After 10 years of navigating the stormy seas of an information security career, yet another major disruption recently motivated me to change employers. I find job searching painful and at times humiliating, but at least this time around I had a lot of company. During the process, it became painfully obvious that many of my fellow IT security job seekers were struggling because they took the wrong approach.
Hiring managers must dread interviewing annoying infosec applicants. Many candidates offer no stability. Some aren't even willing to try to understand what potential employers actually need. They remain blinded by the assumption that the demand for infosec talent outstrips the supply. That may have been true three years ago, but it sure isn't now.
Job seeking is a promotional task that requires long hours of agonizing effort. You need to prospect for a suitable customer (the employer), sell yourself to them (interview), and then close the deal (get an offer). Start by preparing compelling "sales literature."
A good résumé won't guarantee a job, but a bad one is fatal. I've seen some real doozies in our profession. Does every CISSP study guide have an appendix called, "How to shoot yourself in the foot with your résumé?" Unrealistic expectations and inflated egos result in self-indulgent CVs that send the message that the applicant is mostly concerned with his own hobbies.
Most potential employers only have time for a quick scan of the first page of any résumé. Make sure it convinces them you're the best candidate for the job. The market for geek skills is fickle and undependable, but people who can solve security problems are always in demand. Paragraphs in a résumé are boring and hard to read. Instead, summarize your problem-solving achievements in easy-to-read bulleted points. For example, "Implemented AV architecture that reduced rate of PC infection by 900%"; "Created IDS system that increased ability to identify attacks while simultaneously reducing false-positive rate by 300%"; "Instituted organization's first awareness program to be approved by external audit."
Save space and improve readability by summarizing your knowledge of technologies and products in a single list at the end of your résumé, along with your education and any publications or speeches.
I've never found an infosec job directly through ads or headhunters. Networking is king. Especially in this tight market, personal acquaintances such as former coworkers, sales people and other industry contacts are your key to meeting a hiring manager and establishing mutual trust. If you are interested in a firm, use your investigative skills to find and then meet some of their security and IT people. Don't be shy about politely asking for assistance--one day they'll need a job, too.
In today's infosec market, you must be flexible about location, duties, title, company, responsibility and, yes, pay. Don't limit your opportunities by avoiding presales jobs, which offer good pay, variety and camaraderie. Technologists are often concerned that a marketing role is somehow ethically "compromising," but in my experience, the realities of corporate politics can be more ethically challenging than the well-understood role of product promotion.
Not to seem hypocritical after just changing jobs myself, but if you are dissatisfied, you should decide whether the problem is your job, your profession or your attitude. There's no perfect job, so never expect total fulfillment through work. Unrealistic expectations are a Sisyphean trap, dooming one to a life of professional frustration.
Although the pundits continue to predict growth, I know a lot of security people who are unemployed, underemployed or unhappy. This year, some will decide that maybe infosec isn't such a great profession after all. Remember that many infosec jobs are open only because someone became frustrated and left. Some firms completely turn over infosec staff every few years.
Whether you are searching today or not, you will be some time in the future--perhaps unexpectedly. If you want to work in infosec, you must be prepared for change. Build up a people network and use it to share leads, swap résumé suggestions and provide mutual support.
Jay Heiser is a London-based IT security analyst with TruSecure Corp.