Searching for a Job
Making a job change is often a serious life event. Balancing the needs of your current job while prioritizing your happiness, mental health, and financial requirements can be rough.
I recently left my job as a Technical Director at Praetorian to take a new role as a Senior Detection and Response Engineer at Abbott Labs, but this culmination came at the end of almost six months of job searching. The first three months of my job search I would call a "soft" search, where I only applied or made contact for roles that fit a pretty strict set of criteria looking for the "perfect" job. The second three months were more of a "hard" search where I was being a little more lenient with my criteria. Ultimately, this role with Abbott would have fit into my soft search.
Having just gone through this arduous process, I wanted to provide some insight to other potential job seekers in case it might help them.
Reasons To Leave
While I will not highlight why I left Praetorian, I did want to discuss the first question on many job seekers' minds: should I start searching for a job? It might be time to begin your job search if:
- The percentage of days that you wake up dreading work is more than 50%. Let's face it, many of us would rather not work, but we can still get excited about our work. If that is not happening most of the time, something must change.
- You do not see a progressive path ahead of you. I leave this intentionally vague because this could mean many things to different people, from promotions to education to project responsibility and more. General growth can also fall into this category.
- Economic considerations (pay and benefits) cause you stress. In a perfect world, everyone is paid enough not to leave a job due to money, but we all know this is not often the case. You are not a bad person for wanting to improve your economic situation.
- Moral inconsistencies cause you stress. Being able to leave a job because you are morally opposed to something the organization is doing or has done is definitely a privileged position to be in. Depending on your sector, the job market may be strong enough to support this decision.
- Your work does not have the impact or value you think you can provide. When I worked at Rackspace, there was a quote from Graham Weston, "What we all want from work is to be valued members of a winning team on an inspiring mission." If this isn't true for you, it might be time to look elsewhere.
The Job Search
This section is 100% my own opinions, not really based on much other than my experience both as a job seeker and someone who has been part of a hiring team. Inputs here are in no particular order.
- The recommendation you often see to tailor your resume based on the job you are looking for is valid. BUUUT, that does not mean you need to tailor it for every single role necessarily. In the case of the cybersecurity field, you might have a resume for a technical defensive position, a technical offensive position, and a management position. Of course, YMMV, but you get the idea. Different resumes highlighting particular skills and experiences for different job categories can be very useful.
- To save yourself some data entry time, each role on your resume should have its own "header" with the organization name, dates (month/year), and title. You may be tempted to lump multiple roles from a single company under a single header, but for whatever reason, application systems that parse resumes get really confused by this, and you end up spending a bunch of time fixing this. Don't ask me why they need that information when they already have the resume.
- I have rarely seen a resume longer than two pages that offered significant additional value. Keep it brief and focus on the highlights.
- Personal opinion: it is ok to list expired certifications on your resume if you continue to show progression and recency. Listing these certifications demonstrates that you care about continuing education without wasting money to keep earlier or less rigorous certifications current.
- Submit resumes as a PDF.
- You might find this in most resume-writing articles, but I have found success with these sections:
  - Contact info, obviously. Use a professional-sounding email. Include your LinkedIn profile link and a personal website if you have one. A phone number and your address should go without saying.
  - Education: again fairly standard. Your GPA is probably not super valuable here unless you recently graduated college.
  - Key Skills: I really don't like this section, but this is the section that will help you get past any HR filters for specific things. It is ok to be reasonably verbose here but DO NOT ever put something here that you are not ready to speak intelligently about. You don't have to be a pro to put something here, but you better be able to explain the skill, why you would use it, and what your experience is.
  - Certifications: I used to include dates but found this was mostly unnecessary information. I do note if they are expired to avoid any false advertising claims.
  - Training: This is valuable information if you have attended courses without an associated certification.
  - Job descriptions: the obvious meat of the resume. Keep each role to under five bullets; any more than that, and it loses focus. I tend to reduce the number of bullets as I go further back. My first job is summed up in 2 bullets.
In the tech (or at least cybersecurity) field, there is a lot of value in stuff you do outside work, such as home labs, projects, CTFs, etc. While I do not recommend that anyone try to do all of these, I recommend you have at least 1 or 2 of these on your resume or ready to discuss during an interview.
- HackTheBox or TryHackMe type platforms. Activity on these platforms shows passion but also some skill. If you have done much of this work, these platforms often have a way to share a public profile link; include that in your resume if you have it.
- HomeLab: This could be a full-fledged test environment or just that you run your own firewall instead of ISP-provided gear. Homelab topics are usually not resume fodder but could be helpful in an interview scenario. Perhaps you have customized your attack box for use on HackTheBox or TryHackMe; this all shows a passion for the field.
- Personal Website: You could document your HackTheBox or TryHackMe 'sploits or what you learned about running your own firewall or be extra meta and detail how you built the website you are writing about it on.
- CTF: there are tons of them throughout the year at cons, online, etc. In this category, I also include things like the SANS Holiday Hack, Advent of Code, or other challenge-based events.
Searching for jobs is perhaps the most challenging part of the process. If you are looking, you want quick results, but the more narrowly you define your search, the longer your search might take. Here are a few tips that might be a little less common.
- First, establish your criteria for a job and decide which criteria are hard and which are soft. For example:
  - Not a megacorp (soft)
  - Salary $XXX+ (hard)
  - Travel <15% (hard)
  - Technical/IC Role (soft)
- Think through products you use that you like and whether you would want to work for those companies. Also, think through companies that you like for other reasons. Follow those companies on LinkedIn and potentially other social media.
- Engage your network. If you can be public about your job search, do it! Make a LinkedIn post that you are in the market and add details about what you are looking for.
- Connect with prior colleagues and new acquaintances on LinkedIn. You never know when someone might post about an open position before it is officially posted.
- Join local communities on Slack, Discord, Meetup, etc. Be active and get your name out there.
- As a prior hiring manager, I never found cover letters useful except to explain or highlight a particular situation. YMMV, some places treat the cover letter as an indicator of passion (oh they REALLY want to work here because they submitted a cover letter). While I don't personally agree with this, it may help increase your success rate. I might have only submitted a cover letter twice in my job search. Because...
- Getting a warm intro when you can from a connection will trump almost anything else here. Many places have referral bonuses, and there is often a low risk to an internal employee submitting a referral. A referral will go far beyond a cover letter any day. I reached out to people I had only met years ago at conferences and was never ignored. I even made new connections in some cases. It can help when connecting with someone to indicate why with something like, "Hey I saw your post on LinkedIn because another connection liked it. I am curious if you can provide more information..."
- While I somewhat regret not doing a better job of tracking what companies I contacted, not doing so alleviated a TON of stress because I was not constantly waiting for replies or trying to figure out if I should follow up. The exception was "dream job" type opportunities.
- If you are in an interview process and have not gotten an update, 3-4 days is probably a fair timeframe to reach out for updates.
- Remember, you are interviewing the employer just as much as they are interviewing you. It is ok not to continue if red flags are raised.
- Be sure you get to talk to the person who will be your manager and at least one person they manage. If they are not part of the regular interview panel, it is fair to ask your contact if you could schedule a time with them. You want to know if you vibe with your manager and if other employees have had a good experience with this manager.
- Video interviews are a thing now; ensure your camera space is tidy or at least blur the background.
- Be yourself. Cliche, I know, but you don't want a version of yourself to get hired that is not fun every day.
Good luck! I know you will do great, and feel free to reach out if you have any questions, need a resume review, or for anything else.