cybersecurity jobs: they want to know what certs to get. I love this picture; it was put together by someone on Reddit. I've got the credit down there at the bottom. These are all the cybersecurity-related certifications you can get.

And I said CISSP is very commonly asked for; in fact, I did some research. I went through five different major job boards, including LinkedIn and Monster. And I looked at what they are looking for, what is the most commonly asked for certification. Far and away, bar none, it's the CISSP. Now, I filtered out any jobs that were from the government, because the government does have actually specific requirements around why they have to have CISSP.
But more often than not people say they want a CISSP. And here's the magic words: or equivalent. You don't have to have a CISSP to get a job. Just get a cert. Now there's very few that as an entry level person you can get, but there's a couple. One that I recommend most often to people is look at the Security+, because the Security+ certification is one of the cheapest to get. It is attainable for anybody and it covers a wide breadth of security knowledge. It doesn't hamstring you into one specific area. If you go for like a CEH, well, that's very focused on ethical hacking and penetration testing. That doesn't make a lot of sense. If you look at the GIAC ones, all these, the ones from SANS, well, one, they're super duper duper expensive, and two, they're very narrowly focused as well. So get something general, something that can apply. You're not looking to say, hey, I've got this great wonderful certification; you're looking to check that box that says CISSP or equivalent. And I will tell you that having a Security+ more often than not will be looked at as an equivalent.
So you've made it past the ATS, congratulations. The recruiter's now looking at your resume. What do you, how do I get them, how do I get them on board? Well, you got to inspire them. You got to inspire that recruiter who's looking at thousands maybe of resumes in a week. You've got to inspire them to take your resume and pass it on to the hiring manager. How do you do that? Step one, be memorable, and I cannot stress this enough. And this goes beyond maybe having some unique formatting about a resume that you sent to them outside of the ATS. Again, don't use crazy formatting for ATS. Do something more, be bold. If you don't have a blog, start writing one; that way you can link to your blog in your resume. I don't care if only five people ever read your blog. The fact that you wrote content, you put it out there, immediately demonstrates, hey, I'm doing something in security. It makes you memorable.
Create a YouTube channel and record videos that talk about different security concepts. I, one of my favorite stories, and this was actually as a hiring manager, this wasn't even at a recruiter level. I interviewed a person and then she moved on and she interviewed with some of the people on my team, and she didn't like one of the answers she gave them in this technical interview. So she immediately left after that interview, went and recorded a YouTube video where she explained the concept in detail, talked about how to remediate it and so forth. And then she emailed that video link to not only the two people she interviewed with, but to me and the recruiter as well. It makes you memorable; that's something that stands out. So what I tell people, I borrow a phrase from a colleague of mine, Phil Gerbyshak, who speaks all about personal branding: What's your weird? Figure out that thing about you that makes you unique, it may not be security related at all, and highlight that in your resume on it, something that makes you very unique from everybody else. Hey, I mean, for me it's the fact that I bought my first computer when I was 12 years old. I was 12 years and I saved up money with a paper route and I bought a computer. How many people do you know that we did that, especially back in the late 80s when I grew up? Yes, I'm that old. So, put those unique stories out there. That's the thing that when recruiters read through that, they see that, they're like, oh hey, this is memorable. That's something that sticks in their head and they're like, this is someone I want to know more about, and they'll get in touch with you.
Link everything to those requirements. Now we talked about tailoring your resume already; this is that same thing. If you're talking to them, do the same. So you've gotten past maybe that resume, you've gotten that initial HR screening call now. Talk to them, but make sure everything that you're talking about, that you somehow link it back to their requirements.
And then finally this one, I can't believe I have to tell you this, but unfortunately as I talked to recruiters all the time they tell me this is one of the biggest problems. It's not responsive. If a recruiter contacts you and says, hey, I'd like to schedule a screening interview, respond back. Respond back as quick as you can. Now sometimes we're out on vacation, we're not checking emails, great, but make sure you're using an email that you check often and respond to them quickly. Nothing is more frustrating for a recruiter than when they see a candidate who they really like and they want to bring them in, and they try to get in touch with them and they can't get that person to return their calls or return their emails. And this is a huge problem that stands in people's way. So we can do better.
Then finally, alright, so we did all that. We got through; the recruiter passed us on to the hiring manager; the hiring manager wants to know more about us. How do I win over the hiring manager? This is where things are crucial. This first of all is where you've got the opportunity. We're no longer talking about resume at the point they call you in for an interview. It's not about your resume anymore; it's about you and what do you do. And in that survey, when I talked to hiring managers, the last question I asked them on the survey was, what's one piece of advice you would give to people looking to get their first job in security? It's the single most common theme throughout all the thousand answers that I got. They all related back to passion. The vast majority. And you see some of the direct quotes here. How do you share your passion? Be excited about the things that you're talking about. If you built that blog. If you've suggested. Talk about it; that shows you have passion. That's something that's completely voluntary that you chose to do on your own, or if you created a bunch of videos, that's something you chose to do on your own.
If you went, you engaged in labs and other things. That's all stuff that shows you have a passion for security. Make sure you share that when you're talking with the hiring manager.
I want to share this with you. So I told you I host this podcast, and one of the people we had on was MalwareJake, Jake Williams, and he shared with us something that I thought was absolutely incredible advice. Here's how you refine your resume to sell yourself. First, write up a resume. Take what I told you so far, create a resume. Then I want you to completely separately prepare a one to two minute elevator pitch. You're going to sell yourself in two minutes: tell somebody why they should hire you, what it is that you're going to do to make their business better, what it is that you're going to do to make their department stronger. Now go and find those things in your resume. If you can't find those elements in your resume, get revising. Figure out how you're going to add those elements to your resume to hit those things that are a part of what you said were most important, because that's what you squeezed into that two minute elevator pitch. This is such a great idea. If you can do this with your resume, your resume is going to be so much stronger, and then now you can carry through that narrative that you told me, that one to two minute elevator pitch. That becomes the theme for every interview that you have after that. Make them know why it is that they want to hire you.
So let's go back to our barista then. We're going to tie things all together here now. So how do I revise that resume? Say I'm entry level, I don't have a lot of experience. Well, let's understand first technical capabilities, and when I say technical capabilities I'm talking about those things that ultimately show up as requirements. There's kind of three levels that you can have here. You can have knowledge, and knowledge is just, hey, I read a book, I did some training.
I investigated, researched, studied this somehow. Here it is. I have knowledge of this area. Sometimes for certain things that might be all you need. But more often than not people want you to have skill. And when I say skill, what we're referring to in skills is that you've actually taken that knowledge and applied it in some way. Maybe you did a lab, maybe you worked in a CTF, or you went to a village or some other hands on training somewhere where you actually got to do application of that knowledge into the actual technology. You got to apply it somehow; that is a skill. That's, we're kind of, as you see, going from good, better, best here, so you've got knowledge and skill. The last one is experience. And this is the coup de grâce, right, this is what employers tell us they want all the time: they want to know that you have experience. And when they say experience they're talking about that you have some kind of formal documented examples of applying that skill in a real life, most often business, scenario. So understanding, making an inventory of your capabilities technically and understanding are they knowledge, are they skills, are they experience, and to what level of each, is so crucial. This is back to working on you again and talking about how you can be better.
And then finally I want to talk about this idea of core skills. Now that you know what those capabilities are, your core skills are the transferable elements of those that you can take from one capability and apply it to any capability. And any technology anywhere. So if I look at my barista, they start off with, well, they make coffee beverages. Well, really, if I break that down, here's a lot of the steps they did: they received orders, they prepared according to recipes, they delivered to the customers, and they had to clean the equipment. But that's still shades of a barista, so how do I take it further? They processed multiple inputs, they translated inputs into tasks and prioritized them for maximum efficiency.
And they were always focused on efficient delivery to the customer, and throughout all that they had to plan and execute maintenance activities. These are general words that can apply to any job anywhere. And when you can now take and view your skills in that light, you can take those requirements that they're asking for, understand the core skills behind those. Take your own core skills, tie them together. And now you can see how you can easily word your resume to highlight the skills and experiences that you have from your job to fit into that job that you are applying for. And this is where the rubber really meets the road. How do you take that simple role as a barista, where it seems so completely unconnected? And this is literally what I told that manager when he was complaining to me. I said, didn't they absorb all of this input from all these different areas and process it? Didn't they have to focus on how they were going to arrange those, and do it in an efficient manner so they could be most effective? What they always focused on customers, and the customer was what was most important, and yet throughout all of that they had to plan and execute maintenance activities. And you started to look at me. I said, isn't that exactly what you want your SOC analysts to be able to do? That barista would be perfectly qualified to be a SOC analyst in light of the fact that they have the other knowledge that you asked for. They may not have the experience, but they have the knowledge. So look to highlight these on your resume, in your discussions in those interviews, as you're blogging, as you're making videos; tie these things together.
And then last, I'm going to leave you with this quote from Ella Fitzgerald. Just don't give up. Whatever it is. Don't give up. This is tough. I'm not going to say the security industry is perfect; we've got a lot of do a lot of work to do from the industry side to make things better for those that we're trying to bring into the industry.
Keep working. Use your network, find mentors who can help you, leverage your connections and foster those relationships, because they're going to help you get there. So finally, I can be one of those people for you and I'm always happy to. Find me on social media. You've got my Twitter handle, my LinkedIn address there; you've also got the link to my website, which includes my blog and lots of other information, so please continue to reach out to me, reach out to others. If I can't help you I will find somebody to connect you with, or I will put the call out to the world and to my network and find you somebody who can help you with what you need. So with that I want to say thank you so much to everybody who's attended today. Thank you Snyk, my employer, for allowing me to be here today. Thank you to DEF CON and the DEF CON career hacking village. I'm so excited to be a part of the inaugural version of this; that is so cool. And I hope you all enjoy the rest of the conference. I know it's a weird world out there; we'll get back to the real things soon enough, but enjoy this virtual experience and make the most of it. This is where you're going to learn so many things, and I hope to see you soon.
That was just absolutely, excuse me, absolutely awesome. I hope you saw me doing thumbs up and being excited. I hit so many points 20 years in the recruitment industry, and I am so glad you pointed everything out, listed some of the key things, listed a lot of the key things that job seekers really need, and sort of gave a little bit of a back slap to those employers who really need to change their job descriptions. That's something I've been trying to do for 20 years and I think it will take all of us to do that.
Thank you so much for all of your great input, for doing the great survey, and I know that you've also made yourself available for career coaching through the village, and we really appreciate that. So definitely connect with the community, and we will be back with another session shortly. Bye bye.