If you are just joining us, the series starts here.

If you follow LinkedIn alerts, you'll see a clean pattern where the musical chairs, that is InfoSec, pick up and move to the left. The first starts the week after RSAC in SF, the other is after Black Hat.

This isn't because recruiting happens, even though it does.

It is because people go work for great companies, and leave bad people, circumstances, or have found an opportunity to grow somewhere else (for more coin!)

Keep your head on straight

No one (in their right mind) likes talking (in public) about a job hunt while they're employed. Obviously it's an uncomfortable subject, and if word gets out you're looking, your day job becomes a little less safe. Like it or not, networking leads to new gigs and a brighter future-- just be aware of how many people know that you're looking or listening.

Keys to success in this venture, in my humble opinion, are found in perspective and transparency. Everyone, if honest, can see the gaps between what they dream of, their ideal, and what they have to offer.

Searching for where to start? Understand where you are today.

Carefully shape what you'd like to be doing in 3-5 years. Keep in mind that growth is part of every job you take, so you won't be 100% qualified, or know how to do everything in your next role JUST YET. Successful candidates grow, and we expect it.

Many of you are actively looking, this post breaks down some of the discussions I keep having with folks.

“I'm not qualified, I've never done that before”

Almost everyone says this at some point, and for good reason, rooted in their humility, impostor syndrome, or Dunning Kruger-type things, and almost everyone worth their salt probably wrestles with these tendencies.

I'm going to say it again: Change your perspective.

You are not applying for a job where you need to do clearly defined work, like mowing a lawn, running a cash register, manning a post for a specified time—all of which fits nicely onto a timesheet. The work we do in this industry is very fluid, even if job definitions seem pretty straight forward.

Remember: People are hired for aptitude.

Jobs are chosen for growth potential.

If you can already execute the duties in a job description, managers aren't worrying about hiring you—we worry you'll be a pain in the rear as you get bored.

You're qualified because you have the potential, the question you need to have is the gap: Is this something you can get up to speed fast enough to be a help to the team? That is the question you need to answer when you look at things on the job description.

So let's look harder at that:

Reading the Job Description (JD)

The JD is not a tool to determine if you are qualified. Read it while asking yourself: “Is this what I want to be doing for the next three years?” and “Is there room to grow into this job?”

For those of you who haven't directly managed humans, hiring and firing is a thing, and it is very different than managing systems. Rebooting (err, mis-hiring) hurts people, changing their lives in a painful way. Scaling systems is straightforward, even if tedious—cloud technology has helped dial us in, and configs are pretty structured—but there ‘s no Chef or Puppet config for adding humans to your team, so we use job descriptions.

Unlike system and application profiles, we can only attempt to describe the skill sets, attitudes, preferences, and special gifts or traits of what we think a successful candidate might embody.

Read that paragraph again. The JD is effectively guesswork.

There are bullets that aren't negotiable, and there are bullets that are flexible. You won't know which is which, so tread lightly and read thoughtfully.

As a hiring manager, I can't tell you how many times we finished interviewing some people, only to realize there was absolutely NO WAY these people were work out. Moment of clarity, it wasn't them, it was us—and the JD needed a re-write.

When you read the job description, try to read between the lines and be quick to ask questions while you have someone F2F at Black Hat.

  • What does the day-to-day workload look like?
  • What does the new hire need to ALREADY know how to do?
  • What can they learn on the job and grow in to?

(Another side-note: Even if you know how to do something, you can almost bet a prospective future employer does it differently, so there is always learning, growth, and adaptation required…)

You have a great resource available to you at events like RSA and Black Hat -- corporate recruiters and potential future teammates. So while at Black Hat, don't avoid the recruiters—talk to them and find out who is hiring for what roles. Once you do, then talk to the folks on that team. I know a number of hiring managers coming to Black Hat with headcount they are looking to fill—immediately. Seek them out. I promise that you'll learn farmore over coffee or a meal about the team and company than you will in 10 hours scouring their website.

Reading your resume

Let me state this again, determining if you are qualified is not your job. The hiring manager makes that determination.

You really want companies to find the right folks, and sometimes, you really are the right person with all the right attributes. Let's break that down.

If the JD is a recipe, and resumes offer a list of available ingredients. Hiring managers know their culture, organization, and the specific needs of the team.

A great manager isn't cooking food, they're crafting cuisine. Building a team is tedious, takes considerable investment, and is a lot harder than it looks. Blind applications represents a numbers game, and the challenge you'll face is having zero access to the hiring manager until you've made it past the recruiting/HR filters as they judge you on your resume alone… unless you are meeting them face-to-face at Black Hat or other live industry events.

What hiring managers look for in you

If you haven't walked a mile in these shoes, think about anyone you've ever interviewed. Meeting face to face at Black Hat allows you to skip an initial resume screen and answer meaningful questions.

Questions being asked on both sides of the table might be:

  • Can we work together?
  • Laugh and pull pranks together?
  • Are you an eight-to-fiver, or are you in-it-to-win-it?
  • Would I look forward to lunch with this person several days a week?
  • Are you my particular brand of crazy?
  • Can we collaborate?

If things are going well, this evolves from the personal chemistry into a situation where you want to know they can actually do the job.

  • Can you hold a job?
  • Are you a leader or follower?
  • Are you self-directed, or need continual guidance?
  • Will your experience and expertise complement my team?

What you (the seeker) are looking for

You also need to ask, in earnest, if this is a company you want to work for. What is the reputation of the company, who works there, what are they doing, is the future of the company viable (read: will the company survive)?

Some folks prefer smaller companies they can bleed into, where they can stretch their wings and earn sweat equity. There are more unknowns and higher risk, but there may be a possible equity payback. Risk can bring rewards, and many thrive on the instability and flexibility found in these smaller companies.

Other folks aren't in a place to take on the culture or the risk of a smaller company for whatever reason, and they find comfort in larger, safer and more established companies. Yes, there might be more bureaucracy and a slower pace, but some people that thrive in this environment  and need the trimmings that come with stability, like benefits, healthcare, and retirement considerations.

How would you describe the company's philosophy?

You want to know what their ethics and belief system is—if they have one, and hopefully they do!—and what it means to them. Core values are important. If it's just a marketing exercise, find out. Companies I love strive to honor their mission, check out Nike, Delta Airlines, and Zynga core values as examples.

My hopes for you

First and foremost, be grateful for the work we do: There are other industries hurting right now, and we have no shortage of jobs. For those of you employed and considering a jump, remember that you came here for a reason-- a big part of my income is that sense of purpose.

Second, be graceful as you move about the industry. Laugh as you might, and as excited as you may be to leave, don't forget you may wind up working with many of your current team in a few years… so don't burn bridges or bad-mouth people. People make mistakes, people change. Hopefully we all progress and grow from lessons learned.

Third, try not to focus on the money. What we do is lucrative, no doubt, but Lennon and McCartney put it best: “You can't buy me love.” Join a team you enjoy, with people you love, at a company you believe in. You'll have Mondays and happy-hour filled Fridays, and the occasional no-sleep work weeks. Warts and all, this is your chosen profession. At the end of the day, you need to believe in what you're doing.

Finally, if at all possible, try to negotiate a bullet into your job description focused on community work. Maybe that's focused on an OWASP project, leading a local ISSA chapter, mentoring locally, or organizing a BSides event. Make it something you are incentivized to do and your company supports in writing.

We're building this industry together—do your part.

As always, your thoughts and comments are most welcome here on the blog, or out in the Twitterverse.


Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.