This article was written on June 4, 2024, by The Cyber Why author Katie Teitler-Santullo.

Hi — I’ve been gone for a while, recalibrating and job hunting. Maybe you’ve noticed, maybe you haven’t. In either case, I had about two months away from work and even though I was much busier than I wanted to be, I had time to reflect and think about cybersecurity as a career. Not just my career, but cybersecurity as a career, in general.

Flashback to April

My former job was on shaky ground. Over the last year (plus) there were a number of major changes to my department as well as other organizational changes that directly and indirectly impacted my and my team’s work. As a result, I’d been thinking about making a move. But I’m usually not a quitter; I prefer to be shoved out the door for some sadistic reason. 

During the first week in April, it became readily apparent to me that I’d need to start looking for a new job ASAP. I was out of town, getting ready to speak at a conference. What I should have been doing that morning was prepping my talk. Instead, I had a bad gut feeling and started messaging trusted friends and colleagues. The gist of my messages: “I think I need to look for a new job. If you know anyone who is hiring, I’d appreciate an introduction.”

Within minutes, the first reply came back: “Call me. I might know someone.” Over the course of the day, I received several other responses with a similar tone. That was a Wednesday. On Friday, I had my first conversation with the person who would ultimately facilitate my new job (at an amazing company!!). The following Monday, I had three more conversations with companies that were hiring for my role. Several of those conversations turned into opportunities, meaning they weren’t fluff conversations scheduled simply because a friend of a friend of a friend asked for a favor. I was being ushered down the hiring pipeline solely because of the industry connections I’ve made. I have been incredibly fortunate throughout my career to work with some really good people who (for some odd reason) appreciate my work and me as a person. And, in this situation, they were willing to dedicate time and effort to help me find my next job.

Share

Work your network

You might think this is luck; where I’ve worked, and the positions in which I’ve worked have given me certain “advantages.” While there might be some truth in that, I also work really hard at cultivating and maintaining my network of security friends and colleagues. I check in with people “just because.” I send birthday texts (if I know their birthday). I reach out when I see/hear that someone is job searching. I make introductions whenever I can. 

(Importantly, though, I am not a pest; I won’t continue to communicate with someone if they indicate in any way that my touchpoints are unwelcome. I’m not that LinkedIn connection.) 

I know many of you readers also work hard at the community aspect of cybersecurity. Mostly, though, when we’re networking, the goal is less about “what can you do for me” than shared interests or, more simply, a connection with someone fun, friendly, interesting, etc. Personally, I don’t keep in touch with people because I’m thinking, “One day, I might need their help.” However, it’s hard to ignore the fact that I got my current job, had the plethora of interviews I did, and was offered jobs only at companies — not just now, but over the last 20 years — that began with a personal introduction. Every single job I’ve had in cybersecurity, going back to 2004, has started with an introduction. And I’ve never had more than a two-month gap between jobs. (If you’re now checking my LinkedIn, you’ll see a few gaps that are greater than two months. There were times I left a job, dabbled outside of security, then returned. Those positions appear only on my resume.)    

My network has had a significant and profound impact on my ability to find employment. Again — I am incredibly grateful. I am even more grateful when I look at the state of the industry and my friends and colleagues who have been job-seeking for longer periods of time. Over the last few years, I’ve spoken with several people who want or need a new job and have to rely on the old-fashioned method of job hunting: applying through companies’ websites or job boards. These people send out hundreds and hundreds of resumes and fill out countless forms because they don’t have an inside track. 

And they’re not getting great or rapid responses. I know a lot of very skilled people who have a hard time scheduling interviews because they are applying “blind.” I have two friends who, after applying for cybersecurity jobs for months on end (and have job history in the field), decided to send resumes to non-security tech companies. Guess what happened. They got positive responses right away.

In only one instance during this last round of job seeking did I land an interview with a company at which I knew no one. And even though the conversation went well, the HR person never followed up, even after saying I was a “great fit for the role.”

It’s a miserable situation. I’ve felt it. Even though my latest job search was fast-tracked due to connections, I built a backup plan in case something went awry. I applied to a dozen or so positions — which were exactly the same as the one I have and another for which I was offered a job — at which I didn’t have a personal connection. I either never got responses from those “blind” applications or received responses claiming there were “other candidates better suited.”

Share

Stranded without a network

Thinking about this — and watching several of my friends and former colleagues struggle with the state of hiring in security — I have to wonder: when did we become so insular that only a connection — tenuous as it might be — will do? Is cybersecurity the type of community that refuses to welcome unknowns, even when the person’s skills, background, and temperament are a perfect fit for a position? Is a person imminently more qualified when referred by a friend, or a friend of a friend (or more)? 

I saw this happening during my search, so I asked one of the people interviewing me why she was only talking to people to whom she’d be introduced by a mutual connection. “These positions are too risky to hire just anybody.”

Is that actually true? And isn’t that what the interview process is for? Aren’t recruiters supposed to help establish a connection? Do people honestly think that only the people they already know are the only good workers in the industry? Is keeping the circle tight helping advance security? Shouldn’t we be more impressed with what someone brings to the table than whom they bring to the table?

Expand your periphery

In my opinion, it’s extremely limiting to shrug off candidates purely because there’s no direct or dotted line to the hiring manager or company. While every job I’ve had in the last two decades started with an introduction by a mutual connection, I have met a number of amazingly impressive people at those jobs who are now colleagues I would recommend to any hiring manager. My professional life is richer for meeting these new people. My network has grown because I had the opportunity to work with people I didn’t previously know anything about. Some of these “outsiders” are now personal friends with whom I regularly communicate and/or spend my non-work time.

On the flip side, some of the people in my network who were once very close colleagues have significantly drifted outside my periphery (and vice versa). I have no idea what they’re up to now. If they are as committed as they once were. If they’ve kept up their skills. Sure, if someone in my network were to reach out and ask me to vouch for one of these people, I likely would. But I’d have to caveat it and say we haven’t been in contact for X while. Knowing the industry, I’d guess that even a latent relationship counts for more than no relationship. 

Even though I benefit from wonderful professional relationships, I think it’s a disservice to the industry to rely solely on introductions when hiring for open positions. It might take more effort to vet an “unknown,” but it can pay off multifold. You never know how someone will act or react inside a new company, even if you’ve worked with them for years under different circumstances. When faced with a toxic environment or bad team composition, a previously amazing worker can sour or develop apathy. Stressful situations can breed bad — or anomalous — behavior. Someone you already know isn’t necessarily a “sure thing.”  

A different perspective on hiring

Personally, I will continue to grow my network and connect with past and current colleagues. I will also continue to try to help people in my network when I can. But I will also be mindful that the next best candidate for a job I might be hiring is someone completely disconnected from me or my network. From my point of view, the industry is in too much need of skilled workers to write people off purely because they were heads down at their jobs or too shy to attend RSA parties. I know some HR pros and hiring managers will say it’s too much work to wade through pages and pages of blindly submitted resumes or, worse yet, that their “AI-based resume scanner” didn’t identify the “correct” buzzwords. 

If we want talented people to work for and with our teams, we have to expand our perception of who is the “right” fit. A tenuous LinkedIn, user group, online forum, or social media “connection” does not a known quantity make. Let’s be honest: on the internet, nobody knows you’re a dog. 

So, while it might be easier to take the path of least resistance, which includes personal introductions for open positions, it might be profitable in the future to invest in cultivating new colleagues along the way. After all, a stranger is just a friend we have not yet met, or something… 

In the meantime, I will continue to thank the gracious colleagues and friends who helped me land my current role.

FTR: I have recruiters connecting on LinkedIn all the time. They’re always willing to help when I don’t want or need a job. But when I reached out on this last hunt, ONLY the recruiters who personally knew at least one of my LinkedIn connections responded.