Hey, citizens of planet earth. I wanted to get your opinion on my job application process so far. I hit a dead-end and can’t seem to find my way through this ditch. Will try to summarize what I went so far down below.
I have been trying to relocate (or get a remote position) for the last 2 years. I’ve applied to ~90 companies/organizations however the return rate is abysmally small (4/90). This is not the actual problem though, as I was expecting such an outcome. The problem is, there seems to be an inconsistency.
About 86 companies outright rejected me during the initial application step. A generic, cold-hearted HR mail slapped me in the face with its merciless thrust. From the remaining 4, one said that they have stopped hiring people because of an emergency and said that they would get back to me as soon as the situation changes (and still hired another person about a few months later). One said that I was not “enthusiastic enough to relocate”, which might be related to them asking me about 3 times if I had any relatives to stay with as I might not make enough to live by myself. One said that I should expect a mail after the meeting with a senior security engineer and then disappeared forever. The last one was positive but could not agree on when to relocate, as the covid is still present.
# What I’ve tried:
At first, I thought to myself and said, “I don’t have anything that verifies my abilities, that must be the issue”. I’ve written an Android app that handles basic recon operations about web applications and put it up there. Also wrote 2 little tools to have something that I can display on my GitHub (small, insignificant tools). Nothing changed.
Then I thought, “Eureka, I don’t get any responses because I don’t have decent certifications!” and got OSCP/OSCE that year. Nothing changed.
Then I thought, “There are platforms like HackTheBox, maybe that would help if I get a cool rank on those” and got to Guru rank on HackTheBox. Nothing changed.
Then I thought, “I need to get the approval of a 3rd party, a bug bounty submission could be good” and submitted a high/critical bug bounty report to a well-known organization. Got a pretty good award for it and they actually said “nice catch!”. Nothing changed.
Finally, I thought, “Maybe I don’t have enough years of experience”. Right now I have about 4.5 years of experience (3.5 directly related to security). Guess what happened? >!Yeah, nothing changed.!<
I did my internship in a consultancy firm in Germany and even got a letter of recommendation because of an (albeit simple) vulnerability in a bank. I have a master’s degree in Information Security.
I’ve worked; as a freelancer, part-time and full-time. I’ve worked in a consultancy firm, a SaaS application startup, and a government institute.
# Why it feels weird?
Most of my friends (DevOps, frontend developer, backend developer, designer) are getting offers from companies in the EU/US. Even if they don’t, they get a high percentage of positive answers from job ads that they apply. It feels as if I’m (or the whole security field is) cursed somehow.
If I could’ve gotten maybe 20-25 positive responses for my initial applications and then get rejected, I would say that I am simply not that good. I would think that I am not up to the standards of the industry and I would need to try harder. Getting immediately rejected from HR does not tell me anything.
I’ve checked the security folks in the companies that I’ve applied to. About 30%-60% of them have less experience than me. A small part of them had almost empty LinkedIn profiles! I know having an empty profile is not an indication of being inexperienced, but does not explain how they got through the HR filter with that kind of resume. On top of that, the HR of the only company that offered me a salary said that I was obviously a senior engineer (I had applied to a mid-level position).
I’ve also asked a board member of a large certification organization (whom I would not like to disclose) and he said that he could not find anything bad on my resume and baffled about why I would not get any responses. Then I’ve applied to the company where I had found the vulnerability. They also rejected me in 2 days with a generic HR mail.
At the beginning of this process, I wrote cover letters that go into detail about my career goals. I talked about the structure of the company, attack vectors, things that could be improved if I got in. I even begged them to give me a challenge/chance at a few of those letters.
Honestly, I am feeling burned out. I don’t believe that getting a gazillion years of experience or mega-premium-CISSP would change anything at this point. The 2 main problems I have are the country of residence (in middle-east) and having experiences that lasted shorter than 2 years (a.k.a. job hopping). Apart from those, I can’t think about anything that could result in an HR rejection. I have friends that do not have job-hopping on their resumes and they are having the same problems. That leaves me with the country I’m living in being the only issue.