This is part II of a two-part series on getting a job in cyber security. Click here for part I, cyber security career paths.
Dos and Don'ts of Getting Your Cyber Security Resume Viewed
As a federal contractor focused on delivering a wide spectrum of IT, cyber security, and information assurance (IA) services, NJVC recruiters sift through a large volume of resumes from candidates with a wide range of professional experience.
It is a process that often takes hours, usually takes days and sometimes takes weeks. But in all that time, each resume has about as long as your average pop song to make an impact.
Despite the high volume of resumes, it takes only minutes to determine if a candidate has relevant "hard" skills for a subsequent interview. Before applying for a particular position, consider carefully what position best meets your skills and tailor your resume to that position's requirements. We often receive resumes that simply list a broad swath of skills and are not suitable for submission to government programs where we must explicitly match the background of a candidate to a specific job category.
This is an error you're probably making in your resume development: being overly broad. In providing qualified personnel for the exacting needs of the federal government, specifics are everything.
Specifics—listing certifications, software products, devices configured and vendor product experience—are a certain way to get your resume matched to an opening (if you're qualified). While being a generalist may seem like the best way to get your resume noticed by the largest number of hiring managers, the truth may be the opposite. Because job requirements are set by a particular government contract, NJVC must deliver expressly to customer expectations, not simply in the ballpark of these expectations.
Additionally, remember to summarize skills that can easily fit into job family categories, such as junior, mid-level and senior based on years of experience and other qualifying factors. This along with an appropriate degree(s) and relevant certifications determines the best job fit, and helps get your resume to the top of the pile.
Given the nature of the systems NJVC protects and defends, the DoD 8570 requirement is often non-negotiable for employment in a cyber role. To meet our customers' needs, we must address explicit job requirements and have no latitude to waive such a requirement. Hence, you may be able to sniff a WiFi network in any public space and gather user account credentials on all who connect, but skill does not necessarily equal qualification. As a contractor, we do not have the latitude to look at a skill and weigh it higher than classroom certifications obtained without hands-on experience.
What this may mean is a slight step backward to move forward in your career.
In terms of position titles, it may mean a mid-level systems engineer would move to a junior cyber engineer position to develop the skills necessary to move up in the cyber security job family. Once in that new job family, having a multi-disciplined background can actually become a plus, and may lead to qualifying for higher positions, such as cyber security architect, senior cyber security engineer or cyber-related project management.
So, in summary, how do you convince a recruiter, who is only concerned about the achievements in black and white on your resume, that you are the best candidate for that posted job you just came across?
Do: Tailor your resume to emphasize what cyber-related aspects you have performed in each of your prior positions.
Don’t: Simply list system engineering-related activities and think that defining new IT architectures for network bandwidth optimization qualifies you for a cyber security engineering position. Make your cyber experience specific and targeted.
Do: Leverage a technical degree if you have one. Although many people today are pursing actual cyber secuirty or IA degrees, for those of us whose cyber careers span decades, colleges and universities in our time only offered degrees in engineering, computer science, computer management or information systems. It is only within the last few years that degrees have actually brought in an explicit focus on cyber security. You absolutely do not need a bachelor's degree in cyber security to work in the field—although such a degree may be a plus depending on the position you seek and its requirements.
Don’t: Let a non-technical degree stop you. If you have a liberal arts degree, leverage your professional technical job tasks to demonstrate how you can handle similar technical disciplines. Emphasize your soft skills—creativity, innovation or analytical capabilities—to differentiate yourself and your ability to apply these skills to cyber or IA.
Do: Pick a cyber specialty. What areas do you know best? Would you enjoy the creativity required for digital forensics? Do you prefer to work on policies and regulations? Not everyone can be an expert in all aspects of cyber. Operations and maintenance can be a focus. Research can be a focus. Project management can be a focus. Don’t try to be something you are not—it is far better to search for that perfect fit instead of landing a job you may grow to hate over time.
Don’t: Create a general resume that a reviewer cannot discern your expertise. List specific job activities and make sure those task details are appropriately summarized in another resume section.
Do: Leverage social media to build a personal cyber brand. Demonstrate technical competence by blogging on cyber and providing your personal take on technologies or recent events. Demonstrate industry awareness and currency by posting commentary via Twitter. Demonstrate a willingness to share information by joining and actively participating in LinkedIn cyber-related groups. Many of these avenues readily exist, for instance ISC(2) has multiple groups based particular certifications. Market-based groups, such as the Intelligence Community or health IT, also exist.
Don't: Think that by avoiding social media you are creating some type of mysterious persona that employers will want to find out more. Putting your professional cyber-related comments into the wide world of the Internet serves to demonstrate your commitment to the cyber industry, and, over time, information sharing is its own form of contribution to others in the same job family. If you have found something of interest via another's blog post or news article, share it appropriately via a Twitter post or a LinkedIn group discussion—and comment, if you feel appropriate.
Do: Review the websites of companies you are interested. Each probably has some details on the types of work they perform in the field. Smaller and midsize companies usually specialize in products or services. NJVC, for instance, is an IT services delivery company. As a systems integrator, we have relationships with a wide variety of security-related vendor product companies. Having wide product experience can be a large plus for us and a resume differentiator for you.
Don’t: Send a commercially focused resume to a federal contractor without at least emphasizing the specific technical skills that are translatable. Recruiters won't do it for you. Different industries have different ways of discussing the same activities. DoD programs may require a certification and accreditation (C&A) set of activities, while a healthcare organization may require a formal security assessment to establish HIPAA compliance. Both require similar cyber skills, but use different terminology. Be cognizant of this important fact and speak to the targeted market.
Do: Read as much as you can on cyber jobs, activities, projects and news. If this field is a good fit for you, this reading should not feel like work, but instead staying current with your chosen profession. If you enjoy hands-on activities, set up a home cyber "lab"’ where open source software tools can be downloaded and executed in a safe environment. This can be a great way to use those old computers you have laying around in your basement. (You didn’t throw those away did you?) Many of the most capable white-hat cyber engineers started out this way—by installing their own network switches and routers and experimenting.
Don’t: Become discouraged if you're told you're unqualified. Everyone working in a cyber position may have experience or knowledge shortfalls. Look for work tasks that get you closer to a cyber domain, and pursue certifications that both interest and also align you to roles you expect to perform in your career.
Don’t sell yourself and your professional background short. Cyber security is a rapidly evolving landscape of widely diverse skills and job groupings—computer network defense, C&A, cyber network operations—but it is up to you to reconfigure your resume to present your cyber-oriented skills in a way appropriate to the position you desire. Expecting a time-starved recruiter to make that translation will keep you on the outside of this new candy store with your nose pressed to the glass.