Sunday, December 28, 2025

Real life job search stats and observations after 19+ months of looking in 2024-2025


This is in follow-up to a related LinkedIn post with some additional observations too long to fit LI limitations.
Back in September when I announced on LinkedIn a successful conclusion to my long job search, I promised some numbers. Here they are with a few insights. If you're out of work, think you might someday be out of work, or are a recruiter, this may be of interest. While we all know the job market is tough, my context includes never having been out of work before in my entire adult life. Over a pretty long career, whenever I've wanted to change jobs for any reason, one was available to jump into - until now.

1,085 is the number of jobs I applied to from January 2024 - September 2025

44.5% of those received no reply at all, positive or negative. But 55.5% did get some kind of response.

6.2% of the time, that response was positive - a recruiter saying, "Hey, I liked your resume and would like to talk."

8 days is the median response time for those positive responses. If you're a recruiter and you're not getting back to your top candidates within that length of time, you are very likely to lose opportunities to other companies that are able to move more quickly.

65% of the time, if I got a contact from a recruiter, I would get to at least the first interview, usually with the hiring manager.

1% of all job applications was the number of final round interviews I got to. For approximately every 100 applications submitted, with one of those companies I could get through at least two, and sometimes as many as seven, rounds of interviews until they said they'd be making their final decision very shortly and making someone an offer - and then I didn't get it - until finally I did get the right one.

39 was the number of first round interviews I got; not recruiter screens, those are not "interviews". 11 was the number of final round interviews.

January through May were the best months for finding postings I felt were relevant to me in both 2024 and 2025.

July was the best month across both 2024 and 2025 for getting back positive responses, whether the applications had been submitted in July or earlier.

The worsening job market - I did hear more beginning in the middle of 2025 about layoffs and increasing challenges people were having finding work. It wasn't a vague feeling or speculation. From January '25 into June, I was finding many more relevant job postings to apply to than I had in 2024. This might have to do with my criteria having shifted over time as I adjusted my horizons with a growing sense of desperation. But what is directly comparable and non-speculative is the fact that total relevant job postings declined YoY in July and August of 2025, even with my lowered expectations. Whereas August had been my very best month in 2024, both for finding jobs to apply to and for getting back positive responses, August was my worst month in 2025. Something had clearly shifted with the market in late June.

Ageism? - 57 years is how old I was when starting this exercise. While ageism is obviously a hot topic on LI, I was not able to conclude one way or another whether it applied to me. I feel like the calls I got or didn't get had more to do with having the required years of experience and the salary range I mentioned as my target. To set further context, 20+ years of experience in cybersecurity with about 14 of those directly applicable to most of the jobs I targeted may have helped. For all of you thinking that you're a victim of ageism, I have to wonder whether your response rate for landing interviews was as good as what I'm citing here. If not, maybe your targeting of positions you're actually suited for needs adjustment, or maybe your resume isn't telling the compelling story you think it is. I think my job experience and skills are good, but what matters most for this exercise is not whether I have more or less than you, it's that we line up that experience accurately with some employer's need and then tell a compelling story about why we're the right fit for that job. I did have a feeling a few times that age might've been a factor in not getting some job, but it could also have been they thought they could get someone else cheaper.

Staffing Companies - These numbers don't include any contract or temp-to-hire roles. There were an additional 102 of those. With a very few exceptions, staffing companies really won't respond to you at all, ever, unless you can identify the specific recruiter in charge of hiring for the role you want and reach out to them directly, or maybe if you've had some prior contact with somebody. My total response rate for all positions posted by any staffing company, including where I found the recruiter and convinced them they really wanted to talk to me or I had a previous contact from them, was only 7.8%. The conclusion for me was that looking at staffing companies is an absolute waste of time. With some exceptions, almost all of these are trying to fill the exact same job slots and have no real way of helping you get the inside line to the employer hiring team. Yes, I know there are some rare ones that do, and this will depend on the level of position you're targeting. But for the average job seeker, this is not where you want to spend any amount of time.

Using LinkedIn - What's the value of LinkedIn Premium for job seekers, or of searching on LI versus anyplace else? I did sign up for Premium early in my job search and really thought it should help. In the end, I don't believe it helped in the slightest bit. But things might have gone differently had I been able to find the right contact. That InMail feature allowing you to message random non-contacts was the thing I found the most useful, and I used it to try reaching out to people I thought may be able to help get my foot in the door someplace. LI job search recommendations were, for me, absolutely useless. At least that was my seat-of-the-pants feeling, since I didn't track stats for how a position may have been listed when I sent in an app. Was it a position LI showed I should be a better match for skills than other applicants? I don't know, but I do know I didn't get any of those jobs. And while LI Premium touts the benefit of marking Easy Apply positions as one of your top choices, I found I got approximately zero (0, null, goose egg) responses back from any of those Easy Applies. Beyond the ability to send InMail messages, most of the other features of LI Premium give you a feeling that you're more informed and finding what you need to get that job; IMO it's mostly fluff.

Full price for LI Premium is currently $39.99/month. For that you get mostly pretty stale job postings showing up in your search, larded with a lot of promoted positions. Of course LI has probably the greatest number of high quality job postings anywhere. But just try to find the ones relevant to you. I continually found that a very specific search asking for postings in the last 24 hours turned up tons of jobs that had been posted weeks ago, promoted positions I had looked at three times already, and things I had even applied to weeks ago that were being reposted. Worse, that one really awesome job that should have shown up actually popped up in my search 5 days later, after the recruiter already had hundreds of applications in their inbox. So, my final hard number for this post is $2.99/month, which is what I rate as the actual value LI Premium delivers for a job seeker.

Where Should I Look Instead? - I have no financial interest or stake in any of these job sites. The best job search site I found is hiring.cafe - yes, that's its address. Indeed had some occasionally interesting posts that I hadn't found on LI. Dice was mostly useless. Monster was worse than useless.

Best of luck to you if you're looking for work in this worst in a lifetime job market, and best of luck to us all in 2026 in this world that we're in.
Peace, Love, and Healthy Snacks


Sunday, March 31, 2019

SANS Mentor training comes to Novi, Michigan in September 2019

DEV522 Defending Web Applications Security Essentials

This class is intended for anyone tasked with implementing, managing, or protecting Web applications. It is particularly well suited to application security analysts, developers, application architects, pen testers, auditors who are interested in recommending proper mitigations for web security issues, and infrastructure security professionals who have an interest in better defending their web applications.

*Save 10% on your tuition fees. Enter registration discount code 10mentor19 when you register

Who Should Attend:
  • Application developers
  • Application security analysts or managers
  • Application architects
  • Penetration testers who are interested in learning about defensive strategies
  • Security professionals who are interested in learning about web application security
  • Auditors who need to understand defensive mechanisms in web applications
  • Employees of PCI compliant organizations who need to be trained to comply with PCI requirements
  • Those wanting to earn the GWEB certification from SANS GIAC 
If you aren't familiar with the SANS Mentor course format, rather than six days in a lecture, you attend shorter sessions one evening per week.  We'll go over the hands-on lab exercises and answer your questions from the course material.  In between sessions you have time to study and digest the materials. You still get all the curriculum you would get at a large SANS conference, but without the expense of travel and time away from the office. For more information on the SANS Mentor program, go to http://www.sans.org/mentor/about.php

I have not yet settled on a venue for the class, but it will be in the Twelve Oaks area in Novi. More details on this as we get a little closer to the class dates.

For more details, visit the official SANS course page at https://www.sans.org/mentor/class/dev522-novi-16sep2019-melvin-drews

Sunday, May 28, 2017

C Programming tip: Pass struct pointer to a function as an argument


I'm taking a class in "operating systems" programming this spring, focused on Linux. So, this post may not be much use if you're working in Windows. In my previous assignment we used pthreads to practice multi-threading concepts. One question that came up for me was how to pass multiple arguments to a function called by pthread_create. The answer I kept finding was to pass a pointer to a struct. I had never done that before, wasn't really sure how it was supposed to work and just worked around it in other ways. But in working through my most recent assignment, I decided this was a technique I really wanted to use for the sake of flexibility, even though I wasn't using pthread_create.

The assignment was basically to write a command shell. I won't go into all the details in this post, but just want to stick to passing a struct pointer. The technique works well for pthread_create also.

Step 1: Create a struct with the multiple variables you want to pass as arguments
 25: struct params {  
 26:   int nums[4];  
 27:   char* chPtr;  
 28:   char** argt;  
 29:   char** argu;  
 30: };  


Step 2: Declare an instance of the struct and set some values for your struct member variables
 65: struct params genericParams;
 66: int o;
 67: for(o = 0; o < 4; o++) {
 68:    genericParams.nums[o] = 0;   //initialized to some known value
 69: }
 70: char startDir[512];
 71: memset(startDir, '\0', sizeof(startDir));   //ensure all indices hold the null terminator character
 72: if (getcwd(startDir, sizeof(startDir)) == NULL) perror("getcwd");   //NULL means failure, e.g. ERANGE when the buffer is too small
 73: genericParams.chPtr = startDir;
 74: char* argr[512];
 75: char* args[512];
 76: genericParams.argt = argr;
 77: genericParams.argu = args;
 

What's going on in this block? After declaring an instance of the struct and initializing the int array to all zeros, I set up a char array to hold the path of the current working directory and store that path in it (lines 70 - 72). The reason for using memset to initialize every index to the null terminator character is to make sure that, no matter what we put into the array, other functions that try to make use of the string will be able to recognize where it ends. getcwd null-terminates the path on success, but on failure (it returns NULL, for example with errno set to ERANGE when the buffer is too small) the buffer contents are unspecified. Checking the return value is the real fix; the memset is a backstop so that if we ever do read the buffer after a failure we find an empty string rather than uninitialized memory, which could hold anything at all.

Line 73 points the chPtr member at the startDir. In this way, we can later read and modify contents of startDir if we want without having to go through a lot of other steps to copy it properly into a struct member.

Lines 74 and 75 declare arrays of pointers to char. We can use each of these array location to hold a separate char*. Remember a char* is one way of representing a string in C.

Lines 76 and 77 point the char** members in our struct at argr and args, giving us a pair of pointers to arrays of char pointers. This provides a lot of flexibility when it comes to manipulating our strings later.

Step 3: Call your function
 163: retVal = childExec(&genericParams);  

By passing &genericParams in our function call, we're really passing the address of the struct instance.

Step 4: Receive the parameters and perform some processing
 433: int childExec(struct params *aStruct) {  
 434:     int o;
 435:     for(o = 0; o < 4; o++) {
 436:         printf("aStruct->nums[%d] = %d\n", o, aStruct->nums[o]);  
 437:     }
     //more code to make use of your other variable members ...
 489: }

Here we receive the address of the struct instance and store it in a pointer, aStruct. Line 436 then just prints the contents of each integer in the nums member array. Since aStruct is a pointer to struct, not itself a struct, we use the -> operator to reference member variables instead of a dot; aStruct->nums[o] is shorthand for (*aStruct).nums[o]. Because the callee works through the pointer, any assignment it makes to aStruct->nums or to the string that aStruct->chPtr points at is visible to the caller after the function returns, with no copying in either direction.
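Here is a complete, compilable version of the same technique, added to this post as an example (it is not the assignment code shown above). It uses the same struct layout plus a result field so the callee can hand a value back through the pointer it was given. The worker function has the single void * signature that pthread_create requires, so it could be handed to pthread_create unchanged; the example calls it directly so that it builds without linking a thread library. init_params, child_exec, count_args and demo are names chosen for this example, and the inputs in demo are constructed so the result is predictable. getcwd's return value is checked, as the post's text recommends.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Same layout as the struct in the post, plus a result field (an addition
 * made for this example) so the callee can hand a value back through the
 * pointer it was given. */
struct params {
    int nums[4];
    char *chPtr;
    char **argt;
    char **argu;
    long result;
};

/* Count entries in a NULL-terminated argument vector (a NULL vector is 0). */
static size_t count_args(char **argv) {
    size_t n = 0;
    if (argv == NULL) {
        return 0;
    }
    while (argv[n] != NULL) {
        n++;
    }
    return n;
}

/* Initialise *p in place. dirbuf/dirlen is the caller-owned buffer that
 * chPtr will point at. Returns 0 on success and -1 if getcwd() fails
 * (for example ERANGE when dirlen is too small); on failure dirbuf holds a
 * valid empty string instead of unspecified bytes. */
int init_params(struct params *p, char *dirbuf, size_t dirlen,
                char **argt, char **argu) {
    memset(p, 0, sizeof *p);          /* nums[] zeroed, pointers NULL */
    memset(dirbuf, '\0', dirlen);     /* terminated even if getcwd fails */
    p->chPtr = dirbuf;
    p->argt = argt;
    p->argu = argu;
    if (getcwd(dirbuf, dirlen) == NULL) {
        return -1;
    }
    return 0;
}

/* Worker with the signature pthread_create() requires: one void * argument.
 * The first line recovers the struct pointer; everything after that reads
 * and writes the caller's variables through it. Calling it directly, as
 * demo() does, or via pthread_create(&tid, NULL, child_exec, &p) behaves
 * the same as far as the struct is concerned. */
void *child_exec(void *arg) {
    struct params *p = arg;           /* void * converts implicitly in C */
    p->nums[2] = (int)count_args(p->argt);
    p->nums[3] = (int)count_args(p->argu);
    p->result = 0;
    for (int i = 0; i < 4; i++) {
        p->result += p->nums[i];      /* p->nums[i] is (*p).nums[i] */
    }
    p->result += (long)strlen(p->chPtr);
    return NULL;
}

/* Constructed inputs (not taken from a real shell session) so the result is
 * predictable: nums = {1, 2, 0, 0}, two argt strings, one argu string and a
 * four-character path. child_exec fills nums[2], nums[3] and result. */
long demo(void) {
    char dir[16] = "/tmp";
    char *argt[] = { "ls", "-l", NULL };
    char *argu[] = { "echo", NULL };
    struct params p = { { 1, 2, 0, 0 }, dir, argt, argu, 0 };

    child_exec(&p);                   /* pass the address, not the struct */
    return p.result;                  /* 1 + 2 + 2 + 1 + strlen("/tmp") = 10 */
}

int main(void) {
    char cwd[512];
    struct params p;

    if (init_params(&p, cwd, sizeof cwd, NULL, NULL) != 0) {
        perror("getcwd");
        return 1;
    }
    printf("cwd via struct: %s\n", p.chPtr);
    printf("demo result: %ld\n", demo());
    return 0;
}
```

The point to notice is that demo() never copies anything into the struct: it stores the addresses of its own local arrays, and child_exec writes straight back into them through the pointer. That is also why the struct, and everything it points at, must outlive the callee; with pthread_create that means the caller must not return (or free the struct) before the thread is joined.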

That's all there is to this. I hope someone finds it helpful. At least it will serve as a reminder to me on how the heck I did that thing. I will try to follow-up with tips on some of the other techniques I got to make use of in this project. So, do check back.

Tuesday, April 19, 2016

Application Threat Modeling in Risk Management

I presented this topic at West Michigan ISC2 Chapter meeting back in February and have been meaning to get the slide deck posted ever since. My apologies for taking so long with it. I wanted to clean up the references section and needed to add attribution in some places. Life gets in the way sometimes, but anyway.... I hope someone finds it useful. I continue to mine these ideas and the information sources that I cite within the slides.

The central concept is that software is still one of the most insecure areas in any enterprise. We put up firewalls, intrusion detection and prevention systems, implement lovely policies and tell our various boards of directors that we're doing all that can be reasonably done. But how do we know we're really applying the most cost effective mitigations to the right assets? How can we really express to non-technical stakeholders the true levels of risk they are accepting? As security professionals, we know the true picture of security sometimes looks pretty bleak, but we need to do better at quantifying that reality in business terms.

This presentation points to some tools and methods that help us do this. I believe these ideas can help management make more intelligent decisions about what kinds of business services or interfaces they want to offer, build the culture of risk management and the consensus needed to start raising the bar on security.

Download the presentation from the Downloads page, or directly here to get the notes: https://goo.gl/lybi09
or just the slides from SlideShare http://www.slideshare.net/MelDrews/application-threat-modeling-in-risk-management

Sunday, April 19, 2015

Reasonable Assurance Does Not Make Me Sleep Better

That was the title of a presentation I gave a few days ago at the Lansing Chapter of the Institute of Internal Auditors.  The idea for the theme came to me because I continue to hear the phrase "reasonable assurance" applied in several ways to audit work.  It just struck me that any audit of information technology security performed to a level of reasonable assurance does not make me feel any better about the actual security of the system.

Our adversaries are not "reasonable" in the lengths to which they will go to abuse the systems that we as IT professionals have worked so hard to build. Business customers and citizens interacting with government just want functionality to be able to get a product, a service or communicate with the organization.  But, because that's where the money is, criminals prefer to see these systems and applications as opportunities to steal money or proprietary information, embarrass the organization or bring them down.

If auditors are just trying to ensure that management has done a reasonably good job at implementing reasonable controls that are reasonably effective, we're sunk.  Of course, it's not the job of Audit to identify every vulnerability.  Audit is considered a third line of defense.  Stakeholders might believe Audit has their backs covered, but that's a different problem.  Audit is responsible to ensure stakeholders understand the true risk so that risk can be accepted, mitigated or transferred.  I believe this effort too often fails and I hope this presentation is useful in providing a perspective that may make it easier to achieve that limited goal.

The presentation can be downloaded from the share here: http://goo.gl/mqfjr8
If you go to my Downloads page, you'll be able to compare the sha1 checksum.

Slide 1 illustration courtesy of artist George Grie, from http://neosurrealismart.com/modern-art-prints/?images/insomnia-or-nocturnal-awakening.jpg

Tuesday, January 27, 2015

Big updates to ISC2 CISSP Exam coming soon

The recently announced changes to the ISC2 CISSP exam are the most significant I've seen in years. They're moving to re-align test coverage to the newest issues in information security and current job practice areas. Some of the previous security domains have been expanded, while others have changed completely or been eliminated.  The new domains are:


  • Security and Risk Management (Security, Risk, Compliance, Law, Regulations, Business Continuity)

  • Asset Security (Protecting Security of Assets)

  • Security Engineering (Engineering and Management of Security)

  • Communications and Network Security (Designing and Protecting Network Security)

  • Identity and Access Management (Controlling Access and Managing Identity)

  • Security Assessment and Testing (Designing, Performing, and Analyzing Security Testing)

  • Security Operations (Foundational Concepts, Investigations, Incident Management, Disaster Recovery)

  • Software Development Security (Understanding, Applying, and Enforcing Software Security)


Dr. Eric Cole, author of SANS MGT414, is presenting the new curriculum through the vLive format in early March, and other presenters will be field-testing it between now and September 9th when I launch the Mentor sessions in East Lansing, Michigan.

If you saw my earlier post about the Mentor session I'm presenting for the CISSP exam prep, I've updated it to link to the new flyer and registration page.

original post: http://www.redcedarnet.com/2015/01/sans-mentor-information-security.html

Wednesday, January 14, 2015

SANS Mentor Information Security Training in Mid-Michigan

If you are planning information security training for yourself or employees this year, I hope you'll consider the CISSP® exam preparation course I'm presenting in East Lansing, Michigan, beginning Thursday, March 19.

UPDATE: SANS Institute is in the process of updating the curriculum for this course to align with the changes being announced by ISC2 for test candidates beginning April 15, 2015. You want the newest course content that will get you through the new test. Since we need to move the Lansing Mentor session for this test prep course, the best opening to do it looks like September, starting on Wednesday the 9th. Hopefully, this means a few more people who were considering the course will be able to register.

If you aren't familiar with the SANS Mentor course format, rather than five days in a lecture, you attend shorter presentations one evening per week. Bring your questions to class and be prepared for discussion with your peers. In between sessions you have time to study and digest the materials. You still get all the curriculum you would get at a large SANS conference costing thousands of dollars more, but without the need to take time away from the office.

Details are at http://www.sans.org/event/39467. Be sure to get the discount and registration codes from the flyer on my downloads page, or directly via: http://goo.gl/vMNW1f