Tips for Getting the Right IT Job - New Cheat Sheet

I published a new cheat sheet, this one offering practical tips for finding and getting the right job in Information Technology, with a slant towards information security. You can view the contents on the web or print them as a 1-page PDF file.

This cheat sheet covers the following topics:

• What to do before you start looking for a job
• How to use social networking as an ongoing part of your career
• Steps towards finding the IT position worth pursuing
• Advice on crafting and polishing your resume
• Tips for negotiating a favorable compensation package

If you have comments or tips related to getting the right IT job, please leave a comment or drop me a note.

— Lenny Zeltser

The Role of a Resume in an IT Job Search

Although people tend to rely too much much on a resume during an IT job search, having a strong resume is still necessary for many job applications and candidates. In my mind, the goal of a resume is primarily to get past the initial screening, which is often conducted by an HR representative or a recruiter.

A good resume allows the candidate to reach the hiring manager and start deeply engaging in the discussions related to the position. This means that having a strong resume is important, but it is just one of many ways in which the candidate will need to demonstrate that he or she is a good match for the job.

The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job. However, this listing doesn’t stand out. Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read the accomplishments and exclaim, “Wow! I want this person to do the same for me!”

I encourage people to think beyond the resume when they look for jobs. The standard resume format is designed to make the candidate much like everyone else in the field. On the other hand, if your reputation precedes you, or if you establish rapport with the hiring managers—perhaps even before there is even a job opening—you’ll be ahead of your competition for the position.

Also, consider the extent to which the position you’re pursuing contributes towards your career growth. Make sure that your resume and subsequent conversations make this clear to the hiring manager and other decision makers. When deciding upon your goals, think outside the standard career path that takes engineers towards management. Some individuals might be happier and achieve more professional laurels if they dig deep into one or more technological areas, rather than giving up their technical skills to manage people.

Lee Kushner and I will be presenting a talk about different perspectives on InfoSec hiring and recruiting at the B-Sides San Francisco conference in February 2012. Stop by if this interests you. Also, along these lines, I’m looking to hire a strong software development manager in Dallas; know anyone?

Related:

• Review Resumes to Understand Your Career Options
• Resisting the Gentle Pull of Mediocrity - A Reminder
• 5 Interviewing Tips for IT Job Candidates - What You Must Know

— Lenny Zeltser

Data Mining Resumes for Computer Attack Reconnaissance

It’s hard to avoid leaking potentially sensitive information about the employer in one’s resume. Explaining your experience and skill-set in the world of IT usually involves naming the technologies with which you worked. This information can help computer attackers profile their targets, revealing details about the security measures they may need to bypass.

Looking at resume contents can be a useful step as part of reconnaissance activities, in which computer attackers and penetration testers alike engage in the initial phase of the attack. One way to accomplish this involves looking at targets’ LinkedIn profiles, as I wrote earlier when discussing competitive intelligence gathering practices via LinkedIn.

Attackers can also search job search sites, which index job-seekers’ resumes. One way to do this is to register with such sites as a potential employer, which often involves paying for the ability to search resumes. As we saw in a data breach that occurred at Monster in 2009, computer intruders sometimes pursue the database of resumes directly with the expectation of mining its contents for various nefarious purposes.

Perhaps the easiest way to mine resumes for computer attack reconnaissance is provided by the Indeed resume site, which allows anyone to search resume contents for free and without the need to register. Attackers can locate potential victims by searching for the mention of a technology that might have an exploitable vulnerability in it. In the context of targeted attacks or penetration tests, attackers would probably search for all resumes that mention the desired company’s name.

Consider some of the excerpts attackers might locate in resumes:

• “Managed the implementation of File Integrity Monitoring via Bladelogic 7.6 on all external web-facing applications”
• “Supported systems integration of BEA WebLogic Portal 9.1 with CA Siteminder 6.x for forms-based and CAC authentication.”
• “Veritas Backup Exec, Active Directory, Remedy Ticket Management, Norton Anti-Virus, McAfee Anti-Virus, QIP, Hyena, Compaq Smart Start, Compaq Insight Manager, Cisco Works, SharePoint, DameWare Remote Desktop, Citrix”
• “SourceFire IDS, Nessus, Lots Notes, Wind Rivers Vxworks, Redhat Linux”

By themselves, these tidbits of information might not be significant, but they might contribute to planning and executing other aspects of the attack.

A few suggestions for organizations concerned about resumes being used to inadvertently leak data:

• Design security with the expectation that at least high-level details about the technologies and processes you employ will be known to potential attackers.
• Educate your employees regarding the type of information they may or may not reveal when describing their professional duties outside of the company.
• Periodically search the web in general, LinkedIn and resume sites such as Indeed for sensitive information that may have been exposed about your organization.
• Consider employing specially-crafted “honeypot” resumes with fake information that might deceive attackers and give you a defensive advantage.

— Lenny Zeltser

Review Resumes to Understand Your Career Options

Understanding how you might enter a new field or grow in your current position involves understanding the options and the career paths of other people in the industry. Taking the time to connect with and talk to your peers and the individuals you look up to can help with this. To gain another perspective on the career landscape, explore the resumes of people in your industry.

You can find people’s resumes by searching Google and also get similar data by looking at LinkedIn profile. An easier way of mining lots of relevant resumes might be the new resume-searching feature of Indeed. This is the only major job search site I know that lets you do this for free and without having to register as an employer.

One of the nice features of the site is its auto-complete capability, which helps you identify title variations for a given keyword. The site also lets you limit searches to a particular geography.

You can also look at resumes of people working in a particular company by using the “anycompany:” tag in the search box, such as “anycompany:IBM”. This can be especially helpful if you are planning to seek a job at that company.

I suggest looking for resumes of your peers to get a sense for how your experience compares to them. The most useful aspect of reviewing resumes, though, might be to look at people who are more experienced in the field of your choosing. This way you can get a sense for what awaits you, what type of experience you need to gain and what types of companies and positions you might consider applying for.

Hand-picked related posts:

• Which Information Security Job Titles Are Least and Most Common?
• The Company of Self: A Career Development Org Chart
• Improve Your Information Security Resume

— Lenny Zeltser

Improve Your Information Security Resume

When you craft a resume to pursue an information security job, you are expected to list past responsibilities. The goal is usually to catch the attention of the recruiter or hiring manager and be invited for an interview. Describing your role in a way that helps your resume stand out is hard, but I have a suggestion for a way to tackle this challenge.

The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job, such as:

• Wrote and maintained information security policies
• Supported the perimeter firewall, updating its rules when requested
• Managed anti-virus deployment for the enterprise

This isn’t all that bad… The task list allows the reader to understand what the candidate might be capable of. The problem is that this listing doesn’t stand out.

The solution? Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read your accomplishments and exclaim, “Wow! I want this person to do the same for me!”

Answering the implied “So What” question is hard. As you can see, the sample resume excerpt above doesn’t come even close to succeeding at this. The following listing is an improvement:

• Created and fine-tuned security policies, which allowed the organization to pass a regulatory audit. The documentation was succinct, making it easier for the employees to read it and follow its guidance.
• Managed the corporate firewall, improving the response time to implement changes by 50% over the course of the year. Optimized the existing rule set to decrease its length by 25%, making error-free maintenance easier.
• Centralized the management of endpoint anti-virus software, improving the time to respond to a malware infection by 70%. Wrote and deployed a script to validate that anti-virus software is installed on all workstations.

The text is a bit wordy and can use some tweaking. But the idea is that now the reader understands what benefits your tasks provided to your employer. Each bullet point provides an answer to the “So What?” question.

As you look at your current activities, consider whether you can point to any specific accomplishments. If you cannot, check whether there are other, more valuable tasks that you can focus on. Also, examine the extent to which the work you do contributes towards meeting your employer’s business goals.

Moreover, begin collecting metrics that not only provide your organization feedback regarding the effectiveness of its security program, but also help you collect the data you can use to illustrate your success on a resume. (More on metrics.)

If you found this useful, take a look at my other career-related posts.

— Lenny Zeltser

Stop Relying on Your Resume

What if you promise yourself that when pursuing your next job, you won’t provide a resume until after you’ve had a meaningful conversation with the hiring manager? That’s right, no resume until both parties believe there may be a match.

I admit that I’m still under the influence of Seth Godin’s book Linchpin, in which he highlights resumes’ propensity to hide the very attributes that make individuals truly valuable. Instead, he writes, “a resume gives the employer everything she needs to reject you. Once you send me your resume, I can say, ‘Oh, they’re missing this or they’re missing that,’ and boom, you’re out.”

This isn’t as crazy as one might think. A resume is frequently just a tool to get past the initial screening by the HR department. Its format is designed to make you look much like everyone else in the field, and is not a good way to make yourself stand out. On the other hand, if your reputation precedes you, or if you establish rapport with the hiring manager before there is even a job opening, you’ll be ahead of your competition for the position.

If you promise yourself to only use the resume closer to the end of the interviewing process as a mere formality, you’ll motivate yourself to showcase yourself in other ways. You’ll have no choice but to take on projects that make you stand out from the crowd in ways such as:

• Developing tools that showcase your creativity and technical prowess
• Maintaining a blog to share insights in your specific area of expertise
• Sharing your knowledge with members of your favorite professional association
• Releasing a regular podcast that discusses the topics relevant to your field
• Organizing informal meet-up events to help build a community related to your expertise
• Participating on off-line and on-line social networks related to your profession
• Self-publishing a mini e-book that shares your perspective with the world

This isn’t easy. It takes a lot of work.

Maybe making a promise to yourself is what it’ll take to not only become incredibly good at what you do, but earn a job that appreciates and nurtures your skills. Just a thought.

If this is interesting to you, read my earlier writing on IT careers and the interviewing process, which includes my thoughts on why depth of knowledge in IT is not enough to excel.

The focus of this blog is information security. If that appeals to you, consider subscribing to the RSS feed.

— Lenny Zeltser