Finding your next role – part 2

SEC sues Solarwinds // Executive order on AI // IR jobs

Hello friends,

I hope you all had a wonderful Halloween and are having a good start to your November. The holidays are right around the corner! It’s my favorite part of the year.

In our last issue, we took a deep look at the beginning stages of a job search: evaluating yourself and what you are looking for, building a strategy for what to target, and applying a multi-pronged approach to sourcing job opportunities.

This is a nice complement to our job board, where you can directly scout out interesting opportunities.

Today, we’ll pick up downstream and provide practical advice on networking, interviewing, and handling negotiation.

Let me know if you have any additional thoughts you’d add!

Enjoy,

Brad

Finding your next role – part 2

Alright, so you’ve committed yourself to a job search. You may be currently employed; you may have left your job already. But you’ve decided to make a change and put in the work. 

An intentional job search is a ton of work. And it isn’t easy. But, done right, it dramatically increases the chance that you will find a job that you are genuinely happy in. It’s worth the time. 

The last piece in this series covered practical advice on the early stages: getting set up, building a strategy, and starting to generate opportunities. We’ll pick up there with a deeper dive on negotiation and on navigating company processes from interview to offer.

1) Networking

Everyone says that networking is critical. Well, guess what: they are right. In security, the odds that you will find your next role through your network (vs. dropping an application on a job board or getting an inbound from a recruiter) are quite high. It’s probably most critical early in your security career (when job supply is low) and later in your career, as you become more senior.

Particularly in the current market, with over-stretched recruiting teams and overwhelming amounts of job applicants, networking becomes more critical than ever.

To some degree, this is a numbers game. The odds of any given connection coming through at the time you are in the market are low. So you have to generate connection points and make your own luck.

Networking these days comes in both in-person and digital forms. I’d recommend you invest in both.

Universally, the best mindset to have is to give first and look to build relationships, not accumulate transactional interactions. Find a way to be of value to the people you are connecting with. Be genuinely interested in them, and they will be interested in you. Don’t be shy to ask for help, but make those asks easy for them, and only ask after you’ve built a good rapport.

Since the number of potential people you can reach out to and connect with is huge, it pays to have a strategy.

You should already have a target company list. That’s a great starting point. Your goal is to build connections with people within the company who 1) can refer you in to open roles, and 2) can provide you with insights on what it’s like to work there and how to best position yourself to land a role.

Additionally, networking may open up opportunities that you hadn’t thought about or even knew existed.

The easiest way to start is by activating your existing network. Build a list of old colleagues, friends, and mentors and ask them for a catch-up call (or coffee). For those calls, make sure you have your elevator pitch on what you are looking for (type of job, type of company). Identify a few topics on which each person can give you advice. Write down any follow-up actions, and don’t be afraid to follow up with people after ~5 business days if they haven’t made the downstream intros they promised.

Going on a walk or a hike is also a great way to reconnect with people and allows for fantastic conversation.

Secondly, dive into LinkedIn. 1) Look for who you know at your target companies. Even people outside security can connect you with someone inside, and they can answer questions about the team and program. They can also refer you into roles. 2) Identify people inside the target companies whom you’d want to speak with. They could be hiring managers (don’t target the CISO in most instances, unless it’s a small company), recruiters, or potential future peers. Keep in mind that recruiters and senior people get a ton of inbound over email and LinkedIn. Look for mutual first-degree connections who may be able to introduce you.

Some things to try with your LinkedIn outreach:

  • For people who normally get a lot of inbound, you’ll have a better hit rate if you can get someone to connect you. If they are active on LinkedIn, engage with their content regularly. Comment, add to the conversation, re-post. That generates goodwill.

  • When you do reach out, seek input, counsel, and advice. Try to find ways to be helpful to them. Don’t approach it transactionally.

  • Be concise in your outreach and express authentic interest in them and their company.

  • Try to find mutual points of experience or connection (common friends, locations, experiences, etc).

  • Potential topics for discovery: company culture, common entry points, what they look for in new hires, what’s great / what’s challenging.

  • Be generous with your appreciation for their time.

Build and maintain a network of relationships (this should be always-on, not just when you are looking for a new job):

  • Join local security communities and meetups

  • Volunteer for local security community chapters (e.g. Cloud Security Alliance or OWASP)

  • Help organize network and chapter events.

As we noted in the prior post, there’s also a large investment option (which can also yield large rewards), and that’s building your personal brand. Lemlist has a great guide for how to do this, available here.

2) Interviewing

Alright, so you’ve gotten invited to the dance. Hopefully you are able to line up parallel processes with at least a few companies, which increases the odds that you will have a real decision to make at the end of the road (see negotiation, below).

It pays to do your homework here.

You should understand what the process is going to look like (try to get this from the recruiter): who will be interviewing, what the interviews will be like, and what criteria they will use to make a decision. Don’t be afraid to ask detailed questions; often this information won’t be offered up.

Research the company you are speaking with:

  • How do they make money?

  • How fast are they growing? If they are private, look at headcount growth on LinkedIn as a proxy for their growth rate.

  • What are the company’s strategic priorities?

  • What regulations are likely to apply to them?

  • What can you tell about how mature their security program is?

  • Browse people in the security department on LinkedIn; see what you can tell about how the org is structured and where there is investment.

  • Check out other job descriptions that they are hiring for.

  • If the company is public, read through their latest management presentations covering trends and performance.

  • Read up on recent news articles.

Formulate your questions in advance. Home in on the ones that are most important for your own diligence, and the ones that will impress your interviewers.

  • Demonstrate that you have a somewhat nuanced understanding of the business.

  • Don’t ask broad, open-ended questions; take it down one level (for example, instead of ‘Tell me about the culture,’ you could ask ‘How is the relationship between the security team and the dev team?’ or ‘What are a couple of things you would change about the culture if you could?’).

  • Dig in to make sure you really understand the job they need done, and develop your own perspective on how well it aligns with your skillset.

Prep on the topics you will be discussing in your interviews:

  • Research your interviewers. Look at their prior experiences and think about the questions they will ask of you.

  • Understand whether there are technical components and what those are going to look like.

  • Find ways to show, not tell: show evidence of projects with a portfolio, and tell stories with concrete examples.

As you interview, keep in mind the things that nearly every employer is looking for:

1) How you communicate

  • Confidence, eye contact

  • Concise but not terse

  • Ability to stay on topic without wandering too far

  • Ability to provide examples and back up arguments

2) Clarity of thinking

  • Clear, logical structure to your explanations

  • Analytical orientation

  • Ability to keep asking questions to go deeper

3) What you care about, what makes you tick

  • They will test this against their own values and those of the company.

4) How interested in the job/ company you actually are

5) Your eagerness and ability to learn

  • Demonstrate genuine curiosity.

  • Show examples of how you go deeper / above and beyond.

  • Provide evidence of a continuous learning orientation (classes, certs, projects, etc.).

6) Your hustle and how hard you will work

  • Show this, don’t assert it.

If you don’t move forward, seek genuine feedback from the people who interviewed you. Many won’t provide it, but you should still make sure you are self-aware about how you show up.

3) Offer & negotiation

Many companies have sloppy hiring processes. Don’t be surprised if it isn’t always clear what the steps are, or if you have to loop back a few times with people who have already spoken to you. Don’t be shocked if the recruiter doesn’t know how to prep you for specific interviews because they aren’t sure how that interviewer actually works. Unfortunately, this is the norm (though, most decidedly NOT how it goes when you work with Crux 😊).

As you navigate the process, be persistent but not annoying. Being ghosted is a fact of life, but that doesn’t mean that it is OK. As a rule of thumb, follow up a few times. If you still aren’t hearing anything, assume they have moved on.

Once you do get to the offer point, you should know what to expect. Hopefully the company has been transparent through the process on compensation package, and it’s generally aligned with what you’d find acceptable.

You should negotiate. For many people this is uncomfortable, but employers expect it. It’s worth pushing through the discomfort. And you never have as much leverage to increase your compensation once you are inside a company as you do when you join it. Know what you are worth. Triangulate between past comp, what you see on public postings, and comp benchmarks (a few resources below).

The best thing you can do is to have a couple of offers in hand at the same time. Try to manage the processes so they land at roughly the same time. Companies want people that others want. You have to play the negotiation right, but generally speaking, if you ask for a certain number, they are going to want you to show a rationale or evidence, and having another offer at that level is the strongest form of evidence you can provide.

In terms of your asks, understand the levers that the company has. Often base salary flexibility is more constrained than bonus or equity (if you are in a role that qualifies for equity… many don’t). Play with the various levers and consider building a tradeoff calculator in Excel. Questions to ask as you evaluate the expected value of bonus and equity:

Bonuses:

  • What is the curve around target? How much upside is there? How much downside? Is there a payoff cliff? How is the business performing?

  • How often are bonuses paid? What are the requirements for working at the company to be paid a bonus?

  • How is the bonus split between the individual performance component and the company performance component?

  • How has the company done in hitting the company performance component? What is the track record of over- and under-performance?

  • How is individual performance evaluated? What are the common performance distributions?

Equity:

  • Stock options and RSUs are very different. Educate yourself on the mechanics (resources below). RSUs are real money (ownership) that you receive as soon as they vest. Options are the right to buy shares later at the price set when they are granted. Remember, if you have vested options and you leave a company, you will have to write the company a check to become an owner!

With options, here’s what you need to understand:

  • If the company is privately held, when is there likely to be a liquidity event?

  • When was the latest valuation that the options are based on?

  • What has the history been in terms of value creation?

  • What are the company’s growth forecasts? Owner expectations?

  • Does the company have an ongoing equity program or should you expect the initial grant to be all that you will receive?

Companies are often most constrained on base salary ranges, so negotiating based on bonus and equity may be a way to find a ‘win / win.’

Remember that once a company decides they want you, you have the leverage (to a point). Also remember that the hiring manager and recruiter are both acting as the company’s procurement department: they want to bring you on at the lowest cost possible. Negotiate with confidence and kindness. Empathy and evidence. And you’ll maximize what is possible.

4) Mindset

Finding a job sucks. That’s just the reality. It’s hard to dive in and be in the game. There are a lot of dead ends, and a TON of rejection. The more resilient you are, the better off you will be.

This is as much about mindset as it is about skill.

Take the opportunity to know yourself. What you are exceptionally good at. What you aren’t so good at. What you love doing. The type of people you want to be around. The type of work you want to do.

Set your expectations realistically up front. It’s probably best to be conservative in those expectations, as a positive surprise tends to be better than a negative one. It’s going to be a full-time job for a while. The search takes longest at both ends of the spectrum: the more senior you are, and the more junior you are, the longer it will take. Six months is not unreasonable in the current market. Try to get your finances in order and manage your cash burn.

There will be rejection, and a lot of it. Most of the time you won’t understand why, but you should still try to find out. And seek to learn wherever you can.

Remember that the automated rejections aren’t really about you. Don’t take them personally. They are often more about poorly worded job descriptions and sloppy screening.

Despite this, don’t sell yourself short. Only take something you aren’t really excited about if that’s what you need to do to pay the bills (we get it).

Find outlets to build your resilience and sustain your mental health. Maybe try meditating. Get outdoors. Be active. Be engaged with your friends. Pursue activities that fill you up.

Apply yourself with passion, energy, and fortitude. Bring your best you to all your interactions. Give without the expectation of getting something in return. Not only will you find the right job, it might just find you.

Tools, resources, and useful things from the internet

🧑💻ISC2 has released their annual cybersecurity workforce report. It’s the authoritative analysis of the cybersecurity talent base globally. I’ll be publishing a synthesis soon.

🛠️Harvard has released a free introduction to cybersecurity course: ~4 hours/week over 5 weeks. It’s designed to cover both technical and non-technical audiences.

🤖Is there a hotter topic in security than generative AI and the security implications of tools like ChatGPT? Sandesh Anand and Ashwath Kumar have written a deep dive series on their Substack with practical guidance for enterprises on how to secure against risks with ChatGPT.

News

☀️The big news last week was the suit filed by the SEC against SolarWinds and their CISO (Tim Brown). LinkedIn and Twitter are abuzz, with most security people upset that the security department is being scapegoated for a failure in business decision-making. It’s hard to know outside-in how much the leadership team and board truly knew about the vulnerabilities and whether they chose to accept the risk. (Fortune)

🤖The Biden administration issued a 100-page executive order on AI. It’s incredibly ambitious in scope. I’ll be publishing a teardown on this in a future issue of The Human Element.

🦹A slew of federal agencies have teamed up with MS-ISAC to issue updated guidance on ransomware prevention techniques. You can find the guide here. (CISA)

🎣In the theme of good cyber hygiene advice from the government, the same set of agencies has released a report with guidance on how to avoid phishing attacks (which, fwiw, is the top entry point for ransomware).

💸MGM’s board is speaking out about their decision not to pay the ransom. Plaudits to them for taking the harder road. (Casino.org)

📈Does it feel like ransomware attacks are up after a (comparatively) subdued 2022? That’s because they are. GuidePoint just released a report with the startling stat that they are up 83% YOY. (CISA)

🫸California passed a law mandating that individuals be able to delete their personal data across data brokers with a single request. (LA Times)

Jobs

This week we are featuring incident response roles. You will find these and many more at the new Crux job board.

💼Paramount Pictures. Senior Director, Incident Response (Remote). $210-220K

💼TikTok. Privacy Incident Response Program Manager. San Rafael, CA. $200-300K

💼Gilead Sciences. IT Security Lead, Incident Response & Investigations. Raleigh, NC. $139-180K

💼Amazon. Security Engineer, Security Incident Response Team (SIRT). Seattle, WA. $136-213K

💼USG. Cybersecurity Incident Response Engineer (Remote).

💼Milliman. Incident Response Analyst (Remote). $64-125K

💼Coalition. Senior Incident Response Analyst (Remote). $115-185K

💼Lucid Motors. Incident Response Engineer - Automotive Security. Newark, CA. $108-149K

Events

One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out! 

A few of the exciting ones in store over the next month:

BSides Chicago. Nov 11.

CISO 360 Americas. Los Angeles, CA. Nov 15.

SANS HackFest. Hollywood, CA. Nov 16-17.

Gartner IAM. Grapevine, TX. Dec 9-11.

Thinking about your next move? Join our network.

Looking for support with your hiring needs? Book a consultation.

Crux is the talent platform for cybersecurity. Check us out.