A hackers guide to FINDING cybersecurity jobs
Updated: Jun 18, 2022
Getting your foot in the door or finding your next gig in cyber security is sometimes a daunting task. Just like hacking, a methodology is needed to succeed. Here's how I see the core components (this methodology will evolve over time):
Aquire Skillsets / Experience
This blog is on Finding Opportunities in the scene.
The normal methods to look for roles are sites like LinkedIn, Indeed, and ZipRecruiter. All have very generic ways to find jobs:
The pro-tip within this normal way of scouting for positions is that in cyber security, many roles have different names. Let's take the example of a "Penetration Tester". Let me list the different keywords associated with this type of role so you can understand the word-soup that might get in the way:
Offensive Security Engineer
Application/Network Security Engineer
Now, I know that conflating all these titles can trigger some folk. I'm not saying they are all the same. What I'm saying is that they all can share a certain portion of skills for someone searching for a role. The point is to illustrate that you should do some research on adjacent or alternative names for roles you look for on these sites.
The Quarterly Reddit Hiring Threads
The 1st "hack" is wielding the power of the quarterly Reddit /Netsec Hiring threads. One of Reddit's most popular cybersecurity subreddits is /netsec. Each quarter they start a thread for prospective employers looking to hire cyber security talent.
These threads are invaluable. Not only should you be parsing them for the current quarter, but an aspiring hacker should be looking at everything from the past 2 years.
In these threads, even if a role is closed/filled, they give you a contact to reach out to. Here's another pro-tip from someone who has hired multiple hundreds of security people in his career:
There is almost always a role for an exceptional candidate. In cybersec it's REALLY hard to find good people. If you find one, often a hiring manager can "move things around" to open up a role.
So.. parse these threads and apply to the ones that interest you. If a company you are interested in is on there but they don't have a role posted for your skillset, don't be afraid to reach out to the contact and ask if they might soon. Persistence is key.
For your convenience here are the last two years of Hiring Threads for you to peruse:
Conference Hiring Boards (ShmooCon)
The 2nd place an aspiring cyber security person should be looking is conference hiring boards. Local infosec and cybersec conferences are increasingly having a "board" where prospective employers can recruit. Some, like ShmooCon's, post them online.
Similar to the Reddit hiring threads, ShmooCon and Rob Fuller (@mubix) post a yearly hiring board for each conference. Apply the same principles from the Reddit threads to these boards. Here are the last three:
2020 - https://malicious.link/post/2020/2020-shmoocon-hiring-list/
2019 - https://docs.google.com/spreadsheets/d/1HnDVbXqQU74X8RyLdTPZ36ZPlbpXYk5ByO1uw55eWI0/edit#gid=0
Marcus Carey's Twitter Hiring Threads Marcus is an amazing author and "OG" of the cyber security scene. I personally look up to him and Rob (Mubix) a ton. Marcus periodically posts hiring threads on Twitter where prospective cybersec employers or related contacts can reply with openings. Apply the same principles as the Reddit and ShmooCon list here. In addition, you get real contacts you can talk to on Twitter for these places and roles. Very useful. Here are the last few years' threads by Marcus:
The above are four tremendous resources to find open roles and contacts in cyber security. I would be remiss if I didn't mention my friend @PhillipWylie who also shares my passion for getting new people into the field. Throughout Phil's Twitter, conference talks, and podcast you can find all sorts of useful hacks to find gigs in cyber security.
6/17 Update -
Another resource that JUST got created by @gadievron aimed at helping those who've been laid off find new roles in CyberSecurity. Over 200 roles posted:
6/18 Update -
One more source that I forgot to include is related to the “networking“ section of the methodology but probably fits here too. This source is:
Slack and Discord channels
In any given large city there are somewhere between 3-10 different cyber security meetups. These are things like DEFCON groups, Owasp groups, ISSA groups, Cloud Security Groups, etc, etc.
Most of the live meetups maintain a discord or slack channel and these channels have sub channels for hiring where people post job openings, often before they even hit the internet. In addition, local conferences (bsides, ++) have channels like this too sometimes.
An aspiring hacker could find a ton of these servers local to them and search out jobs.
With the world opening up to more remote positions whose to say you need to limit yourself to your local ones 😉🤔🧐