This is, indeed, a monster

How to productively use job boards // CISO mind map // Appsec jobs

Hello friends,

I hope that spring is treating you well. Here in Colorado we are in binary season- either 70 degrees and gorgeous or the last lashes of winter like the whip that takes Gandalf out on the bridge in Lord of the Rings.

Spring is a natural time of renewal and assessment. It’s also a natural time for people, having been paid out their prior year bonuses, to give some consideration to what might be next.

This week we are taking a deep dive on cybersecurity job boards. The good, the bad, and the ugly. And how to use them to your advantage if you are in the market.

Would love to hear your personal thoughts and experiences. And if you are planning on being out at RSA later this month, please let me know- I’d love to meet up!

Cheers,

Brad

This is, indeed, a monster

I’d have to consult with Dante, but I’m pretty sure that conducting a job search with a heavy reliance on job boards is at least some inner circle of hell. The fifth is anger, so maybe that one. I think root canals and DMV lines are sixth and seventh.

Almost all of us check out job postings from time to time. Some on a passive basis to stay on top of the market, others a bit more actively while thinking about making a move, and full on if you are in the market. They are less relevant for very senior roles, but a great way to gain visibility on staff and individual contributor roles.

That being said, I see many folks we work with struggling to productively leverage job boards, and frustrated by the travails of an active search, so I wanted to share a few common challenges and observations, as well as some advice.

We are also working on a major project to help address these concerns- but more to come on that in a few weeks.

First, the good.

  • Job boards give you a sense of the market- what qualifications employers are looking for, who is hiring, what pay ranges look like (though often you have to look at a lot of jobs to get a good gauge on trends)

  • You can set up alerts and hop on newly posted jobs (where you have an advantage as an early applicant)

  • Sometimes they do actually lead to a company and candidate linking up

Now, the not so good. I’ll divide this into ‘pre-application’ and ‘post-application’.

Pre-application:

  • It can be a huge pain to narrow down to a relevant set of jobs and stay on top of newly posted ones

    • Most search algorithms are based on job titles, which are all over the place in our industry and frequently don’t accurately describe the work to be done

    • Seniority level frequently isn’t clear, and at best is inconsistent across companies

    • Search results tend to catch many irrelevant jobs (see below for results from an IAM job alert… thanks Indeed)

  • Job descriptions suffer from myriad problems- we did a full teardown of this a few months ago here.

  • There are a ton of jobs from recruiters that earn their money in contingent search and thus anonymize the actual employer. Often the JDs here are little more than 5 bullets on requirements. These just add noise from a job seeker’s perspective (does anyone actually apply for them??)

Post-application:

  • The odds of a job application leading to an actual job at the end are low. That’s just a matter of statistics. Job boards are just one source of candidate flow. There’s proactive outreach, internal candidates, referrals, etc. So out of the gate, there’s only a certain percent chance (probably <30%).

  • The constant rejection can be demoralizing, particularly when you know you are qualified and could do a good job

    • Companies are screening on the wrong things. They are only looking at what is visible from the resume, and in the process, end up cutting out many people that could do a great job. More to come on this topic in future weeks.

  • There’s been an increasing phenomenon of ‘ghost jobs’ that are posted but without a real intention of hiring. See full story here. (I’d be curious to speak with you if this has happened to you)

So, is it still worth it? Here’s what you can do:

  • Don’t over-rely on job boards. Think of it more as an intelligence tool than a means to get a job. Lean into networking, building recruiter relationships, etc. as part of a multi-pronged strategy.

  • Network: How to do this well is its own longform piece. However, I can point to a few good resources:

    • Cold outreach on Linkedin (Josh Fullmer)

    • Getting referred into a job (Josh Fullmer)

    • Lean heavily on local security communities. For example, here in Colorado, there are very active chapters of the Cloud Security Alliance (CSA) and OWASP, as well as local meetups and a group called Colorado = Security which is incredibly vibrant. Figure out what is relevant in your market and get involved (both in person and on Slack/Discord channels)

    • If there are jobs you are particularly excited about, invest to get to know the company, build relationships with folks on the security team, and stand out with your enthusiasm. It goes a long way.

  • Set up your job alerts well. Try putting quotation marks (“”) around specific titles to increase the stringency of the search, and OR together a few title variants, for example:

    • “IAM manager” OR “Identity & access management engineer” OR “IAM architect”

  • Keep a saved folder of interesting/ relevant jobs. With some volume, take a close look at:

    • Responsibilities and skills- fine tune your story on why you are a great fit. Make sure your resume hits the keywords.

    • Comp- is it appropriate for what you are looking for?

    • Remote/ on site- to set your expectations appropriately

  • Spend your time on good job boards.

    • Google Jobs- 4/5. Excellent search and filter capability. Alert relevance can be hit or miss (they tend to stuff a lot in there). The biggest issue is that some of the job boards that feed this service are super shady and frequently don’t reflect actual jobs that are really open.

    • LinkedIn: 4/5. Has a large number of jobs and makes it (a bit) easier to research who the hiring manager and recruiter are. Their alerts are reasonably on point. Search accuracy can be somewhat low.

    • Jooble- 4/5. This is a good service that aggregates jobs from various job boards. Their search accuracy is high, but quality is only as good as the job boards that feed it (builtin seems to be a good one). Alert quality is only OK.

    • Indeed: 3.5/5. Great for the number of jobs, but searches frequently yield many irrelevant jobs, and the ongoing alerts are almost useless.

    • Ninja Jobs- 3.5/5. Good site with better filter capabilities than most, but job postings are pay to play so don’t expect to see a whole universe here. Lots of jobs from cyber tech and services firms if that’s what you are interested in. Check it in conjunction with the big job sites.

    • Monster & Zip Recruiter: 3/5. These rarely have jobs that you won’t find elsewhere and don’t seem to fit security well. OK to skip.

    • Dice- 3/5. Lots of anonymized recruiter jobs and not a ton of depth. But you may see jobs here that you don’t elsewhere.

    • Infosec-jobs- 3/5. Good site with jobs that are easy to filter, but quantity is limited and many of the jobs are international.

    • CyberSN- 2/5. Claims to have 200K security job postings but the vast majority are expired or broken links. Pass.

Here’s an idea- what if there was a job board that was:

  • Only cybersecurity

  • Where all the job descriptions were solid, well written, and consistently formatted

  • Classified according to seniority/ NIST-NICE framework/ security domain

  • Super easy to see and filter on things that matter like remote/ hybrid, comp, and company glassdoor rating

  • Wasn’t pay to play, so you’d have broad visibility

I’d say that sounds like a great idea. Maybe we will have to do something about that 😉

Tools, resources, and useful things from the internet

🧠Rafeeq Rehman’s CISO mind map is an incredible tool to 1) get a handle on the components of a security program that a CISO needs to drive, and 2) gain empathy for the complexity of these jobs and the humans in them

🦹Highly recommend this new newsletter from the perspective of an offensive security professional. Jason Haddix does an awesome job of summarizing key news, tools, and trends on the technical side of blue and red teaming (Executive Offense)

📝Studying for your Security+ exam? Here’s a course with 10 hours of free training content (Inside cloud and security)

💼Going to RSA? Here’s the full agenda of keynotes and trainings (there are some good ones). Not going to RSA? These should be available on demand for free after. 2022 keynotes are available here, here, and here.

👱‍♀️Women in cybersecurity just released a study on the barriers that hold greater female participation and progression back in our industry (WiCYS)

News

📈Gartner has released their 2023 security trends. The most interesting one, IMHO, is a prediction of increasing internal hiring and training for security teams (Gartner).

🦹Microsoft and Citizen Lab have outed an Israeli offensive security business that seems, on the face of it, similar to NSO Group. Their customers include Saudi Arabia. (Microsoft)

Australia is considering a ban on ransomware payments after a large event that included the exfiltration of 8M ID numbers. As many of you know, I’ve been advocating for this, in conjunction with a public insurance scheme, as a universal policy and hope to see it happen (Coin Telegraph)

🔍The US government has made significant progress in being able to trace bitcoin wallets to specific individuals- reducing the anonymity for criminals (WSJ)

🐤Twitter has decided to make its algorithm open source, but many are critical of other moves that it’s taken which reduce transparency (Twitter, Wired)

Friends don’t let friends use WordPress. The notoriously security-weak platform has seen 1M sites infected with a single piece of malware over the past six years (SC Magazine).

🔦A nice rundown of lessons learned from the LastPass breach (Dark reading)

🌍Google is taking some positive steps in partnership with industry to strengthen the vulnerability management ecosystem (Hacker News)

Jobs to check out

This week we are featuring Appsec jobs

💼JLL. Senior Application Security Engineer (Hybrid, Chicago, Baltimore, Topeka, Lansing, Austin)

💼AIG. AVP, IT Application Security Engineer (Houston, Charlotte, Reston)

💼Caesars Entertainment. Senior Cloud Application Security Engineer (Remote)

💼Royal Caribbean Group. Manager, Application Security (Miami)

💼Rockstar Games. Application Security Engineer (New York, NY)

💼Citi. Senior Application Security Officer (Tampa, FL)

💼Sanofi. Cybersecurity DevSecOps Expert (Bridgewater, NJ or Cambridge, MA)

Events

💼SANS Pen Test Austin. April 17-22

💼BSides New York. April 22.

💼RSA. San Francisco, CA. April 24-27.

💼BSides New Orleans. May 3.

💼SANS Security Leadership New Orleans. May 8-13

💼SANS West. San Diego. May 15-20.

Stat of the week

119

Number of people arrested globally in the Genesis market takedown

Crux is building the talent platform for cybersecurity. Check us out.

Thinking about your next move? Join our network.

Want help with your hiring needs? Reply to this email to drop me a line