6 resume mistakes CISOs still make

Dan Bowden had the right mix of experience and credentials to land his next CISO post, but he wanted to make sure his resume reflected that fact.

So Bowden hired a professional resume advisor at the start of his search. (“It was well worth it,” he says.)

The advisor had him consider what his existing executive colleagues would say about his contributions to their organization—“the events, the activities, the accomplishments”—and then lead with those ideas rather than the technical skills and detailed security work that often dominate a CISO’s resume.

“It helped me get more insight into what is important, what kind of things you should draw attention to and what should go at the top of the resume. And all of the certifications and the education things, they were at the very bottom,” Bowden says. “It wasn’t that [my new resume] was totally different. She used all the information that I had, but she helped me understand what mattered and what should be highlighted. That’s what I missed, that concept of what really mattered. I didn’t understand how to make it pop on a resume.”

Bowden, who is now vice president and CISO at Sentara Healthcare in Virginia—the position he was seeking when he worked with the advisor, says he believes his resume needed to be revamped to reflect how the CISO has evolved into a full executive position.

Recruiters and executive advisors agree: Candidates for CISO positions must design their resumes to showcase their leadership capabilities, not their technical credentials.

Yet experts say many security professionals haven’t embraced that message and as a result are still submitting subpar resumes.

Here recruiters, CISOs and executive advisors describe the common mistakes that candidates continue to make.

Failing to show executive abilities

The most effective CISOs demonstrate five key behaviors, according to technology research and advisory firm Gartner. They initiate discussions on evolving security norms, prioritize updating decision-makers about current and future risks, have a formal and actionable succession plan, collaborate with other senior leaders to define the organization’s risk appetite, and proactively engage in securing emerging technologies. All but the fifth of those behaviors relates to leadership skills rather than cybersecurity acumen.

That’s not surprising, recruiters and executive advisors say, as the top security role has evolved from one focused on providing perimeter defenses to a truly C-suite position that’s expected to fold security into enterprise strategy.

Yet many candidates for CISO positions don’t lead with their executive credentials on their resume, says Nick Giannas, a consultant with WittKieffer, a global executive search firm. In fact, they often leave off information that demonstrates their abilities to formulate a vision for the organization, develop a strategy, and manage risk.

“You need to show that you have executive-level skills,” Giannas says. “Having a thorough understanding of technology and emerging trends is important, but the ability to communicate and translate security into business risk—and being able to portray that on your resume—is even more important. It shows that you can function at a strategic level, that you have senior-level and board-level experience.”

Leaving out achievements

Security leaders tend to leave key information off their resumes, including what exactly they accomplished in their current and previous jobs. They also fall short on details about their prior organizations as well as the size and scope of their responsibilities, the size of the teams they managed, and the budgets they had.

LaSalle Network

“Candidates will sell themselves short,” says Brandon Parezo, a principal in the technology services unit at the staffing and recruiting firm LaSalle Network. “They just don’t have enough on their resume. They don’t talk about what they’ve learned about leadership and management in their previous roles, and the results of their work. But those are points that CISOs want to have in their resumes.”

He and others say they see resumes that gloss over the value that CISO candidates had delivered in past roles. They might state that they matured an organization’s security program but fail to provide details on where and how they did so and the impact that delivered to the enterprise.

“They’re not including measurable outcomes where they talk about their work,” Giannas adds, “but they really should bullet-point their significant accomplishments.”

Getting too techie

Although CISOs must have executive skills and a track record of delivering value to their organizations, they also need to understand the technology environments they’re charged with securing. And they must know how existing and emerging security tools operate and how to deploy them for maximum effectiveness.

That fact, however, doesn’t mean CISO candidates should convey their technical prowess using the techie jargon, buzz words and abbreviations that dominate the cybersecurity profession—and far too many CISO resumes. A fellow security expert will understand the role of a SOC or the importance of SIEM tools, but CEOs and board members reviewing resumes probably won’t.

“The person on the other end might not understand what all that means,” Parezo says.

He says CISO candidates should indeed reference technical skills and accomplishments but they should put them in business speak. So CISOs should list on their resumes, for example, that they’ve implemented a SIEM tool but highlight their leadership role in the project and how the tool delivered measurable value to the organization.

“You want to have the resumes that are more business focused. So talk about how the products impact the business,” Parezo says.

Leaving out experience with breaches and hacks

The 2021 Thales Data Threat Report found that 56% of companies experienced a security breach.

Given that figure, it’s not surprising that both recruiters and the enterprise executives involved in hiring CISOs know that many candidates have likely experienced a security incident during their tenures.

So there’s no reason to leave out those details; in fact, recruiters say that leaving such facts out could be detrimental to the candidate, particularly if he or she worked at a company that had a publicized event.

Robert Half

“I do see avoidance on this topic, but you don’t want someone to know about it and feel like you hid it. So if you worked for a company that experienced a breach, then state it on the resume and then state what you’ve done to recover and make your company more secure. Because if you don’t acknowledge it, someone’s going to search and know that you were there and then it comes up in an interview anyway,” says Ash Athawale, senior managing director for the executive search practice group at Robert Half.

Making too little (or too much) of industry connections

Enterprise executives want their CISOs to be well connected and active with professional associations regionally or even nationally so they can feel confident that their security chiefs are keeping up with emerging trends and new strategies.

Yet many CISOs leave their involvement in professional associations off their resumes or downplay their leadership roles in professional networks.

On the other hand, some CISOs play them up too much.

“They’re overemphasizing their visibility or their public speaking appearances, and over-indexing on that exposure can be concerning,” says Kate Hannon, co-leader of the cyber practice at Spencer Stuart, global executive search and leadership consulting firm. “We have had CISO candidates who emphasized that activity on their resumes, and the [hiring organizations] had questions on whether this individual is more interested in getting their name out there versus focusing on their day job. We’ve had people ask whether that activity demonstrates an appropriate focus on the job and what they’re hired to do.”

Spencer Stuart

To get the balance right, Hannon recommends that CISOs include details about their professional affiliations and their work as subject matter experts in a very thoughtful manner.

“We encourage them to include it as a footnote or a side note. It’s more important to lead with your experience, your capabilities, and what you’ve done at your company,” she explains.

Poor formatting, rookie mistakes and unintended misrepresentations

Executives and board members involved with hiring CISOs still put a lot of weight into a candidate’s resumes—even in this era of LinkedIn, social media and internet search. “Anybody involved in the interview process will likely have eyes on the resume,” Hannon says.

However, many candidates still don’t get the basics of resumes right, Hannon and others say, noting that they still see typos, missing data such as contact information, and poor formatting. They advise candidates to start their resume reviews by paying attention to some basic rules around length, formatting, and accuracy.

Resumes at the CISO level are expected to run at least a few pages but shouldn’t be much longer than that. Parezo says he has seen overly lengthy resumes, including one that run to 10 pages, to accommodate every position the candidates have had over the past several decades. There’s no need for that, he says, adding, “What you did 30 years ago isn’t really relevant.”

Resumes should be well organized, with a focus on executive competencies and business value at the top and most recent positions first. Technical skills, professional recognitions, association affiliations, and educational details should come further down.

And they should be updated and tailored to the particular positions being sought.

Meanwhile, candidates should make sure the information on their resumes matches their LinkedIn profiles and online profiles and publicly available corporate information. Athawale has seen candidates list themselves as CISOs in their current roles when in reality they’re serving as vice president of information security or in some other similar position. Recruiters and employers will verify titles and dates, so it’s critical to present exact information.

As Hannon says: “These are first impressions, so you want to make sure you get it right.”