About This Episode
In this episode, we’re going to learn how one person was able to overcome the catch-22 of getting a cybersecurity job when you don’t have experience, but you cannot get experience because no one will hire you.
Our guest, Ed Skipka, a professional vulnerability management analyst, shares his personal experience of how he overcame this catch-22 and provides some great recommendations for others who find themselves in this same position.
So, how does someone get the position if you didn’t already have experience?
During the interview, Ed answers this by talking about how he landed that first IT job. Many of our listeners struggle with getting their first job, and hearing how others have navigated this challenge in the hiring process can help you get some ideas that you can apply to your own job search.
Ed shares his certification experience and the different positions he chose in order to land his first “real” cybersecurity role. Ed went from zero experience and working in a bike shop to being a vulnerability management analyst in 18 months. His story shows that you can break through the catch-22 through certifications, networking, and your own personal ambition.
Ed also talks about how he wanted to move up within his current company, but when there were no roles for him there he didn’t give up and landed a position at a new company.
The moral of Ed’s story is that even if you are “just” working a field service role, you never know where your NEXT role is going to come from, so always impress your bosses, your customers, and those you interact with daily. Network, network, network.
Speaker 1:
Welcome to Your Cyber Path, the podcast that helps you get your dream cyber security job by sharing the secrets of experienced hiring managers and top cyber security professionals with you. Now, onto the show.
Kip:
Today we’re going to learn how our guest overcame this catch-22 that a lot of us have either faced ourselves or have heard people talk about, which is I can’t get a job that requires experience if no one will hire me so I can get experience. Right. So it’s a really common issue in the cyber security career field for people who are just starting out. But our guest actually busted right through that and we were inspired when we heard about his story, so we wanted to make sure that he would share his secret weapon with you, folks in our audience, and we’re going to unpack his secret weapon. We’re going to learn how he did this. And we’re going to talk about how you can do this, too. It may be a secret right now, but it’s not going to be a secret by the time this episode is done.
Our guest today is Ed Skipka, and today he’s working as a vulnerability management analyst. And in general, Ed’s a technologist. What I would call a gadgeteer, both in technology and both also in the kitchen, is what he was telling us a little earlier, so that’s interesting. Maybe we’ll learn a little bit more about what Ed likes to cook or bake. But let’s get right into the subject here. So Ed, would you tell us a little bit about your first IT job, how you got that position. And if you didn’t have any experience, right, in your first IT job, how did you get over that hurdle?
Ed:
So my first IT job was a tier 2 job for the government. So anybody who’s got a problem, you’re there replacing software, hardware. The big catch-22 like you said, it’s like I had a friend. And I call myself incredibly lucky. Living on Oahu, there’s a lot of contracts around and I knew a few people. But they gave me a chance. That’s what they said, they said, “And you look for that one person to give you a chance and to endear yourself to that person that will give you a chance.” I got an interview and they said, “Hey, you have a background. You already have a bachelor’s. You have no IT experience whatsoever. We tell you can learn things, you can pick things up quickly. And if you can find a subcontractor to our contract, hey, we’ll give you a chance. But you’ve got to do that and you’ve got to get your SEC+.”
So they knew I was a straight and narrow guy who could learn. They liked me in the room, that’s always generally good. They said, “Find a subcontractor, get your SEC+ and we’ll give you a shot. You have a 90-day probationary period. You’re going to do what you’re going to do with that.” So I talked to some people. I found a subcontractor. We went through kind of my resume. I was coming from an educational background. I actually went to Berklee College of Music for music education. So I had a bachelor’s, but no certs whatsoever. I didn’t have A+, Network+, SEC+. But I had a degree and a passion for it. So talked to that person, they said, “Hey, we’ll get you on the path for whatever you need for the backend of government work and you’ve got to get that SEC+.”
So that’s when I started, and Jason’s classes really helped me a lot. You’ve got to get that SEC+ by this date, and I did that and they gave us a chance. And you quickly find out that Googling is one of the skills that you have to learn very quickly. But that’s how I got that first job. I had someone that gave me a chance and I had a little bit of a background and I could show that I could learn, I could pick things up quickly. And that I was willing to do so. Not, “Hey, I want this job, this is what I’m looking to get paid to do it.” It’s, I have an ability to learn. I want to learn. I’m here. I’m a sponge. And I’m ready for it. That’s how it all started.
Jason:
So you said you had a degree. The degree is in music education, right? So it wasn’t IT related at all, necessarily, right?
Ed:
Not whatsoever. I mean, Berklee has a pretty good technology slant, so we were using GarageBand and Sibelius and just generally Mac based products, the platform, as opposed to Windows. So I actually went into this Windows field service position, daily driving a Mac with an iPhone and Apple TV, not knowing what a CAC reader is, common access card reader was. I was like, “They’re going to fire me. I don’t even know how to sign in with this freaking ActivClient thing, whatever that is, I don’t know.” So I had to learn very quickly. But yeah, I just had to show that I had the ability to learn, that I have learned things in the past. But I wanted to learn a lot more. And they really liked that, at least.
Jason:
Awesome. Yeah. The other thing is, I know you mentioned tier 2 field services. I just want to clarify what that is for the audience, because I know the tier 2 depends on where you work. I’ve done a lot of work in the government sector. So when I hear tier 2 field services, I’m thinking about the guy who’s coming out and replacing my monitor, taking away my mouse or keyboard when they don’t work. Anytime the computer, and I called the help desk and they can’t reach out over the network and fix it, they send out a tier 2 field services person to do that work locally. So I’m assuming that’s what you were doing, right?
Ed:
Right. Right. So yeah, tier 1 is your help desk. They call in, “Hey, password reset.” Just smaller things that you can’t physically be on premises. If you’re tier 1, it gets escalated up to tier 2. So we would actually drive our own vehicles, good thing we got mileage. To these various buildings around Oahu on various military bases. And we had to set up the calls and we had to set our own schedule. So we had tickets that would come in and we would organize our day however we wanted, whether that worked or not. And we would go there and say, “Hey, I have a general idea of what’s going on. Let’s try to figure this out. And yes, we need a new motherboard. We need a new mouse. Hey, there’s a corrupt package within Adobe,” or something like that. Or, “Hey, you don’t have Adobe. We’ve got to talk to somebody, see if we can get that installed for you.” That would be the tier 2 side of that.
Jason:
Awesome. And because you’re working on the military side, I’m assuming you had to have some form of security clearance to be able to do this work. Did you have a clearance before getting this job or is that something you got sponsored for once you got this position?
Ed:
That is a huge hurdle for a lot of people. I did not have a clearance whatsoever. I was kind of adjacent to the military, but I did not personally have a clearance. That was the thing, finding someone to take a chance for the level of clearance that you’re going for. There are various levels, and various levels are harder to get. So depending on your qualifications, if you have a degree or certifications, that’s going to work in your favor to see… It’s all about risk management.
And someone needs to look at you and go, “This person looks like they are a good person, but I want to hire them and I don’t want to look bad on me.” Because these are recruiters. And these are people, program managers that are looking to make themselves look good as well as give you a job. Because they’re trying to fill a billet. So yeah, someone took a chance on me and said, “If you get a SEC+ by this date, I will sponsor your clearance.” And I was able to do that through my various training online, through Udemy and all those things. And yeah, that whole process had to kick off and it was fairly rigorous.
Jason:
Yeah. The reason I bring that up is because I hear from a lot of people, right, that the two things that hold them back is either they don’t have the experience and they can’t get the experience because they don’t have a job, which we’re talking about here. But also, especially in the world of DOD and military contracting, where if you don’t have a clearance nobody’s going to hire you. And that’s not true. There are people who will take a chance on you. But it is harder than if you already had a clearance, then it would be a lot easier to bring you in. So in your case it really sounds like you made an impression on somebody and they were willing to take that chance on you. And so, a lot of that goes into soft skills which is something that a lot of people in our world don’t think about, but is so important in the hiring process, I think.
Ed:
Oh, 100%. And program managers and recruiters alike, they keep telling me, “We like talking to you. Your soft skills are pretty good.” And coming from a music background, I’m thankful. Coming from an education background, you’ve got to be able to connect with people and talk to people and have a little bit of an emotional IQ to kind of read beyond the headline and see, “Okay, what does this person want? And what kind of person are they?” And then you kind of, you have to talk to them. Everybody’s different and everybody wants to feel valued. So if you go in there and say, “Hey, I want a job.” And you have no qualifications, well, you better be a pretty nice person. Or have something going for you. If you’ve nothing going for you, no one’s going to just come over and hand you a job.
But you can play up those soft skills. And, hey, if you’re a pleasant person to be around and you show that you really want to be there, you want to learn and you have the ability to learn, people are more apt to give you a chance. Because you feel like, oh well, I know Linux backwards and forwards. But no one wants to be around you, no one’s going to want to work with you, especially if you don’t have experience. So you’ve got to at least break through that first job before you can get cloistered in your closet with all the servers and stuff.
Kip:
Yeah. There’s a saying that I think you are talking about, and I want to bring this out for people because I think it’s something that you can remember. It’s a little mnemonic that you keep in your mind. And so, what Ed’s talking about is that, he allowed people to know him, to get to like him. And then from that came trust. Okay? So people want to do business with people that they know, like and trust. And that’s really what that social glue there is. Right. When we talk about soft skills, that’s really the goal, right. To let people get to know you. Hopefully they’ll like you. And then they’ll begin to trust you. Now another thing, Ed, that you did that I think is fantastic is you just, you brought a hungriness to learn. And there’s a little term that I use for that as well, and I call those folks infinite learners.
So there’s a curiosity that just never ends, and you demonstrate that curiosity to the people that you’re allowing to get to know you so that they’ll like you and so that they’ll trust you. Man, I mean, just so far, we’ve just started this episode but already, Ed, you’re helping people really understand what we really mean by soft skills. And how soft skills can actually overcome all kinds of hurdles that hard skills, the lack of hard skills, would potentially stop you. So this is absolutely fantastic. I want to back up for a moment, because I want to make sure that from a career progression point of view that we’re really, really clear. So you came out of school. You studied music and you worked in education. And I think I saw on your LinkedIn profile that you were even working in a bike shop for a while, is that right?
Ed:
Oh yeah. Yeah. So Berklee is in Boston, so I was an avid cyclist. I did various charity rides for the MS150, for raising awareness and money for multiple sclerosis. And that was a big part of my life. Cycling was great. So I was like, I was working in some restaurants and I was like, “I want to get to a more healthy spot.” So that I started working at the bike shop. And that was, I started right near the end of my college into a year or so afterwards, and it was a passion. And if I’m honest, it also didn’t help or didn’t hurt that I got half off most of the bike parts, stuff.
Kip:
Thank you for my paycheck, go put it in the cash register.
Ed:
It would be like that too, like, “Do you want this direct deferred to your tab that you have over here, your lay-aways?” I do have a bike that I can’t afford, but was able to afford because I worked at a bike shop. But yeah, working in, that was sales. But also some backend management and stuff like that. And you have to get to know people, what they need, what are they looking for. There were a lot of students. Boston is a huge college town. So “Hey, do you need a commuter? Are you looking to have a road bike?” You had to find the requirements this person needed. But yeah, that was a progression through school and then had the sales job. And then just some odd jobs here and there until that first IT job.
Kip:
I think that’s fantastic. I think that people in the audience, they might be thinking like, “Well, I’ve never had an IT job.” Right. “I’ve had this job and I’ve had that job.” And they might be feeling like, “I’m so far away from that cyber security job that I want so badly. I don’t even have an undergraduate degree in technology. How will I ever make this happen?” And I just wanted to take a moment so that people could see, guess what, Ed, just came from a place like that. Right. Where he didn’t have that deep technology background, and he worked in a bike shop and he studied music, but now look at him. Look where he’s been able to get to.
And it’s really that transition that you’ve made that I think we really want to focus on here, because I really want to encourage people. I’m really glad you’re here, Ed, because I want to celebrate what you’ve done because I think it’s fantastic. But also, I want other people to get inspired by what you’ve done because I think you’ve set a fantastic example. So then you go from the bike shop and then in the story that you were just telling, you were a second-tier support tech, is that right?
Ed:
Yup.
Kip:
Okay, got it. All right. Now, so you’re a second tier support tech. You’re learning the technology. Right? You’re fighting the imposter syndrome.
Ed:
Oh, yes.
Kip:
Any minute they’re going to know that I don’t know what I’m doing and I’m going to get fired, right. That’s imposter syndrome raging its ugly head. And you fought through that. And then you were able to make the leap into cyber security. But before we talk about that, I want to ask you a couple things. So first of all, how did you manage those thoughts of doubt that were just pinging around in your head?
Ed:
I’ve always been someone that doesn’t want to disappoint, and I want to do the best I can. And I take pride in everything I do whether it’s mowing the lawn or setting up an infrastructure of some sort. I take pride in pretty much everything I do. So that was the driving factor is, I don’t want to let these people down. I don’t think I lucked into it, or it was like I had something. I was presenting something to these people. So it wasn’t like I didn’t deserve to be there. But it was more of, okay, I’ve been given a chance and I need to earn my salt a bit here. And that’s what helped me push through, was I want to be here, I want to continue to be here. It’s a good environment. Obviously, the pay was pretty good at the time. So it was like, “I want to stay here as long as I can and do whatever I need to do to stay in this seat.” And that’s what pushed me through.
Jason:
So how long did you stay in that tier 2 support role? Because we’re not really in the cyber security job yet. We’re doing more of IT tech support here. So how long were you in that role?
Ed:
I was in that role in various ways for one year 10 months, so just shy of two years. But the way they did it, the turnover was so great. And that’s why I found an in, was because these support things, people go to these things and they use it as a stepping stone to get that clearance, to go to the next job, whatever. So the rollover was every three, six months we would have new people or a lot of new people after the first bit. So I was trained in various different areas. So I was started off just doing hardware software, and then I was working in a specific area within one of the bases. And then I was learning voice over IP stuff. VTC, video teleconference. So they were just cross-training me left and right.
And then eventually, in the same position, I learned a little bit of sys admin things. So Windows sys admin. So setting up accounts, enabling accounts within Active Directory. Setting up phones within unified endpoint manager, that type of stuff. The rigamarole that keeps the grease on the tracks. They cross-trained me in everything, so it really was not just, hey, you’re going to go and replace a mouse or something like that, or replace the modem. I got trained in all these different things and that was why it was so great. But yeah, I was there for a year and 10 months, and my job title and area changed maybe 10, 11 times.
And you might find that, you might not. It really depends on your environment. What they’re going to do for you and what… You might be doing just one thing, but I know we had so many people leaving or some people stayed that you can’t have single points of failure. So Ed, knows how to learn. And I got myself not in trouble for that, but no one else wanted to do it, so I learned it and then they actually needed me. And I was like, “Ah man, I have to do this thing, this thing and that thing.” And it came to the point where I was taking care of… We were in zones, so we were broken up in zones. And I was the remote tech, so I had 12 to 13 remote sites all along Oahu. And my mileage actually became a secondary income at that point. Getting that 53 cents a mile, because I was driving five, 600 miles at least for my job alone a month.
Kip:
Wow.
Ed:
So I was all over, and I built up to that. So I started smaller and then they cross-trained me in sys admin and then we had MAC tickets: move, add, change. So I was dealing with customers and then I was dealing with kind of managers, and then I was dealing with the customer technical representatives. So at higher level, I’m like, “Hey, here’s some change management.” So I was lucky that I got into that type of area, but I also sought those opportunities out, and that’s why I got that cross-training. It was like, “Oh, I’ll learn Active Directory, or I’ll learn to set up a fricking iPhone and shut off the microphone on that thing.” Okay. And then they were happy to teach me, because they needed someone to do it.
Jason:
Yeah. I think that’s the important thing, because your willingness to learn allows you to cross train. And by cross-training, you got this bigger broader skill set. But also, because of the position you were in being a tier 2 field service guy, you’re driving all over the island, which means you’re interacting with a lot of people and that helps you build your network even more because that’s where you relied to get into the first job was building your network of people. So I guess that’s how that led to your second job, right?
Ed:
Yeah. So the current job I’m in right now is my third job. So my second job was actually as more of a watch officer, operations type thing where it was a total culture and… It was within an operations, security, a NOSC, so a network operations security center. And it really was adjacent to cyber, so I really wanted to be in cyber and I talked to my contract. So I didn’t move into the second job with my current or my previous contract. I was like, “You know I want cyber. You know I’m hungry for it. I’m going for these certs. I want to get to the next level.” So they’re like, “We’ll get you in a spot that there’s a lot of cyber going on and then if positions open up we can just roll you over,” because we want to get your face in front of them so it’s not just, “Hey, I got this guy that wants to be in cyber, we can roll him over.”
So that second job, yeah, you’re just monitoring maintenance. You’re a benevolent overlord of just pushing messages from one place to another. It was very administrative, but you got to see the operations side of it, which was great. You’re at a 5,000 foot view where before I was on the ground with the users. So that was valuable in that way, for that second job.
Jason:
And even though it wasn’t the ideal job that you wanted in cyber, it got you closer, right? So you took another step closer. You went from IT field services to this watch position, which got you closer to cyber. And then that was able to be leveraged into your third position, right?
Ed:
Yeah. So by proximity and also I took it because there was a lot of downtime. And it was explained to me, hey, it was shift work. And it was four, 10 hour shifts. But really you’re probably only going to be working two, three hours. So I did take that with that in consideration. Because I had anywhere from two hours to four hours per shift, per day that I could study. And we had TVs, so there would have been the temptation to, “Hey, let’s watch TV, watch some DVDs and some Game of Thrones,” whatever. And I did do that sometimes, but a lot of the time I was studying. And this is the time where I actually went back to school. Currently in Western Governors University, WGU, because of the certs. Because I was cert hungry again. I’m like, “Listen, I don’t have the experience. I can work on my degree, but also work on my certs.” And I just worked on certs and certs and certs.
So to kind of reverse, I had to get that SEC+ for my first job. And I was like, the imposter syndrome was creeping up and I’m like, “I’ve got to fill in some gaps.” So I actually did go back and I got my Network+, and my A+. And truth be told, the A+ was actually one of the harder tests. It wasn’t necessarily that everything was tough in itself, it was just that you had to memorize so much. What’s the capacity of a dual layered DVD and SO-DIMMs, and stuff like that. So if you’re studying A+, and you’re like, well, this is this and the SEC+ is insurmountable. I’ll say, they both have their challenges for different reasons, and they’re all valuable. So if you get the SEC+ or Network+ or A+, you can always go back. You should never feel bad for knowing more.
So I did go back and I got those, and I got the ITIL four foundations and that rolled me over to my second job. And there I just, I cranked out the CYSA in about six weeks and then I did the PenTest+ after that. And then I started working on (ISC)2, ISCP after that. So in five months I was able to get all three of those, then I started working on my next one. So I use that second job as, hey, you’re paying me to study. I have down time. And if you have down time, you can make that what you will. And I was able to get five classes out of the way and three certs under my belt. And that extremely helped me.
Kip:
That’s great. One of the things I like about the way you did that, Ed, is first of all, you didn’t give into the temptation to just watch television and goof off. I mean, a certain amount of that’s perfectly fine. Right? But you took the vast majority of that time and you invested in yourself. The other thing I like about what I heard is you didn’t collect certifications just because you felt like, “Well, I need to boost my resume. So I’m just going to go get a bunch of certifications to make my resume look better or whatever.” You did it because you had a specific goal for yourself, which is, I want to fill in some gaps that I have in my knowledge because I want to be more useful. I want to be able to solve more problems.
So certification for you, was a way to become more educated about what it is that you were doing. And I think that’s a much healthier attitude about certifications in general than what I sometimes see is people collect certs like Pokemon cards. And they just do whatever they have to do to pass the test, but they really don’t retain much or maybe anything that they learned. And so, what I tell people is like, “Look, I’d much rather see you go out and volunteer and learn by volunteering. Than to go take a bunch of certs just because you think that’s going to help you get a job, and it’s really not.”
In fact, that can backfire on you. If you get too many certs, and you throw them all in your resume, then a hiring manager could look at that and go, “Uh, I don’t know what to do with this person, because they’re all over the place. I don’t see any focus here. And they just seem to be valuing certifications too much.” And it would just make me wonder, what was their real motivation for going off and doing all that? So anyway, just wanted to point out and commend you for that attitude. And just help our audience really understand, why was it that you went off and did those certifications. And I think that’s fantastic, Ed.
Jason:
Yeah. I think the other piece of that is, Ed had said that he went to Western Governors University. So for those that don’t know Western Governors University, is a school in the United States. It’s one of the accredited colleges and it is a distance learning school. And a lot of their courses line up directly with the different certifications. So for instance, I know they have a course that covers service management, which is ITIL 4 Foundation certification. They have one in cyber security, which is the Security+. They have another one for Network+. They have another one for A+, part one and part two. And so as you’re going through that degree program to get your bachelor’s degree inside of cyber security, you’re also collecting a bunch of these certs or have the opportunity to collect those certs.
The curriculum is based on the certifications, but you don’t necessarily have to take the test or that certification. But while you’re studying, you might as well, so you have it on your resume if you need it. Or you can add or remove it as you need to based on the jobs you’re applying for. And again, Ed, is in this defense contracting world where certifications based on the 8570 requirements are actually critical to you getting certain jobs, like you mentioned earlier. He wouldn’t have gotten that first job without a Security+, because that was a contractual requirement they had.
Ed:
[crosstalk] 100% in the
Kip:
Yeah. That’s great.
Ed:
Yeah. So I’m glad you brought up the DoD requirements because they all have an overlap. So if you’re like, “I’m going to just certified blast this and they all fulfill the same requirement.” Well, maybe that time could be spent elsewhere. So I got the CYSA and the PenTest and those extended the SEC+. But if you’re not looking to go much past SEC+, maybe you get into a lab environment, and you do volunteer. You do enrich yourself with your skills and hard skills other than certifications, because certification is a piece of paper that says, “Hey, on this day, I had this knowledge.” And that is good. But once you meet that requirement, you have to have the diminishing returns of, “Okay, I don’t need three of these that fulfill the same requirement.”
Kip:
Definitely. So that brings up to your third position, right? So you went from your watch floor that you were working on. So you went from the tier 2, doing field service. You went to the watch floor. You got some more certifications once working on your degree. And then you wanted to get into cyber. And a position, I guess, opened up that got you into your current job as a vulnerability analyst. Can you tell us about that transition?
Ed:
Sure. So I’m a bit of a squeaky wheel. And there is a fine line between being a squeaky wheel that gets the thing going or gets the grease. And there’s the squeaky wheel that gets removed. So you do have to find that balance. And that was one thing that was hammered in me at Berklee was networking. And everybody does it poorly when they first start out, where they just start conversations with people that really don’t want to talk to them. Or just don’t share the same interests. Like, “We’re networking. We’re networking.” And yeah, they never talk to people. But building relationships and building communication with these people over an extended period of time is how people get to know you. How people trust you. And they learn from you that, “Hey, maybe this is a person that I’ll want to hire one day.”
And I just wanted to keep myself in people’s heads. So I was in front of all these people that were program managers. And my current job, it was a customer. It was a person that I fixed their computers. I reimaged their computers at one point in time. And I worked on that base, so I had a reputation of good service management and providing a good service to them. It was a program manager. I didn’t know that at the time, and I wasn’t going at it… You don’t want to go at it with, “Hey, this person’s a program manager and I’m just going to talk their ear off about how great I am, or even how much I can provide to them.” You want to build a relationship. And you want these people to want you in the room. And there’s nothing worse than someone asking you for something all the time. So I spent my time that year and 10 months cultivating, but I didn’t stop. So anytime I got a cert, there was a blast email of five or six people like, “Hey, how was your trip to Vegas?” Say all this, whatever.
I kept up with people, in a respectful way. I wasn’t on their Facebooks or anything like that. But I would send out an official email, “Hey, I passed my PenTest and I’m really psyched about it. How are you doing?” It wasn’t, “Hey, I passed my PenTest, please give me a job.” I mean, I stopped just short of that. But I did keep up with people, so I was in their heads. So if a position did come up, it was, “Hey, who do we know that could possibly cover this gap? Who do we have on our shortlist?” And I put myself in front of those people. I kept myself in their head and I worked with the person that hired me for nine months on something. I started in my first job, into the second, into this job like, “Hey, what’s out there?” He would pitch some ideas. Some of them were the GS/GG. If you don’t know the government actual civilian government, and some things didn’t pan out. They had some people that were able to fill it with more experience.
But I didn’t give up. And there were times that you’re discouraged, and there was probably five or six positions that passed by that I didn’t get. And they are ones that it seemed like it was a done deal like, “Hey, I think you’d be great for this position, we’re going to bring you in.” And then the emails go dark for a month or two and you’re like, “Aw man, what did I do?” And you kind of internalize, and it’s very easy to do that. But I never thought I would give up, but it was discouraging. It was hard to kind of just persevering even though this seemed so, it was so hot and cold. Like, “Yeah, yeah, yeah, yeah.” And then it was just a flat no. And you have to not take that personally, because there’s reasons why people get chosen. It’s not because you’re a bad person or you weren’t qualified. It’s maybe someone had a different mojo or mix of things that got them that job, so.
Kip:
Yeah. And candidates, this is a wonderful point, and I just want to emphasize this. The information situation is so asymmetrical. Candidates know so little compared to what hiring managers know. Hiring managers know so much more and they can see things that the candidate could never see, just because of the position that they’re in. Right. So they see the shifting requirements for the job. They might post the job as one thing, but then halfway through the hiring process they realize, oh wow, we actually need to add cloud security into this job. Well, that wasn’t on there when you applied, and then they added it and then you didn’t have cloud security because that wasn’t something that you saw that you needed to put on your resume. And so, you tailored it and you didn’t put it on there. Maybe you don’t know anything about cloud security.
But anyway, you’re making a great point which is, people tend to take this stuff very personally. And I mean, I can see. I struggle with that too. But I think it’s really important to realize that there’s so much you don’t know. There’s so much that’s out of your control that you really need to remember that when you don’t get the answers you’re looking for or when somebody ghosts you. I know it does affect you personally, but you really need to try to not really dwell on that, that it must have been something you said or something you did or didn’t say. It usually has nothing to do with that stuff.
Jason:
Yeah. So I know Ed had mentioned also the GG and the GS positions, right, that he was trying to get into. That’s government civilian, where you actually work for the federal government and are hired by the federal government. If you’re interested in those jobs, you go to usajobs.gov and there’s a list of all of the ones across the entire world that are there and sponsored. Now, the challenge of those sometimes is that may be the best qualified, but you may not have the right hiring preference. So when it gets down to that final selection, we may have looked at that person. Let’s say we looked at Ed and Mary and Sue, and we looked at all of them and we said, “Oh, well, Ed’s maybe the most technically qualified, but Mary is a disabled veteran,” so she’s going to have a hiring preference over Ed. And I’m going to have to justify why I would choose her and why I would choose Ed instead.
And so, sometimes you’ll see people who may not be as technically adept or as technically qualified for a position get the job because of certain hiring practices within an organization. And the government is a great example of this because by law we have to give preference, and we give a certain amount of points of an additional advantage for anybody who’s a disabled veteran. Anybody who has spousal hiring preference. Because for instance, Ed is in Hawaii. If there is a military family that got moved to Hawaii, and the wife or husband used to work for the federal government and the other one was a service member, they have to give that spouse preference on hiring because the government just moved them to Hawaii and took her or him away from their job in D.C. for example.
And so, that may be a case where you applied and you may have been the best person. And that organization, you’re already there and they know you, they like you, they trust you, and they want to hire you. But they can’t because the other person has preference and they’re going to bump you out of that spot. So these are some of the things that happen behind the scenes and nobody would ever go, “Hey Ed, sorry you didn’t get that job because of spousal preference, or a disabled veteran got it,” or something like that. And you’ll never know that. But these are the things that do happen in the back side.
Ed:
Yeah. 100%.
Kip:
Yup. Anyway, so Ed, you were telling us really super insightful things that happened to you while you were making that last step into the cyber security role that you have now. And Jason and I totally hijacked what you were saying because-
Ed:
That’s fine.
Kip:
… we just couldn’t help ourselves. And that’s why we had you on the episode here, right, because there’s so many fantastic lessons in what you’ve been able to accomplish that we want to make sure that we’re sharing with our audience so that they can then become smarter and better at this. But just to recap, so Ed, you did what maybe we’d call a three-step. Because Jason, we often talk about that when you’re coming from a non-IT background, a two-step into a cyber security job is usually the right thing to do. In other words, you’re in the job that you’re in, then you move to an intermediate job and then you stay there for a year or two and then you move over to the cyber security job that you really want.
So Ed did a three-step, but it makes sense. Right. Based on your story, based on your location, the opportunities that were available to you, a three-step is what made sense. And I really also want to commend the work that you did to stay in touch with people, right. When you got a certification, you would just send them a message going, “Hey, how are you? I’m excited today because I just finished this certification.” You stayed in the front of their minds so that when the opportunity came, they thought of you because they’d heard from you recently, right?
Ed:
Mm-hmm (affirmative).
Kip:
Anyway, just want to commend you for that.
Ed:
I appreciate that. Yeah. I mean, the program manager that gave me my current job, I mean, like I said, we worked through several different positions. And we just found one that finally worked and he gave me a little bit of a leg up and I had access to some trainings and things for some DoD specific trainings for specific tools. So that’s something you might want to suss out from the job market as well is, what are we looking for? And there are some things that you have access to that you wouldn’t know, like working with certain scanning software and things like that. And then that’s what a hiring manager would be looking for. It’s not a CompTIA, (ISC)2, Axelos. There’re specific trainings of tools and you can… Maybe they need Splunk or Snort or these different SIEMs. And you wouldn’t know that from the job posting unless you kind of endear yourself to these people. And this our ideal candidate for the qualifications, but on the job this is the trainings you’re going to need. And someone that doesn’t have those isn’t going to look at good as the recruiters.
Jason:
Yeah. One of the things I took away from your story is that, you made these relationships over time. You were in a position that got you into these different offices and you were able to make relationships with people based on your reputation of being a good worker, a good tech. And people start saying, “Hey, this is somebody I want to work with. Somebody I like. Somebody I now know. Somebody I’m now trusting.” And so, by the time you got to your third position, this program manager was looking for a position to put you in because he knew he wanted to work with you. He just had to find the right job that he could match your resume against and be able to hire you into that position. And some people may say, that’s not fair, right? You got a leg up. You were able to bypass the hiring system. But honestly, this is how it works a lot of the time, because when we’re hiring somebody as hiring managers, we are taking a risk on bringing somebody on board. And it costs us tens of thousands of dollars if we make the wrong hire, because I may waste six months with you and then I have to get rid of you and find somebody else.
And that process is time consuming. It’s expensive. And when I don’t have somebody in the contract, I’m not getting reimbursed from the government. So I want to make sure I minimize my risk. And so, when I found somebody that happened to be in my office as a tech working and impressed me with their skill or the way they handle themselves or their customer service skills or whatever it is, that is somebody I now put on my shortlist that I want to find a way to get them into my company and be able to fill one of my positions. Because I know they’re going to last a long time. And so, I think a lot of people think that it’s this pure unbridled system that nobody has a leg up, but sometimes you can give yourself a leg up by making those relationships. And I think you did that really well. Even if you weren’t necessarily trying to do that on purpose, that’s kind of ended up where you were by making those relationships. It gave you that leg up.
Ed:
Yeah, 100%. And I almost didn’t get the job. My current job, I did a post-mortem once I got hired on. And he’s like, “Listen Ed, it was tough. And we had someone that had experience, six months to a year. And it was very tough. It came down to you and two other people of maybe 10, 12 that we sifted it down to.” And he told me, so this is secondhand from him, but he’s like, “Can Ed make up the difference?” And they said, this is not me gloating for myself. And he’s like, “I think Ed has the courage to make up that difference, and to be uncomfortable. And we liked the guy, we know this guy. We know this guy.” And they’re looking around the room and like, “This guy is good and he has the experience, but we know this guy.” So we’re like equal footing. And that’s the swap this variable for that thing, the tangible, intangible. And I’m glad you brought up the hiring manager thing, too. It’s like, you make a bad hire. And their boss and their boss’s boss sees that this person is a program manager and they had a bad hire. They’ve lost some intangible assets there where it’s like, the whole team loses that trust. And that’s what they’re hiring for.
And this one was a very good, and I’m glad it’s a team environment. It’s not just a job. And the people work as a team. And he was vetting for a team. So in that, I had a leg up because it wasn’t this monolithic SOC where they have 25 people and I need to fill five seats. It was a smaller kind of splinter group type, like five, six people that really needs to know their stuff. And they need to be able to work together. And that’s what they were hiring for is, okay. Given the skills, we know him. We think he would get along with everybody that would be there. He’s approachable, teachable. That’s what we need right now. If we give him a chance, because again, 90-day probationary period. We’re going to give them a chance. And that’s why we feel we can take a chance on him is because we know this guy, and he could possibly make up that difference. But also, that he works with the team that we currently have.
Kip:
Yeah. I mean, gosh, I tell people all the time when I’m hiring, I may be 60% soft skills and 40% hard skills. And I’ve just got my thumb on that. I want somebody that I know that I like, that I trust that will work with the team. That isn’t going to everybody off because they come in and they’re gruff and difficult to deal with. Right. That’s going to mess up my apple cart here, if I do that. And it’s especially bad if I have a false start where I hire somebody and they don’t work out and they leave in 90 days or six months or something like that. You’re absolutely right, Ed. The cost to a hiring manager in that situation is awful. The candidate had an awful time. The people on the team are having an awful time. Everybody loses when you have that false start, everybody loses. And it’s not just money. But yeah, that’s very perceptive of you. Okay. Listen, we’re almost out of time on this episode today. So I just want to give one final a little bit of time to Jason, and then we’ll go to you Ed before we wrap up. So any last words, Jason?
Jason:
Yeah, I think it’s important. A lot of new people in the cybersecurity field that are studying, they think technical is the most important thing. And just like Kip said, right? It’s more of a 60/40 split of non-tech versus tech. And some places it’s even 70/30. The reason for this is the fit in the organization. And the culture is so much more important. I can’t teach you how not to be a jerk, but I can teach you how to pass the Security+ exam. I can teach you how to pass your CISSP. I could teach you how to do log analysis. I could teach you how to use Splunk, but I can’t teach you how to be a nice person, right? That’s something you’ve developed over 30 or 40 years on this planet. And so, as a hiring manager, I’m looking for somebody who’s going to be a good fit culturally in my organization, primarily. And then those technical skills to back it up when all things else become equal.
Kip:
Yup. Thanks. Ed, last words.
Ed:
Last words I’d say, go to Jason’s courses. I think he does a good job. I think if you guys are going to do something together then, Kip and Jason, some of the best tests are out there that’ll help you out. But again, you can be discouraged. It’s fine. You can acknowledge that sometimes stuff is tough, but try to focus on the right things. Get the right certifications for the job that you want. And then just start making yourself valuable. And as, is said, 60/40 cross-training, is there something? Talk to people. Can I get cross-trained in this? Can I pick up these extra little skills? And then in doing that, endearing yourself to people and being a person people want to be around. You both you’re getting skills, and you’re getting your name in front of people. That may be down the line there could be a position, three degrees separated. “Hey, this guy, I know he’s a really good guy. You should give him a shot.” Word travels fast if you’re a good worker and you know where to focus and people want to be around you, people will want to be around you. So just seek to be valuable and seek to be teachable. And I’d say never stop learning, no matter where you are, if you have a CISSP or beyond, pick up some courses. Never stop learning, and never stop making yourself valuable.
Kip:
Ed Skipka, thank you so much for being our guest today.
Ed:
Glad to be here.
Speaker 1:
Thank you for listening to this week’s episode of Your Cyber Path. Don’t miss an episode, press the subscribe button now. If you would like to learn more about how to get your dream cybersecurity job, then be sure to visit yourcyberpath.com, where you can access the show notes, search the archive of our top tips and tricks and discover some fantastic bonus content.
YOUR HOST:
Kip Boyle serves as virtual chief information security officer for many customers, including a professional sports team and fast-growing FinTech and AdTech companies. Over the years, Kip has built teams by interviewing hundreds of cybersecurity professionals. And now, he’s sharing his insider’s perspective with you!
YOUR CO-HOST:
Jason Dion is the lead instructor at Dion Training Solutions. Jason has been the Director of a Network and Security Operations Center and an Information Systems Officer for large organizations around the globe. He is an experienced hiring manager in the government and defense sectors.