CYBERSECURITY JOB HUNTING GUIDE
Dealing with poorly written job ads
Author: Stefan Waldvogel
Many job descriptions in Cybersecurity are poorly written, and it is helpful to know how to deal with them and how to use them to your advantage.
This article is about job hunting for a Security Engineer position. For this position, it is an employee's market. Few unemployed people have the skills, and companies have difficulty finding talent. If you apply for 5 roles, you get 3 offers, and you pick the best.
Most companies are not prepared for this situation because applicants can more or less dictate the rules, and the ability to write well-written job descriptions decides how many applicants apply for a job.
Companies might consider 100% remote for a Security Engineer role but do not mention it... Many applicants sort these companies out because we have too many options. Companies do not mention benefits or a salary range... we sort them out because we have to cut down the numbers. If something positive is not mentioned in the job ad, it does not count.
As an applicant, you have to find the hidden gems, and that is challenging. At least in the US, HR is very slow in finding new ways to attract talent, and many job descriptions do not look attractive. Here, I will take a poorly written job ad and see what we can do about it.
I am looking for a Security Engineer position, and you could see something like this (3 pages):
This list of duties is massive. As an applicant, you apply blindly for a job because nobody on earth does such a job. It is a long list to make HR happy, and it is a reason why companies have such a hard time finding qualified people.
Find the keywords
Keywords might give you an idea about what your job is. Here, this list is just too massive and too broad, but it looks like it is a position with a lot of hands-on work. It is nearly impossible to determine what the technical department is looking for.
The job ad does not mention benefits or a salary range; it is just an "I want a unicorn" and "I give nothing for it" list.
A Bachelor's in Business Administration is listed under minimum requirements. Does the company want a hands-on-oriented Security Engineer with a degree in Business? This is really weird; ignore such things. HR just used copy-paste, but now you know the job description does not match reality at all.
What can you get out of such a long job description?
Very, very few unemployed people have all of these skills. This company requires a penetration tester, an Incident Handler, a Security Advisor, a packet mover (10 lb 2h a day), a Risk Analyst, a technical Consultant, and more in one single person.
-> Maybe HR does it this way to make sure the company covers everything and can use you as a packet mover for 2 hours a day.
Do networking to get the actual job tasks
I asked a technical person in this department (I guess it is the supervisor/boss), and he is, in fact, looking for this:
If you have experience with security engineering, AD, IDP's like AAD/Okta, AWS/Azure experience, Appsec, etc, then you should apply.
The job ad does not include the following wanted things:
- Active Directory
- IDS
- Azure Active Directory
- Okta
This is the sad reality for most job descriptions. If you apply for a job, you do not know what you will be doing, and therefore networking is the key. If you have a connection to the company, ask what you would really be doing. Now, you can evaluate your skills. If you have >50% of the actual job tasks, the job could be right for you.
Use poorly written job ads to your advantage.
Most job descriptions do not mention a salary, but all use a title. With the title, you can look up your market value.
Each of your skills in combination with a requested skill increases your value. Here, the company asked for red, blue, advisor, and cloud skills, and if you have them, the company pays for them.
A standard Information Security Engineer earns between $70K and $120K, but the job description listed other job activities. The following picture shows some numbers:
Source: www.payscale.com/research/US/Job=Information_Security_Engineer/Salary
Remember, these are just numbers, but requested skills increase your salary (especially cloud).
The given job description is pretty much useless, but it opens a way for you to negotiate a higher salary. If you have many skills and know the company wants to use them, this puts you in a better position. If HR asks for penetration tester skills, they might pay 5 to 10% more for these skills even though you will never use them in this position.
Do networking to get information about salary and benefits
If you have so many skills, you have a lot of value, and companies are looking for you -> you are a unicorn. Most company websites have a dedicated benefits area where you can get more info about them. This job has great benefits, but they are not mentioned:
we're open to 100% remote. 39 days off per year starting. 401k at a 6% match. Yearly bonus + RSU stock in the company - {...} Zero monthly premium healthcare along with extra money added to an HSA to offset deductibles.
This is awesome... I do not understand why companies do not include this. The job description is like a "We want everything and give nothing" list, but the reality is different.
This job only had 6 applicants, and it is most likely an excellent job in an exciting environment.
Conclusion
I turned this job down because the first list with >25 duty positions, including bizarre ones, gave me such a negative impression and damaged the company's reputation already. I had to search and ask for the positive points, but usually, I do not do that.
If you work in HR...
take care of the balance: if you want something, you should offer something. Highlight the positive points. If you create a massive list, the requested and expected salary jumps +50% just because of it.
The positive side
Digging into unattractive job descriptions can give you an excellent job. Deterrent and one-sided job descriptions keep the number of applicants/competitors low, and you might get a higher salary just because of that.
You cannot do this for 10,000 jobs, but it is worth it if you want a job and it fulfills one of your needs.
© 2021. This work is licensed under a CC BY-SA 4.0 license