Simple tips for getting a job in #infosec

With the global financial crisis many people have been looking for stability. I, on the other hand, have worked mainly as a contractor over the past four years, so I have had a great deal of experience in finding new roles. Many roles have been really interesting and rewarding, generally lasting between 6 months and 1.5 years. I have been lucky enough to only ever have a maximum of two weeks between roles. These are some practical tips and lessons learnt for finding a job in security that have worked for me.

The CV

Like most endeavors, some time spent planning up front really makes a difference. Working out what you really want to do and why is critical, and the more specific you can get, the better. Security has so many areas of specialization that a clear, concise decision here really sets you up for success. Mind mapping to brainstorm this is a great way to get some thoughts down. It does not even have to be a specific role, but at least a clear idea of the work you want to do day to day and what you do not want, based on what you enjoyed and what motivated you in the past.

Once you have this description, it is a case of cutting your CV down to fit this and only this. As many have said about Steve Jobs, one of his key skills was the ability to say no, to cut out everything that is not required. I have found that in security you can get involved in so many different things, and even some of your past achievements may not be what you want to do going forward. This is a really hard process, but from the other side of the table, people really want to work out where you would best fit and which projects or work allocation you would be best suited to. Making this easier for them by clearly highlighting two or three real strengths and achievements that match what you actually want to do works for everybody. I have worked in policy development, third party risk assessments and PCI-DSS, but if I list these three times each they are the only roles I will find. Also expect to be questioned about what you list: do not put down things where you had only marginal involvement, but rather those that you know in intimate detail.

I am also not a fan of big lists of technologies or skills without clear experience or achievements. Listing clear, measurable wins with the relevant technology and skills demonstrated is the way to make an impact. Avoid generic cover letters and a shotgun approach. Even 10 minutes spent mirroring and reflecting back the wording of the job spec / advertisement, matched to your experience and achievements, will get significantly better results. There are many ways to order your CV, but I like key achievements linked to experience first, education and certifications later.

Finding a role

There is a lot said about finding jobs through your contact network and a large number of roles never being advertised, but for me old fashioned job boards and recruiters have got me every job over the last four years. Find the major job board for technology in your city / country, set up a profile and some very specific alerts. Target the work you really want to do rather than generic or all security roles. I think the advertised roles are actually only useful for finding the recruiters who get these roles. Get to know these recruiters. Meet with them, keep in touch. Every role I got in the last four years came from a recruiter I knew contacting me about a role that had come up, not from ones I had applied for myself.

That said, cultivating your network is never a waste of time. Personally I never got a role directly through my network, however it is always a good way of keeping up with what is going on, and security tends to be a small world, so you never know where you may run into a contact. The monthly meetups like Defcon and OWASP are ideally suited for this, and the best way to get people talking to you at these is to do a short presentation. It does not have to be anything that special; just a perspective on a current issue with some fun and informative slides will do the trick.

The number

When dealing with recruiters, again, having a clear statement of what you want to do and what you do not really makes them work for you. Fight the feeling that you may miss out on something; being specific will get you more of what you want faster. A common question from recruiters is also what you are on currently and what you are looking for. My approach here is to have one number. Not a range. Just a researched number on what is realistically achievable. This should come from people who actually do the role you are after rather than from recruiters, if possible. If it is a recruiter number, get at least 3 opinions and add 20%. State this number clearly and shut up. Do not negotiate at this stage; if there is an actual job offer later you can work out whether any trade-off is worthwhile, but at this stage go in with the best position to negotiate down from. It is a lot easier for you to decide to go down than to get it up later.

The interview

This seems to be where a lot of security people let themselves down. Technical questions are specific to the area you are applying for, but having a clear structure, with the answer or solution followed by a solid example of where you demonstrated this, seems sensible. Like public speaking or presenting, practice your responses to common questions aloud many times. I believe every security professional should have a good answer on dealing with risk acceptance and on influencing and convincing the business. I always found a whiteboard, or bringing a pad to draw on, was my friend. It is so much easier to explain ideas when you have a visual aid; it can get the interviewer involved in problem solving and provide a frame of reference for questions and answers. Even if the answer is not visual, anchoring with a mind map works well. Definitely have some questions for them. It is a good opportunity to evaluate whether you actually want to work there and also to get them imagining you in the role. I like questions such as: What will my priorities be for the first month? What does good look like, or how is success measured? What will my decision authority be? What is the style of management, hands on or hands off? How is bad news received by the organization?

Summary / TL;DR
  • Decide what you really want to do day to day
  • Cut down your CV to suit this only
  • Get to know the recruiters that get your roles
  • Pick a salary or rate number, state it and shut up
  • Back every interview answer with an example from experience
  • Present visually if possible and ask questions that get them imagining you in the role