Your Cyber Resume Sucks — Beat the ATS.

Stephen C. Semmelroth
8 min read · Jan 27, 2021
Actual photo of someone submitting their resume. Photo by Julia Joppien on Unsplash

I’ll bet you have a spreadsheet with the most recent 40 jobs you’ve applied for. You got the cyber degree, you have a couple years of cyber experience, you picked up all the cyber certs. How many call backs do you have? Probably not many.

It’s not you.

Well actually, it might be but that’s another article for another day. But more likely, you’re not beating what pretty much EVERYONE hates: the dreaded ATS — Applicant Tracking System.

Yes, everyone’s favorite punching bag, the various Applicant Tracking Systems are great for many, many roles out there. But they are not great for security practitioners. Let’s first break down why they don’t meet the needs of security practitioners, how to get through or around them, and whether you should even play the game.

First off, you need to understand that not all applicant tracking systems are created equal. It doesn’t help that the line between ATSs and Customer Relationship Management systems (CRMs) is blurry: they are built to fill different roles but often claim to include or be something they are not. Marketing can be frustrating.

Many ATSs are built in-house because companies don’t want to pay for what is effectively a bit of automation on top of a database. In those cases, companies that choose to build their own internal ATS are incentivized to keep costs low. That means they often assign interns to write the ATS. Don’t get me wrong here: I’m not saying interns can’t perform. What I’m saying is that interns don’t fully understand resiliency, quality, and some basics like sanitizing input properly. They build a minimum viable product, train the team, commit the code, and move on. Then, someone submits a resume that breaks their system. Do they go back and re-engineer their systems to properly handle errors (or malware)? Probably not. They just drop resumes that don’t look normal. For you, that means that you cannot use special characters, fancy formatting, or anything that looks clever like code snippets or submitting your resume in JSON. This will get better with time. We ain’t there yet. You need to play by the rules.

There are a number of great ATS/CRMs on the market. Most of them don’t actually parse resumes themselves. They often subcontract out that annoying task. Right now, only about half of those parsing contractors search and catalogue certifications. Making matters worse, most ATS/CRMs don’t even realize they can request that their subcontractor return certification data.

That’s incredibly frustrating!

Good recruiters can work around that particular hurdle if they don’t have access to an ATS/CRM that breaks out cyber certification data. Also, don’t get me started on the certification debate in general. That’s a whole article series by itself.

The takeaway for you is that you need to make it easy for whatever ROBOT is looking at your resume to actually read it.

All your resume belong to us. Photo by Arseny Togulev on Unsplash

Now, let’s look at the normal HR process when you apply. You submit your resume to the system, and, of course, probably submit the same information into the system adjacent to your resume because… companies don’t trust their resume parsers. Your resume hits the system. A junior HR person gets a notification. They pull up your profile. If the parser can’t read your resume, what the junior person sees is… gobbledygook. Honestly, it’s frustrating trying to read parser output from most systems unless you keep your resume simple.

The takeaway for you is that you need to make it easy for whatever PERSON is looking at your resume to actually read it.

So let’s look at a couple of the finer points.

  • Technical resumes should be two pages. If a non-security, non-technical recruiter disagrees, kindly remind them that you are not their target audience.
  • Put the most important section, bullet, or list item first. If a bad recruiter only reads one thing, what do you want them to read?!
  • Laszlo Bock is Google’s former Chief Talent Officer. He says, “When it comes to resumes…substance definitely matters more than style. He’d definitely prefer to see a simple, traditional, perfectly formatted resume than something creative that’s tough to read. “Unless you’re applying for a job such as a designer or artist, your focus should be on making your resume clean and legible,” he writes.” Quote is from The Muse Editor. Use the same font throughout. Don’t use colors unless you’re a cyber marketing specialist or similar role where it makes sense to break the “rules.”

Jack Kelly — You might not yet trust me but you certainly can trust Jack Kelly who leads one of the largest talent companies in the world. Most of it applies. Read Peter Economy’s interview with Jack Kelly on Inc.com here.

  • Jack Kelly’s Relevant Points — “Trim down your detailed work experience.” If your resume is too long, ain’t nobody gonna read it.
  • Jack Kelly’s Relevant Points — No one cares about your objective. They care about what value you bring. Your objective will come out in the interview.
  • Jack Kelly’s Relevant Points — Get rid of your stupid email address (dogfan97), fax numbers, kid’s achievements, clever titles that don’t mean anything (Chief Cat Herder), your proficiency in Microsoft Word, and other nonsense. I’ll counter him and say that if you’re in security, security better be your hobby so including a section about your home lab might be relevant.
  • Jack Kelly’s Relevant Points — Spell check. Please, spell check. And if you mention a technology vendor, make sure it’s correct — i.e. VMware vs VMWare. Sometimes you need to look at their logo. Another common one is Lead vs Led.
Writing about yourself is hard. Photo by Kelly Sikkema on Unsplash

General rules:

  • Delete the word/phrases “Responsible for,” “proven,” and “detail oriented.” No one cares what you were responsible for. They care what you DID. Note the difference between these two statements: [responsible for maintaining 99.99% uptime] versus [Exceeded 99.99% uptime SLA over four years]. You may now start the uptime debate in the comments.
  • Use the Oxford comma. Oxford commas help readers differentiate between list items. Your resume is a list of lists. You may revert to serial commas for your side gig writing in prose. A, B, and C. Not A, B and C. If you don’t remember the difference and why they’re important, look up memes on the topic.

In the HEADER section

  • First off, don’t use the actual header functionality. Remember, most systems won’t look at it. Simply type what would normally be in the header at the top of the page. Keep it simple.
  • Don’t put your actual address. It’s actually illegal in some places since it allows companies to discriminate. City or Region and State is probably all you need.
  • If you have a security clearance and you’re comfortable putting it on your resume, it goes in the header. You certainly can do that. The risk of not including it is that, if you’re applying for a role where it’s required, you’re letting either the ATS/CRM or the junior HR professional put your resume in the trash before the hiring manager even gets a chance to look at you.
  • List if you’re relocatable.
  • Consider a summary (not an objective) that outlines the major things you want both the junior HR professional and the hiring manager to see.

In the BODY Section

  • Put the most important section first: education or experience. If you’re junior, certs or education might go first. If you’re senior, experience might go first.
  • Go back about ten years of experience. If something further back is relevant, consider using it but realize that whoever is reading your resume probably won’t read back that far.
  • Short term jobs get short resume bullets.
  • Long term jobs get more bullets, but usually not more than three.
  • Each bullet should fill up an entire line. Don’t waste white space. Fill the whole line. Most likely you’ll trim a longer, spilled-over line down rather than add more content to fill the line.
  • The most important bullet goes first.
  • Each bullet should be in the VAR format [PAST TENSE VERB] + [ACTION] + [RESULT] and be as quantitative as possible. This is sometimes called an “achievement-based” resume: “Accomplished [X], as measured by [Y], by doing [Z],” in this article by Bill Murphy Jr.
  • Again, no “Responsible for” bullets. And get rid of the job description. It’s what you DID that’s important.
  • Completely avoid special formatting like columns, tables, line breaks, etc.
If you don’t like the system, go around it. Use a recruiter. Photo by Teigan Rodger on Unsplash

Now there’s another way to beat the ATS: Don’t use it. Build your network so that you can get a warm introduction to the hiring manager directly. Or, more likely, use a recruiter. Good recruiters go straight to the hiring manager and have the relationship with HR that allows them to submit to both simultaneously. The vast majority of recruiter business models mean that you don’t commit to them and that you don’t owe them anything. Hiring companies pay recruiters as the cost of doing business. What hiring companies pay recruiters doesn’t impact your salary or benefits whatsoever. In general. I’m sure there are some model variants out there that do.

If someone comes to you and says that you have to pay them money or that they get paid and then pay you, that’s not recruiting: it’s staffing. Subtle difference, but you should be informed so that you can make the decision that’s best for you and your family. There’s also contract-to-hire but that’s another model entirely.

The moral of the story is that if you want to up your game, you have to play the game. You have to keep your resume simple. You cannot give either the robotic ATS/CRM or a junior HR professional a reason to throw your resume away. Write good. Write short. Write for your audience. Do as I say in this article, not as I did.

For more information check out these articles.

Analysis by Stephen Semmelroth.

Stephen C. Semmelroth

VP Cyber at StrataCore. I talk to the bits so the customers don’t have to.