Security candidates undersell their skills

Considering a move? Ryan Farmer says IT staff don't pay enough attention to the CV

Search online for advice on writing a CV and one of the first things you will read is that it should be no more than two pages long. The last thing a potential employer wants to do is read thousands of words detailing everything the candidate has ever done or thought about doing. Brevity is encouraged.

Follow the old mantras about CV writing to the letter and the document will look pretty on job boards and websites, but it will also often see the candidate overlooked for suitable roles.

A CV is no longer just a record of the candidate's most worthwhile achievements. It is now a digital resource; a way of indexing their experience.

Ask most job seekers what they do with their CV, and I doubt many will tell you that they print it, read the job section of the newspaper, then send out copies to relevant recruiters in the post. Today, they will upload it to their favourite job board or send it to a trusted recruiter.

Too many candidates fail to consider how life is on the other side of the fence, and how recruiters use their CVs. This is particularly true when recruiting information risk management professionals, who can have niche skills and responsibilities.

Whether a CV is on Monster.co.uk or a recruitment database, it is important to consider how it is accessed. If I know you as an information security candidate, I might search for you by name, but otherwise your suitability for the roles I am working on depends completely on your CV's ability to match my search.

Any recruiter with a little training will understand Boolean search strings, and candidates must too.

CV writing should include search engine optimisation (SEO) techniques. Candidates should consider the meta keywords that will bring them up in searches for the roles that interest them.

It is also important to understand the value of your skills. Too often I learn about a candidate's experience with an in-demand technology only after I have invested the time to speak to them. Candidates will often call and enquire why they have not been contacted about a role for which they believe they are perfect.

CVs are not telling us enough. For example, a candidate might simply mention "security monitoring" in one of their roles, when actually they have good knowledge of IDS, IPS and SIEM systems – which are highly sought-after at the moment as they tick a few of the required boxes for PCI compliance.

And what about the information risk hot topic of the day, application security? Expertise in this area can see some candidates command impressive pay rises. While application security expert A gets his pay rise, expert B is failing to get interviews.

The hiring manager or recruiter knows only what they are told, and the CV is the primary form of communication.

Technical skill profiles or project overviews are one way to rank higher in the search results, particularly in product-heavy roles such as IT security engineering.

For some, particularly technical security contractors, writing a longer version of the CV, including a simple disclaimer to the effect that it is a keyword-optimised document, is a good idea.

Another useful measure when uploading your CV to a job board is to use ‘personal summary’ or ‘about me’ sections to search-optimise the profile which appears. It's time to stop thinking about how the CV looks, and concentrate on how people will find it.

Ryan Farmer is a senior resourcer at Acumin Consulting