The Job Hunt - Cybersecurity Work and How to Find it

In this post, we’re going to discuss some of the nuances that go into performing the actual job hunt for your next (or perhaps, first) cybersecurity job. When looking to launch a career in cybersecurity, most people are chiefly concerned with developing their technical aptitude: enrolling in university, studying for industry certifications, etc. While that’s certainly a priority, failing to deliberately allocate effort towards the job hunt can set you up for a really harsh experience (and finding your first job in cybersecurity is already incredibly challenging all on its own). This post will focus exclusively on the job hunt for cybersecurity roles.

At a high-level, the job hunt consists of the following actions:

  • Obtaining an interview
  • Performing the interview
  • Negotiating compensation

Obtaining the Interview

When you’re looking for work – whether you’re a student, a career changer, or working professional – it’s easy to slide into the lowest-effort option:

  1. Slap together a resume; maybe lifting a template straight off of Microsoft Word’s default options.
  2. Drop the keyword “cybersecurity” into your job listings platform of choice (e.g. LinkedIn) and submit your resume en masse.
  3. Repeat step (2) with different keywords.
  4. Check for new listings day after day, month after month.

If the above methodology more-or-less describes what you’ve been doing (or what you planned on doing), you may have discovered for yourself that the number of unanswered applications or automatic rejections can be pretty disheartening. Many users in the /r/cybersecurity subreddit looking for work bemoan how challenging the job hunt has been for them this way:

“I understand that my combination of certifications, degree, and knowledge should make me eligible for entry-level positions. However, the reality is that I haven’t received responses to most of my applications. Initially, I focused on security positions, then expanded to network administration, and ultimately applied for help desk roles with similar results. Overall I sent out maybe 50 applications.” –/u/nf022

“I submitted 350+ applications and got a total of 3 interviews which led to nowhere.” –/u/Howl5Overide

“Two years ago I moved from a sr. sysadmin role to a SOC analyst and it took me 8 months to find that role. It also required me to relocate during the pandemic (which I wish I had pushed back on) and about ~1200 applications. Yes I kept track.” –/u/HexTrace

Cold-submitting applications – either through job listings platforms or even directly through a company’s career portal – has the worst application-to-interview conversion ratio. According to ZipJobs, the average ratio for a generic applicant rests anywhere between 10% and 20%; as an average, that means half of job applicants experience less than 1 interview for every 10 applications they submit; in the above testimonies, we see that the figure can creep up to be 1 in every hundred (or even 1 in every thousand).

There’s a variety of reasons for this:

  • Headhunters/recruiters typically leverage Application Tracking Systems (ATS), which provide varying degrees of automation for filtering out resumes (more nuanced ones use natural-language processing to evaluate how good a “fit” your application is; cruder ones do raw keyword searches). When entry-level applications number in the hundreds, hiring teams use an ATS to filter the pool down to a more manageable figure. This means your application may be filtered out before a single set of human eyes has ever looked at it.
  • Outside of organizations which specialize in technical (and more narrowly, cybersecurity) recruitment, hiring managers don’t necessarily understand the qualities/characteristics that make a competent cybersecurity employee; those managers default back to generic metrics (e.g. years of experience, presence/absence of a degree, citizenship, criminal record, English-language aptitude, etc.). If you fail to align your resume to account for this kind of recruiter, you essentially rule yourself out of consideration by the human eyes that do see your resume.
  • For those looking to get their first foothold in the industry, so-called entry-level jobs draw an overwhelming number of online applications for every listing. One hiring manager was quoted as having over 700 applicants for their last SOC analyst role. Another noted getting nearly 1,500 applications for one of their openings. Absent any other differentiating factor, your application is playing remarkable odds to make the final cut for interview consideration.

Resume Submission Merits

Having said all the above, you should still engage in cold-submitting resumes; if you don’t apply for a job, you certainly won’t get a callback for it. Just be mindful that – as discussed above – cold-submitting resumes is a really low-yield method for attaining interviews. Even so, in exercising the skills of the job hunt:

  • Your application is stored inside hiring managers’ internal databases, which may be pulled in the event of future opportunities.
  • You signal to the employer your desire to work for them, which may have them redirect your application to a more fitting role.
  • Against all odds, you may get a callback (initiating the interview process).

Per 6sense.com, the largest and most active job listings platforms (by market share) are:

  • Indeed
  • LinkedIn
  • Glassdoor
  • AngelList
  • GovernmentJobs

LinkedIn, unlike the other job listings platforms, also doubles as a social media platform; there are a variety of steps you can take to passively attract headhunters/recruiters in setting up a professional profile.

For U.S. military veterans or government workers: you might also consider adding usajobs.gov and clearancejobs.com to your list of considered platforms; the former lists federal employment opportunities, the latter specifically caters to job applicants in possession of a government clearance.

An Alternative Approach

Instead of just cold-submitting your resume to job listings platforms or employer career portals, look for channels that get a human directly involved in the handling of your resume. This can manifest in all sorts of ways. Some examples include: directly working with a recruiter, career fairs, and internal referrals.

Recruiters

Working with a recruiter is one avenue that yields better interview rates. Recruiters are tasked with finding talent that appropriately aligns with the roles they are trying to fill; assuming that you are a fit, they can help facilitate getting you moved along to staff interviews – bypassing all of the resume filters described above. Under optimal circumstances, recruiters would reach out to you via job listings platforms such as LinkedIn. However, since we cannot always wait around for a recruiter to notice us, actively searching for and reaching out to recruiters on the same platforms is also appropriate.

A note on reaching out to recruiters: again, you should fight the low-effort impulse to merely “connect” with a recruiter on these platforms. Be kind, courteous, and transparent with your intentions. If possible, include a brief message when you do so. Something to the effect of, “Hi there; I saw [insert job listing] open on LinkedIn and noticed you were a recruiter for [employer]. Would it be alright to ask you some questions about the opening (or can you direct me to someone I can speak with)? Thank you.” Be sure to include a copy of your resume as well; don’t wait for them to ask for it.

Larger, more prominent employers have no trouble finding talent; recruiters representing them get pinged with these kinds of inquiries all the time. To help ease into the connection, you might try to connect with other employees belonging to the same employer first; this can help loosen LinkedIn’s mitigating restrictions surrounding degrees of separation (and also lets them see that you already have some amount of association).

Career fairs

Career fairs are another venue for engaging someone directly. These kinds of events are hosted at various points in the year at major cities, in conventions, and on university campuses. This sort of event is somewhat derivative of seeking out and speaking to a recruiter (as recruiters are often the ones at these kinds of events). But they also provide an opportunity – depending on how busy the booths are – to speak with other members of their staff/team and get an impression of the work from a first-hand source; this allows you to make an early impression among a number of internal staff – not just the recruiter.

If you’re going to one of these events, it’s important to be professional. You should take care of your grooming, wear business attire, and make an effort to keep clean copies of your resume at hand (unfolded, with no creases or wrinkles). You might also want to have business cards printed, which are more easily handed out for later reference. Have a rehearsed elevator pitch prepared to highlight your major assets and what it is you’re looking for. Review ahead of time the floor plan of the venue you’re attending and note the locations of all the major employers you definitely want to hand your resume to; again, bigger names are going to have longer lines – if you’re not careful, you’ll waste a considerable amount of time standing in a line, not engaging other smaller businesses, only to get 15-30 seconds of facetime with one recruiter at the larger ones. Don’t be late.

Internal Referrals

By far the best option of the bunch is an internal referral; this is when an existing employee routes your resume along for consideration for a particular job opening, vouching on your behalf for your competency in the role. Zippia’s research shows that between 30% and 50% of all hires are the result of internal referrals. Getting a referral goes a long way toward distinguishing your resume from the multitude of others under consideration for an interview. If you know someone who works for an employer you’re interested in, make time to courteously ask them for a referral. It’s helpful if – when you do so – you name a particular job opening (so as not to impose upon them to ask around whether such an opportunity exists).

Obviously, you may not know anyone at all of the prospective employers you look at. That’s okay; sites like Blind and LinkedIn offer opportunities to solicit referrals. It may feel a little awkward asking for a referral from someone you don’t know, but oftentimes it’s to their benefit to consider taking you up on the offer. Many employers have reward programs in place that compensate employees who refer someone that ultimately gets hired. Moreover, they – not you – have the ultimate decision about whether or not to make the referral at all; if they don’t want to refer you, they won’t – no harm, no foul.

Concurrent Actions

Deliberately allocating time/effort to the job hunt extends to more than simply looking for work. There’s a multitude of actions you can take that make a job hunt more procedural and less haphazard. These include:

Enacting version control on your resume

Whether or not you are presently employed, you shouldn’t wait until you’re looking for work to update your resume (because at that point, you might be hard pressed to recall all the salient and impactful details). You will also find yourself needing to backpedal from time to time as you tailor your resume for various employers. It’s to your benefit, then, to track the changes you make to your resume over time. Version control also lets you see what your employability profile looked like in prior applications (in the event you end up re-applying to the same employer over the course of your job hunt).

Application status tracking

When you are looking for work, it’s easy to lose track of which job openings you’ve applied to and which you haven’t. Moreover, some employers throttle the number of applications you can submit in a given timeframe. Tracking your application submissions in a spreadsheet is an easy way to manage these things; other things you can track include whether or not the role is remote, the point-of-contact you coordinate with, the names of the people who interview you, the URL of the job listing, compensation notes, what stage of the interview process you’re at for any given application, and any feedback/notes you take in the course of interviewing. Tracking is especially important when juggling multiple job offers, as it gives you better situational awareness for speeding up or slowing down an interview process (so as to have better leverage when it comes time to evaluate competing offers).

Cultivating representation

Apply some deliberate effort towards the creation and maintenance of your various forms of representation. This includes (but is not limited to) your resume, cover letter, LinkedIn profile, Github repositories, and website/blog. If you have these things, great; if you don’t, consider fostering them. See this post on resume writing for cybersecurity professionals. When in doubt, get feedback from third parties as to how these things look and what you might do to improve them.

A lot of people have the question in mind of “am I good enough?” or “what are my chances of getting a job as X?” Truthfully, we can only speculate as to what your odds might be (the only people who can meaningfully give you any indicator are the people who interview you). However, you can help yourself out by taking a look at a cross-section of job listings out there and observing the trends that emerge between them. For example, you might notice particular certifications being in demand. These notes can help close the gap between you and what employers are looking for in the ideal applicant.

Depending on what results are turning up for you, it may be time to expand your job hunt criteria. Perhaps consider extending the number of miles that are considered for local searches; maybe opt for roles that you consider yourself over-qualified for; and of course, if no momentum is coming from your job hunt, consider applying to other, cyber-adjacent lines of work (e.g. software engineer, web developer, systems administrator, network engineer, etc.).

Military Service

For those willing and able, consider military service. While such a decision shouldn’t be taken lightly (and joining the military strictly for the opportunity to work in cybersecurity is a rather lackluster motivator), military service can be an excellent career accelerator – assuming you contractually land a related service assignment. For U.S. servicemembers, this can equip you with a federal clearance which is an asset for Department of Defense (DoD) contractors.

Performing the Interview

Once you’ve gotten a callback lined up, it’s time to get ready for the interview. There are a number of different stages to an interview process, with varying forms that they can take.

Screening Interview

Oftentimes, the first stage of the interview process is a screening interview. The screening interview is likely performed by a headhunter/recruiter; it is usually equal parts identity verification, alignment assessment, and expectation setting. The interviewer wants to determine that you are who you say you are; they want to evaluate whether you meet a minimum threshold of criteria provided to them by staff; and they will relay the overarching details of the work opportunity and logistics of working for the employer.

  • DO ask questions concerning administrative details of the job listing; things like location/remote/hybrid models, the steps/process of any subsequent interviews and who they will be with, benefits packages, etc.
  • DO clarify whether or not the interviewer will be your point-of-contact throughout the interview process (vs. working with someone else).
  • DON’T expect to ask detailed technical questions about the nature of the work; the headhunter/recruiter is unlikely to have worked with the team and may not be familiar with the particular functions; under most circumstances, they are reading off of a summarized description that was passed to them by staff.

Staff Interview(s)

After the screening interview, you will go through some number of rounds of staff interviewing. These will likely include your prospective peers on the team you’d work with, your prospective supervisor(s), and perhaps non-team employees. The types of questions you’ll encounter can vary (and leaning on your screening interviewer to get a better sense of things ahead of time will help you better align your preparations); some examples include:

Technical Q&A

These tend to be didactic, where they ask you to explain a concept, a technology, or a process to them. Here, their goal is to evaluate for themselves whether your raw breadth/depth of knowledge of the pertinent subject matter areas is up to par. Examples might include, “Explain what SQL injection is,” or “What is deserialization and why is it a security concern?”.

Scenario-based hypotheticals

These are a step-up from the technical Q&A. These kinds of questions pose various situations to you and ask for you to explain how you might approach/resolve the challenge presented. With these kinds of questions, they are both trying to evaluate your aptitude as well as your critical thinking. It’s important to be transparent in these kinds of questions: even if you don’t know what the correct response might look like, demonstrating the actions you might take and the logical/deductive reasoning behind your response may be of greater value to the interviewer. You should strongly consider asking clarifying questions early-on as well, since the interviewer may be deliberately withholding pertinent information to the solution. An example might come as, “Someone reported that they think an attacker compromised a Windows workstation after it had connected to a public WiFi hotspot outside of work; what indicators of compromise might you look for to verify this and what potential ways did the attacker leverage to compromise the machine?”.

Personal Anecdotes

These questions ask you to elaborate on examples of situations you’ve engaged with in the past. They may ask for instances where you’ve had to overcome a particular challenge, work as a consultant, lead a team, etc. The questions may be with regard to content you listed on your own resume (e.g. “I noticed you listed [detail], would you mind elaborating on that for us?”). Since it’s your history, you should have 2-3 canned responses ready for questions like these: for example, if you’re applying for a penetration testing role you should have an example of a vulnerability you exploited on hand. Be familiar with your own accomplishments and work.

Sometimes these interviews happen back-to-back and other times they may be scheduled across several weeks. These are the interviews that make up the “meat-and-potatoes” of the interview process and the ones that you should allocate more deliberate effort to preparing for.

  • DO take notes throughout the interview, including the questions you receive (and especially the ones you don’t know the answers to).
  • DO be sure to have a written list of questions to ask your interviewers, as time allows.
  • DON’T lie or suggest you know something you don’t.

Technical Screening Demonstrations

A technical screening demonstration involves showing that you can “walk the walk”, so to speak. Technical screenings – if they even occur in your interview pipeline – are usually lined up before staff interviews take place and test the practical application of your skills. Depending on the employer and role, this might be anything from a small capture-the-flag (CTF) challenge, to reverse engineering some de-fanged malware, to coding a trivial programmatic function. Technical screening demonstrations may or may not be proctored.

  • DO your research on your employer and their interview process ahead of time; it may be possible to discern whether a technical screening demonstration is a part of the pipeline and what the screening might look like.
  • DO make sure you afford yourself the maximum amount of time possible to action the technical screening; verify how much time you have available before you start it.
  • DO validate the use of external tools/resources (such as the open internet) before you engage the technical screening demonstration.
  • DON’T waste time; be methodical. These problems are deliberately chosen to be scaled in difficulty relative to the amount of time you have to action them.

Other Actions and Questions

Preparing for your interviews can be a really difficult undertaking. There are a number of really good resources available to help you with it however, including:

Additionally, interviewing is one of the rare opportunities you have to tease out direct feedback on your own employability. Some example questions you might ask include:

  • If I were to be brought aboard with your team, is there anything you’d want me to read up on or study to help better perform the work?
  • What is it about my background/resume/experience that I’ve conveyed to you that you find is the most valuable asset to your team?
  • What is the most important quality about an applicant that you’re looking for?

Responses to the above questions should be added to your notes and serve as a mechanism for steering your efforts to develop your professional aptitude. You should have a number of other questions ready to learn more about the team/contract you’d be supporting. Ask what your working relationship with your interviewer would be (if one were to exist at all). Find out when they last took a vacation. Ask them about their tenure and the changes they’ve observed at the employer in that time. Inquire about the circumstances around the job opening (e.g. bigger budget? Backfill? Replacing layoffs?). All of these should help inform you whether or not you want to work there.

Negotiating Compensation

There are usually at least two rounds of negotiation when it comes to compensation. The first occurs somewhere around the time of the initial screening interview; at this point, the goal of the headhunter/recruiter is to make sure your own personal expectations are in alignment with what the employer is willing to offer (i.e. commensurate with their pay bands or salary ranges). All that is being done on their end is to make sure that it’s worthwhile continuing the interview; they don’t want to push forward a candidate who is expecting X and then gets offered a value lower than what they were expecting. Your goal in this round is to find that range and ask for the top end of it.

No one is going to turn you down because you asked for more money than they are ready to pay (provided it’s not an order of magnitude greater). They will probably respond with a counter-offer of “Our actual rate is X, would you be alright with that?”; assuming you are, then the interview process carries forward. Deferring the question (“I don’t have a figure in mind at this point in time, but I don’t think compensation will be a problem”) or requesting that they disclose their ranges is totally reasonable; in some states, there is a legal obligation for that information to be disclosed upon request.

The second round of negotiation is what people generally think of when they refer to negotiating compensation. This takes place after the interviews but before a formal offer of employment is made. If you’ve made it this far, congratulations! Regardless of your attitude towards getting to this point, always ask for a day or two to think things over. Both you and they have gone through an exhaustive series of interviews; in their case, they’ve likely had to parse through and evaluate many candidates who were not as qualified as you. Out of everyone, they chose you – they want you. Negotiating for more money isn’t going to automatically break the deal, provided you approach the matter with respect; in fact, recruiters anticipate that you will do so at this point. One of the last things they want at this point is for you to back out of an offer.

In ideal circumstances, you have competing offers to leverage against each other. This is a brilliant position to be in, because you are in a win-win situation. A riskier proposition is to feign having a competing offer, as they may ask to see an offer letter from the competing employer. However, there’s a trivial counter to this, as /u/Lazy_ML explains:

“Many FAANG type companies say their offer letter is confidential and ask you not to share it. You can always use this to deflect the question. It may not get them to match but it won’t make you look like you were bluffing. Many companies also won’t give you the letter until you verbally accept because they don’t want you to shop it around so not having a letter isn’t an indicator of not being truthful (side note: I suggest trying to get the company to confirm the numbers via email, though some mf’s will call you back to confirm). I’ve never provided an offer letter and it has never been an issue (for FAANG as well).” –/u/Lazy_ML

Importantly, salary isn’t the only form of compensation to negotiate. Some companies offer equity (e.g. Restricted Stock Units or ‘RSUs’). Signing bonuses, vacation days, and other benefits are also on the table.

Compensation References

Here are some resources that can help inform you of your worth:

This post is licensed under CC BY 4.0 by the author.