“Top Ten” Vulnerabilities in Cloud and Cyber Security Resumes
Hiring for security and cloud roles over the past decade, I’ve seen a ton of resumes — probably over ten-thousand. At the moment, I am…
“Top Ten Vulnerabilities” in Cloud and Cyber Security Resumes
Hiring for security and cloud roles over the past decade, I’ve seen a ton of resumes — probably over ten-thousand. At the moment, I am also helping out a number of folks who have been laid off (or who are actively interviewing) improve their resume.
This is a follow-up to a blog I wrote last week on selecting Detection Engineering candidates. This lacks the rigor of the real OWASP Top Ten but it does capture common problems I see in resumes and how to address them. I hope you find this helpful!
CAVEAT: This is definitely an opinionated list. Not all hiring manager (or HR teams) may agree with my list of vulnerabilities and remediations. Use this list as a framework to think about the form and content of your resume. Just as there are no systems free from vulnerabilities, focus on the critical weaknesses.
Here is the list:
- R-01: Unappealing or Ambiguous Hook
- R-02: Poor Content Alignment to Level or Desired Role
- R-03: Inappropriate Abstraction
- R-04: Inadequate Separation between Tools & Accomplishments
- R-05: Excessive Repetition
- R-06: Inconsistent, Unclear, or Cumbersome Writing Style
- R-07: Unclear or Confusing Progression
- R-08: Excessive Up-Front Certifications
- R-09: Lack of External Site References
- R-10: Ineffective Formatting or Whitespace
R-01: Unappealing or Ambiguous Hook
If I were to dig through boxes of old manilla folders in the closet, I could probably find a resume from early in my tech career. It would likely start with “Objective” in Times New Roman and follow with a statement that was predictable and bland. I hope you aren’t doing this in your resume now. If so, stop it! You really need an attention-getting hook below your name that immediately tells me who you are and why I should care.
This critical context about the value you provide with your skills, experience — and who you are as a human — helps me determine whether I should read on. It should tell me something about your story and what you think is unique (or what you want to present as unique) and how you can help my team.
Think of this as the “headline” in your LinkedIn profile that gets my attention or causes me to keep reading. If you can’t come up with something, I’d say skip it entirely.
R-02: Poor Content Alignment to Level or Desired Role
As I’ve gone up and down (or sidewise) in my career, this is something I’ve struggled with. Especially when I’m evaluating multiple roles. What details should I even include in the resume? How do I adapt them to each position I’m applying and interviewing for? Do the details listed under each role support the hook in R-01. This is also where it may be useful to have multiple resumes if the roles you are pursuing are distinct and different enough. Or maybe just tweak the hook a bit for each position you apply for.
In my opinion, you can take some liberty in the job titles (or suffixes with the titles) as long as you are not being dishonest or deceptive. There is sometimes a difference between your official HR title and the title you refer to yourself in your signature block. For example, in a recent role, my official HR title was “Principal Architect” but my role was actually as an Engineering Manager. Both are accurate but each sends a different message. In addition to tweaking the title, you may want to tweak the actual content, but I know this is a lot of work.
Even though the jobs you list will be the same, the specific facts (or level of detail) you choose to include in each role listed on your resume must support your career objective or the story you want to present to the organization.
This is especially important if want to get promoted or move into a more senior role. When seeking a Staff/Principal level role, the types of accomplishment you include on your resume should be the most challenging and leadership-oriented work you have done, focusing on your impact and influence of the work. Perhaps include examples of mentoring or improving the hiring process.
If you are moving from a Security Analyst role to a Security Engineering role, include examples of technology/tools you designed and built vs. those you just used as an end user and “SOC work.” If you were to downshift from a leadership role to an IC role, include more content on some of the hands-on work you did vs. how you influenced others or the organization at large. You get the point.
R-03: Inappropriate Abstraction
One of the most critical resume vulnerabilities I have seen in the wild is the presence of extremely detailed low-level descriptions of everything you did in each role, almost down to the task (or even command) level. While it isn’t that common, it is usually fatal. I have seen up to three-quarter of a page for a single nine-month contract gig. Don’t do this. It really transmits “junior engineer” vibes and makes me question whether you truly understand how your role fits in with the broader team, department, or business.
While you shouldn’t go overboard with the business-speak and you should not attempt to to revenue targets to security roles, you should mind the level of technical details you include and why. Just give me a glimpse that will get me thinking and asking about later during the screen.
For some reason, this vulnerability is particularly prevalent with candidates that have been contractors. Perhaps there are some perverse incentives in the contractor hiring process that encourage this practice. I almost NEVER select these candidates. These interviews nearly always go badly. Just like finding the right abstractions in code, this takes experience and practice. Finding the right level of detail for the given role and hiring manager requires experimentation and testing and it can be challenging because feedback is often not provided.
R-04: Inadequate Separation between Tools & Accomplishments
When I look at the content of your current and previous jobs, I’m looking for a few things. I want to understand not only what you did but the impact that you had while in the role. What challenges did you face? What did you have to overcome? How did you succeed or fail? What did you learn? Yes, I absolutely want to know the specific technology and tools you’ve used, but I’m more interested in the narrative of how you grew and made your team better.
Some resume purists say you should only use active verbs and avoid things like “responsible for” but I’m not too hung up on the occasionally empty word if what follows is accurate and concise and tells me what I need to know.
The more challenging approach is to weave together your accomplishments and tech into bullets or statements. It may be easier to separate the specific tools you used in the role or your overall tech and framework experience in a side box.
R-05: Excessive Repetition
My attention span is short when reading a resume and I actually like reviewing them. Realistically, I will only spend ten seconds before I reject it or determine your profile has potential.
If I see the same skills over and over, I could lose interest or I will assume you haven’t progressed in your career. Even if you did the same thing in multiple roles, mix it up to present a story to show the full breadth and depth of your experience.
R-06: Inconsistent, Unclear, or Cumbersome Writing Style
For an English major, I am terrible at proofreading. I’m sympathetic to some typos here and there, and I certainly don’t belong to the camp that believes a single typo warrants immediate resume rejection.
I am also very understanding of the challenges faced by non-native English speakers, or others those that haven’t had the benefit of a technical writing course. The reality is that many of us have not had any critical feedback on their writing in years or decades.
Readibility matters. There are some basics like verb tense and alignment that are essential for clarity. If you don’t know what parallelism means, Google it! Really focus on a sticking to a consistent style that does not distract the reader. Simplicity is hard. Avoid complexity. If you use complete sentences, be consistent. If you use fragments, keep them the same throughout. You probably want to make sure the verb tense is appropriate. I use past tense unless you are describing work in progress in your current role.
Lint your resume! Take advantage of inbuilt grammar-checking inside Word, Google Docs, or Grammarly. They aren’t perfect but they identify writing “smells” you need to clean up. Writing is hard work. I’m married to a writer and I see revision after revision. Iterate. Don’t give up!
R-07: Unclear or Confusing Progression
Something I will always ask about during an interview is for you to tell your story. Everyone’s career is unique. We stumble into projects which lead to other projects and roles. If my boss at a financial services company hadn’t decided to put me on an identity management project — and had instead put me on a cloud security project — I probably wouldn’t have ended up with my current role today! There is a lot of luck and chance.
I want to see the threads that link your current to your past roles and propel you into the future. Think about what the “connective tissue” is that links your most recent jobs and their responsibilities.
Even if you have to stretch a bit, this helps differentiate yourself and craft the narrative of what you could do for me. What have you applied in consecutive roles to improve your team? Where have you leveled up in terms of tech stack or people stack?
Creating this narrative of progress and growth is especially important if you have been in roles longer than two years or if you may have had multiple roles inside a single company or team.
R-08: Excessive Up-Front Certifications
Maybe I’m unique as a hiring manager, but vendor (or SANS) certifications are not immediately what I’m looking for in a resume.
I don’t want the first page of your resume to be the list of certifications you completed and when you took them. It is appropriate to list them at the end next to education (or maybe in a sidebar) but they are not critical to my hiring decision to have them in such a prominent place in your resume.
R-09: Lack of External Site References
A surprising number of resumes do not include links to peronsal web sites, LinkedIn profiles, GitHub projects, or other relevant sites on the Internet. No, I do not want a link to your FaceBook page , but I do want to see that you have a public presence. This is part of being a technology professional and being serious about your career.
R-10: Ineffective Formatting or Whitespace
There was a time when I only ran Linux. Google Docs was the only word processor I had.
As a result, I always kept the format of my resume simple.
I haven’t updated my resume to something more complex now that I run Windows 10 and have multiple copies of Office installed. I also generally don’t believe in colorful or fancy resume templates. You don’t need to show your smiling (or serious! ) face in the top left corner, but some sense of presentation and aesthetics is important.
Keep it simple. But NOT all Courier New. Do not distract. Your formatting should support the structure and the content of the document. This is the first rule of formatting.
I’ve been guilty of overly dense and excessively long resumes, although I now have a single-page resume with small fonts that probably hurts folks eye trying to read on a laptop screen.
Choose the right amount of spacing to “chunk” the content and help the reader’s eyes make sense of the page and help their brain process the words.