How do you create a compelling cyber security resume? What kind of resume will stand out and get my foot in the door? What do I need to include on a resume? I've heard these questions and much more that are pretty typical for anyone looking to break into the field and build out their professional experience. These questions are pretty standard even for those who've been around for a little while but looking to change jobs. If you want to skip all the hard introspective work on creating your resume and get some assistance, let me know, but otherwise, keep reading!
Your resume is like your professional billboard, your calling card; it’s what you present to the world of hiring managers to land that interview and get you one step closer to the job you want. Despite the significant number of job openings in the cyber security field, it’s still a competitive market for those seeking jobs. Organizations understand the importance of security to their business and generally speaking try to hire quality people into the roles they’re looking to fill. What this means for you is that just having a passion or some experience or knowledge in this field does not guarantee you anything; you still need to seek ways to stand out.
Three Resume No No’s
This article covers three things that you need to stop doing when it comes to your resume, ASAP. Resumes are too often extraordinarily mechanical and don’t really represent who you are and what you can bring to the table. As a hiring manager myself, these three things drove me nuts and never once led me to call upon somebody to take the next step in the hiring process.
1: Simply Listing Your Job Responsibilities
A hiring manager working in this field will typically have a working mental model of what the job responsibilities are for the roles that you’ve worked. This especially applies when you’re applying for positions similar to ones that you’ve already worked in, maybe they’re just at a different company or in a more senior capacity. It’s possible that there was something incredibly unique in your particular situation as, let’s say, a SOC analyst or a penetration tester, but we can represent that in another way that doesn’t assume the reader of your resume has zero experience in the field.
Instead of listing out all of the job responsibilities that you’ve had at each of the positions you’ve held, instead, focus on the value you’ve delivered. Let me repeat this, focus on the value you’ve delivered. Communicating value does NOT mean stating your accomplishments, which might look something like:
Performed 15 manual penetration tests of internal web applications and servers in 2017, identifying high-risk vulnerabilities for product engineering teams.
Instead, a value-driven focus might look like:
I helped make sure that vulnerabilities that could impact business revenues or operations were proactively identified in our most mission-critical products through 15 different web and server penetration tests.
What you want somebody to take away from reading about this particular role you held is how you could provide similar or even greater value to them in their organization. Focusing on value over responsibilities or accomplishments helps drive this narrative home.
2: Outlining All Of The Tools You Have Used
It drives me nuts when I encounter a section in a resume that merely lists a bunch of tools that the individual has used at some point in their career or studies. Admittedly, I used to do this myself; it’s tempting to do so I get it. I personally recommend that you resist that urge.
One caveat to this piece of advice is that if you're tailoring your resume for automated resume review systems, typically in place at larger organizations, then a skills section can be useful. In this case, I'd recommend maybe putting it towards the bottom and streamlining it to the types of jobs you're targeting, pulling keywords from the positions you're applying for.
Having a section that exhaustively outlines all of the tools you’ve used is typically an obvious thing to most hiring managers. For example, a penetration tester telling me as a hiring manager that they’re familiar with NMAP, Metasploit, Burp Suite, ZAP proxy, and Wireshark is affirming my assumptions. In some cases having tool names in your resume can help you out in this age of keyword analysis tooling used by HR and recruiting software. However, this format doesn’t tell a compelling story about you.
Instead of a section that outlines tools (programming languages fall into this bucket too), I'd recommend weaving them into your value statements for each role and how you used them. Talking about how you used Burp Suite’s API to create automated test cases for a CI pipeline which saved your team countless hours and decreased turnaround time for product teams is compelling. I want that for my team. Tell that story instead of merely telling me that you know how to use Burp Suite because everyone else who’s applying for this job does too. This approach helps you capture the keywords needed to align with the machines that review resumes while still telling your personal story.
Another caveat to all of this is that if you do decide to list out a specific skills section, consider placing a brief, qualitative statement about what you can do/have done with those tools to go with it.
3: Excessively Inflating Your Accomplishments
We already talked briefly about accomplishments on your resume and how I think they can be tailored to value statements. It’s natural to want to make yourself look good on your resume. With that said though, you should never overly inflate your accomplishments. Don’t tell me that you led a team when you were in no position of leadership. Don’t tell me that you delivered on a massive project even though it never really took hold, got adopted and delivered any value to the business. Don’t tell me that you were heavily involved in a particular type of testing or business process when you only spent a week or two dealing with it in contrast to your peers. Don’t do these things. It should go without saying as to why being overly generous to your accomplishments on your resume is a bad idea, but let me dig a little deeper.
When somebody goes to validate this and finds out that you were misleading about your experience, your reputation could take a hit.
Your reputation is one of the only things you have to yourself in your professional life, and you should take great pride in protecting it. I know people who have gone down this road, and even if it works out for them in the short term, it will eventually catch up, I know that I will never be advocates on their behalf and I know others that feel the same.
The degree of honesty and sincerity is something that’s 100% in your control when you write your resume, so be honest, own up to your successes and your failures.
Presenting a resume that tells the real story of you and how you can provide unique value to your new prospective boss and employer is essential. Take a look at your resume today and see if it falls into any of these traps. I would encourage you to be really honest with yourself about it. If you find yourself in a rut and need some help in writing a resume that will help you win in the job market, let me know on Twitter or if you need a boost in your career development I'm here to help!