Top Tip - Start Looking Early in Your Second Year
So, you're a university student dreaming of a third-year cybersecurity placement. You've survived fresher's week, learned that "phishing" isn't about trout, and mastered the art of submitting assignments 3 minutes before the deadline. Progress!
But now comes the real boss level: finding a cybersecurity placement.
But here's the twist; if you wait until the end of your second year to start looking, you're already late. The cybersecurity world moves fast like, "patch-it-before-it's-breached" fast. So, let's get cracking in your second year, shall we?
You could sit back, relax and wait for the university to come up with the goods, this is typically the university's Careers Service, Employability Team, or a dedicated Placements Team. In some cases, individual academic departments (such as Engineering or Computer Science), also have their own placement coordinators or officers who work closely with students and employers.
However, all too often students are left high and dry and at the last minute, have to shorten their 4 year degree to a 3 year degree without a placement year. So what? I hear you ask, aside from having to accept the dregs of the remaining student housing. For an employer, a graduate who has completed a placement year can hit the ground running, having gained some invaluable commercial experience and will definitely have an edge over their 3 year graduate competitors.
In addition to providing cyber security services, we also own the UK's oldest independent cyber security recruitment agency, and despite the alleged shortage of cyber security professionals in the UK, we have found that there are far too many graduates looking for work than there are jobs for them, a placement year may not only give you an edge commercially, but the cyber skills you develop during your placement may result in you achieving a higher final grade.
Step 1: LinkedIn Is Your New Social Life
Yes, it's time to stop binge-watching conspiracy documentaries and start binge-connecting with professionals. Update your profile. Add keywords like "cybersecurity," "threat hunting," and perhaps not "I promise not to hack your coffee machine." Bonus points if you've done a Capture the Flag (CTF) and didn't cry.
Yes, a profile picture is a must have, and no, your profile picture shouldn't be you in a nightclub, LinkedIn isn't Facebook. Even if the nightclub is hosting a DEFCON afterparty.
When reviewing LinkedIn profiles for prospective staff, we often look at their activity, what have they posted, liked or commented on. Your activity on LinkedIn is public, and can provide a positive and negative perspective on what you are about.
Step 2: Slide Into DMs (But Make It Professional)
Here's the golden rule: don't wait for job boards to do the work, or even your university. Reach out to companies directly. Send emails. Message professionals. Be bold, be polite, and for the love of encryption, spellcheck.
Example:
"Hi, I'm a second-year cybersecurity student looking ahead to my placement year. I'm passionate about cybersecurity and have a knack for [insert skill eg spotting vulnerabilities]. I looked at [insert company name] and love what you do, especially [insert key detail]"
It's confident. It's clear. It's better than "Hi, do you have jobs?" Which is surprisingly common and never successful.
Make sure you spell the company name correctly! You would be amazed about how many prospective placement students lack this ever essential attention to detail in their rush to apply to as many companies as possible.
Finally, make sure it's you that makes the approach and not a well meaning relative, afterall, it's you that will be employed, not your ever helpful Uncle Herbert. If you attend a trade show or cyber conference with a relative, such as BSides and speak to the sponsors looking for a placement, don't let your relative dominate the conversations about you, it won't reflect well.
Step 3: Learn Stuff (Before You're Asked About It)
Let's be real: companies aren't offering placements entirely out of the kindness of their firewalled hearts. They're paying you a wage, giving you access to their systems, and trusting you not to accidentally email the entire company with "test123." That said, they know that you are only 2 years in, and aren't expecting a 31337* hacker.
So, show them you can hit the ground running.
Brush up on the basics. Know your OWASP Top 10 from your top 10 Spotify tracks. Be knowledgeable about the basics such as networking and protocols, unless you want your placement interview to last exactly 12 minutes.
And if you don't know something? That's fine, just be honest and show you're actively learning. That's code for "I watched a YouTube tutorial five minutes ago and now I'm dangerously confident."
Remember: the more you know before you start, the less likely you are to break something expensive. And that's exactly what companies want — a student who's curious, capable, and not a dangerous liability with admin access.
Interlude - Ancient Cyber History, who says this isn't educational!
*31337 = eleet = elite. Was originally a term for extremely capable hackers in the 90's and as a result, then used as the favoured hacker port for Back Orifice, a backdoor application that lets hackers remotely read and write files on Windows computers, this was improved (BO2K) by the Cult of the Dead Cow in 2000, numerous crudely named plug-ins were written, called Butt Plugs
The plug-in ButtFunnel allows you to ping sweep for BO-Infected Computers through a Back Orifice infected computer
The plug-in ButtTrumpet upon activation, will fire off an email to a predetermined SMTP server and email address
The plug-in ButtSniffer 'sniffs' passwords, filters packets, from the Back Orifice infected computer.
Back in the day, "Back Orifice" wasn't just a cheeky name, it was the go-to party trick for cyber security professionals who wanted to wake up a room by showing just how easily things could go wrong. Fast forward to today, and just uttering the word "cyber" is enough to send half the audience into a deep, peaceful slumber, despite the fact the threats are more real than ever. Twenty-five years ago, if you gave a talk about "computer security" (because "cyber" hadn't been invented yet), you could practically watch the audience stiffen up with boredom, rigor mortis by PowerPoint! The crude but humorously named elements of Back Orifice were a life saver, and helped to awaken an audience to the threat.
Note: if you have Googled for Butt Plug and ended up here, you are almost certainly in the wrong place!
Step 4: Be a Cyber Detective
Companies love initiative. So, stalk (ethically) their websites. Find out what they do, who they work with, and whether what they do peaks your interest.
Tailor your message. If they specialise in defence, talk about national security. If they work with banks, mention fraud detection. If they sell socks rather than SOCs… maybe try another company.
Also, consider the locations of their offices, CND have offices in the UK and Isle of Man, but we only take placement students in the Isle of Man, and if tropical beaches and palm trees aren't your thing, you may wish to look elsewhere! Seriously though, look at accommodation costs for where you are applying, as most placement student employers don't pay for accommodation.
Top Tip: Prioritise placement applications near your home town and move back in with Mum & Dad. If that sounds like a living hell after becoming feral at uni, perhaps approach your favourite Aunty for her spare room.
Step 5: Stay Hydrated and Don't Panic
Rejections will happen. Ghosting will happen. You'll send an email and hear nothing but the sound of your own sobbing. It's fine.
Keep going. Keep learning. Keep reaching out. Don't let rejection reduce the quality of your approaches.
And remember: every cybersecurity expert started somewhere, possibly in a hoodie, surrounded by empty coffee cups, wondering why their Python script won't run.
If you are as truly awesome as you obviously are, afterall you're reading this blog, then you may have a number of opportunities, don't immediately accept the first, but hold out (not too long) and select the best for you. Also, don't try to haggle for more money, unless you truly cannot afford to accept, nor should you pitch potential placement opportunities against each other, otherwise you may end up with none.
Step 6: Try Before You Buy
A placement year gives you an opportunity to see if this employer is where you would like to end up when (if) you graduate. This works both ways, the employer will be evaluating you for the same reason throughout the placement.
Final Tip: Ask your lecturers, alumni, relatives, or even your nan (she might know someone from her bridge club who works in cyber). You never know.
CND's Annual Placement Schedule
September. We start taking applicants for a start the following June, you will receive a fact finding call from our Team, this is your chance to ask logisitcal questions about the placement.
December. If shortlisted, you will have a remote technical interview, this is your opportunity to ask about what you will be doing, we will try to include the current placement student on the call. Don't even think about using AI!
January or February. Finally you will have a face to face formal interview in the UK near Bath, after which you will be informed about whether or not you have been selected. You will be introduced to the current placement student as your mentor.
June. Start your placement, we will try to have a 2 week overlap with the previous placement student to show you the roles and around the Isle of Man.
