CSO resumes: 5 tips to make yours shine
The current challenges in today's job market didn't stop Phillip Mahan from bouncing back quickly after a setback. Mahan was laid off from his position as manager of information security and risk management at Unisource Worldwide in February. By April he was working again as the business information security officer with ING. There is a reason why he wasn't on the job hunt for very long: He is fanatical about his resume and his career.
"I'm a little unusual in that I update my resume weekly—even when I'm happy," said Mahan. "I use my resume as a measuring stick as to how my career is going. I look at it and say 'Is there anything interesting I have done this week that is more interesting than what I have on my current resume?'"
And apparently, his strategy works. Mahan says he is often asked by friends and colleagues to review their resumes and suggest changes, so he has seen what works and what ends up in the trash. He and two security recruiters share their thoughts on what to include on your resume for the best shot at getting to the top of the pile of potential candidates.
1. Be a business person first, a security pro second
The most important thing for a job-seeking security professional to recognize today is that security needs to be seen as an enabler, not the department of 'no.' So it's crucial that your resume reflect that mindset. Mahan, for example, was responsible for the security awareness program at a previous organization, a major corporation, according to him. After an awareness campaign was rolled out under his leadership, the company saw a 60% decrease in security incidents. It is one of several accomplishments highlighted on his resume.
"I can't claim that success all to myself because we don't work in a vacuum," he said. "But the point is I can quantify items I have done with business value. A resume really has to say: These are the things I'm good at and these are the ways I've impacted past employers in a positive way."
Jeff Snyder, a security recruiter and president of SecurityRecruiter.com and J.A. Snyder & Associates, says resumes like Mahan's are the ones that get attention in a sea of security job seekers.
"We see at least 20 unsolicited security resumes a day, and most of them are really lame," said Snyder. "We are looking for a real business-focused, value-driven resume. When the resume can show they understand their connection to the business, they are the ones that stand out and the ones that get read from top to bottom."
2. Distinguish yourself and your 'brand'
"The business people looking to fill these security positions are looking for leaders who have come from similar backgrounds," said Lee Kushner, founder and CEO of L. J. Kushner and Associates, an executive recruitment firm that specializes in senior information security management placement.
In the past, security professionals have measured themselves against their peer group, said Kushner. But if security professionals want the kind of respect they have been clamoring for in business, it's time to set a different goal: one that makes you seem like you belong in an environment with business executives.
"If you want a seat at the executive table and to be taken seriously, you have to be able to show your peer group is an executive peer group and not a security peer group," said Kushner.
Kushner advises security pros now to make career investments in themselves that will differentiate them from their peer group. For example, while a security certification may mean something within a group of security professionals, certifications will not seem as important to business leaders. Look for ways to ramp up your business background instead, whether it's taking on new responsibilities in your current position, or getting some business-related education.
"Quite frankly, people like to hire people who are like them. The companies looking to fill these jobs are looking for security leaders who have gone through professional development that branches beyond security," Kushner said. "When security people are making career investments in themselves they often go for the more commonplace things, like certifications. But it's their branding they need to think about. People have to work at branding and positioning themselves at the level they want to be seen."
3. Emphasize accomplishments up high, not education and training
Snyder said a common theme when he is talking to job seekers who have come from security backgrounds is that they often want to show off the courses they have taken and the professional training they have received over the years.
"I say 'OK, that's great. But what have you done? What have you actually accomplished? Where have you created value?'" said Snyder. "If at the top of their resume there is a page of classes and training, that speaks to me. It tells me they may have a lot of head knowledge, but do they know how to function in a business? But if they have connected security solutions to business needs, I want to read further."
And if your resume lists all of the common programs and software you've worked with, get rid of it. Mahan said he cringes when he sees these types of items on resumes.
"Anyone looking for a mid-level or top-level management position that has a resume with a skill set that says they can use Microsoft Office is a red flag. Employers don't need to know you know Office. If you DON'T know Office, it's a problem."
Instead, Mahan suggests turning this information back into accomplishments.
"I don't want to see that you know how to use PowerPoint. But I do want to see 'I've given 20 presentations to people in the C-suite in Fortune 500 companies.'"
4. Don't embellish
This should go without saying, but it doesn't. In a tough job market, it may be tempting to tweak your background to seem more impressive than it really is. Big mistake, said Mahan.
"A lot of people misrepresent themselves and spin their resume too much. The one thing I tell people is never put down on a resume something you haven't actually done, because it will catch you."
Mahan cites a recent example of a hiring manager he knows who called to find out if a job seeker he was considering had actually managed a staff of five in a previous position. Mahan had worked with the person and knew it wasn't true.
"This is a very small community and we all talk. This person claimed to have had several direct reports when they had none. They also claimed to have headed up a security awareness program at the organization, which was also not true. This stuff catches up with you." (CSOonline has previously looked at how to spot fake job references, another disturbing trend that has grown in the tough job market.)
5. Consider getting a mentor
If your resume isn't getting the attention you hoped it would get, look for a mentor who is in a career, and at a level, you hope to be at some day. Snyder said this may be particularly helpful for folks coming from a physical security or government background.
"People coming up from the physical side of security have some of the worst resumes," said Snyder. "The business environment is relationship driven. They come from an environment that is authority driven. That doesn't work in the business environment. They need to understand how to deal with the engineering staff as well as sit in the board room and deal with the C-level executive team."
Finding a professional who has successfully bridged from physical security to a converged position, or from public to private sector, can go a long way toward finding ways to make yourself more marketable, said Snyder.
"They need to be connected to someone who has made that transition. Someone who has gone down that rocky road and taken their lumps."