Gaining a Foothold: Transitioning into a Penetration Testing Career
Penetration testing is an exciting career field with numerous projected growth opportunities. However, transitioning into this field can be intimidating—particularly when your previous skills and abilities are not always aligned well with specific job descriptions. But with proper preparation and planning, it is possible to make a successful career transition into penetration testing.
This blog post breaks down the career transition process into 3 phases: preparing to apply, making the shift, and surviving the first 6 months after gaining employment. I will provide techniques, advice, and recommendations throughout.
Phase 1 begins when you decide to become a penetration tester, and the length of this phase can vary widely. This is because your previous work experience, technical aptitude, and time available for preparation activities will all impact the time needed to meet the objectives of this phase. While you will likely want to start early, I recommend that you begin this phase no later than 3 months before you intend to begin applying for penetration testing positions.
You should accomplish 3 key objectives during this phase. The first one is to complete a skill inventory. Put simply, this is a list of professional experiences, education, and skills. This skill inventory is an important step in identifying where you should focus your efforts in order to gain the skills and knowledge required to become a penetration tester. You can complete a skill inventory in 3 steps:
Figure 1: Sample Technical Skill Inventory
Figure 2: Sample Soft Skill Inventory
Once you’ve completed your skill inventory and understand your skill and knowledge gaps, you are ready to address the second objective of the preparation phase—developing any skills you lack. Training resources for penetration testers have become more widespread. Whether you prefer books, YouTube videos, or formal training courses, there are multiple options available to help you develop necessary skills. I’ve compiled a list of recommended resources used by myself and my colleagues to help you get started.
At some point in your learning, you should take a course to pursue a penetration testing certification. Employers often value applicants with certifications. This is because, unlike many other IT certifications, penetration testing certifications typically include a practical, hands-on component to validate that you can successfully enumerate and attack vulnerable hosts. Based on your personal preference and career goals, you can pursue any of the commonly known and accepted certifications.
To develop any skills you are lacking, you should also build some experience using the tools, techniques, and procedures (TTPs) that you have learned about in theory and practice. This knowledge will help you demonstrate to potential employers that you not only learned the necessary material of “what” adversaries do, but that you also developed a deeper understanding of attack methodologies and “how” adversaries pursue their objectives. Numerous training platforms host “capture the flag” exercises, where users can safely attack vulnerable machines to develop skills and build experience. Most of these platforms have both free and paid tiers with flexible learning options. I recommend subscribing to one or more training platforms and working through a variety of challenge types to gain a broad understanding of the various attack methodologies and technologies leveraged by both adversaries and penetration testers. Keep track of the number of challenges solved on each platform, as this will be helpful in phase 2.
The final objective of the preparation phase is to refine your personal brand. If you are transitioning from a non-IT career field, then your personal brand and social media presence are likely tailored to your current career field. To assist in the transition, it is important to shape your brand to demonstrate your interest in cybersecurity and to make network connections in the field.
Refining your personal brand requires effort, but you can achieve this by focusing on 3 aspects. First, you need to expand your current professional network to include cybersecurity professionals and penetration testers. Networking can feel intimidating. But, luckily, a lot of us in the penetration testing field have been in this transitional position and are eager to help forge a path for others. If you make your intentions known, plenty of individuals are more than willing to connect and assist you on your journey. Some good ways to meaningfully expand your network include attending industry conferences, joining online groups and message boards, and connecting with individuals on social media. Ideally, you can develop mentor relationships with penetration testers and have at least one trusted advisor to discuss your training and certification plans with.
Finally, you will want to craft your personal narrative. This includes creating and practicing your “elevator pitch,” as well as developing 2-3 stories from your previous work experiences that you can use to demonstrate your interest in the field. These stories do not have to be overly complex. But they can help you curate your social media messages and create ice-breaking discussions as you expand your professional network.
The execution phase begins approximately 3 months before your desired start date and continues until you accept an employment offer. The primary activities during this phase include reshaping your resume, applying for positions, and conducting interviews with potential employers.
The first step is to reframe your resume to appeal to potential employers. If you are pursuing a career transition, then you likely already have a strong resume suited to your current field. Your goal is twofold. First, highlight the skills required for pen testing that you already possess, which you identified in your skill inventory. For me, this primarily included soft skills that I developed during my previous career path, such as communication, collaboration, and time management. These skills are your value proposition to a potential employer, and they will set you apart from recent college graduates who have not yet had the opportunities to develop and refine these skills. Second, provide details on the training, certification, and experience building that you conducted during phase 1. Once you feel that your resume is ready, send it to a mentor—preferably in cybersecurity—to get feedback. This will help to ensure that you have accurately conveyed the above items, caught any errors, and gained insight into how potential hiring managers will interpret your resume.
Once you have prepared your resume, you are ready to apply for positions. You should start applying approximately 8 weeks before your desired start date. This reduces the likelihood of hiring managers passing over you because your availability date is too far into the future, and it leaves ample time for the hiring process to unfold. It is important to tailor your resume for each application that you submit. Begin by reviewing the position listing carefully—identifying specific keywords, technologies, and desired skills. You can then revise your resume to highlight your skills and experiences that are most relevant to each specific role. This will help your application stand out in application tracking systems and increase your chances of being invited for an interview.
The final activity in phase 2 is interviewing for desired positions. As someone with significant previous work experience, this is your chance to distinguish yourself from entry-level applicants. When interviewing, you should be honest and humble about your technical abilities. Be sure to discuss transferable skills and how your previous work and life experience will prove beneficial in the position you are applying for. Interviews are a great time to share the stories that you developed when refining your personal brand. Finally, take some time to prepare before each interview. Most technical jobs will require several rounds of interviews. You should know who will be interviewing you and prepare accordingly. It is also important to plan your responses to common interview questions ahead of time.
Your transition into penetration testing does not end when you begin your first job in the field. There is a considerable amount of self-reflection, change, and growth required to ensure your success as a penetration tester. Below are recommendations for what you should both do and avoid as you prepare for your first 6 months:
Transitioning into a new career is a journey that requires dedication and perseverance. Penetration testing is a dynamic and rewarding field with significant career opportunities, making it an excellent choice for a second career. By following the 3 phases outlined in this article, you can pave the way for a successful and rewarding career as a penetration tester. Happy (ethical!) hacking!