8 tips for a standout security analyst resume

You’ve got your computer science degree from a prestigious university, a couple of security certifications that you earned the summer after you graduated, and almost a year’s experience working with a set of alert monitoring tools for a small company. In your spare time, you volunteer at the local animal shelter.

You like your job, but you’d prefer to work remotely, and you’d ultimately like to move into more of a compliance role. The question is, what’s the best way to pull together a resume that will catch a hiring manager’s eye and ensure a good job match?  

No matter what your situation is, here are the aspects of your education, skills, and experience to highlight to ensure your resume stands out in the crowd.

Focus on processes over tools

Security analyst candidates often list the different tools or standards they know, but more useful to hiring managers are the security processes and activities candidates have had experience with, says Peter Gregory, senior director for cybersecurity at GCI Communication Corp. in Anchorage, Alaska, and former cybersecurity advisor.

Examples include analyzing and triaging security alerts, performing risk analysis, or coordinating and facilitating internal and external audits.

“An analyst who lists some tools is telling me they know how to navigate and operate the tool, but do they know why they were doing it, or were they simply doing things by rote?” Gregory asks. “But a security analyst who talks about functions they’ve performed suggests they understand the process—the work beyond the tools.”

It’s a lot easier, Gregory says, to train someone on a new tool than on a new process. “If they have experience on tool A and I use tool B but they’re familiar with the process, I’ll train them on tool B,” he says. “Training on process is a bigger lift than training on tools.”

It may be a good idea to list tools toward the end of the resume to be noticed by automated resume screening systems that would reject the resume otherwise, he adds.

Estimate the percent of time spent on key tasks

Even better, says Deidre Diamond, founder and CEO of CyberSN, a cybersecurity jobs and career marketplace, is conveying how much time you’ve spent on various activities. If you’ve spent 40% of your time in the last two years on vulnerability testing and 10% of your time performing internal security audits, the hiring manager will have a better understanding of whether the role is a match for your experience prior to the interview.

This is particularly true for a role like security analyst, which can vary greatly from company to company, Diamond says. “Security analysts work on many different levels of tasks and projects, depending on company size, industry, which data they’re protecting, and whether it’s a public or private company or in the government sector,” she says. “Even though it says security analyst all over the resume, and they’re applying to a security analyst job, there could be a one in 20 chance it’s not the security analyst role that’s a match.”

Hands-on experience is a must

Employers increasingly expect to see hands-on experience, says Keatron Evans, principal security researcher at security education provider InfoSec. “Have you done packet capture analysis? Can you understand and parse logs or done incident response in the cloud? It’s important to have that kind of demonstrable hands-on experience verbalized in a resume,” he says.

The expectation is high because even if you haven’t held a security analyst job, hands-on experience can be acquired in other ways today, such as training exercises offered by companies like InfoSec, Immersive Labs, and Pluralsight. “Before, training was mostly certificate-driven—it wasn’t geared toward proving you can do these things,” Evans says. “Now there’s simulation in the training environment, which is turning into a good gateway to get your foot in the door.” If candidates can send a five-minute screen capture of themselves performing a task, “it’s worth more than a thousand words,” Evans says.

Capture-the-flag (CTF) events are another highlight to include. If you’ve placed well in a well-known CTF or completed a penetration test, put that at the top of the resume as well, he says.  

In one case, Evans hired a candidate who had a bachelor’s degree in history and no formal cybersecurity experience but had created a personal website herself from scratch and included the URL on her resume. “It demonstrated things she’d figured out on her own and took upon herself to learn. It piqued my interest,” he says.

Aim for the cloud

If any of the roles or activities on the resume include the word “cloud,” that’s resume gold, according to Evans. “So many companies jumped to the cloud without a plan so there’s a big rush to get people who can do incident response in the cloud, and there are very few of us,” he says. Having cloud experience “will automatically get you pulled out of the resume pile.”

Even if it’s not geared toward incident response or log analysis or a similar security analyst type of role, any cloud experience will make a candidate more attractive because they’ll likely learn applicable cloud incident response and cloud security principles faster than someone without any at all, Evans says.

Don’t overlook volunteer activities

What you do outside of cybersecurity can say a lot about you, especially if you haven’t had the chance to exercise certain skills in a formal job role. In particular, volunteer work can help demonstrate soft skills like “initiative” or “organizational skills” that can come across as trite descriptors on a resume. “What I want to see is initiative—not the word on the resume but something that shows me you volunteered for this, came up with this idea, and then did it. It’s something you can’t train for,” Gregory says.

For example, an experience like reorganizing the filing system for a local nonprofit should be pulled forward on the resume, Gregory says. “In cyber, most organizations are way behind the curve in trying to make order out of chaos, so it’s a good trait to have—the ability to organize, create a process or procedure, formalize something, make it better.”

Volunteer work is also a way to gain hands-on cyber experience. Nonprofits are always looking for cybersecurity help for a low fee or for free, Evans says. Candidates who can say they’ve set up firewalls or done a cloud migration for an actual organizational entity will create a good path for themselves; Evans even suggests invoicing for the work (even if it’s $0 charge) and asking a lawyer to draw up a contract. “It shows you know how to get things done, which matters a lot,” he says.

Consider including salary, visa, and location requirements

Job candidates may fear being passed over if they admit their desire or need to work remotely, earn a particular salary, or be sponsored for a visa. However, they might want to consider including this information if it would be a showstopper for accepting a job offer.

“Why waste time when the money isn’t correct? How many people aren’t the right match because the employer won’t sponsor their citizenship?” Diamond asks. The goal, afterall, is to have a productive conversation and including these showstoppers “enables the employer to screen for all that.”

Including a salary requirement may be more relevant for those with more experience vs. someone seeking entry-level employment, Diamond adds. “Those with experience know what salary numbers will work for them, so employers and professionals stating their salary  expectations can save a lot of time.” 

List the certifications and skills you’re pursuing, not just the ones you have

The desire to continuously learn is essential for any cybersecurity candidate, and one way to show that is to make your goals clear and how you’re moving toward them. “The better candidates are playing the long game,” Gregory says. “They have career aspirations and want to grow and be in a bigger job someday.”

Resumes can express that by including certifications and skills you’re working toward and—in your “objective” paragraph—some specifics on your short- and long-term goals. “Be honest about what you want to do, where you are now, and where you want to be,” Gregory says.

 Keep in mind that if you really want to move into an area like compliance but are applying to a SOC job, it might indicate you just need a job—any job. You should be sure there’s room for that type of growth where you’re applying and other indicators on your resume that show you’ve taken measures to move into that area.

Prioritize experience over education credentials

For most hiring managers, a four-year degree is secondary to a candidate’s actual experience.  The need for cyber skills is so acute that companies are increasingly dropping the requirement for a degree and value candidates who can hit the ground running. “Employers are flexible on education and certifications if you have experience,” Diamond says. While a degree might be a must-have at the executive level, “until then, it’s about experience, and everything else is secondary.” 

Listing a two-year degree can be valuable because, compared with a four-year degree, they can be more aligned with real-world needs. “They’re more adaptable, and there’s not a lot of filler,” Evans says.

At the same time, those just entering the job market should include any degree they’ve earned, even if just to show completion of a challenging goal. “It shows maturity and the ability to do something hard that takes a long time,” Gregory says. “If you’re more than 15 years into your career, I look more at experience than education.”

Certifications are still valued by many hiring managers and are a worthy companion to a four-year degree. When Evans hired the history major, he took note of the fact that she’d earned two entry-level certifications, Network+ and Security+, in less than a year out of college “I don’t over-value certifications typically, but she was ahead of a lot of people with a computer science degree,” Evans says.