Why Job Boards Aren’t Enough for Cybersecurity Professionals: Key Challenges and Better Solutions
I’d have to consult with Dante, but I’m pretty sure that conducting a job search with a heavy reliance on job boards is at least some inner circle of hell. The fifth is anger, so maybe that one. I think root canals and DMV lines are sixth and seventh.
Almost all of us check out job postings from time to time. Some on a passive basis to stay on top of the market, others a bit more actively while thinking about making a move, and full on if you are in the market. They are less relevant for very senior roles, but a great way to gain visibility on staff and individual contributor roles.
That being said, I see many folks we work with struggling to productively leverage job boards, and frustrated by the travails of an active search, so I wanted to share a few common challenges and observations, as well as some advice.
We are also working on a major project to help address these concerns- but more to come on that in a few weeks.
First, the good.
Job boards give you a sense of the market- what qualifications employers are looking for, who is hiring, what pay ranges look like (though often you have to look at a lot of jobs to get a good gauge on trends)
You can set up alerts and hop on newly posted jobs (where you have an advantage as an early applicant)
Sometimes they do actually lead to a company and candidate linking up
Now, the not so good. I’ll divide this into ‘pre-application’ and ‘post-application’.
Pre-application:
It can be a huge pain to narrow down to a relevant set of jobs and stay on top of newly posted ones
Most search algorithms are based on job titles, which are all over the place in our industry and frequently don’t accurately describe the work to be done
Seniority level frequently isn’t clear, and at best is inconsistent across companies
Search results tend to catch many irrelevant jobs (see below for results from an IAM job alert… thanks Indeed)
Job descriptions suffer from myriad problems- we did a full teardown of this a few months ago here.
There are a ton of jobs from recruiters that earn their money in contingent search and thus anonymize the actual employer. Often the JDs here are little more than 5 bullets on requirements. These just add noise from a job seeker’s perspective (does anyone actually apply for them??)
Post-application:
The odds of a job application leading to an actual job at the end are low. That’s just a matter of statistics. Job boards are just one source of candidate flow. There’s proactive outreach, internal candidates, referrals, etc. So out of the gate, there’s only a certain percent chance (probably <30%).
The constant rejection can be demoralizing, particularly when you know you are qualified and could do a good job
Companies are screening on the wrong things. They are only looking at what is visible from the resume, and in the process, end up cutting out many people that could do a great job. More to come on this topic in future weeks.
There’s been an increasing phenomenon of ‘ghost jobs’ that are posted but without a real intention of hiring. See full story here. (I’d be curious to speak with you if this has happened to you)
So, is it still worth it? Here’s what you can do:
Don’t over-rely on job boards. Think of it more as an intelligence tool than a means to get a job. Lean into networking, building recruiter relationships, etc. as part of a multi-pronged strategy.
Network: How to do this well is its own longform piece. However, I can point to a few good resources:
Lean heavily on local security communities. For example, here in Colorado, there are very active chapters of the Cloud Security Alliance (CSA), OWASP, as well as local meetups and a group called Colorado = Security which is incredibly vibrant. Figure out what is relevant in your market and get involved (both in person and on Slack/Discord channels)
If there are jobs you are particularly excited about, invest to get to know the company, build relationships with folks on the security team, and stand out with your enthusiasm. It goes a long way.
Set up your job alerts well. Try putting quotation marks (“”) around certain titles to make the search stricter, and include a few title variants, for example:
“IAM manager” OR “Identity & access management engineer” OR “IAM architect”
Keep a saved folder of interesting/ relevant jobs. With some volume, take a close look at:
Responsibilities and skills- fine tune your story on why you are a great fit. Make sure your resume hits the keywords.
Comp- is it appropriate for what you are looking for
Remote/ on site- to set your expectations appropriately
Spend your time on good job boards.
Google Jobs- 4/5. Excellent search and filter capability. Alert relevance can be hit or miss (they tend to stuff a lot in there). The biggest issue is that some of the job boards that feed this service are super shady and frequently don’t reflect actual jobs that are really open.
LinkedIn: 4/5. Has a large number of jobs and makes it (a bit) easier to research who the hiring manager and recruiter are. Their alerts are reasonably on point. Search accuracy can be somewhat low.
Jooble- 4/5. This is a good service that aggregates jobs from various job boards. Their search accuracy is high, but quality is only as good as the job boards that feed it (Built In seems to be a good one). Alert quality is only OK.
Indeed: 3.5/5. Great for the number of jobs, but searches frequently yield many irrelevant jobs, and the ongoing alerts are almost useless.
Ninja Jobs- 3.5/5. Good site with better filter capabilities than most, but job postings are pay to play so don’t expect to see a whole universe here. Lots of jobs from cyber tech and services firms if that’s what you are interested in. Check it in conjunction with the big job sites.
Monster & Zip Recruiter: 3/5. These rarely have jobs that you won’t find elsewhere and don’t seem to fit security well. OK to skip.
Dice- 3/5. Lots of anonymized recruiter jobs and not a ton of depth. But you may see jobs here that you don’t elsewhere.
Infosec-jobs- 3/5. Good site with jobs that are easy to filter, but quantity is limited and many of the jobs are international
CyberSN- 2/5. Claims to have 200K security job postings but the vast majority are expired or broken links. Pass.
Here’s an idea- what if there was a job board that was:
Only cybersecurity
Where all the job descriptions were solid, well written, and consistently formatted
Classified according to seniority/ NIST-NICE framework/ security domain
Super easy to see and filter on things that matter like remote/hybrid, comp, and company Glassdoor rating
Wasn’t pay to play, so you’d have broad visibility
I’d say that sounds like a great idea. Maybe we will have to do something about that 😉