I published a new cheat sheet, this one offering practical tips for finding and getting the right job in Information Technology, with a slant towards information security. You can view the contents on the web or print them as a 1-page PDF file.
This cheat sheet covers the following topics:
If you have comments or tips related to getting the right IT job, please leave a comment or drop me a note.
Although people tend to rely too much much on a resume during an IT job search, having a strong resume is still necessary for many job applications and candidates. In my mind, the goal of a resume is primarily to get past the initial screening, which is often conducted by an HR representative or a recruiter.
A good resume allows the candidate to reach the hiring manager and start deeply engaging in the discussions related to the position. This means that having a strong resume is important, but it is just one of many ways in which the candidate will need to demonstrate that he or she is a good match for the job.
The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job. However, this listing doesn’t stand out. Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read the accomplishments and exclaim, “Wow! I want this person to do the same for me!”
I encourage people to think beyond the resume when they look for jobs. The standard resume format is designed to make the candidate much like everyone else in the field. On the other hand, if your reputation precedes you, or if you establish rapport with the hiring managers—perhaps even before there is even a job opening—you’ll be ahead of your competition for the position.
Also, consider the extent to which the position you’re pursuing contributes towards your career growth. Make sure that your resume and subsequent conversations make this clear to the hiring manager and other decision makers. When deciding upon your goals, think outside the standard career path that takes engineers towards management. Some individuals might be happier and achieve more professional laurels if they dig deep into one or more technological areas, rather than giving up their technical skills to manage people.
Lee Kushner and I will be presenting a talk about different perspectives on InfoSec hiring and recruiting at the B-Sides San Francisco conference in February 2012. Stop by if this interests you. Also, along these lines, I’m looking to hire a strong software development manager in Dallas; know anyone?
It’s hard to avoid leaking potentially sensitive information about the employer in one’s resume. Explaining your experience and skill-set in the world of IT usually involves naming the technologies with which you worked. This information can help computer attackers profile their targets, revealing details about the security measures they may need to bypass.
Looking at resume contents can be a useful step as part of reconnaissance activities, in which computer attackers and penetration testers alike engage in the initial phase of the attack. One way to accomplish this involves looking at targets’ LinkedIn profiles, as I wrote earlier when discussing competitive intelligence gathering practices via LinkedIn.
Attackers can also search job search sites, which index job-seekers’ resumes. One way to do this is to register with such sites as a potential employer, which often involves paying for the ability to search resumes. As we saw in a data breach that occurred at Monster in 2009, computer intruders sometimes pursue the database of resumes directly with the expectation of mining its contents for various nefarious purposes.
Perhaps the easiest way to mine resumes for computer attack reconnaissance is provided by the Indeed resume site, which allows anyone to search resume contents for free and without the need to register. Attackers can locate potential victims by searching for the mention of a technology that might have an exploitable vulnerability in it. In the context of targeted attacks or penetration tests, attackers would probably search for all resumes that mention the desired company’s name.
Consider some of the excerpts attackers might locate in resumes:
By themselves, these tidbits of information might not be significant, but they might contribute to planning and executing other aspects of the attack.
A few suggestions for organizations concerned about resumes being used to inadvertently leak data:
Understanding how you might enter a new field or grow in your current position involves understanding the options and the career paths of other people in the industry. Taking the time to connect with and talk to your peers and the individuals you look up to can help with this. To gain another perspective on the career landscape, explore the resumes of people in your industry.
You can find people’s resumes by searching Google and also get similar data by looking at LinkedIn profile. An easier way of mining lots of relevant resumes might be the new resume-searching feature of Indeed. This is the only major job search site I know that lets you do this for free and without having to register as an employer.
One of the nice features of the site is its auto-complete capability, which helps you identify title variations for a given keyword. The site also lets you limit searches to a particular geography.
You can also look at resumes of people working in a particular company by using the “anycompany:” tag in the search box, such as “anycompany:IBM”. This can be especially helpful if you are planning to seek a job at that company.
I suggest looking for resumes of your peers to get a sense for how your experience compares to them. The most useful aspect of reviewing resumes, though, might be to look at people who are more experienced in the field of your choosing. This way you can get a sense for what awaits you, what type of experience you need to gain and what types of companies and positions you might consider applying for.
Hand-picked related posts:
When you craft a resume to pursue an information security job, you are expected to list past responsibilities. The goal is usually to catch the attention of the recruiter or hiring manager and be invited for an interview. Describing your role in a way that helps your resume stand out is hard, but I have a suggestion for a way to tackle this challenge.
The most common mistake I’ve seen on resumes is the candidate merely listing the tasks he or she performed at an earlier job, such as:
This isn’t all that bad… The task list allows the reader to understand what the candidate might be capable of. The problem is that this listing doesn’t stand out.
The solution? Make sure that every bullet point on your resume answers the question “So What?” That means including not only the text that describes what you were working on, but actually stating what you accomplished. The goal is to have the reader read your accomplishments and exclaim, “Wow! I want this person to do the same for me!”
Answering the implied “So What” question is hard. As you can see, the sample resume excerpt above doesn’t come even close to succeeding at this. The following listing is an improvement:
The text is a bit wordy and can use some tweaking. But the idea is that now the reader understands what benefits your tasks provided to your employer. Each bullet point provides an answer to the “So What?” question.
As you look at your current activities, consider whether you can point to any specific accomplishments. If you cannot, check whether there are other, more valuable tasks that you can focus on. Also, examine the extent to which the work you do contributes towards meeting your employer’s business goals.
Moreover, begin collecting metrics that not only provide your organization feedback regarding the effectiveness of its security program, but also help you collect the data you can use to illustrate your success on a resume. (More on metrics.)
If you found this useful, take a look at my other career-related posts.
What if you promise yourself that when pursuing your next job, you won’t provide a resume until after you’ve had a meaningful conversation with the hiring manager? That’s right, no resume until both parties believe there may be a match.
I admit that I’m still under the influence of Seth Godin’s book Linchpin, in which he highlights resumes’ propensity to hide the very attributes that make individuals truly valuable. Instead, he writes, “a resume gives the employer everything she needs to reject you. Once you send me your resume, I can say, ‘Oh, they’re missing this or they’re missing that,’ and boom, you’re out.”
This isn’t as crazy as one might think. A resume is frequently just a tool to get past the initial screening by the HR department. Its format is designed to make you look much like everyone else in the field, and is not a good way to make yourself stand out. On the other hand, if your reputation precedes you, or if you establish rapport with the hiring manager before there is even a job opening, you’ll be ahead of your competition for the position.
If you promise yourself to only use the resume closer to the end of the interviewing process as a mere formality, you’ll motivate yourself to showcase yourself in other ways. You’ll have no choice but to take on projects that make you stand out from the crowd in ways such as:
This isn’t easy. It takes a lot of work.
Maybe making a promise to yourself is what it’ll take to not only become incredibly good at what you do, but earn a job that appreciates and nurtures your skills. Just a thought.
The focus of this blog is information security. If that appeals to you, consider subscribing to the RSS feed.