Showcasing skills

How to get noticed // How to spot deepfakes // Vendor proliferation in cyber

Hello friends,

Before we get to content this week, I wanted to share a couple bits of exciting news:

1) We are launching a cybersecurity market study. If you work in security and are willing to share your compensation information (it is completely anonymous), you will receive a link to subscribe to our quarterly market reports, which will be specific to each cybersecurity job family (e.g. pen testing, IAM). These market reports will feature insights like:

  • Compensation benchmarks for salary, bonus, and equity

  • Calibrations for experience, skills, and certifications

  • Employers that are paying high relative to market rates, and offering remote work

  • Insights on in-demand skills that employers are hiring for

  • Employee sentiment and retention trends

2) A bit of news about our business. Here at Crux, we have momentum. From a team of just one (me) a couple months ago, as of this week we are now a mighty team of four. And we are just getting started! Thanks to all of you who have been supporting and advising us on this journey.

In this week’s newsletter, we are going to be discussing the importance of skills, and more specifically how to highlight and show off the ones you already have if you are in the job market. Automation and assessment are changing the job search game, particularly in cybersecurity, so this is becoming increasingly important.

As always, please hit me up and let me know your thoughts on the topic. I’d also tremendously appreciate it if you could share this post on LinkedIn and tag friends that you think would enjoy the newsletter.

We will be off next week and back the week of the 30th.

Cheers,

Brad

Showcasing skills

If you approach a Ford F150 and an F150 Lightning, you won’t notice that much of a difference. The styling is basically the same, with subtle differences in the grille, rims, and headlights. If you pop open the hood, however, that’s when you realize you have two very different automobiles. One has a traditional, heaving, loud and powerful internal combustion engine. The other simply has a ‘frunk’, a storage space under the hood. The magic happens underneath the truck, where the battery and motors are housed.

The job market is undergoing a transition not too dissimilar from the car market. Only it’s much less discussed and analyzed.

The trappings, in many ways, are the same. Employers post jobs; candidates apply with resumes that highlight their skills and accomplishments; then come interviews; decisions; offers; negotiations. Or, maybe a recruiter will reach out, pitch a job to a passive candidate, and they bite. Then the process goes from there.

However, there are a few advances in technology that are changing the game, and they have significant implications for both people thinking about moving to a new job and hiring managers who are looking to build their teams.

The first part of the equation that has changed is getting noticed… being in a position to get on the radar screen at all. Think of this as search engine optimization for YOU.

Today, Applicant Tracking Systems (ATS) do much of the dirty work in the recruiting process. These systems are databases (particular to each company or recruiting firm) that track job postings, candidates, conversations, outreach, etc. They are essentially CRM systems for recruiting. These tools automatically parse resumes and/or LinkedIn profiles and sort (and sometimes even score) for fit with a given job.

This means that, in almost all situations now, a machine is reading your resume before a human is. The ML is doing the first screen, and making the recommendations.

Couple this with the massive online people database that is LinkedIn (and the downstream databases that scrape LinkedIn and other sites, then correlate the data points to contact information), and you have a recipe for a market that has a lot more volume, and a lot more reliance on ML to make decisions.

Implication: You need to set up your digital presence to put yourself in the best position to get noticed, particularly if you are earlier in your cybersecurity career.

Here is a succinct list of best practices for registering well in these databases:

  • If you have a particular job type you are going after, analyze common job descriptions and make sure your resume includes the most commonly found skill requirements (assuming they are true, of course, and that your resume can still be easily read and interpreted by a human)

  • Fill out the skills portion of your LinkedIn profile. Invite former colleagues to endorse you for those critical skills

  • Include the link to your LinkedIn profile in your header

  • Use common section labels and flow in your resume (e.g. header with contact info, objective, work experience, education, skills, interests)

  • Don’t use exotic formatting (including columns and graphics) or uncommon fonts in your resume. Do use bullets and be succinct.

  • Avoid low value buzzwords that are devoid of punch (‘market leading,’ ‘highly impactful,’ ‘team player,’ ‘results oriented’)

  • Include both spelled out words and acronyms (e.g. Identity and access management (IAM))

  • Do include soft skills as well as hard/technical skills

  • Use an online resume parser to make sure your document is being read correctly. Good ones are available here and here

Once you are on the radar, understand that, increasingly, companies are operating in a ‘trust but verify’ mode. I spoke with one CISO of a large financial institution last week and he was sharing with me that one of his most common frustrations is how to reliably understand what people really know vs. what they embellish. The person interviewing you is likely thinking things like:

  • Did you really drive the project or were you just part of the team?

  • Just because you have the certification does that really mean you know how to apply the knowledge?

When I was a CMO in a prior life, a common refrain of mine was ‘show, don’t tell.’ People want proof. And understand that people in cyber tend to naturally be more skeptical than the general public (it’s a positive character trait in this industry!). So here is our advice for bringing your skills to life, beyond having completed certifications:

  • Tackle projects that you can use as proof of capability. Some examples:

    • List of a tool and activity to pen test at each layer

    • Set of ethical hacking labs

    • Example labs

    • Provide redacted illustrative examples of prior work that you’ve directly executed (don’t break your employer’s confidentiality agreement!)

  • Hop on online education platforms, take assessments, and share results

  • Join capture-the-flag events and platforms that have open competitions, and share your results (best for offensive security roles)

  • Provide proactive references that will attest to your accomplishments and skills

  • Demonstrate your proficiency by teaching or mentoring

If you have any other thoughts or ideas, as always, please send them my way!

Tools, resources, and useful things from the internet

🔭CISA has published its 2022 year in review. It provides a nice overview of their key activities, priorities, and accomplishments last year (CISA)

🥸Excellent podcast on advances in deepfake detection technology (The Economist)

💾Great analysis unpacking why there are so many cybersecurity technology vendors (Venture in security, Ross Haleliuk)

🪲Nozomi has published a good overview of attacks and trends in the OT/IoT arena in the back half of 2022 (Nozomi Networks)

🧑‍💼WEF has published a comprehensive report on the global cybersecurity outlook for 2023, in conjunction with Davos (WEF)

🗺️CISA has released updated best practices for MITRE ATT&CK mapping (CISA)

🗺️Good set of articles and resources if you’ve been laid off recently (WSJ)

News

🔭Overview of security priorities for 2023 from 31 influential CISOs (Venture Beat)

🪦Another password manager breached (this time LifeLock), due to credential stuffing on accounts that didn’t have MFA enabled. (TechCrunch)

✈️The FAA outage last week was the result of a contractor who accidentally deleted a file (WSJ)

⚛️Good overview of the implications of quantum computing for encryption and cybersecurity (Phys.org)

💥T-Mobile is on the wrong kind of roll: its second massive security breach in as many years, this one impacting 37M customers (WSJ)

💵Overview of what’s happening with cybersecurity budgets. The general consensus seems to be a focus on tool efficiency, with budgets flat overall (WSJ)

📷Amnesty International reports that there are 15K cameras using facial recognition in NYC (Amnesty International)

🔐Good basic overview on passkeys and how they will replace passwords (NYT)

🪓The axes are out at Microsoft and Alphabet (Computing, NYT)

Jobs to check out

This week we are featuring cloud security roles with an emphasis on GCP.

💼Millennium. Cloud Security Engineer (Miami, FL)

💼Nintendo. Cloud Security Engineer (Redmond, WA)

💼MSCI, Inc. Cloud Security Engineer (New York, NY, hybrid)

💼C&S Wholesale Grocers. Senior Engineer, Cloud Security (Remote)

💼Wells Fargo. Lead Systems Architect - Information Security (Minneapolis, MN)

💼Advantis Global. Cloud Security Engineer (Cupertino, CA)

Events

💼Cactuscon. Jan 27-28. Mesa, AZ

💼Cyber Risk Alliance Cybersecurity Summit. Jan 27. Tampa

💻SANS Cyber Threat Intelligence Solutions Summit. Jan 31. Virtual

💼SANS East. Feb 13-18. Virtual

💼RSA 2023. April 24-27. San Francisco, CA

Stat of the week

86%

Percentage of business leaders who believe that geopolitical instability will lead to a catastrophic cyber event in the next two years (World Economic Forum)
