CYBERSECURITY JOB HUNTING GUIDE

Dealing with poorly written job ads

Author: Stefan Waldvogel
Many job descriptions in Cybersecurity are poorly written, and it is helpful to know how to deal with them and how to use them to your advantage.
This article is about job hunting for a Security Engineer position. For this position, it is an employee's market. Few unemployed people have the skills, and companies have difficulty finding talent. If you apply for 5 roles, you get 3 offers, and you pick the best.
Most companies are not prepared for this situation because applicants can more or less dictate the rules, and the ability to write well-written job descriptions decides how many applicants apply for a job.

Companies might consider 100% remote for a Security Engineer role but do not mention it... Many applicants sort these companies out because we have too many options. Companies do not mention benefits or a salary range... we sort them out because we have to cut down the numbers. If something positive is not mentioned in the job ad, it does not count.

As an applicant, you have to find the hidden gems, and that is challenging. At least in the US, HR is very slow in finding new ways to attract talent, and many job descriptions do not look attractive. Here, I will take a poorly written job ad and see what we can do about it.

I am looking for a Security Engineer position, and you could see something like this (3 pages):
This list of duties is massive. As an applicant, you apply blindly for a job because nobody on earth does such a job. It is a long list to make HR happy, and it is a reason why companies have such a hard time finding qualified people.

Find the keywords
Keywords might give you an idea about what your job is. Here, this list is just too massive and too broad, but it looks like it is a position with a lot of hands-on work. It is nearly impossible to determine what the technical department is looking for.
The job ad does not mention benefits or a salary range; it is just an "I want a unicorn" and "I give nothing for it" list.
Under minimum requirements, a Bachelor's in Business Administration is listed. Does the company want a hands-on-oriented Security Engineer with a degree in Business? This is really weird; ignore such things. HR just used copy-paste, but now you know the job description does not match the reality at all.

What can you get out of such a long job description? 
Very, very few unemployed people have all of these skills. This company requires a penetration tester, an Incident Handler, a Security Advisor, a packet mover (10 lb 2h a day), a Risk Analyst, a technical Consultant, and more in one single person.
-> Maybe HR does it this way to make sure the company covers everything and can use you as a packet mover for 2 hours a day.

Do networking to get the actual job tasks
I asked a technical person (I guess it is the supervisor/boss) in this department, and he is, in fact, looking for this:
If you have experience with security engineering, AD, IDP's like AAD/Okta, AWS/Azure experience, Appsec, etc, then you should apply.​
The job ad does not include the following wanted things:
  • Active Directory
  • IDS
  • Azure Active Directory
  • Okta
--> The discrepancy between HR and the real needs of the technical department is enormous. It is like 50% of the wanted skills are not mentioned.

This is the sad reality for most job descriptions. If you apply for a job, you do not know what you will be doing, and therefore networking is the key. If you have a connection to the company, ask what you would really be doing. Now, you can evaluate your skills. If you have >50% of the actual job tasks, the job could be right for you.

Use poorly written job ads to your advantage
Most job descriptions do not mention a salary, but all use a title. With the title, you can research your value.
Each of your skills in combination with a requested skill increases your value. Here, the company asked for red, blue, advisor, and cloud skills, and if you have them, the company pays for your skills.
A standard Information Security Engineer earns between $70K and $120K, but the job description listed other job activities. The following picture shows some numbers:
Picture
Source: www.payscale.com/research/US/Job=Information_Security_Engineer/Salary

Remember, these are just numbers, but requested skills increase your salary (especially cloud). 
The given job description is pretty much useless, but it opens a way for you to negotiate a higher salary. If you have many skills and know the company wants to use them, this puts you in a better position. If HR asks for penetration tester skills, they might pay 5 to 10% more for these skills even though you will never use them in this position.

Do networking to get information about salary and benefits
If you have so many skills, you have a lot of value, and companies are looking for you -> you are a unicorn. Most websites have a unique benefits area, and you get more info about them. This job has great benefits, but they are not mentioned:
we're open to 100% remote. 39 days off per year starting. 401k at a 6% match. Yearly bonus + RSU stock in the company - {...} Zero monthly premium healthcare along with extra money added to an HSA to offset deductibles.
This is awesome... I do not understand why companies do not include this. The job description is like a "We want everything and give nothing" list, but the reality is different.
This job only had 6 applicants, and it is most likely an excellent job in an exciting environment.

Conclusion
I turned this job down because the first list with >25 duty positions, including bizarre ones, gave me such a negative impression and damaged the company's reputation already. I had to search and ask for the positive points, but usually, I do not do that.
If you work in HR...
take care of the balance: if you want something, you should offer something. Highlight the positive points. If you create a massive list, the requested and expected salary jumps +50% just because of it.

The positive side
Digging into unattractive job descriptions can give you an excellent job. Deterrent and one-sided job descriptions keep the number of applicants/competitors low, and you might get a higher salary just because of that.
You cannot do this for 10,000 jobs, but it is worth it if you want a job and it fulfills one of your needs.
© 2021. This work is licensed under a CC BY-SA 4.0 license