What Does a Top-Notch Cybersecurity Professional Resume Look Like?
Networking grows your community of supporters, recruiters, and potential colleagues. When 70% to 85% of jobs are filled via network connections, a strong network is essential. Regardless of the connection strength, a strong resume is required to pursue a role at a potential employer.
I have been on both sides of the hiring table, spending most of my career consulting with brand-name firms. Last fall, I served as the Acting Chief Information Officer for a client. The business asked me to work with HR to rapidly identify and hire competent technology resources as a top objective. Each hire went through multiple interviews, faced a standard battery of questions, and was rated against a standard job description. We had to move quickly, but throwing talent into a confusing situation was going to hurt more than it would help.
Make no mistake. Referrals, internal champions, and well-placed recruiters make the hiring process faster and easier. Business and technology leaders simply do not have the time to vet every single candidate. However, strong organizations do not simply hire friends and family. Strong organizations that provide a foundation for success and growth hire qualified candidates for clearly defined roles.
Here are the top criteria that I use to make technology and security hiring decisions:
Articulate Your Business Impact.
Organizations that do not have clear and fair hiring standards or promotion criteria will ultimately disappoint you. These opportunities may turn negative quickly, particularly for information security professionals. Use your resume as an opportunity to translate technical terms and jargon into business results and impact.
Will you have the resources and business partnership to accomplish your goals? Do you need a software platform to be successful, or could you build off of what is available? Will you be a part of a dedicated security team or will you be embedded within a business, compliance, or technology function? How do you quantify security in the context of business terms?
I look for resources that can adapt to a variety of situations, platforms, and levels of security resilience. I need to know that you see security as a journey, driven by the business. I want to hear how you took a resistant or reluctant group of colleagues and turned them into a secure unit.
Here are some detailed examples:
Forensics analysis and after-action reviews show that old vulnerabilities remain closed.
Change management skills show an ability to change mindset and gain buy-in.
Annual compliance or regulatory findings are being addressed according to a plan.
Security metrics are integrated with business unit performance dashboards.
Red Flag for You:
Use your resume to gauge the appetite of your potential employer for partnership. Have they established business objectives and goals as they relate to security? What is the budget for security resources, training, and infrastructure? Will you be an influencer or a decider? Know what you will be pioneering versus what you will be enhancing.
As you explain your experiences, appropriate for career level and industry, you should establish a dialogue to see how these ideas would translate to the new role and the new culture. E.g., organizations that lack a regular technology or security review will be challenging, but being the catalyst for change can be exciting and satisfying.
Red Flag for Them:
I have attended a number of security-focused events that spent a fair bit of the agenda grousing about business inaction. Does security drive profitability or support it? A number of resumes have come across my desk for review that come across as petulant or frustrated.
Interviews have provided a way to clear up any potential misconceptions about their attitude, but several candidates have confirmed a superior attitude in person. Assessing a mutual fit does not give you license to bad-mouth a potential employer’s lack of resilience or lay blame. Approach the dialogue with a spirit of confident humility and collaboration.
Tell a Business Narrative.
Strong cybersecurity professional resumes support a narrative that you will enhance in your interviews. List the results that you achieved in security for your business or organization. Here are two examples, one for junior-level security professionals and one for senior-level security professionals:
As a security analyst, outline how your efforts to reduce phishing helped the business. By working with IT infrastructure and HR, you implemented message filtering and awareness training to cut phishing volume as seen by the customer community by 90%. They still see two or three messages a day, but our customers and colleagues pass phishing tests 80% of the time and there is a clear drop box for suspicious messages to be escalated for analysis.
As a forensics lead, outline how your efforts to secure the business helped drive proactive improvements. You partnered with the business product and engineering teams to integrate security risk reviews into their Agile planning in Sprint Zero (and in subsequent sprints). You participated in demo days, helping the team set aside 20% of their sprint points for security issues or potential defects. The net result was that the number of products going live with critical or high-risk defects was cut from 50% to 5% over 6 months.
I look for resources that can partner with the business, particularly if security resources are constrained. I need to know that you can help my supply chain, retail, and manufacturing departments run securely without breaking business efficiencies. Give a sense of the time, energy, and effort required to get the job done collaboratively.
Our growing distribution business opened a second warehouse. During orientation and training for the new warehouse managers, I sat in the conversations and walked the floor to get a better understanding of how this key operation works.
During the walk, I noticed that a number of employees were using their personal mobile phones to scan packing orders instead of their work-issued hand scanners or tablets. I asked why and I learned that the network in the warehouse is inconsistent. The personal devices use a more reliable cellular network. I also learned that customer payment and address information is printed out as part of our pick, pack, ship process.
At the end of the walk, I wrote up some suggestions for securing both warehouses and reviewed them with the warehouse managers. This included fixing the spotty Wi-Fi, training employees on how to ensure that they’re using secure Wi-Fi and devices, and removing PII and PCI from the pick, pack, ship printouts.
Together, we opened the new warehouse securely without missing the opening date. New hires receive training on a standard process using secure devices and infrastructure. Customer data is protected.
Red Flag for You:
If you are simply the next person in a revolving door situation for an organization struggling with systemic security issues, you need to approach the opportunity with caution. A crisis may create an opportunity, but it could end in catastrophe.
I had a client who refused to meet with me about a project that was behind schedule. I had to literally chase him down in the parking lot with a hard copy of a status report.
In security, a number of business and technology leaders take the head-in-the-sand approach. If your narrative elicits wide-eyed stares rather than dialogue about potential partnership, you are probably entering a bad situation.
Red Flag for Them:
Security is an area that can be challenging to de-mystify. Technical jargon, combined with headlines that emphasize an endless barrage of exotic attack methods and spy agencies, can be quickly tuned out.
Work to build your resume in a way that expresses both your technical and business acumen. Weave appropriate language into the larger narrative, but avoid making it the focus.
I look for resumes that reference specific frameworks, processes, and solutions without being beholden to them. Strong resumes show a potential for using the best tools for the job. Weak resumes are single-minded or skew heavily toward one particular vendor or provider.