Finding your next role – part 1

Hello friends,

As the feel of fall starts to bite, the leaves change, and the last feelings of summer recede, it’s a beautiful season.?

Here in Colorado the aspen trees are starting to peak with brilliant yellow amongst the evergreens.?

Personally, it’s my favorite time of the year, and it’s a vivid expression of change in the seasons not just of our year, but of our lives.?

This week, we’ll be starting a series that reflects on the transitional moments in the seasons of our career- with a ton of practical advice for those that are ready for their next opportunity. We’ve released a powerful tool with the Crux cybersecurity job board - you can consider this series a complementary set of assets to help find that next role along your own journey.?

Before we get to that, though, a friendly reminder for folks in Colorado- I’m extremely excited to be speaking at the CSA Colorado Fall Summit on the topic of AI and its impact on careers in cybersecurity. We’ll be breaking down potential implications for skill development, the impact on the talent shortage, and have practical advice for both hiring managers and candidates. The conference is the first of its kind, fully dedicated to the intersection of AI and cybersecurity and takes place on October 25 at the Cable Center. You can register here .

Enjoy,

Brad?

Finding your next role – part 1

There are no more jobs for life. And particularly in cybersecurity, it’s just the norm for people to change jobs on a fairly regular basis. Sometimes this may be running away from an environment that wasn’t a good fit. Other times it’s heading toward an opportunity that offers career progression or a significant boost in pay.

Either way, it’s a situation we all encounter.

There’s a tremendous amount to be said on this topic, so in this series, we’ll be taking a flyover perspective. Think of this collectively as the blueprint for your search.? I’ll link to some resources for further reading on the many topics where you can take a deeper dive.

It’s worth noting that this is written for people that are ready to be active in the market. Sometimes we are fortunate enough to be working in a role that is good (but maybe not great) and have opportunities come knocking on our door that are reliably better. But for most people, this usually isn’t the case, and it when it’s time to go, it’s time to go.?

In today’s newsletter, we’ll focus on the work leading up to your actual search. How to get ready, do the research and planning, build your strategy, brush up the resume, and start hitting the pavement in search of new opportunities.?

In the next post, we’ll offer more detailed networking recommendations and take the process through acceptance and onboarding. And in part 3 we will tackle particular advice based on where you are in your career, with a particular focus on advice for aspiring cybersecurity professionals.?

The first part of the process has 4 steps:

1. Know yourself
2. Understand the market
3. Get the basics set up
4. ?Use a multi-channel strategy to guild your opportunities

1) Starting point: knowing yourself

It all starts with having a really good understanding of what you want to do (near term, not necessarily long term), and understanding what your strengths and weaknesses are relative to other candidates you are likely competing against.

The key questions:

• What makes you happy every day in your work? What makes you tick????
• What makes you unhappy? What’s important to avoid?
• What motivates you?
• What type of work do genuinely enjoy and find fulfillment in?
• What are you particularly good at?
• What are you not particularly good at? From these things, what can be improved and what are more innate?

Without these answers you are liable to drift from job to job and have a higher probability of being in situations that aren’t a good fit for you.

With these questions answered you can hone in on target roles, companies, and have a good sense of the diligence you need to do in order to assess cultural fit.

For further reading:

• Discovering you - practical advice for self discovery in your cybersecurity career

2) Understand the market

It’s worth getting your expectations appropriately calibrated at the outset of an active search, particularly around a few dimensions:

• How long it’s likely to take to find the next role
• How many compromises you may have to make vs. your ‘ideal’ role
• Market compensation for your skill set

Of course, you won’t end up knowing the actual answers to these things until you find your next job, but having realistic expectations going in will allow you to determine the amount of effort you will likely have to put in, and start doing things like appropriately budgeting expenditures.

There are a few things you can do to gauge market:

• Assess the amount of inbound recruiter outreach you are getting (for relevant jobs, ignore the ones you are way over qualified for). Obviously, if there’s a healthy inbound flow, your search is going to be easier
• Read up on market reports (some helpful links below)
• Browse relevant job descriptions to check out compensation ranges

?Here are some resources that can get you started on market understanding:

Supply and demand:

• Cyberseek
• ISC2 Cybersecurty workforce study
• Crux quarterly market study

Compensation:

• CISO/ executive level- Hitch partners survey
• Staff level- Stanton House survey

3) Get the basics set up

Before actively starting your search, it pays to get your house in order. Three big steps here:?

Build your elevator pitch/ story and your target list

Elevator pitch: this is all about being able to crisply articulate what you are looking for (type of work and type of company), and what makes you a uniquely awesome candidate for that role. The value of being able to distill this into a 30 second story is not just for those occasions where that’s going to be the time you have (when you are meeting someone at an event, or reaching out to a recruiter, for instance); but also to help in your own mind distill your target into a crisp, coherent and manageable set of things.

Target list: It also pays to build your list of ideal employers. As we will get into below, unless you are in a super hot space, or a unicorn, it’s unlikely that you’ll find success by just dropping applications. You will have to get proactive in your search. And the best way to action this is to build a list of target employers.

• I know this may feel awkward, because generally the things that people care about are not necessarily the company they are working for but the people they are working with, the culture of the place, whether they are having an impact, whether the job aligns with what they expected, etc. But the problem is that those things generally aren’t observable outside-in (Glassdoor can help, but even that has a really high distribution of commentary). So those things that matter are ones you need to assess as you are doing your diligence during the interview process. You can’t screen for these things top of funnel.
• You can think about variables that do matter to you and use those to help inform your target list

1.?????? Do you have an industry preference?

2.?????? Do you want to work for a larger company or a smaller company (and wear more hats)?

3.?????? Which companies are local to you?

4.?????? If you are looking for remote work, which companies tend to have remote-first security teams?

5.?????? Are there companies that have good reputations that you want to target, or places where you have friends that are happy?

Brush up the resume

There is literally nobody who enjoys the process of updating their resume. It’s a necessary evil, to be sure. But it’s essential. There are several ‘jobs’ that your resume is doing for you, and when you update it, you need to keep this in mind:

• It gets parsed by applicant tracking systems (ATS), which recruiters use for Boolean searches to find potential candidates. So you need it to be readable by those systems and your skills and experience need to pop out
• It gets scanned by interviewers (often right prior to your interview), so the key things need to pop
• It’s taken as a shorthand for who you are, sometimes in ways that might be unfair. Typos or poor grammar? You’ll be seen as sloppy or not thorough. Too long? You may be seen as self-centered. Too wordy? People will worry about your communication skills. Etc.

There is no single format that is best. You can make many of them work. But I do have a set of general recommendations:

• Length: generally speaking, 2 pages is great. 3 pages max. Any longer than this and you WILL lose the reader and they will doubt your ability to economize words. You don’t need all the details on your older jobs, particularly if they are not germane to what you are seeking
• Flow: The best flow in my experience: Personal info in header, objective (or summary), experience, education, skills. Optional sections include interests, publications or speaking engagements, technologies.
• LinkedIn: Put the URL for your LinkedIn profile in the header. You want your resume and LI profile to be coupled in the ATS
• Soft skills: Don’t put in too many adjectives or claims on soft skills (hard worker, great team player, exceptional people leader)- these are things that you need to demonstrate, not claim
• Company descriptions: Provide relevant context on the company before getting to what you did- for instance, size, unique challenges they were facing, etc.
• Outcomes: Wherever possible, discuss accomplishments and outputs. If something can be quantified, state it (as long as it isn’t confidential)
• Economy: Don’t be exhaustive about everything you did in a particular role. Highlight the most important and impactful things you achieved
• Bold: Make use of bold in your bullets to draw the reader’s attention (e.g. Risk quantification: Built first program to score and quantify cybersecurity risk instead of ‘Implemented program to measure and quantify cybersecurity risk’)
• Customization: Adapt your resume for particular jobs or types of jobs (if you are pursuing a couple avenues). Choose the most relevant experiences to highlight, try to get your wording to credibly match important requirements in the job description.

Resources

• How to write a cybersecurity resume by Josh Fullmer (you should follow Josh, he has amazing content!)
• Showcasing skills - goes deeper on resume advice and how to stand out

I have not used, nor do I necessarily endorse, any of the AI tools that are out there to help with resume writing, but there are a ton. Here are some ones that look interesting, from the outside:

• Teal
• Rezi
• Resume.co

Activate LinkedIn

LinkedIn is an incredibly powerful tool for your job search. If your profile and LI presence isn’t working for you, then you are going to be missing out on a significant flow of potential leads.

In general, your goal with LinkedIn is:

• To craft your profile so that you are hitting recruiter searches
• To get recruiters and hiring managers excited about your background specifically as a fit for their jobs

There’s one more level above this which is to try to build your following on LinkedIn. Having a strong personal brand can carry a ton of benefits, but it’s also a massive amount of work. It’s most useful for people that are building their own business or anticipate a relatively high degree of job switching.

Since that’s not really the right objective for most job seekers, I’ll constrain the advice to the profile side of things.

It’s pretty simple:

• Have a good, solid photo
• Think about your headline- this is really important and the first impression that is going to make the difference whether people ‘double click’ on your profile
• Describe your key accomplishments in your work experience section
• Check your Url and make a custom one (looks nicer on the resume, anyway)
• Apply some of the same keyword considerations for your resume in your profile
• Make sure you have a catchy cover profile background. You can make one for free with Canva’s free LinkedIn profile banner tool

And of course, get your profile set up on Crux (if you don’t already!)

4)????? Apply a multi-channel approach to sourcing opportunities

You can think of your job search like a funnel. You want to cast a wide net at the top in order to have a few options at the bottom. With options you have a higher chance of landing in a place that will be a good fit all the way around. It will also give you negotiation leverage.?

This means that you should take a multi-channel approach toward sourcing your next job.?

Consider the following:

• Proactively networking in to your target employers (particularly good for entry and mid-level roles). Try build relationships well ahead of postings in order to get referred into jobs.
• LinkedIn is a great tool to build not only loose digital connections but real life connections as well- don’t be shy about expressing interest in a company and asking for advice
• Job boards – in particular the Crux job board
• Local security meetups and communities (oftentimes these will have dedicated slack or discord channels with discussion on job opportunities)
• Volunteering with local chapters of large security organizations such as the Cloud Security Alliance, OWASP, ISC2, ISSA, etc.

Generally speaking, taking the semi-passive approach by dropping applications on job boards is not going to be enough (even for cyber jobs, companies will often have hundreds of applicants- particularly for entry level jobs, or CISO jobs). The odds are almost always stacked against you- even when you are well qualified. But this doesn’t mean that there isn’t a ton of value in job boards- you can read more here on how to productively utilize job boards. Consider job boards as a tool to:

• Efficiently expand the reach of opportunities that you are considered for
• Understand which companies regularly hire people with your type of skillset
• Understand remote/ in office policies of potential target companies
• More deeply understand the market- skills that employers are looking for, compensation, etc
• Alert you to opportunities that you are really excited about- which you should then try to network into

If you have a good amount of experience under your belt as an engineer, you may find yourself with plenty of inbound opportunities. Most of these will be a bad fit, but you might come across ones that do look pretty interesting. I’d encourage you to still apply this proactive approach, even though it’s a good amount of work, because it will increase the probability you find a great fit, and also increase your leverage.

There is no doubt- this part of the process is tough. Expect to have plenty of rejections with zero explanation as to why- even when you are well qualified. The reality is that the cut from applicants to interviews can be super random and is subject to recency/ top of pile bias from recruiters, poorly executed screening, and all sorts of quirks that can’t be easily explained. Warm connections will always have a significant advantage over cold applications. So try to build that network in order to be that person that gets recommended in or has early visibility.?

And most importantly, keep your chin up. It isn’t always easy, but you will find the place you are meant to be.

Tools, resources, and useful things from the internet

??CISA and NSA have released detailed guidance on best practices for IAM for administrators and developers and vendors . It’s excellent; take a look. (NSA, CISA)

??NSA and CISA have also released a top ten list of most common security misconfigurations- many of which have been issues for a long, long time.

??Sean Wright, CISO of Universal Music, has been working with the Cloud Security Alliance on a framework for AI readiness for the enterprise. Check out his excellent presentation here . (CSA)

??Aspen Digital just released a great new report on the evolution of the role of the CISO. My column from a few months ago on the ‘Shift Left of the CISO ’ is a nice complement to this.

??♂?New York magazine has published an in depth profile of Sam Altman. Given the power he wields, this is worth a read.

News

??Microsoft has published their annual Digital Defense Report summarizing key trends in the threat landscape. It’s excellent. (Microsoft)

??SEC disclosure requirements are adding a lot of clarity to the cost of a breach. Clorox has spent $25M directly but is predicting a 23-28% decline in sales. The company is now expecting a loss this quarter instead of the $150M in profit that had been expected. MGM is predicting a cost of $100M (WSJ)

??Speaking of MGM, props to them- they refused to pay the ransom . It cost them more than paying off (like Ceasars), but they did the right thing (WSJ)

??Cyberstarts just raised a massive $480M fund , following up on their $54M fund one success. Cumulatively, their companies are valued at $30BN+, one of the highest (paper) returns of any venture fund, ever (FinTech Global)

??While IT unemployment has ticked up, cybersecurity demand remains relatively strong, according to recent analysis by the WSJ

Jobs

This week we are featuring well paying remote cybersecurity jobs with mid-sized companies. You will find these and many more at the new Crux job board .

NeoGenomics Laboratories . CISO. $210-310K

Paramount Pictures . Sr. Director, Incident Response. $210-220K

Dropbox . Security Engineer. $156-294K

Chemonics International . CISO. $156-195K

SOC Director . McAfee. $146-239K

MedPro Group . Cybersecurity Architect. $130-180K

QSC . Security Architect. $124-181K

TNS . Cloud Security Vulnerability Analyst. $123-149K

Events

One of the (awesome) features of our new website is a comprehensive list of upcoming conferences . It’s one of the largest collections of cybersecurity conferences available. Check it out!?

A few of the exciting ones in store over the next month:

??NetDiligence . Beverly Hills. Oct 16-18.

??Industrial Control Systems Cybersecurity Conference (ICS) . Atlanta. October 23-26.

??CSA Colorado Fall Summit : AI in Cybersecurity: Revolution and Risks. Denver. October 25.

??OWASP Global AppSec . Washington, DC. October 30- November 3.

??SANS HackFest . Hollywood, CA. Nov 16-17

Thinking about your next move? Join our network

Looking for support with your hiring needs? Book a consultation.

Crux is the talent platform for cybersecurity. Check us out.