January 2023 Job Search Retrospective

I wanted to share some notes on how my job search went this year. I was looking for a security engineering role here in Stuttgart, Germany, or remotely, ideally for a company with an established security team or culture, where I could learn from established processes and mentors.

Tools I used:

Applying for jobs

On LinkedIn

Finding jobs to apply to was not as easy as I had expected. LinkedIn Job's search query is pretty bad. Searching for “security engineer” returned many unrelated roles. By the end of my 2nd week of applying, my search input was “security engineer -fullstack -backend -cloud -junior -software -informationssicherheit”. That last word may be surprising since it means Information Security in German.

I don't speak German well, and that closed 75% of job postings for my local area. This and the fact that I don't have a degree in a technical domain are probably the reason I got rejection emails in less than 24 hours from a certain number of consulting companies.

The jobs I could apply for were mostly with start-ups that were remote-friendly, were looking to start a security program and were looking for their first hire. That was not really what I was looking for, but I could not afford to be picky.

I applied to every job where I matched 50% of the requirements laid out in the job description. This is a tip I got from the Women in CyberSecurity (WiCyS) mentorship program. Research has shown that women tend to apply for jobs only when they match 80% to 100% of the criteria, but men tend to apply a lot more freely, where they match ~50% or more. So I decided to be bold and that paid off.

Cover Letters and Resume

For cover letters, I usually copied the job description into a new word doc and used the wording of the job description to describe the work I have done and how my experiences fit with the job opening. I did not do this for all the jobs I applied to, but it was very helpful. There is nothing more daunting than starting with a blank page.

I met someone recently who attended CactusCon this January. One of the talks there was about using this technique too, but for creating job-specific resumes rather than cover letters. That seems like a lot of work, but I'm sure that's a good way to write a solid resume. Here is the resume I used for all my job applications.


The Interview Process

For the companies that did find my resume interesting and started the interview process with me, none rejected me throughout the different rounds. The type of interviews I had were a little different everywhere. Some companies had technical rounds, with sample penetration testing exercises, but most were simply chats through my experience and discussion scenarios, strategies and tools. Nothing too challenging. The key for me was to remember that:

– How I do on this interview does not define me.
– Whether the people I talk to like me or not is not a reflection of who I am as a person.
– It's okay if I am not a match for what they are looking for. It's okay if they are not a match for what I'm looking for.
– Be honest and transparent. Be open about what I don't know.
– If I fail this interview, I will learn something and be better prepared for the next one.

I usually took a few minutes before the interviews to scribble some version of that at the very top of my notepad, to let it sink in and be a reminder during the interview. This helped me go into all interviews quite relaxed.

Negotiations and accepting an offer

I wrapped up the first two interview processes within 3 weeks of first applying. Both were with large, stable companies, with established security teams, and the jobs were fully remote. Both also happen to have women team leads. They were exactly what I was looking for, so I started turning down some of the other companies (all start-ups with no security team) I was in process with. I sent everyone polite messages letting them know I was moving forward with another company, and added the hiring managers on LinkedIn to build my network and keep in touch.

Every single company I talked to either asked about salary expectations when submitting a resume or in the very first interview with the recruiter. I am glad that was handled early so that there were no surprises when the offers did come through.

I used offer A to negotiate offer B. A had a higher total comp. Company B matched it. Then I went to company A, told them I had another offer with a higher monthly gross salary. So they (almost) matched it. In the end, the offer I accepted was almost 15% higher than where it started.

Negotiating was very uncomfortable but it was worth it.

A few other notes

Networking

In December, I attended BlackHat Europe in London, with the main goal of networking in preparation for my job search. I made some connections, but none that led to opportunities this time around. I also attended OWASP's Global AppSec Conference in Dublin in mid-February. I met a lot more interesting people there, but by that time, I had already accepted a job offer, so I got to fully enjoy the conference. None of these trips were wasted efforts, since I get to build and strengthen those connections now. I hope to meet some of the same people at future conferences, and to be able to help them find their next job too.

On job searching in Stuttgart

I have a friend here in Stuttgart who also works in the cyber security industry. He has about 2 years of experience in cyber but in a non-technical area. He is also German and has a master's degree in physics. He told us he got a job offer after a single one-hour phone interview with a major consulting firm. Like I mentioned earlier, I was turned down very fast by similar companies, despite having more experience than him, but I attribute that to the language and degree requirements a lot of those companies have here. This is Europe and this part of Germany can be considered especially conservative and slow to change.

All that to say the job market is very hot.