How to write a CV in cybersecurity

Each time after hosting a Nonamecon or OWASP Kyiv event, my mailbox is flooded by messages from people asking if we have job openings. How can one join our company? Here is my CV! And after getting a response, they ask how they can improve it.

Unfortunately, we don’t do constant active recruitment in Berezha Security since we are not huge enough to have open job postings and a competitive selection. When we grow, our subscribers on Facebook, LinkedIn, or Twitter are first to find out about it. However, I read your CV anyway, and I have something to tell you.

Writing an effective resume is a particular skill you could develop. I don’t believe in career couches, though I can imagine some of them are worth their money. I think for a cybersecurity professional having one is overkill. At least for now, as candidate requirements are quite mild due to the scarcity of talent. However, it is still useful to have a good CV, so here is some advice.

Write about your achievements, not just experience

I often read a set of bullet points for each place of work, telling me that the author dealt with this and that tools and methodologies. This information may be useful; however, it could better be summaries in one section of the document. I think you should focus on achievements when describing your job experience instead, which will demonstrate your path in each particular company. For example, you were the first to join the security team, in two years, you established well-functioning security operations and automated the process. Or you started as a junior penetration tester and in a year have grown to an independent unit and led a dozen of projects. Tell something that describes you as a person willing and capable of growing, not just gaining experience.

Avoid lists in CV

Bullets are killing your CV. If you want to provide examples, do it by enumerating them with a comma or semicolon. And don’t try to give a full list! Since our brain absorbs the average impression of any data, it is better to provide a couple of really cool examples instead of a complete list. For instance, you shouldn’t enumerate all your professional certifications, starting with CCNA and Windows 2012 Server administrator. Alternatively, you’d better name the most relevant and recent ones.
Watch your grammar. Grammarly is a widely known tool; however, even an MS Word with Spellcheck switched on will be sufficient. Avoid complicated and complex wordings and terms. If you can simplify or remove a word – you should do it.

Don’t mention incomplete education

Learning without certification is not interesting to anyone reading your CV. If you attended five top courses in the last three years, however, didn’t take an exam – better not mention them in your CV at all until you take and pass it. Having the title of the unfinished course adds ambiguity and raises unnecessary questions the reader will most probably avoid asking. And whatever the reason for you skipping the test was, it will not be in your favor.


If you have a consent to provide names, positions, and contacts in the CV – do it. However, try to limit the list to people you worked with within the recent year or two. Otherwise, they will have a very general idea about your current situation, and you don’t want them to make assumptions. The best is two have recommendations of a direct manager or a customer, which directly benefited from your work.

Volunteer experience and social activity

Even Forrester and Gartner take these aspects into account when they score the companies. It applies even more to us as professionals. If you do good for your professional community – make sure you indicate it in your CV. Firstly, it’s a unique experience. Secondly, it proves you can be relied upon not only because you are being paid.

Media activity

If you have an account on GitHub, Facebook, Twitter, or other social media and use it for professional activity – don’t be shy to mention it in the CV. Learning, teaching, commenting on news and events, contributing to open-source software, talks at conferences – all this could be of interest to your potential employer. It’s highly probable that they look not just for an employee but also for a representative of their company in the media and at events.

If you have questions related to composing a CV – there is a dedicated channel #career-advice on the Ukrainian Cybersecurity Discord server. Juniors can ask, seniors will answer. Privately or even by voice.

I try to help improve as many CVs as I can. I think I should put my experience in selecting more than a hundred security specialists to use. However, please keep in mind that the last time I wrote my CV was ten years ago, so I’m looking at it purely from the employer’s perspective. That’s why I don’t give my CV as an example.

Leave a Comment

%d bloggers like this: