10 Resume and Interview Tips from Security Pros
Experts from the DEF CON Career Hacking Village explain how job seekers can build a resume and rock an interview.
Whether you're new to the cybersecurity industry or a seasoned practitioner, chances are good you've heard of the so-called talent shortage plaguing organizations. The problem isn't always that talent isn't there. It's that aspiring candidates have trouble connecting to future employers.
This was a focal point of a DEF CON talk by hacker and security researcher Alyssa Miller, who spoke about job hunting and career development in security. Earlier this year, she surveyed industry newcomers and experienced professionals to learn how long they'd been looking for a job. Her poll got more than 1,500 responses, many of which indicated job seekers have trouble.
Of the experienced practitioners, more than 46% had been searching for zero to two months, which is the expected time frame. However, 30.2% had been searching for three to six months and more than 16% had been looking for over a year. Of the newcomers, 34.5% had been searching for three to six months, 15.9% for seven to 12 months, and 16.7% for more than 12 months.
"We see the same issues here, whether you're entry level or whether you're experienced," she said.
The job search is difficult across industries, and cybersecurity is no exception. Experienced job seekers are challenged with bad job descriptions (35.7%), company culture (18.3%), salary ranges (14.8%), and finding senior-level roles (11.4%), according to Miller's research. It can be tough when applications don't yield a response or when job descriptions demand far more than any individual can do.
In the DEF CON Career Hacking Village, new to the conference this year, industry professionals shared their advice for people struggling with the job-seeking process. Here, we share their tips about building a resume, contacting recruiters, and prepping for an interview. Have any tips you don't see here? Feel free to share them in the Comments section, below.
Resumes remain an essential part of the hiring process, said Kris Rides, CEO of Tiro Security, in a talk about resume tips. A resume/CV is not only a first impression of your professional skills, it's a test of the overall communication skills you'll bring to a role as well as how effectively you communicate in writing. You want to do your best, but it's important you write it yourself.
"This is supposed to be you," Rides emphasized. "You should be the one who's putting your resume together. It represents you and it represents your career history. You must write it."
Can you look at others' resumes for advice? Of course. Rides encouraged chatting with industry recruiters, friends, and contacts to see who might be willing to share their resumes or offer a second set of eyes to review yours. There's no problem in using another resume as a template.
Paying a professional resume writer may be easier but could easily backfire as resumes must be industry-specific. The cybersecurity industry has its own requirements, Rides explained, and most resume writers aren't familiar with the details. A person who writes a generic resume will likely miss critical parts that cybersecurity hiring managers expect.
Job candidates should have multiple resumes, Rides said. One is the generic resume; this is the one you bring to job fairs. Others are more tailored, with details specific to each role.
The generic resume is written for the type of job you'll likely apply for. It will talk about some projects and broad experience to give people a general understanding of who you are and what you've done. It doesn't go into specifics.
Then there is the specific resume, which is written based on a specific job you have in mind. This will include specific details related to the job description, such as the relevant skills, tools, and projects needed for that particular role. If you know someone who works for the company, reach out to learn more about what they're looking for and include it. If they are looking to do a project that you've done in the past, make sure you explain it in your resume.
You may end up with several job-specific resumes, which Rides said is normal but takes a lot of time. "This resume is the one that will get you the job, and it's the one that will create conversation during your interview," he noted. "So take the time [to write it] -- it's worth it."
In her DEF CON talk, Miller described a candidate who was a barista for seven years. This person didn't think they had any place applying for a cybersecurity role because they hadn't worked in tech, despite having a computer science degree and Security+ certification.
But even as an entry-level employee, it's possible to demonstrate technical skills.
Miller spoke to three levels of technical capabilities, or things that show up as requirements. The first is knowledge: You attended a training, researched a topic, and/or read a book. The second is skill: "You've actually taken that knowledge and applied it in some way. Maybe you did it in a lab, maybe you worked in a [capture the flag], or you went to a village or some other hands-on training ... you got to apply it somehow," she said.
Third is experience, or formal, documented examples of applying a skill in a real-life, usually business scenario. Making an inventory of knowledge, skills, and experience "is so crucial," Miller said.
It's important to also record "core skills," or transferable elements that can be taken from one capability and applied to any role. As a barista, this particular candidate had to receive orders, prepare them according to recipes, deliver to customers, and clean equipment. How does this translate? The person processed multiple inputs, translated input into tasks, prioritized for maximum efficiency, focused on efficient delivery, and planned and executed maintenance.
"These are general words that can apply to any job, anywhere," Miller said. "And when you can now take and view your skills in that light, you can take those requirements they're asking for, understand the core skills behind those, take your own core skills, tie them together, and now you can see how you can easily word your resume to highlight the skills and experiences you have from your job to fit into the job you're applying for."
Chances are your resume will have competition. Rides explained the common resume mistakes he has seen in his 20-plus years in the tech industry.
• Resume length: Some hiring managers want to see a long, detailed resume, but most do not. Unless you recently graduated, he said, your resume could be two to three pages. Anything past four pages could mean losing your audience.
• Format: Choose a font and stick with it. Make sure nothing is distracting about the formatting, and be careful when using bold font. When used sparingly, he said, it can be effective.
• Spelling and grammar: There's no excuse for mistakes, Rides said, yet it still proves a problem for many candidates. Read and reread your resume before sending it.
• Missing dates and employment gaps: Be specific about when you held a role and address any gaps up front. If a hiring manager has doubts, you may never get the chance to explain. It's likely people will have taken time off because they were out of work, traveled, or had a baby.
• Irrelevant information: Positions you held 10-plus years ago don't need a lot of detail; if the company is interested, they'll ask in the interview. With respect to certifications, only include those you currently have or are ready to take a test for. If the test isn't in the near future or the cert is expired, it shouldn't be on your resume.
• Don't be dishonest: It always comes out, whether it's in the interview or after you're hired.
While security professionals are usually savvy, many don't think about how social media will affect their job hunt. Public tweets, even those that don't express your current views, could prevent you from getting a role. Disparities between LinkedIn profiles and resumes could appear suspicious to a hiring manager when they decide to look them up online. Many will.
"Make sure the information matches what's actually in your resume," Rides said. "Make sure the job title matches. Make sure the description matches." Think about the information you share: Would your previous employer be happy with it? How about your future employer?
Social media could prove invaluable in meeting people who could connect you with future roles, said Miller, who encouraged the virtual audience to interact with people on Twitter, LinkedIn, Reddit, MeetUp, and other social platforms. Communication is key. As she put it, building a network isn't about following a bunch of people and getting them to follow back.
Twitter is a great place to interact with the infosec community. Follow big names in the industry; as they post things, you can interact and start conversations. Ask questions, offer your opinion, be respectful, and engage with the community. LinkedIn is another place where you can easily find industry pros and reach out. Most are happy to add connections, she said. As long as there isn't a red flag, chances are good they'll accept your invitation to connect.
The cover letter is an opportunity to pull relevant experience from your resume and put it up front, said Rides. If a company is looking for five skills and you have experience with them, you can emphasize that information so it's the first thing a hiring manager sees.
"Make sure they're specific and concise," Rides said. "As you would do in your resume, you have to do the same in your cover letters and cover sheets. Make sure they're specific in the job description. Don't send out generic cover letters. They're horrible."
Think of it as a question-and-answer, Rides advised. If they're looking for a specific skill, what kind of experience do you have that matches? If they're planning a specific project, have you done something similar?
The cover letter is also an opportunity to highlight why you really want a position. What excites you about the job? Why do you want to work for this company? If relevant, you may also include why you're leaving your current role -- as long as you do so in a positive way. Maybe your current company doesn't support going to conferences or they don't pay for certifications.
"If they feel that you're excited about the job, you're excited about working for them, you've done a little bit of background on them, they're going to be excited to meet you," Rides added.
There are many places to look for a new gig: advertisements, your professional network, internal and external recruiters. Some are more effective than others, experts warn.
"Your network is going to be absolutely key," Rides said. Consider the people you know and the companies they work for. Who is recruiting? Who do they know who could help? LinkedIn can be valuable here; connect with hiring managers who may be hiring and write a personal note.
He also suggested looking outside to the local community. Even now, when everything is virtual, cybersecurity groups can be a great way to meet industry pros and build connections. Conferences, whether in-person or online, are ideal for connecting with experienced pros.
Ads are generally the least effective means of finding a job, he said. What's more, it's tough to get cybersecurity pros to send personal data based on seeing an ad, and even if they do, there's no guarantee a person experienced in cybersecurity will respond. "Advertising is broken," Rides said. "You should not rely on this no matter how great your resume is. Don't rely on responding to adverts to be the major part of your job search."
Messaging recruiters on LinkedIn can be tricky, said Kirsten Renner, senior director of recruiting at Novetta. People who open their DMs on social media are making themselves vulnerable. It's important to make a strong first impression -- and quickly.
"You have to compel the people you're reaching out to, to take the extra step," she explained. "You have three to five seconds, so do slightly better than just, 'Hey.'"
It's important to note you have competition here. Most recruiters want to talk and help, but they have a lot of people to respond to. In a DEF CON talk on job hunting in the pandemic, Renner suggested looking up a company's recruiters on LinkedIn. Share your name, the job you applied for, and the job's identifier if applicable. If you don't hear back within a day or so, look for the director of the department where you applied for the role with the same information.
When speaking with external recruiters, Rides suggested building relationships with those who specialize in cybersecurity. Look at their LinkedIn profiles and see how they describe what they do. Those who have credibility can be helpful in connecting you with hiring managers and can speak technically about why you should get an interview.
Your resume passed the recruiter, and now it's in the hands of a hiring manager. "This is where things are crucial," said Miller. Now is the time to be memorable and share your passion.
This is key: People looking for cybersecurity roles should be able to demonstrate why they're excited about the industry. Creating a blog or YouTube channel is an effective way to show you're engaged in the industry and invested in learning and sharing knowledge.
"I don't care if only five people ever read your blog. The fact that you wrote content, you put it out there, immediately demonstrates, 'Hey, I'm doing something in security.' That makes you memorable," she said.
When speaking with a hiring manager, Miller suggested preparing and delivering an "elevator pitch" of one to two minutes, which can explain your key selling points. Locate everything from your pitch in your resume. If they aren't in there, figure out how to add the things you think are most important about yourself.
"Make them know why it is that they want to hire you," Miller said.
When answering interview questions, Renner advised framing your response as a story. If the interviewer asks about your strengths, use an example of a time when they came in handy. If they ask about weaknesses, share a story about a time you failed and the lesson you learned.
Arrive prepared with questions that take a personal angle. "What have you learned here?" or "What concerns did you have about joining this company, and how did they turn out?" can prompt insightful responses from a hiring manager and reveal a lot about the employer. You're not trying to trick them, she noted. You're asking for their personal experiences.
Of course, there are also the little things you should check before and during the interview -- which will in all likelihood happen via a videoconference from your home. Test your speakers and microphone, put your phone on "Do Not Disturb," and close all your files and browser windows. Not only can they be distracting, you may accidentally share personal data.
And because you're home, it also makes sense not to be overdressed; however, you don't want to look like a slob. Be aware of the noises you make, especially if the interviewer has headphones on. Don't shift things around or sip your coffee. Try to look into the camera to make the conversation more engaging.