Ever wonder what hiring managers look for in “good” resumes? While I cannot speak for my employers, I can say that there are certain pieces of resumes that I care more (or less) about when I review them.
I usually am looking to hire people that are computer-savvy. The positions I need filled are computer-related and information security-specific. While this blog is mostly directed at those candidates, I’m sure that people in other industries can use this information too.
Many people looking to break into infosec positions (specifically penetration testing) come out of college or are in a related field but they have no direct hacking experience. This post is also for you. I want you to understand what things outside of paid hacking work you can do to impress hiring managers and show them that you are motivated, exercise your initiative and you understand/are learning infosec.
Let’s get started
If you are applying for a position in information security, we expect…
- …that you understand how to use computers. Please do not list all of the different operating systems (OSs) that you have ever moved a mouse on. Just leave this out unless there is a specific OS that shows something important. Applying for a “Mainframe Penetration Tester” position? OK, go ahead and put that you are competent in z/OS. But please omit every version of Windows, Mac OS, and Unix/Linux unless they are absolutely relevant.
- …that you have used “Office-type” applications like Microsoft Word/Excel/Powerpoint (or their free counterparts by OpenOffice or something else). Putting that you know how to use these tools is expected. Making a hiring manager read through this fluff to get to the info that they care about is not cool.
- …that you will expand acronyms and abbreviations the first time you use them in the document. With so many technologies and so many overlapping acronyms, don’t assume that I know what you mean by a certain term. This is especially the case when working in the government realm. There are acronyms and abbreviations for abbreviations in that world. Spell it out for me so that I understand what you mean.
- …that you know our companies may allow us to do some Internet searches on you to augment your resume. We can leverage many free, public Internet resources to discover things about you. Try Googling yourself to see what we may see. You might wish to tighten down the privacy controls on your social media profiles and remove certain things from the Internet before sending that request to get a job.
The resume sections
Summary / Career Objective
Personally, I skip this section as I have mostly seen marketing-type content in here that only tells me how “awesome” you think you are and “where you want your career to go.” I expect no real content in here, just things about how you are “a team-player”, “can successfully balance multiple assignments concurrently” and are “highly motivated to tackle your next challenge for your next employer”. What I’d prefer to see is how you do these things in the other sections of the resume or in a cover letter/email.
Experience
Here is where you can impress or fall short. Tailor this section to the position for which you are applying. Most people have had jobs that are unrelated to the career position they have or the one they want. Please…
- …make my job easier to find your relevant experience by not listing every job you have had since you entered the workforce at age 14.
- …leave off unrelated positions. When I see that people have worked at McDonald’s (even if you were a night manager) or as a barista at Starbucks, I try to think about how that applies to a position in penetration testing. If you can tie the experiences you had at these types of employers into the position you are applying for, awesome. “At Starbucks I learned how to effectively work with a variety of customers. While customers waited for their drinks to be made, I always tried a little social engineering on them to see how much personal information I could get them to disclose in under 3 minutes.” << That would be an excellent read and show that you understand what I’m looking for.
- …tailor what tasks you performed at each job to reflect how they show your experience in the position for which you are applying. Did you work in cyber defense doing APT-hunting but are applying for a web app pentesting position? Show me that you know how your existing skills make you a more valuable candidate to me: “Through my X years of cyber defense, I’ve investigated hundreds of web application compromises. I’ve learned how attackers exploit SQL injection and command injection and have replicated these attacks in a lab.”
- …make sure that you use operational security (OPSEC) in your document. If I’m going to consider hiring you to discover infosec weaknesses in my organization, I need to see that you are being careful with the secrets/sensitive information from your previous positions. This also applies if you get an interview. Coming into an interview and telling me that you have “pwned all the Department of XYZ’s externally-facing human resources web app servers because they allow SQL injection” does not reassure me that you will keep my organization’s weaknesses to yourself. And please please please do not continue to talk about the detailed content of each of those databases and tables that you dumped and how specific people at your customer site responded. It is way-bad OPSEC.
- …make sure you understand that, after working in this industry for 15+ years, attending conferences, teaching hundreds of people and working with a wide variety of contractors, government people and others in the industry, my network of contacts is quite wide. And I’m not the only one. The infosec industry is smaller than you may think. It is trivial to reach out to colleagues to verify the content you put on your resume. Oh, and when you come in for an interview, please be positive about the people you have worked with and, in general, don’t give names or positions. I may have worked with or might know the person that you are blaming for something.
Education
Here candidates put the college and other courses they have taken to further their careers. Here are some tips:
- If you took a certain technical certification class but I do not see the certification noted on your resume, I wonder what happened. Took the “Pentesting with Kali” course but no OSCP? Be prepared to explain.
- In some parts of infosec (government contracting), having a college degree can be important. As a person with a liberal arts Bachelor’s degree in Psychology, I really do understand that even though you majored in something other than Computer Science, you still can be very good in our infosec field. Don’t worry about that. Oh, don’t have a college degree? For me, I don’t care about degrees. I care about…well, I’ll get to what I look for in a candidate in a bit.
Skills / Tools
A NoVA Hacker reminded me that this is usually a section where people put keywords that they hope will make their resume bubble to the top of the automated scanning tool a recruiter is using. Unfortunately, when the resume gets to the technical interviewer and we see that there are a bazillion tools listed, it makes us wonder how deep your knowledge is on each. She suggested (and I agree) that you need to have proficient-level knowledge of a tool to put it on your resume. Touched a version of ABC scanner once? Nope. Don’t put it on there.
Additionally, each tool you put in here (if you use this section) should have at least one bigger bullet in your resume experience content area explaining how you applied your knowledge in your work (or other activities). Keep in mind that if you put something on your resume and get an interview, you may be asked about it. I’ve interviewed many people that cannot explain much of what is noted in this section on their resume. Don’t be like them. Make this section compact, represent what you have used and know, and tell us why it is important.
References provided upon request
What do I look for in an employee
I want motivated, self-starting people working with me. People that understand that Googling first and then asking questions is probably a good methodology to use. People that try hard and are tenacious in their search to figure out challenges. I can (do?) teach people to hack. I cannot teach you to care, to be motivated and to do your best. You need to come to me with these attributes AND you need to show me them on your resume and in the interview.
Instead of telling me that you…
- …managed a group of X people. Tell me how you ensured that they were motivated and engaged (things a good manager does). “Managed” doesn’t really tell me about what you did.
- …monitored some system or process. Explain to me what monitoring entailed and how it is important. Monitoring sounds like you are just watching a screen waiting for something to happen. I want someone that “monitored XYZ system for alerts and also hunted for issues/vulnerabilities/events by …” Show me the active parts of your work. [That doesn’t sound very professional but you get it I think.]
No paid experience? “Show me”
- Show me that you are motivated.
- Show me that you care about learning and growing and applying what you know. In infosec there are many places you can do this.
- Show me the related other things you do in infosec. Don’t have a lot of experience? No problem. We all start somewhere.
- Show me that you are self-learning and not going to require me to hold daily classes to teach you everything that can be Duck-Duck-Go’d or Google’d.
- Show me all the cool things you do outside your position to grow your skills. Don’t have any? Try some of these:
  - Join a hacker-space.
  - Attend/present/participate in local infosec groups (ISSA, OWASP, etc.).
  - Join an infosec-related club at your school/in your community.
  - Do online or in-person CTF (Capture the Flag) competitions: http://captf.com/practice-ctf/ and http://ctf.forgottensec.com/wiki/index.php?title=Main_Page
  - Find an open source project you like in a language you can code in (or want to learn) and start contributing.
  - Talk to some senior people in the industry and see if they have any projects that they need help on. Many times these people have more ideas than time to follow through and appreciate the offers of help.
Look to the Interwebs
We all know that “if you can think it, it is already on the Internet”. Some well-respected people in the infosec community have blogged about how to break into our industry.
- Chris Gates (@carnal0wnage) has this post http://carnal0wnage.attackresearch.com/2015/05/answers-on-how-to-get-started-in.html
- Robin Wood (@digininja) posted this https://digi.ninja/projects/breaking_in_data.php
- Leslie Carhart (@hacks4pancakes) wrote a 6 part series on this here https://tisiphone.net/2016/02/10/starting-an-infosec-career-the-megamix-chapter-6/.
- Daniel Miessler (@DanielMiessler) wrote https://danielmiessler.com/blog/build-successful-infosec-career/
Check them out and do what they say. Keep in mind that recruiters and hiring managers see hundreds or thousands of resumes each day/week. Make your resume stand out. You have the power to help me hire you!