I conduct a fair number of interviews, and that means I see a lot of resumes. In my most recent round of interviews, I was interviewing intern candidates. There was absolutely nothing wrong with their resumes. They built exactly the type of resumes their counselors tell them to. In this blog post, I’ll tell you what your counselors in school aren’t telling you about resumes, including hacks to help you land your first security job.
If you haven’t noticed, the competition for security jobs is pretty fierce. It’s especially fierce for entry level jobs. When I interview for roles with a decade-plus experience, I may go up against 150 other applicants. But someone I know who has been a hiring manager for SOC analyst roles recently told me that he receives 3,000 applicants when he has an opening. Yes, almost 20 times as many.
The conventional advice
It’s not what you know, it’s who you know. That’s the conventional advice to job seeking. But I can tell you that isn’t always true. I can think of two times I applied for a position, was the most qualified person in the entire state of Missouri for that position, and I knew people there, and had good relationships with the people there. And I didn’t get the job. I didn’t get the job because I didn’t get an interview.
Don’t get me wrong. Networking helps. During those job searches, I was applying for other jobs at other places where I also knew people. Each time, one of those panned out.
What I’m telling you is that even if you know someone on the inside, you probably still have to get through HR. And that’s where a little hack I do with my resume helps. And my hacks work just as well if you are at the beginning of your career. Maybe even better.
Hacking your resume to get the job
The trick is tailoring your resume for the job you are applying for. Or if you prefer a security term, hack your resume.
I’m not saying that resume you put together for your counselor is bad. Not at all, it is fantastic source material. But it doesn’t use the language of your prospective employer. And due to the sheer number of applicants you are up against, your resume will be read by a machine. That machine will not do a good job of translating. So the more keywords you can use that your prospective employer uses, the better your chances are of having a human being read the resume and give you a chance.
Here’s what that process looks like.
Hacking your past job experience for your resume
First, you make a copy of your existing resume. Leave all of your contact information intact. Leave all the headings intact too. But delete everything you say about each of your jobs and your education. At this point, you may have a blank sheet of paper except for your contact information, maybe a job, maybe an internship, and an educational institution. That’s what good looks like at this stage.
Next, take the job description of that job you are applying for, and paste that into the blank spaces.
Now go to that job and look at those bullet points one by one, flipping back and forth between your existing resume and your new one. Your job is to replace job duties and tools with stuff you actually have experience with, while preserving as much of the prospective employer’s language as possible. You are trying to make the job you had look like all it was doing was preparing you for the job you want. You get 1-2 pages to build your case.
Hacking my restaurant experience
Maybe this will help. My first job was at a fast food restaurant. My second job was at a consumer electronics store. If I were applying for that job at the consumer electronics store, and the only experience I had was at the fast food restaurant, I don’t want to waste my resume space talking about mopping floors, filling the ice bin, and refilling the ketchup dispenser.
Instead, I would talk about answering customer questions about products. See what I did there? I was trying to go from selling sandwiches to selling computers. To do that, my best bet is to convince the hiring manager that I already know how to sell, upsell, and answer questions about products. I did it before, so I can do it for whatever products they sell. As long as I can demonstrate I know enough about computers, if I can sell a sandwich, I can sell a computer.
Hacking the experience you have
So what I’m telling you to do is take that job description, and relate each of those duties to something you have done previously. Don’t lie. Don’t tell them you have Nessus experience if you don’t. But if you have scanned networks with some other product, whether it’s a competing product, a pure network scanner like Nmap, or even something that wasn’t a security product, put that in.
It can help to take the name of each tool the prospective employer is looking for and do a web search on the name of the tool plus the word “competitors.” If you used any of those competitors, rewriting that bullet point becomes easy. And don’t be shy about asking around. Ask your friends, professors, or anyone else you know who knows about computer security if you are pushing things a little too far in rewriting those bullet points. You don’t want to lie. But experience is the currency of getting a job, and you want to make sure you’re getting full value for what you have.
Do the same for each bullet point, and practice explaining how it’s a little bit different from what you are being asked to do, but how it is also very similar, and you are eager to apply the skill that you already have with another excellent tool.
The importance of speaking the right language
The important thing is to make your language match the perspective employers language as much as possible. Here’s another personal example. I am very good at scanning a network with Nessus. But every employer will have their own way of saying that. I went onto Linkedin and searched for a job that mentioned Nessus, and the first job that came up had a line item that said “Hands on in Nessus tool.” So if I were applying for that job, I’d make sure one of my bullet points said something like “Hands on experience in the Nessus tool.” I fixed the grammar, but included the words “hands on” and “Nessus” and “tool,” just in case they value that word more than me.
This means the same thing as “scanning networks with Nessus,” but it preserves their buzzwords. Will everyone reading your resume know that scanning means hands on experience? Don’t count on it.
What if you’re missing some bullet points?
It’s also okay if you don’t have relevant experience for every bullet point. A smart employer knows that you are trying to move onward and upward, and anyone who can do 100% of the job on day one isn’t going to stay long. Make sure you can cover most of it, and where you fall short, have a plan for learning it. If I’m looking for Nessus experience and you come in and tell me you don’t know much about Nessus, but you found the online documentation and you found a 30-minute Youtube video about it, I have to credit your effort.
You will also want to use one bullet point to brag. Tell your new employer why your old employer misses you. And it doesn’t have to be something big. For example, on my last day at one job, I had a manager tell me whenever they saw I was working on their project, they were glad to see my name, because they knew I would make sure I did the job right. If you saved a former employer a ton of money, mention that. But a compliment from a manager plus the story behind it does a surprising amount to set you apart.
Relating your education
So now that you have spun your previous job or jobs to show your prospective employer how you’ve been preparing for them your entire career, now it’s time to show them how your education has been preparing you for this job as well.
Note that this exercise is really only important early in your career. Once you have enough work experience to fill a page, your education can just become 1-2 lines at the end.
But until then, you need to maximize the currency from your education. To do that, look at each of the job duties that they mention, and think of some classes that you took that relate to that duty. If you used certain tools in a class and those tools are the same as or compete with tools this prospective employer uses, make sure you list that. If your class involved a project that relates to the work, list that class and talk about that project.
Hacking my journalism degree for a security job (not recommended!)
If I were trying to use my education to get a job today, I would have a bit of an uphill battle. You see, I majored in journalism and I work in computer security. I’ve taken a lot of flack for that over the years. But let’s keep things positive.
- I took a class on C programming on Unix platforms. Some of the things I learned in that class have security implications.
- I also took classes on web development. And my capstone project in my magazine publishing class was launching a web-based publication.
- I also had to take a class on statistics, which taught me how to calculate what level of confidence one should have in their data.
I’m reaching a bit with all of these. Hopefully you won’t have to reach as much. The more relevant you can make your education, the better.
It’s all so fine to mention extracurricular activities, especially if they are relevant. For example, if you are a member of IEEE, that’s relevant to any job involving computers. If you were on the dean’s list or honors college or anything equivalent, that’s worth mentioning. I’ve only had to tell someone my GPA one since I graduated, so you don’t need to mention it if you think you might have to justify it. But if you think your GPA bolsters your case, there is no harm in mentioning it.
One more benefit
There’s one more benefit to building your resume this way. It helps you control the interview process a bit. Some interviewers try to turn an interview into taking the Security+ exam orally. But when you have the skills they’re looking for, that helps to steer the interview in the direction of a good technical interview, which is more about getting an insight into how you solve problems rather than just making you repeat rote knowledge that’s always just a Google search away.
What about internships?
Like I said before, I’ve interviewed a few prospective interns in my career. My philosophy on intern resumes is a bit different. If you are going to be an intern on my team, I don’t have the same expectations I have for someone with five years of field experience.
I need to see that you have raw tools that my employer needs. Sometimes the things that I key in on aren’t the things that seem the most relevant. Ultimately, I am looking for somebody who is capable of learning how our products work and can then teach other people something about using that product. I don’t speak for anyone else, but on an intern resume, I want to see some irrelevant experience and education. Because that gives me insight into how a candidate thinks and what they find interesting, and clues to help me figure out what questions to ask.
So don’t sweat it too much when it comes to internships. But when it comes to that first job, customize the resume.
One more thing. When you have an internship, and you connect with someone, stay in contact with them. When the time comes to get that job and you need an experienced set of eyes on your resume, reach out to them and ask. In my experience, more security professionals are willing to give a former intern or a former coworker that favor than aren’t.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.