Ever wonder what hiring managers look for in “good” resumes? While I cannot speak for my employers, I can say that there are certain pieces of resumes that I care more (or less) about when I review them.
Let’s get started
- …that you understand how to use computers. Please do not list all of the different operating systems (OSs) that you have ever moved a mouse on. Just leave this out unless there is a specific OS that shows something important. Applying for a “Mainframe Penetration Tester” position? OK, go ahead and put that you are competent in z/OS. But please omit every version of Windows, Mac OS, and Unix/Linux unless they are absolutely relevant.
- …that you have used “Office-type” applications like Microsoft Word/Excel/PowerPoint (or their free counterparts by OpenOffice or someone else). Putting that you know how to use these tools is expected. Making a hiring manager read through this fluff to get to the info that they care about is not cool.
- …that you will expand acronyms and abbreviations the first time you use them in the document. With so many technologies and so many overlapping acronyms, don’t assume that I know what you mean by a certain term. This is especially the case when working in the government realm. There are acronyms and abbreviations for abbreviations in that world. Spell it out for me so that I understand what you mean.
- …that you know our companies may allow us to do some Internet searches on you to augment your resume. We can leverage many free, public Internet resources to discover things about you. Try Googling yourself to see what we may see. You might wish to tighten down the privacy controls on your social media profiles and remove certain things from the Internet before sending that request to get a job.
The resume sections
Summary / Career Objective
- …make my job easier to find your relevant experience by not listing every job you have had since you entered the workforce at age 14.
- …leave off unrelated positions. When I see that people have worked at McDonald’s (even if you were a night manager) or as a barista at Starbucks, I try to think about how that applies to a position in penetration testing. If you can tie the experiences you had at these types of employers into the position you are applying for, awesome. “At Starbucks I learned how to effectively work with a variety of customers. While customers waited for their drinks to be made, I always tried a little social engineering on them to see how much personal information I could get them to disclose in under 3 minutes.” << That would be an excellent read and show that you understand what I’m looking for.
- …tailor what tasks you performed at each job to reflect how they show your experience in the position for which you are applying. Did you work in cyber defense doing APT-hunting but are applying for a web app pentesting position? Show me that you know how your existing skills make you a more valuable candidate to me: “Through my X years of cyber defense, I’ve investigated hundreds of web application compromises. I’ve learned how attackers exploit SQL injection and command injection and have replicated these attacks in a lab.”
- …make sure that you use operational security (OPSEC) in your document. If I’m going to consider hiring you to discover infosec weaknesses in my organization, I need to see that you are being careful with the secrets/sensitive information from your previous positions. This also applies if you get an interview. Coming into an interview and telling me that you have “pwned all the Department of XYZ’s externally-facing human resources web app servers because they allow SQL injection” is not reassuring me that you will keep my organization’s weaknesses to yourself. And please please please do not continue to talk about the detailed content of each of those databases and tables that you dumped and how specific people at your customer site responded. It is way-bad OPSEC.
- …make sure you understand that, after working in this industry for 15+ years, attending conferences, teaching hundreds of people and working with a wide variety of contractors, government people and others in the industry, my network of contacts is quite wide. And I’m not the only one. The infosec industry is smaller than you may think. It is trivial to reach out to colleagues to verify the content you put on your resume. Oh, and when you come in for an interview, please be positive about the people you have worked with and, in general, don’t give names or positions. I may have worked with or might know the person that you are blaming for something.
- If you took a certain technical certification class but I do not see the certification noted on your resume, I wonder what happened. Took the “Pentesting with Kali” course but no OSCP? Be prepared to explain.
- In some parts of infosec (government contracting), having a college degree can be important. As a person with a liberal arts Bachelor’s degree in Psychology, I really do understand that even though you majored in something other than Computer Science, you still can be very good in our infosec field. Don’t worry about that. Oh, don’t have a college degree? For me, I don’t care about degrees. I care about…well, I’ll get to what I look for in a candidate in a bit.
Skills / Tools
A NoVA Hacker reminded me that this is usually a section where people put keywords that they hope will make their resume bubble to the top of the automated scanning tool a recruiter is using.
Unfortunately, when the resume gets to the technical interviewer and we see that there are a bazillion tools listed, it makes us wonder how deep your knowledge is on each. She suggested (and I agree) that you need to have proficient-level knowledge of a tool to put it on your resume. Touch a version of ABC scanner? Nope. Don’t put it on there.
Additionally, each tool you put in here (if you use this section) should have at least one bigger bullet in your resume experience content area explaining how you applied your knowledge in your work (or other activities). Keep in mind that if you put something on your resume and get an interview, you may be asked about it. I’ve interviewed many people that cannot explain much of what is noted in this section on their resume. Don’t be like them. Make this section compact, represent what you have used and know, and tell us why it is important.
References provided upon request
What do I look for in an employee
- …managed a group of X people. Tell me how you ensured that they were motivated and engaged (things a good manager does). “Managed” doesn’t really tell me about what you did.
- …monitored some system or process. Explain to me what monitoring entailed and how it is important. Monitoring sounds like you are just watching a screen waiting for something to happen. I want someone that “monitored XYZ system for alerts and also hunted for issues/vulnerabilities/events by …” Show me the active parts of your work. [That doesn’t sound very professional but you get it I think.]
No paid experience? “Show me”
- Show me that you are motivated.
- Show me that you care about learning and growing and applying what you know. In infosec there are many places you can do this.
- Show me the related other things you do in infosec. Don’t have a lot of experience? No problem. We all start somewhere.
- Show me that you are self-learning and not going to require me to hold daily classes to teach you everything that can be Duck-Duck-Go’d or Google’d.
- Show me all the cool things you do outside your position to grow your skills. Don’t have any? Try some of these:
  - Join a hacker-space.
  - Attend/present/participate in local infosec groups (ISSA, OWASP, etc.).
  - Join an infosec-related club at your school/in your community.
  - Do online or in-person CTF (Capture the Flag) competitions: http://captf.com/practice-ctf/ and http://ctf.forgottensec.com/wiki/index.php?title=Main_Page
  - Find an open source project you like in a language you can code in (or want to learn) and start contributing.
  - Talk to some senior people in the industry and see if they have any projects that they need help on. Many times these people have more ideas than time to follow through and appreciate the offers of help.
Look to the Interwebs
We all know that “if you can think it, it is already on the Internet”. Some very well-respected people in the infosec community have blogged about how to break into our industry.
- Chris Gates (@carnal0wnage) has this post http://carnal0wnage.attackresearch.com/2015/05/answers-on-how-to-get-started-in.html
- Robin Wood (@digininja) posted this https://digi.ninja/projects/breaking_in_data.php
- Leslie Carhart (@hacks4pancakes) wrote a six-part series on this here: https://tisiphone.net/2016/02/10/starting-an-infosec-career-the-megamix-chapter-6/
- Daniel Miessler (@DanielMiessler) wrote https://danielmiessler.com/blog/build-successful-infosec-career/
Check them out and do what they say.
Keep in mind that recruiters and hiring managers see hundreds or thousands of resumes each day/week. Make your resume stand out. You have the power to help me hire you!