Technical Influencers: Erik Boemanns' Powerful Cybersecurity Discussion

Erik Boemanns has been in IT for more than 30 years, from starting his own companies to consulting to working for companies directly. He added a legal degree along the way, which led to compliance work and then cybersecurity through PCI, HIPAA, and other compliance standards. He currently works in a blended role of technologist, compliance, and cybersecurity at Improving, an IT consulting firm with offices across Canada, Mexico, and 15 US cities.

Host: Richard Lowe | Guest: Erik Boemanns

Conversation Transcript

Breaking Into Cybersecurity

Richard: A lot of our audience is beginners. They’re in school or changing careers. Cybersecurity looks like a good field. How would a person who’s done some certs or courses get started?

Erik: This is the answer folks hate, but it depends. What is your background? What certs do you have? Who do you know? What opportunities are available? Not all cybersecurity jobs are remote, so geography matters. Entry-level positions are starting to get harder to get into, or they expect you to have experience for entry level, which is always confusing.

Having a certification is a good thing but not necessary. Having a technical background is good but also not necessary. We have people going into security without a computer science degree. I don’t have a computer science degree.

Look at it from an individual perspective. Being an analyst in a security operations center is a good entry-level or junior-level position, but there are limited roles. Another thing to consider: small and medium businesses are struggling with cybersecurity more than large enterprises because the risk is the same but they can’t afford their own SOC. If you have a couple different skills, maybe you’re pivoting from a role where 80% could be your current discipline and that 20% could be helping them establish a better security posture. You’re practicing security skills in a real-world environment with real risks.

Networking on LinkedIn

Richard: You do a lot of networking on LinkedIn. Having a good profile, posting regularly, commenting, connecting with the right people. How do you connect with the right people?

Erik: Take profile and posting and put them a little lower on your list if you’re focused on networking. You need them because you want substance when someone looks at your profile. But the effective thing is finding the people who are active on LinkedIn and talking about the things that interest you. If you’re trying to get into cybersecurity, find the people talking about it. There’s a bunch of us.

Start paying attention to what they’re writing. More importantly, start commenting on their posts. Start engaging them with conversation in the public space. Don’t just send a direct message because a lot of folks get so many they can’t look through them. But what they do see is when you have something interesting to say on their post. Your name becomes associated with that thought. That’s how you start creating connections.

For people who are in the industry but maybe not as active, follow them. See what they’re talking about. See if they’re someone you want to engage with further.

Your profile still matters. Once you start engaging, they’re going to see your tagline on that post. If that tagline isn’t catchy and interesting, you’ve lost the first glance. When they click through, the profile needs to close the deal and make them want to connect back.

Richard: When you comment, you should always follow up. If someone responds to your comment, elaborate. That starts helping you find other people who are active. Liking doesn’t do that much.

Erik: Right. Three people like it, big deal. But you’re scratching their back by commenting, and they scratch yours. Your comment is on their post in front of their network. If Richard posts something and I comment on it, that’s visible to my network but also to his network. It’s a very cheap and easy way to get your name in front of a lot of people. I’ll see a great post, comment on it, and then the conversation spawns off into its own thing that may or may not relate back to the original post.

Richard: The repost is also powerful because it takes the post with all its comments and puts it in your feed, which drags people over. But leave intelligent comments. Don’t just put “done” or “good.” You want to be seen as contributing, not just clicking buttons.

Erik: Exactly. LinkedIn will actually prompt you: “Tell them why you like it” or “Tell them what you find funny.” That’s what you should do. Even better, add your own thoughts. If they’re talking about password security, say this is interesting because you also know something about it. You’re building on the conversation.

Being Cautious on Social Media

Richard: Use humor with caution because different cultures value different things and humor doesn’t translate well over the internet. Try to keep it positive. If you don’t have anything good to say, don’t say anything at all. Those comments stick around. Sometimes they’re judged just on what you commented, not on what you were commenting on. You start becoming seen as a jerk.

Erik: LinkedIn is a positive, optimistic network compared to other social networks because that’s your real name next to every comment and post. It’s not a Twitter handle that may or may not tie back to you. You’re being tied to those words.

Richard: Social media sticks around forever. People have lost jobs because of posts they made ten years ago. You have to present yourself in a good light. You brand yourself. How do you brand yourself?

Erik: Personal brand is marketing. When people see Richard’s name, they know what he stands for. When they see Erik, they know what I stand for. Be consistent in your posting. I talk a lot about cybersecurity, but I also talk about careers and paths. Every so often I post about something I cooked. That’s off brand but it’s still authentic to who I am. Authentic is the word we use. If you’re not authentic as you promote yourself on LinkedIn, it may not be obvious at first, but it will become obvious. People will notice the inconsistency.

Richard: Mix in a few personal things but not too much. We don’t need to know all the details. And avoid gossip, office gossip, talking badly about your company.

Erik: There’s a fine line. If you talk about a health scare and there’s a reason for that message, maybe awareness, that’s fine. But if you’re gossiping about work or talking bad about your company, remember that company is watching. If your brand is diverging from your company’s principles, you might hit issues. But also, that might mean it’s not the company you should be working for long term.

Richard: Many companies run reputation management software that scans social media. If you’re posting bad things about a company, it’ll probably get picked up. And if I’m a hiring manager and I see you slamming your old company, I’m probably not going to hire you.

Erik: That’s the safe rule. There are people willing to stand for a cause and that can be admirable. But they’ve accepted the risk.

Richard: There is a place for whistleblowers, and that’s important in a free society. But there is risk associated with it.

The Power of Referrals

Richard: Establishing a positive brand is actually the best way to find a job. Sending a resume to 50,000 companies, those get filtered into a big pile. I put out a job for a DBA once and got over 700 resumes. You think I read 700 resumes? I was going gone, gone, gone, gone, okay this looks good. But the networking door, getting a reference from somebody else, that’s the key. Build the network. Build rapport with someone like Erik. He learns you’re a great pen tester. He knows someone who needs a pen tester. He refers you. That’s gold.

Erik: At Improving, we put job postings out there and get resumes, but a huge percent of our hires end up being referrals. If you want to work with Tom, fictional Tom, and you already work for us, then we probably want Tom to work for us as well. Referral is still a powerful way to skip the resume stack and be on top. It doesn’t mean you don’t do your due diligence, but you have a known quantity coming through the door that a resume alone will never get you.

Richard: I was talking to a system engineer who told me he’s been hired numerous times and not one person who interviewed him even asked for his resume. It’s his reputation and his LinkedIn profile and the way he came across in the interview.

Erik: When I’m acting as a hiring manager, I let our recruiting team screen the resume. For me, the resume is a conversation device, not a filtering device. By the time it’s on my desk, I’m already talking to the person. I just need to know what to talk to them about.

Interview Skills

Richard: The second big piece of your brand is your interview skills. People come to me as a ghostwriter through referrals. I’ve had people say they had ten interviews lined up, I was the first, and they said, “You’re it. I’m hiring you now.” It’s because I interview well. I’m typically introverted. I used to be very shy. I went to Toastmasters, learned to speak, got coaching, had someone pretend to be the interviewer and threw hard questions at each other. You can do that with anybody. You have to have those interview skills nailed because you can sell yourself in an interview.

Erik: I’ve been at Improving for more than ten years, so my experience on the other side of the desk has faded. But having interviewed so many people, it’s a comfortable experience now. Like you, I was shy and introverted. I’m still challenged with group networking events. But one-on-one, I’m as good as I’m going to be.

Coffee chats on LinkedIn are amazing for this. You’re talking to a total stranger. A job interview is high stress and highly targeted. If you can be comfortable just talking to a stranger first, and if you have the confidence to have fun in an interview, you are going to be so far ahead of people who feel like they’re being interrogated. As a hiring manager, the people who sit and have a conversation with me about the topic are going to rank so much higher than the people I’m dragging one-word answers out of.

Richard: I’ll tell you a story. My favorite hire ever was a guy named Ross. His wife came in for an interview with HR. While she was interviewing, he was sitting in the lobby, and I happened to walk by. He introduced himself. He sounded like Wolfman Jack. We started talking because he was a fun guy. He mentioned he used to own a motorcycle shop, sold it, had a steel plate in his head. He came across so well, so good with people, that I made a position for him. He wasn’t technical. He got certifications after I hired him. I put him in as the person who negotiates with vendors, helps users, deals with managers. He was my person who talked to people because he was so good at it. Even though I’ve been gone nine years, he’s still there. I hired him about 15 years ago. It all happened because he came in and talked the talk and was able to walk the walk. His words were, “Why don’t you just take a chance? If in 30 days it ain’t working out, just tell me and I’ll leave.” We shook hands on it.

Erik: That’s awesome. I don’t think it’s unusual. A lot of people found their path that exact way.

Richard: I highly recommend Toastmasters. They’re in most cities, meetings in the morning or evening. One week you’re speaking, the next you’re critiquing. You learn humor, you learn to be comfortable. Around $100 a year, some are free. The better you can communicate, the easier it is.

Erik: For me, every company I’ve worked for has had some sort of lunch-and-learn program. Pick a topic, present to your coworkers. Super safe environment. That’s what helped me gradually increase my audience from coworkers to strangers to larger groups.

Richard: Library reading groups are another option. I’ve given speeches at libraries. I used to be unable to get on stage. I won an award and they couldn’t get me up there to accept it. Now I’m like, give me 50,000 people, I’m happy to talk. You realize you’re not going to die on stage.

Erik: Most people in the audience are more scared than you are on stage.

The World Is Your Market

Richard: Whether you’re going for cybersecurity or some other field, it’s a worldwide web. If you’re scared of finding a job, there are tens of millions of companies just in the United States, and you’ve got the entire world. I’ve had clients from France, Singapore, Taiwan. Time zones can be tough, but it’s a remote world. Go out and find it.

Erik: The whole world is available to us through social media, through the internet. To your point, we started on cybersecurity but moved into hiring in general. Security is a profession like all the others. The same rules apply: networking, good connections, a good profile. Lean in and figure out how to leverage it. Reach out to people. Connect with folks like myself, like Richard. We’re here to help. Take advantage of what’s out there.

Learn more about Erik Boemanns on LinkedIn.

Find Richard Lowe at TheWritingKing.com.
