Job hunting guide: from the perspective of a hiring manager

Over the past few years I have reviewed thousands of resumes and interviewed over 100 candidates for various roles within Security Compliance, Security Risk, Assurance Engineering, and Enterprise Security.

Given the current job market and all the news of layoffs, I wanted to share some of my perspective and tips for job seekers as a hiring manager. This should go without saying, but please keep in mind these are all my own opinions and perspectives; others may have very different approaches.

This is going to be a long post. There's lots to cover.

📜 The resume 📜

Keep your resume to one (1) page. I estimate only 15 - 20% of the resumes I review are actually one page, but for the candidates that did stick to this rule, they immediately got my attention and I spent more time reviewing their resume.

Make sure your resume is well put together, organized, and free of typos or grammatical errors. Triple check this. I was shocked by the quantity of resumes I reviewed that were so poorly formatted or had terrible grammar and typos.

Focus on your last 2-4 years of relevant work experience. You may have 15+ years of great experience, but I'm most interested in what you've done recently and how that is going to translate to success in this role.

Don't put things on your resume you aren't prepared to talk about in depth. Don't list SOC2 experience if you can't talk to me about the 5 Trust Service Criteria and speak to at least some of the specific criteria and points of focus behind them.

Use job titles that make sense, not necessarily what your HR department/system assigned you. You must be genuine about your experience and level, but some HR systems are really generic and unhelpful. Don't use “Security Consultant” if your actual role is managing a GRC team. You need to make it immediately clear from the title what your responsibilities and job level are.

Why does this matter?

The resume is your first impression to prove you can write well and produce high quality work. I would have 300+ resumes to review for each role. If you can't put together a solid resume, I have no faith you could put together a proper risk writeup or audit playbook without me needing to redo most of it.

With 300+ resumes, I spend less than 30 seconds scanning most of them. You must immediately show your resume is worth spending extra time on.

🤵🤵 Develop and use your network 🧍🧍🧍

Cold applying to places is tough. I have experience at a Big4 firm and two top tech companies and I'm sure I would still have mixed results getting through the resume screen at best. Getting a referral is good, but not great. It will usually get you past any automated resume screeners and I generally give any referral some extra time when reviewing resumes. I may even offer an initial interview screen, even if they weren't the strongest candidate on paper.

However, you're going to have much better luck if you know, or can get connected to, the hiring manager or someone directly on the team. The vast majority of jobs I've gotten have been through a direct connection at the company that could influence or make the hiring decision.

So, how do you go about building and maintaining your network? A few tips (in order of effectiveness, imho):

  1. For people you've worked with in the past, go out of your way to meet up at least a couple times a year. It can be virtually or in person, just make sure you're maintaining those relationships. I've also found these conversations really helpful for comparing notes and sharing ideas for projects to prioritize.

  2. Go to small networking events. Ideally you're looking for dinners, happy hours, or other similar events with less than 30 people in roles similar to yours. If you aren't already connected or invited to these, use your network from tip 1 above to find them. Use these events to make friends. Most importantly, go to these events even when you are happily employed. You want to build and maintain these connections, not just use them when it serves you; that will come across as inauthentic.

  3. Go to relevant conferences. I have mixed feelings about using conferences for networking. They're great for getting CPE credits, but they're often so large you wind up hanging out with the coworkers you already work with and not making new connections. If you go to a conference, you need to be intentional about talking to other people and exchanging contact information. For us introverts, that can be scary. Come up with a few relevant topics or questions you've been thinking about and use them to get a conversation started.

📤📤 Applying 📤📤

Get your resume out there. Be flexible, be optimistic, be prepared for rejection, be realistic.

Be flexible:

Apply for lots of positions, even if the company, role, or comp range isn't exactly what you're looking for. Even if you don't intend to accept the position, the interview experience is valuable. The more you do, the more comfortable you'll be and your answers will get more refined. In addition, you might just find you are interested in the company after you get the chance to hear more about it.

Be optimistic:

Apply for positions a level above your current role. The worst that can happen is they say no. Best case, you are able to impress them and accelerate your career. Keep a positive attitude; the right position will come.

Be prepared for rejection:

The current job market is tough. Be prepared for numerous rejections without even a phone screen for positions you know you are well qualified for. Don't take it personally. There are numerous reasons companies reject candidates and it often has nothing to do with the quality of the candidate (the position might be filled, the company might be in a hiring freeze, the headcount may be repurposed, etc.). Unfortunately, they just use the standard rejection email template no matter the reason, so you'll never know.

Be realistic:

Don't expect to get an interview for a job 2 levels above your current role. This also isn't the market to expect an interview if you're trying to change to a different type of role you don’t have direct experience in. In my own experience, it is much easier to land a job at a new company at your current level and prove yourself to get quickly promoted internally.

Make sure you understand how the seniority structure works across your industry so you know what level you are and what levels are realistic for you to apply for. Every company varies their leveling structure somewhat, but here's a guide for tech. I've seen many other industries have something similar:

Individual Contributors (IC):

  • Entry level

  • Senior

  • Staff

  • Senior Staff

  • Principal

  • Distinguished

Management:

  • Manager

  • Senior Manager

  • Director

  • Senior Director

  • Vice President (VP)

  • Senior Vice President (SVP)

  • Executive Vice President (EVP)

  • President / C-suite

In addition, there are lots of nuances about titles that are helpful to learn. For example, some program management (e.g. TPM) and even GRC roles have “manager” in the title, but are actually IC roles, not managing other people. I guess the idea there is that you’re managing a program, but it can be very confusing for applicants, recruiters, and hiring managers trying to understand the roles and responsibilities.

🗣️🗣️ The interview(s) 🗣️🗣️

Interviews can be challenging. You get a relatively short amount of time to make a good impression in a high pressure environment.

This section probably needs to be its own series of posts, but here are a few tips:

  • Spend time learning about the company and the industry you are applying for. You need to know recent news about the company, their products, and the industry. For example, if you're looking for a security compliance role, being knowledgeable about only SOC2 and ISO 27001/2 probably isn't enough. If you're applying to an AI company, you should also be knowledgeable about ISO 42001 and developing AI regulations around the world; for an Autonomous Vehicle company, you should also know about ISO 21434 and UN R155/6; etc.

  • If you don't understand an interview question, ask for clarity. It's important to answer the intended question.

  • Make sure you follow up and ask if you answered the questions completely or if they were looking for any additional signal. This is a great way to get another chance at a question you didn't fully answer.

  • Ask substantive questions at the end. Stay away from generic questions like “what's the company culture?” Generic questions will get you generic answers. Ask specific questions about the team structure, short and long term roadmaps, what your first project would be, current challenges, how the team operates, etc. It is okay to ask the same question to multiple interviewers; it's actually a great way to get different perspectives on a topic at the company.

  • Send thank you emails to each interviewer with reference to specific points you talked about in the interview. I thought this was interview etiquette 101, but I rarely receive these. Don't expect this to be a silver bullet to getting hired, but it may just be the extra points needed to demonstrate you're the best candidate in a close decision.

  • If the company decides not to move forward with you, ask for feedback from the interview! Some companies may have a policy where they can't disclose specifics, but any feedback you may be able to get to improve is really valuable.

💰💰 Finally… compensation negotiation 💰💰

If the compensation range wasn't in the job posting, you should ask the recruiter during the first phone screen what the range is for the role. If the range doesn't align with your expectations, you may want to continue the interview process anyways for the experience, but don't expect the range to change.

Before you start negotiations, make sure you've thought about your compensation priorities (salary vs bonus vs equity vs other benefits). The company may also have areas where they are more flexible (e.g. many companies have company-wide bonus percentage targets by level that are non-negotiable, but salary and equity can be negotiated).

Whatever the initial offer is, ask for more, but be realistic. Once you're at the offer stage, asking for more money isn't going to hurt your offer; the company wants to hire you. However, don't expect them to pay you the very top of the range. They need wiggle room to allow for raises in the future without going outside the range.

---

If you've made it this far, thanks for reading! I hope this was helpful for you. Feel free to ask questions; there is still a lot I didn't cover. Remember, this is all based on my personal experience and opinions. Other people may have different approaches, which is part of what makes job searching a challenge.

I'm considering writing a similar post, geared towards hiring managers and how to pick solid candidates out of a stack of 300+ resumes and then conduct interviews that actually provide good signals. If that sounds helpful, let me know!

View this post and associated discussion on LinkedIn as well.
