Hello! If you’re reading this, the chances are you’re writing a CV and want some help. The aim of this short document and information is to enable you to do as much of this as possible yourself, avoiding the most obvious and frequent pitfalls that most CVs fall into.
You’re currently reading Version 1.0, which may or may not satisfy every requirement, but is very much a work in progress that I will continue to develop.
It's worth adding that this isn’t intended to be an exhaustive resource for every job in every industry. It’s a broad swipe at a Cyber and Technical CV, that has some relevance to Information Security and Compliance as well, and with a little tweaking may satisfy a number of IT / Support / Engineering CVs and roles.
Let’s start at the beginning. Front and centre, with your name in the LARGEST font on the document. Through this document I’ll use borderlines to show example text.
firstname.lastname@example.org – Github link – Linkedin Profile
07TELEPHONE No – Address (either in full, or town, postcode area)
Right to work status – Driving Licence status (if relevant)
The address field of a CV is becoming a somewhat contentious issue atm, as those expecting to work from home and therefore not including ANY address details are often being discounted. You don’t need to share your house number or street name if you don’t wish, but some remote jobs that might require occasional office visits, or client travel will benefit from the inclusion of this info.
In a technical role (dev, admin, pentest, etc), you may have an interesting GitHub, (personal or professional, that may include frequently used scripts or small projects to showcase your learning journey). Or perhaps you produce some interesting and relevant content through social (business) media, like LinkedIn. If this is the case, this is a good place to include those links. For development or cyber roles, I would generally consider an active and well-presented git / repo to be an interesting and eye-catching addition to most CVs, and a lot of hiring managers enjoy seeing these.
It's sometimes worthwhile including your right to work, especially if your academic or work history indicates any overseas time.
DO NOT share exploit code, or a very poorly populated / neglected repo. Perhaps consider your LinkedIn profile content if it shares inflammatory opinions or has a lot of personal info you might not want a new employer to see, or a photo that might not be considered professional. DO NOT use inappropriate or suggestive email addresses, eg, ‘luvdabudz@xxxx’ or ‘bubblebutt@xxxx’ for obvious reasons. A lot of candidates create ‘burner’ emails, like ‘email@example.com’ which are easy to identify for the recruiter and manager, and you can easily discard if they become too spammy later.
There is no longer any need to include a DOB, but you may do so if you wish. Most employers do not wish to see it, to avoid unconscious bias etc, and sometimes clients ask for it to be removed before applications are made.
NEXT – The personal introduction. These are often QUITE a challenge for our technical candidates, where we see a high degree of ‘imposter syndrome.’ I believe there’s a few easy ways to approach this.
- What would someone else say about you? You don’t have to use superlatives, or degree adverbs, like ‘VERY,’ ‘EXTREMELY,’ ‘THE BEST’ etc. Just stick with simple and factual descriptions.
- I personally like a three-phase intro. Where you’ve been. Where you are now, and where you want to go. Sounds easy right?
Let’s try one here…
A technically skilled candidate, with 5 years’ experience and training in the administration of Linux, hybrid infrastructure and common cloud technologies, who’s spent the last 2 years working on an increasingly greater proportion of cyber and security technology. After some considerable personal and professional time invested in learning new skills, now looking for an opportunity to find a role dedicated to this area of great interest, particularly in defensive/offensive cyber. Keen to work in a progressive and growing technical environment where learning, innovation and dedication are rewarded with great opportunities and recognition.
I’ve written this one in 3rd person, but without a name. SOME managers and recruiters still like 3rd person, and you can even use your own name, e.g. “Martin has 5 years experience in…”. Personally, I find it a little stuffy and dated, and it can become very convoluted and difficult to write without grammatical acrobatics. First person e.g., ‘I am a…’ is also perfectly fine, so long as you stick to one or the other. DO NOT mix these up. Make sure it reads easily and flows.
Let’s do a first person one too, for illustration.
I’m a Computer Sciences Graduate 3 years into my professional career. I’ve really enjoyed working in development / system admin, where I’ve learned how to troubleshoot live systems, in a dynamic and varied technical environment. I find myself at a stage in my career, where I’d like to specialise in XYZ, and use my skills to move into this in the longer term. I’m studying abc/123 a lot in my personal time (please see details below) and I’ve found something that really captures my passion. I’m keen to find employment where I can bring my work ethic, dedication and energy into a new role, and work with XYZ daily.
There are no hard and fast rules on length, but I’d make this easy to scan read in 15-30 seconds. Keep it fact-filled, punchy and ‘warm’ in tone.
There are many ways to write this, and it’ll depend on your personal style to a degree. It’s likely to be the most challenging part of a CV for a lot of techies who don’t like talking about / selling themselves that much! 🙂
NEXT – Key skills. This is the first place a reader will start to get a taste for what you can deliver in a job. I’d typically break this into a couple of subsections, depending on the skills, and jobs you’re applying for. Something like, Technical, Personal, Project, and maybe industry if you have industry specific skills / experience.
Technical Skills: - (Here you can write your daily // bread and butter skills. I've tried to group them loosely, but you can list more freely if you'd like, or group by other factors).
- Penetration testing - Strong experience with Internal / External Inf, API, Web Application, Mobile (iOS + Android), some basic experience with code audit, currently learning to root embedded devices.
- Security Frameworks / Reviews - Cloud Security controls in Azure and AWS, FW build reviews, some 27001, IASME Audit, PCI Awareness
- Operating systems - Linux, Debian, RedHat, MS Windows NT-10 to Server 2009-2022 to admin level
- Scripting, Programming - Bash, Shell, Perl, Python, Golang, learning some C, C++
- Cloud / Inf skills - Azure, AWS, some Google Cloud, Kubernetes / Containerisation, VM, Zen, various virtual machines
- Misc. - Embedded devices, Arduino, soldering, PCB, lockpicking.
If you’re learning more skills CURRENTLY, you can include these in the above or a separate section, but clearly denoting that these are just ‘currently learning’ and aren’t yet commercially tested. No manager or recruiter will thank you for bunching these together and claiming expertise.
Personal Competencies: - (Transferable, universal. Maybe these will seem too obvious to add, but see how you feel reading these?)
- Excellent communication, written and verbal. Strong technical reporting, presentation skills and very comfortable in client situations.
- Great project leading / Coordination / supervisory / delegation skills and experience
- Strong commercial awareness, and experience in the commercial process, RFI / RFP and value proposition in the tender process, relationship building, influencing outcomes.
- Excellent problem-solving skills - Able to identify and overcome roadblocks in projects, commercial negotiations, personal and professional relationships.
In some cases, if you’re a consultant, or a salesperson you might want to include something like the sectors you’ve worked in. EG, NHS, ISP, Healthcare Provider, Petrochemical, Central Government, Local Government, Police, Banking, Insurance, Retail, etc. This makes sense if these different sectors have different idiosyncrasies that an employer might value.
NEXT section. Education, Certifications Memberships. This is an important section for a lot of us. If you do not have any professional or higher qualifications, you may want to consider moving this section further down the CV, and relegating to a few lines, perhaps after the employment section.
Let’s look at the components and what’s important here.
Professional certs are important in a lot of cyber roles. List them clearly here, along with the dates gained, the relevant governing body (if relevant) and any variants. If you’ve RECERTIFIED to a certain level several times, this is sometimes worth mentioning. It looks like consistency / dedication. If you’ve held very important certs that have lapsed, in certain cases it might be relevant to include them at the end of this list, along with the valid dates, clearly stating that they are lapsed. This may help you appear in certain key-word searches where the skills gained through the cert are relevant, but a current cert is not. For example a lapsed PCI-QSA would generally have a solid grasp on PCI standards, but the cert isn’t relevant outside of a QSA consultancy / certain merchants.
Certificates and Memberships
- Add your highest / most impressive certs at the top. Date gained
- You’re welcome to include the issuing body if relevant Date gained
- Perhaps including relevant memberships (not Blockbuster) Date gained
- You’re welcome to include lapsed certs, CLEARLY stating that. Date gained
In terms of academic education, most employers are only really interested in the HIGHEST or most recent demonstration of this. Most often a Degree / Masters / PhD. If you’re fortunate to possess ALL 3, mention them along with the grades, in 3 succinct bullet points. This might come as a surprise to a lot of people, but if you miss the grade from a degree, the assumption from anyone that reads it, is that you have a 2:2 or a 3rd. If you have better, then state it!
- University Name, Location, Course, Title, Grade
- College Name, Location, Course, Title, Grade
- Summary of grades in short form, School Name, Location
This isn’t the place to go into details about modules, or dissertations, unless it’s something EXTREMELY relevant to the role you’re applying for. You may if you desire, and the grades are good / worth sharing, talk about your A-levels or GCSEs, but as a bullet point at most. “10 GCSEs, A*-C” or “English, Maths, Economics A-Levels, Grades ABA” for example. It’s not usual to break this down further, and uses a lot of valuable space on the first page of a CV.
SO, to one of absolutely the most important parts of the CV. The employment history which should include your current or last role. Think about; What you are doing today? What are your daily use-skills? How are you applying them?
Let’s TRY to get this at the bottom of the first page. The lead up to this, through your intro, certs, quals, are all in readiness for this. This is the make or break for the CV, for most recruiters and recruiting managers.
Job Title Company Name – www.companylink.com - Location
Dates of Employment (TO and FROM - Months and Years)
Here, give us a short overview of the company's business / services, and a sentence or two on your areas of responsibility.
- Provide a highlight of the key achievements you have made in your job.
- QUICK project technical snapshot esp if anything additional to the key skills above.
- Try to share metrics wherever suitable, such as percentage increases, financial figures, values, or durations of projects / sales / successes.
- Don’t share anything that a new employer might consider intellectual property.
- Try and keep examples relevant to the role you are applying for, prioritising those that are THE MOST like the type of role you’re trying to find.
So, there’s some varying views on the market in relation to this section. I’ll share some of these here.
Account for gaps in employment always. Managers and recruiters may be concerned by unaccounted for gaps. Address them upfront and maximise your chances of a call. If you’ve taken time off, or being struggling to find work, that’s fine, especially if it’s after a long intense period of employment or redundancy but do be clear about them. For example.
Sabbatical time with Family / Time off between roles after redundancy – Feb 23 – Present.
Took a few months during the spring to spend with my new son, and deal with some DIY tasks I’d been putting off for some time. I had a rare chance to update some of my certs without work deadlines looming and used the opportunity to study my Microsoft AZ900, AZ104, AZ204, to reflect the recent work I’d been delivering in Azure and Cloud tech.
Even if the time off was unplanned, it’s wise to complete the story in chronological terms, perhaps with some info about how that time has been spent. For example, if you’re a passionate techie that’s spent hours a day on Hack the Box, then tell us about it!
A worthwhile point that a previous hiring manager used to drill into me, is that the technical content of the roles should in some way reflect the content of the ‘key skills’ bullets. Otherwise, we’re not showing the reader how we are using these skills. It’s all well and good claiming them on the front page, but let’s talk a little about how we’ve applied these? Ideally, with some further embellishments, maybe more detail. This all builds to give the idea of competency not just exposure / awareness.
- Depending on how long your tenures have been at each role I would aim to do this for 2 or 3 roles, covering ideally about 3-5 years minumum. Stick to the same formatting, the same bullets, the same spacing etc.
- A lot of people like to include ‘reason for leaving’ and I think this can be relevant in shorter tenure, or in the case of redundancy. I do not think it needs to be universal and consistent throughout the job history, and may attract the wrong kind of questions.
- Try not to repeat the same bullets for multiple roles, even if the job is loosely similar.
- If you have contract AND permanent employment, state that. There’s little more concerning to an employer than a candidate moving permanent jobs every 12 or so months.
- Older, but still relevant roles, can have shorter descriptions / fewer details.
- If you’ve got earlier, but unrelated roles, then compress them into a few lines, with relevant dates. Believe it or not a surprising number of experienced recruiters and hiring managers will want to know what you did in your early career. It might indicate your commitment to work and earning, your resilience in hard jobs, with long hours, and unpleasant conditions. This is especially true with military training, or other extremely taxing physical roles.
- CLICHES to avoid where possible. Good teamwork / project management skills (everyone is in a team and has projects), results oriented (so what are we doing if there’s no results?) If you’re talking about responsibilities ideally use examples that aren’t the bare minimum requirement for your job. Use examples that are ‘above and beyond’ what you were expected to deliver. If you find yourself wanting to use these terms, perhaps consider what makes you good at teamwork?
- Footnote to add to this section: certain jobs want specific details on project you’ve worked, that match theirs. It’s ideal if you can edit a few bullets to reflect that in the CV, but don’t mess up the document formatting when you could add “please see additional covering info provided” where you can go into detail more easily.
Penultimately… Personal Interests / Hobbies. Let me be frank. This isn’t going to affect the outcome of an application, in my humble opinion. It MIGHT give you a little common ground with an interviewer or provide subject matter for a short ‘warm up’ chat. That said there’s a few basics to keep in mind.
Write these in the same perspective as your personal statement in either first or third person, in a friendly and casual style, perhaps with a little humour, modesty. I’ve seen any number of these, and those that stick in mind are things like "I have been learning golf for 22 years and I'm still awful". Or "To the continued disgust of his wife, dog and neighbours, Tony began learning the trombone in his 40's". Maybe you’re not a comedy genius, so the below might be useful:
- If you’re applying for a leadership / training role, being the captain of a rowing team, or a volunteer football coach is probably relevant and worth a mention.
- If you want to appear reliable and benevolent, charity work, animal rescue, etc, are eye-catching, but don’t stretch the truth.
- If you’re part of a greater tech community, then being involved in non-profit conferences, writing training resources, sharing your free time, resources, really paints your commitment and passion for joining an industry.
- Better not to big-up achievements or lie here. If you claim to be something you’re not, and someone asks questions (or God forbid has the same interests) then you might come off looking not only a wally, but also untrustworthy. It’s just not worth the damage in trust for a potentially tiny gain.
Finally. References. Consider what information you want in the ‘wilds’ of the internet. If you intend to use someone’s name and number, make sure you have their approval first. It’s almost a given that you’ll be referenced as part of a job offer, so the easiest, and most common thing is to state, "References Available on Request.”
So, here we reach the end, my friend.
I’m open to feedback, and I’ll be updating the document over time.
There’ll be several more guides coming from me moving forward, including some good advice for juniors, or intermediate people who are disproportionally the most affected by the current squeeze.
Thanks for reading 🙂