Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Information security resume do's and don'ts

Get advice, and learn do's and don'ts for creating an information security technology or network security resume.

We all know an employer looks at a résumé for 30 seconds. Here are some surefire tips for standing out in the stack.


Write an appropriate objective statement (or omit it all together).
Most employers will not read on if the objective does not match the position that they are hiring for. For example, if a candidate were applying for a manager of network security position at a financial services company, an effective objective statement would look like this: "Objective: To find a leadership position that enables me to utilize my five years of experience as a lead network security engineer and technical project manager at a global investment bank."

Objective statements, however, are not a necessity. If a company has multiple positions that interest you, don't paint yourself into a corner.

Focus on the position you're applying for.
The résumé should be geared toward the requirements of the specific position. (It's OK to have different résumés for different positions, but be careful about just changing the objective statement--it sometimes leads to a disjointed résumé.)

For example, if the candidate were looking for a position within an industry outside of banking, he would most likely omit the specific items geared exclusively towards financial services firms. In that case, the résumé should speak to his accomplishments in network security and project management, with industry independence.

Explain short stays of employment.
Short durations of employment are the predominant reason qualified people aren't considered for an opening. If you've changed positions frequently, you need to explain the reasons for leaving in one line at the end of the description. Some explanations read: "The position was eliminated," "Recruited by my previous manager," or "Offered a promotion."

Employers react in different ways--candor is the best approach.

Watch the length.
A résumé reflects both your experience and your ability to communicate. It should provide a road map for tracking your career and include all of your major accomplishments and responsibilities. Omit anything irrelevant to the current stage of your career.

For example, a person less than five years into their career would want to list a student job at the university computer lab. To someone with 25 years of experience, this type of a position would be inconsequential.

Here are some guidelines: The résumé should consist of two parts, a summary of career accomplishments (ranging from one to three pages) and a listing of technical skills, certifications, education and related activities (a half page to one page long). For every five years of work experience, you can add another page. The maximum number of pages you should have is four. As you progress in your career, eliminate specific accomplishments from the end of the résumé and replace them with new achievements.


Avoid being redundant.
Redundancy is the main culprit in making a résumé longer than it needs to be.

Listing the same bullet points under each of your last positions gives the appearance that you have not challenged yourself. Be sure to accentuate your most current accomplishments in any position. Reinforce your skills, but avoid overkill. Always point out promotions you have earned, and technical and non-technical skills that you have developed.

For example, if you authored an information security policy at your last three companies, list the accomplishment. However, as you advance in your career, this skill should become a smaller component of your overall job function.

Appear overqualified.
Many people like to embellish their roles and importance in their current and past positions because they believe that it will enhance their chances of being considered for a position. Aside from possibly being dishonest, this is often counterproductive: Hiring managers do not want to give a job to someone who'd be bored with it and quickly leave the company.

Downplay technical skills.
It is common for candidates to put together a résumé that de-emphasizes their technical background to appear more business-focused and managerial. Information security professionals should embrace their technical roots; this is often a differentiating factor when employers make their choices. Include a list of your technical and information security skills as the last page of your résumé.

For the record, I have never been told that one of our candidates would not be offered a position because his technical skills were too strong.

Go crazy with buzzwords.
Be careful how you choose to illustrate your strengths, especially when they relate to different technologies, solutions concepts and regulatory standards. As a rule, do not list anything that you cannot back up with a level of work experience or that you would not be able to have an informed discussion on with someone who has expertise in the area. Chances are that person will eventually interview you.

Appear to be an expert in everything.
One of the best things about information security is that it comprises so many sub-segments that it has created different areas of subject matter expertise. Be careful about claiming to be an "expert" on more than one topic--it may cause some doubts about your level of proficiency. Also, when you claim to be an expert, interviewers will often choose to challenge you during an interview to validate your claim.

Overemphasize extracurricular industry activities.
Being selected to write or invited speak about particular industry topics can make you stand out from the pack. Mention the speeches you delivered at various conferences, or the books you contributed to, during the interview itself; on your résumé, be selective in what you include.

We've all got to start somewhere

We asked some security pros to share their first jobs, proving that even the biggest of fish was little once.

"It was the height of disco when I graduated high school. I went to work for my dad's construction company that summer as a common laborer. That September, I joined the U.S. Navy with advanced training in electronics, specializing in ship-borne radar."
–Tom Bowers, Information Security technical editor

"My first real job was delivering the daily Sacramento Bee when the only early morning paper was on Sunday. I learned a lot about compromise, marketing (soliciting people to take the paper) and setting priorities to business first, play time later."
–Kevin D. Dickey, deputy CIO and CISO, Contra Costa County

"My first job was at an ice cream shop. I was hired as a 'trainee,' which allowed them to pay me below minimum wage until I reached 'sales staff' status."
–Desiree A. Beck, technical lead, CME initiative, Mitre

"I was 14 and waitressing at a coffee shop. I watched people in business suits and wondered what kind of exciting lives they had, and why they never tipped more than a dime."
–Terri Curran, director, corporate information security services, Bose

"My first job was helping test the efficiency of compressors used in air conditioners and heat pumps. Although not related to infosecurity, this was a complex system of measuring devices, data collectors and computers to run the tests and view reports."
–Ron Gula, CEO and CTO, Tenable Network Security

Employers want their employees focused on their position, not on external interests. Make sure a potential employer views these activities as an enhancement to your job, not as a competition.

More information from SearchSecurity.com

Learn how to apply social engineering and other hacking skills to your job search.

Project management skills give applicants an edge over the competition.

Dig Deeper on Information security certifications, training and jobs