Stephen Semmelroth - Resumes are Stupid (but you still need one)

all right let's get started my name is stephan semelroth and today we're going to talk about some things that everyone hates no one likes this stuff who likes writing resumes who likes looking in the mirror at yourself and seeing all of your flaws i don't i don't like it at all i hate my own resume i can't stand it so why by thousands of other people's resumes and stared at them and red penned them to make sure that they can win oh it is frustrating and it's hard and it hurts sometimes but when you get it right it wins and you win and whoever's going to hire you wins or if you're a hiring manager you get to go find

somebody else that's going to be awesome and help you win that's why we're going to talk about resumes today we're going to talk about resumes because it's a thing that you have to do not a thing that you want to do period all right uh there's my linkedin connect with me i'll have that out a couple times my goal is to make sure that the community wins one of my personal goals is that we get to a full up-level community of cyber security practitioners my goal is that everyone in this room right now you they're taking important job so that way you and your family can live in a better way we increase the happiness in the world

can we all agree on that i'm gonna i'm gonna point to you every time thank you you know the more participate the more likely i will uh hand you one of those okay a lot of people are so copyright nothing that i'm going to talk about related to any experiences i may have had or currently still have or anything that's covered under nda and of course continue at your own risk you'll be dragons and don't hack things you're not supposed to okay the guys talk so over 20 years responded to my first cyber incident i didn't value the experience when i did it it was the nimdi virus absorb smb has anybody employed it or responded to smb in the

last year thank you yep it's still out there's still smb flaws and the thing is the 84 hour incident response that i just finished last night i asked the same questions during that instant response that i did 20 years ago because the landscape has really not changed the way that we lead organizations through incident response really hasn't changed and it's all about people which is why we're going to talk about resumes um west point infantry electrical engineering uh we can talk about that later in 2015 i found out i had broken my back and i had to have a spinal fusion and when i woke up from surgery my my friend uh who's hilarious a phenomenal sense of humor

he's standing at the foot of my bed and i can't see what he's doing i said come on doc give me a break he goes no really can you feel this no i can't

it'll probably come back that's what he told me it'll probably come back by it he meant feeling and the ability to walk look what i'm doing awesome [Applause] i don't have that many prizes but keep going um so then i came down here came to the cyber corps got picked up pretty early on which was which is a really challenging part as we were building this community as the cyber center was not here yet the formation of the industry hasn't here hasn't been here there were things that were happening but there was a big structure around it and we got to be part of writing what the cyber corps has come become today in 2019 i ended up getting quickly

retired and i thought how am i going to take what i have done the network that i've built out the amazing people that i know and help them out in their careers what am i going to do what does that even look like i thought oh i'll just do the same thing that i've always done and help people out but i i need to get paid to do that how can i do that oh i'll build a recruiting company so i did 2019 i launched my company um and i thought you know what this will be this will be something i do in my spare time this will be something that i do for fun just

the community so that's where i started really diving into the craft of resume writing and what it is because if you're going to do something the tradecraft that you apply best in the world it must be the best in the world for you to succeed because if you're not competing sorry i walk around a lot you're going to keep you busy if you're not competing then you're just there to show up and competition is what we do because that is how we win in cyber security if we're not competing against the adversary or against corporate against our bosses then how are we really going to win how are we going to sharpen the edge of what

we do in order to get to victory so that was why recruiting cool great became a mastermind craft read damn near every single resumes on the market i talked i went to webinars i went very very frustrated because no one agrees on any of this and we'll touch back on that in a second 2020 um 14 months into launching my company i sold it what holy cow i've only been doing this for 14 months and i've built something that's good enough to sell incredible i didn't think i didn't think i'd be at that point yet i didn't anticipate it i didn't plan on it but it went back to my mission of being able to

get more people amazing jobs to increase their family's happiness okay if that's the case and this aligns with who i am as a person game on let's go no looking back let's go okay um so what i'm doing now is uh after i sold it i'm effectively a vsazo i come in i help my clients understand at the sizzo level what it is their security posture help them through incident response help them through disasters get them back up and going and have a whole lot of fun while we're doing it because i happen to thrive in conflict i really enjoy it so the more conflict there is the better for me because i'm a glutton for punishment but when we can

provide a stabilizing force and we can come together and everyone's freaking out and we say hey let's just take a second let's make sure that we're all on the same page that we're headed in the right direction and what we're about to do will this actually have an impact it will great so because of that i convinced my marketing team that uh mentoring people is a part of marketing so i spent about two and a half hours a week and just mentoring people in this community so if you'd like to connect with me ask we'll we'll find a time to make sure that we can talk about where you want to go with your career so all that to say

resumes why the heck do we even need a resume anymore we've got linkedin we've got a social media profile we have medium where you can go and you can write and you can put out the content that shows that you are the best in the world out there we've got hack the box we've got all these amazing things that uh why do i still need a stupid one slide piece of paper that maybe encapsulates who i am because when we look at it not everybody in the organization knows what those things are so for every one cyber practitioner that's out there there are 10 it people that are keeping the lights on the grass scene and for every 10 it people that

are keeping the lights on the grass screen which is an incredibly challenging thing to do by the way there are 100 developers so think about it from an hr and a recruiting standpoint if you have an hr person their job is to go out and bring in 100 developers and 10 it people and one cyber security person why the hell are they going to know the difference between cissp and sec plus why are they going to take that time when you look at the cyber security certification landscape and there's 105 or so different certifications that could be considered cyber there's 30 on there that i don't even know what they are yet so if i don't know that why would an hr

person especially a junior hr person my brother what's going on good to see you oh man they're just coming in what's up guys i'm not sorry about this but here's something that's really hard to know in the resume world no matter what you do you're going to be wrong the goal is to be the least wrong possible hey stefan i just had i paid 500 for somebody to look at my resume read it and i think i've got a really good that's amazing let me see it who did this for you my cousin's friend's aunt well she's an hr person and she works at uh at a trucking company that is great i'm sure she's the best in

the world she does but she doesn't have the context about bits and bytes that we do so i'm sorry that you spent that money maybe you can go get a refund it's not going to help you in the space hiring managers don't know how to read it and we're going to get a couple other places they don't know how to read it they don't know what it means because the way that it was written was not for them who are the four audiences we talk hiring manager i like this one on the left the 23 year old screener with a couple years of experience in hr who makes the pass oh that's the person that's going to put me

in the yes no or maybe bucket shoot they need to be able to read this they need to be able to read it so if i put my resume in a json format and publish it to my own personal website because then the hiring manager will know it you've missed the other three audiences recruiter there's internal and external recruiters an internal recruiter at a company probably works for hr they might have an idea of what's going on an external recruiter which is what i was that specializes in a pacific area they're going to know funny story the best recruiters that i know that are in the cyber security are all electrical engineers so if there's

any ees out there join the space we'll have a talk i'll let you know how to set up your company the hiring manager that's who we all want to talk to because they know the difference between splunk and elk heyo and then an applicant tracking system who likes applicant tracking systems in here thank you we all hate them unfortunately they are part of this project of uh who are the four audiences so we when we craft a stupid resume when we do the work we have to think about all four of these audiences can i get this past an applicant tracking system can their hiring manager actually get a chance to see it the recruiter saying what the heck am i

writing and then the yes maybe bucket person 23 screener can they understand what this is as well and remember 110 one that's the battle that we're fighting with a stupid piece of paper so again we can't agree here's a couple of books that are out there and i wanted to take a look at just the top you know one of the top lines an objective statement versus a career summary which one's more important should we even have them turns out that's an incredibly challenging problem statement so ladders they're the ones that uh had the quote for the four audiences they said never use an objective statement and you should absolutely use a career summary mistake says never never

crap okay we gotta do more research here's three more sometimes yes never yes sometimes yes ah so what's right well you depends on where you're at here what you have done and where you want to go are you in a major last 20 years taking care of your kids now you're getting back into the workforce are you transitioning have you transitioned out of the military where are you in that in the pipeline and are you going to transition career fields you want to switch from hardcore eyes down tech engineering

ep so based off this objective summary might be right but probably not the way recruiters are um

the objective

just to beat the applicant tracking system often who here has applied for more than 50 jobs online who here's applied for more than 100 who here's applied for more than 200 look around it's a real thing

had resumes aren't the actual answer

okay so what type has anybody heard about a functional resume burn it out of your mind now as a recruiter if i see me i see a functional resume it tells me that

if i have to go through and figure out where the hell you worked for how long you worked there and what you did that takes me more than 15 seconds and you're not worth the time hard truth if i have to do the work to to read your damn resume and figure it out when i have because you're probably trying to hide something and when you do and you go through and you do the case studies of why do you have a functional resume well i heard that it's important getting a general that's why i did it okay what else did you do that's when i was in prison oh okay you actually you legitimately are

trying to hide something and i've got enough anecdotes

great you're all graduates of snl tap let's just talk about something here and this is this is a resume i believe i got all the pi first of what is that like eight lines not gonna read it sorry don't care um classic here's uh nine bullet points about things that i think the applicant track key system wants to learn about me oh good risk management so does everybody else we're in cyber security here hey look i had for a little while and somehow split

what did you actually do there's lots of words here but how do i know that you're a performer how that you actually move the needle at an organization that we took a project and got it from start to finish that we executed that we made sure that our clients were happy making sure that we brought in revenue to the company or that we reduced cost it doesn't say that at all and oh by the way an application system anyone having to talk to a developer that has built an applicant tracking system oh i have that is another story to give you this your best a developer put on the things that are going to make

you money and your interns are the ones that build you out so any time you put in an app a resume and they look at it somebody had a semicolon consistent broker system because we didn't actually do proper scrubbing so anytime there's something that we don't understand we just drop the resume out of our system real talk it's a thing so we don't put silly things like uh graphs tables pictures actually embedded hyperlinks colors we have to keep it simple because an applicant tracking system is one of the stupid four audiences we're writing this for in the first place who's seen this resume it's all over the place right marissa mayer ceo of yahoo this is her resume

no it's not this is not her resume this is a company that designs resumes that decided to make this one as a marketing tool to go through and push it so you all everybody that's seen this and thought that this was a great idea you got social engineered by a marketing team oh it looks like it's a great idea but remember hiring managers is only one of four audiences and also mercenaries don't need no resume she's not gonna need one in the first place okay what do you need in the header because i'm gonna give you some tactical realistic things that you are going to take away with one name you'd be surprised you'd be surprised when i see resumes

and there's no name on it or a phone number or an actual email address huh wait does that say clearance i can put my clearance on my resume you're damn right you can put your clearance on your resume and if you have one and you're applying for a job that requires a clearance and you don't put it on your resume guess which bucket you go into you go into the no bucket but i thought if i was a performer then they can see that by this beautiful piece of paper that i've written they're going to call me and see if i've got my resume and they're going to go check in the sister of my clearance and

they're going to go check in the system no they won't because they don't know if you did and if you don't have it on there you're disqualified that's right conversation i've had literally hundreds of times when you can work available date if you're transitioning you must have it on there if you are already out in the field maybe you need it maybe you don't probably not um if you're going to move where you're going to move to in the current city and i say city i specifically don't say address because what if you're from the wrong side of the railroad tracks are you going to let a recruiter discriminate on you based off of where you happen to put

your head down at night hell no so don't put your address put your city or your region because why would you want to know because of a preconceived notion that they have about you and then of course if you've got linkedin github or website put them on there as well um flat html not an actual link just https colon slash and then again no links no icons no tables no little linkedin little bubble don't do it because it's probably going to break an applicant tracking system okay most important things first we have three resumes here first one on the left education work experience sales certifications and volunteering this is what a junior resume should look like in

terms of order put the most important thing about you first if i have to dig through it to figure out whether you're qualified that's on you that's not on me tell me what i need to know about you first if you just graduated or you're about to graduate from a program put it up there carnegie mellon masters of computer science applied tingles i want that if that's buried way at the bottom because i know out of some programs you're going to be best in the world and if i can't figure that out real quick then again probably in the maybe pile if you're lucky this next one this is maybe somebody that's transitioning maybe they're coming back to the

workforce they're switching around a little bit they've got more skills than they have work experience that's fine so they put their skills up front they put it up front i'm damn good at regular expressions i will crush them okay good now i have an idea of not only what you're best at but where to put you boom this last one this is a senior this is a senior they've got so much work experience i don't care if they've got it or not because i can tell that they're the best in the world like nando and then down there yeah they check the blocks yeah good they've got the they've got the degree of the blah blah blah

okay cool nailed that white space when you see a resume that looks like this that's got all this ton of wasted white space on there when a bullet goes one line and then one word on another line you are self-selecting into the ability to not really utilize that and tell me about you so either write smaller or add enough information to close the gap to get information all the way out there i know oh look at that carry return on the uh the page um about how to write this shorter harder smaller the community the community will help you edit here's another one you see this all the time cool look i've got columns this is only good if you're going into a

job that's ui focused user interface focused design focused marketing focused that's the only time to do columns because again applicant tracking systems can't parse columns oh stay away from them bullets ah this is the this is where we the most red penning happens on the bullets if you're at a company you switch jobs maybe you go from help desk to pen tester at the same company two different bullet sections or two different actual sections the most you get for any role is two to four bullets because any more than that it really feels like you're just you're trying to prove a point that you're good but the more you try to prove the point that you're good the

harder it feels to know like ah so if i you know i deployed puppet across the scenario deployed ansible across the scenario deploy this across the city and each of those is a bullet i'm going to stop reading because you could have put ansible comma puppet comma and then i would actually go okay you're in charge of deployment see the difference there deployed the other thing i like the uh the bullet format so either var or car challenge action result very simple past tense verb ed ed lead which is led by the way not led that's lead led led a team of five engineers to launch a v1 product in a new marketing space boom i got that v1 product awesome

excellent i love it use numbers built a sales funnel of 420 000 a month revenue oh okay discovered four cves boom all right i'm feeling this i'm feeling this okay and then always just like anything else we're going to put the most important bullet first so the thing that you're trying to do next that is that next bullet so remember that kind of career statement where you want to go in your future the next job that you have that's your problem statement and everything else on the resume should be the documentation that shows why you want to go in that direction think of it like an essay i want to go here my next job role is here

okay supporting evidence wow and we get to do that by being brief so use brevity as we write this out like short okay things to avoid here's the work roll that i did the job description and then my four bullets of how i performed no one cares what you were responsible for when i was working with those three gentlemen over there part of my responsibility was to be uh the defense lead for the dark side of the moon and did we succeed did we defend the dark side of the moon yes we did i was responsible for it but we didn't do anything about it no one attacked the dark side of the moon so was i

successful that we did a lot of other stuff we did amazing stuff we set the stage for things that are still happening today set the stage past tense for y'all feel me uh so responsible for again um not starting with verb to add to that three lines of okay and then uh yeah listing every single technology that you touched because that just looks like you're like you pull it up and it's like looking at a cdw catalog of all the different things that you can buy i don't care like let's leave the focus things on the flip side of that things that you know if you have a good recruiter they're going to know what

you're like oscp is if you have that 23 year old screener they're not going to know how cali ties into oscp and they're not going to know that if you've been able to accomplish oscp you probably understand python ruby and what an exploit is and how to netcap so depending on how you craft this and where you're at in your career you may need to have some more of those things um in the skill section and then you can have like you know a couple bullets so the point is kind of add three but be judicious about it again certifications they can be important in the space and they should be important in the space

but they're for the hiring manager they're not for the recruiting team so put them in the right order the most important one first don't put them in timeline so if you have you know a gold standard certification but you earned it three years ago and then you had to for 85 70 requirements you had to go get some other stupid little thing don't put the stupid little thing first put the big one first because then the recruiter gets to understand what the heck it is you actually did um y'all can read i'm not going through this okay thanks stefan you told me not what to do and what do we do next go to my github

it's right here the outcome of reading those thousands of resumes and writing thousands of resumes and red penning thousands of resumes this in my mind and it's free it's open source fork it make it your own publish it take it i don't care i want the industry to be better so it's right there pull it in let's talk about a little bit more okay so when you actually pull it up there's two documents in there there's the guidance one which has a lot of the things that we've talked about in here read through it read through it internalize it understand what it is that you're doing get to know it get to feel it because this is the thing that you will

be judged by whether that is wrong or right whether it feels good or it feels bad so get to know it it's right there there's some of the biggest biggest things that i've seen and then links if you don't believe me to other articles by some of the best people in the world that have been doing this like laszlo bach who ran google's hr program so you don't have to believe stefan you can believe laszlo here's the actual thing um uh the template itself that's shameless marketing for when i still own my company delete the logo you don't have to leave it in i gotta come on you gotta have a little bit of marketing here

um so it's a template here it is pretty simple the red stuff there it is it's right there it tells you in the thing as you build it out i try to make this as simple as possible because i got sick of writing y'all's resumes for you i want to teach you to that's what i want to do here um irony is that on the second i don't think i've got it in this one but uh yeah i listed a bunch of like fake hub repositories and uh one of those called the jager shell um because i thought would be hilarious that no one's gonna believe is actually a thing it's like jagermeister yeager shell so i put it in built it and uh

i've started to see jaeger's shell on other resume formats because people have been copying and using them and then seeing them actually like submitted to applicant tracking systems and people have asked me what's yeager shell it's not a thing it's copy pasta and then oh by the way this past couple days um who here has been contacted by somebody probably from another country offering to do a certification for you it's called cheating [Laughter] um one of my friends and i'll probably do a post on this here shortly one of my friends asked one of those people if she could get certified in jaeger shell so she's denial of servicing the cheaters because they spent out they spent three

days looking for the actual certification agency for something that doesn't exist and i love that that really warms my heart okay so we talked about the four audiences um yeah lame lame could be good could be a good recruiter hiring the target so the takeaway from this one is that recruiters won't read they will scan so give them an opportunity to see the things um objectives are for people that are transitioning careers or people re-entering the job market no by the way and i can't tell you how many times i've had this happen especially uh because most often it's ladies that stay at home take the kids most often from what i have seen quantitatively

steph and i'm getting back in the marketplace oh fantastic i'm excited for you how can i help well i used to be a c-level programmer 20 years ago and and i just don't should i even put that on my resume hell yes you should put it on your resume because funny story c hasn't really changed in 20 years do you still put a semicolon at the end of a line yeah yeah do so put it on uh we talked about chronological one and most presents first and references don't put the phone number or the contact information for your references on your resume because you're just wasting space if i reference i'll ask you for them so

have them but don't put it on there especially once you start publishing your resume now you're doxing your references and they're going to start getting marketing calls because you had kali linux on your resume and whoever database this got dumped into now that person just got associated with cali and so they're going to have pen testing companies calling them to see if they need a pen test because you put their contact information on a resume that became public i wouldn't talk about it if it weren't true okay what is your way ahead first off you can do this now that we've got some direction and we've got a little bit of purpose and we've got motivation

you can do this you can go make your own resume you got it everybody put your hand up in the air i'm not gonna make you swear to anything because i don't do that but just put me under there say i got this say it again one more time thank you you can do it you can get it through you can get it to work and here's the best thing is the community will help discord linkedin slack channels all over the place veterans if you're not a part of the vet sex slack you should be get in there now there's a couple other ones the community will help you with this there's amazing people that they

just love helping people with their resumes and now here's the actual piece it's never about the resume it's never about the resume it's never about the resume because if you are a good hacker you're out social engineering right because if we can attack layer eight then layers one to seven crumble it's the same thing with net uh with with going out and finding a job if you're out networking with the people around you if you're going to mr rodriguez's talk if you're going to mister find uh uh oh my gosh fernando nando there we go if you're going to mr thomas's talk um and you're in while you're here talk to people your goal every week

from here on forward should be to go to two networking events your local python developer group your local whatever group every week go to two it can be virtual it's fine if there's something in florida just log in if there's something in spain just log in meet some people for every two that you go to a week try to have coffee with two people that you meet at those in a year from now think about how many cool people that you will have met so a year from now you've built your network you've had those touch points you're starting to understand who's who in the field and people in the field are starting to understand who

you are and then jobs start happening they'll say hey send me your resume now we've gone from submitting 200 resumes just out there in the wild to yeah give me a resume let me let me go talk to hr that is when the magic happens because it's people process technology if you start with technology you're wrong when microsoft pivoted from focusing on people to the product they slumped and other people start other companies started to microsoft had to go through and rebuild their entire talent acquisition they started having to go pay for the best developers the best project managers the best marketers in the world as they were coming out of college and now we're just

starting to see the point where that emphasis has been building and the fruit of that transition is happening if microsoft can make that pivot so can you people first make the connections shake the virtual hands and eventually you'll start getting job opportunities and then you'll start having too many job offers too many uh here's my linkedin stuff again uh follow me on youtube like subscribe for more icons um giveaways let's so uh l w u s o three six a c h uh ac 1200 wide range i assume that this you can use in promiscuous mode so uh uh don't hit the wall of sheep please um go out check it out it's usbc which i

think is happening see the chipsets they're still old so who wants it

who wants this one let me ask a question anything

look the question is um if you're new to the industry would you recommend things like ctfs and things that you've done on there yes anything that gives me the ability to walk to either a hiring manager or an hr team or where i can say hey you need to talk to this guy or gal and i fly them something and i don't have to say anything else that's a win if i have to explain why someone is good then it's a lot harder so um this is one of my big things for a hackbox if you're top four percent or higher put that on your linkedin profile by the way top 10 per hack usually means

that you're like logging in

four percent means you're better than most or better than half so yeah like think things like that uh if you are if you're doing ctf especially if you're winning ctfs because i go back to three three c's um are you competent uh

that's really easy for me to to like get to the point and get to yes

uh the question if you're going for an entry level position how do you differentiate yourself from other people that are going for differentiate and other entry level positions if you're networking correctly you won't really need to so when i and i say that so let's go back to ctfs um you come to something like this and you go to ctf you get in you start banging on a problem converting emphasis text whatever it happens to be right you get the flag you stand up and you celebrate it doesn't have to be loud or boisterous or anything you just yeah just and then you get another flag you get another flag and then you run into something that you can't get you

start hey can you help me with this flag do you understand powershell you understand python can you help me with this oh that's all it is awesome and then you need a little bit more a little bit more a little bit more and as you as you do that you're building that networking and somebody that is hiring position sees that you're excited about it that you love doing it and they can watch you versus team on the board right and i've seen people like i did not just see like oodles of anecdotes where people walk away from ctfs with jobs you'll see hiring managers walk around sometimes they'll have their corporate shirt on sometimes they won't sometimes

it's like hey let's go get a cup of coffee tell me about that flag cool where are you at in your career send me your resume so that's a great way that's you know red team blue team type things um the more active you are in the community the better so who here can write a hundred a thousand words a thousand words good then you can write a linkedin post that will probably get at least 50 60 likes man i'm on i'm doing oscp and i'm really struggling with the sean box it's ip251 and i just i'm really struggling through it but what i have found is as i go through this process that when i landed on the box

the ip address wasn't what i expected so did i just accidentally pivot into another network am i in the dev network now i am in the dev network okay so here's what i've learned you're basically writing a post that's a write-up of what you're doing that will get attention and as especially as you go things that are difficult if you're honest and you're vulnerable and you write down the things that you are working through people will step in and they'll help you which is great because you'll get to your goal but what they're actually doing whether they realize it or not is they're seeing if they want to bring you to be part of their team

uh the question was how important is it to celebrate failures uh especially on linkedin while you're going through some of that part of pain um this is something that's kind of divided in the the influencer community um i still talk about my failures um i do it because i want people to learn about it so the way that the way that i message about my failures is probably different and i do it in a way that i know will get less likes we'll get less interaction um because unfortunately you know the loudest angriest voices in the community are the ones that get the most interaction so when you do it make sure that you write it while you're upset

but you don't post it while you're upset i'm gonna say that again write it while you're upset but don't post it while you're upset and when you do that you can take a step back go for a walk play with the dog you know grab a cup of coffee come back in look at what you wrote scrub it one more time the content will still be there massage it a little bit and then post it and when you do that and you absolutely should because there should be a lesson there should be a key takeaway from it there should be a call to action on the back side and when you do all that together then i think you've

got something that's much more meaningful that will help the community instead of just and when you do celebrate that failure in a good positive way the community responds usually pretty well and specifically on this one each of the different social media platforms has their own feel to it i can't stand twitter very much i watch it for like cves and stuff that's coming out and announcements about b-sides uh but for me twitter drags me down emotionally so i will still post to it and still engage every now and then but i like to be on linkedin where the community builds you up and makes you feel good about yourself and confirms that you are a champion

and then that perspective helps me drive my motivation to continue helping the community that answer your question

depends on where you're on your career but yes

can you speak a little bit

yeah so the question was if you uh if you've expired res aspire certifications do you put them on your resume or you take them out i usually recommend leaving them on and just putting expired yeah because i mean let's be real cpes are stupidly expensive with some organizations now does stefan pay for his cis p every time yeah yeah cause i don't because i don't do it i don't want to do it again uh and if we're gonna break down different organizations i'm not gonna like you know shoot any nuclear missiles at anybody or anything but there are some that i keep going and there's some that i honestly like they're not really relevant to where i want to go with my

future if there's a point where i have to pivot back to a different career path then i might go back and actually do those search again or whatever the most up-to-date one is it's it is a i don't wanna say it's a risk decision but it's a calculated decision on whether you need to go back or not but i usually do just just put expired because that way at least one point you pass the thing let's give you credit

do you do anything else to get back to the industry i'm sorry the question was um if you're like say you just came out of school you're in your first job how do you set up your resume for your second job do you do anything else in the community are you involved in anything do you volunteer b-sides do you do anything else that could help show that you're a competitor or champion i'm assuming you do so you put those things on there and then if you're not doing those things start doing those things uh i think i'm on four different uh like education boards or not for profit boards maybe it's five now i don't know

join them just show up show up show up to the meetings get there and then at some point they'll be like hey we're looking for new officers for next year anybody want to apply this is a general board seat you don't actually have to run for it if we think you're cool you're in yeah i'll do that and then of those five i think that's probably only about 50 hours a month or 50 hours a year that i i'd invest into those specifically to help outside of participating in them and it's a phenomenal way to really show that that that you're there that you're ready to play ball and that you've got a different perspective that other people

might not have yeah it and it's actually super fun too really fun rewarding

the question is does number of pages matter yes it does uh because that 23 year old recruiter is coming to work probably hungover and they can't read more than a page yep so the uh outside of the cyber industry one standard then maybe another page for a cover letter but i i don't fc uk um in my opinion so yeah one page is kind of the go to usually you can get to one page if you're like a mid or a scene you're no longer to show that you can perform you've already performed and it's so that the tone and the audience are different um if you're a junior or a mid two pages is probably about right

especially when we look at somebody that's really technology focused that's on the blue team side because blue team you have to show proficiency in so many different applications and sets and whether you're on an e5 license and you're working with azure sentinel and you've got a sim that's out based and there's connectors and you have to show that you've got api experience and you can push jsons back and forth and you can power shell you know out of a wet paper bag so there's there are some times you have to go to mine is currently two because i list my conference presentations um so like this one will be on there and that list is pretty stupidly long

um but that's because a lot of what i do is client-facing so it's it's a way to show that uh for somebody with a very technical hard skilled background that i can still talk to people

i'm so sorry

uh the question was if you're changing fields in this case from accounting to to cyber cyber um what should you focus on as you change those fields so i'm not going to give you a specific answer because i don't think it's fair to give you a specific answer i knew that one was coming um i'm not giving you a specific answer because i don't know you yet so let me walk you through the first 15 minutes or so of of the talk that i do with mentors or mentees hi i'm stefan how can i help well sir i i really want to get into cyber security okay why do you want to get in cyber security

okay why they respond why they respond they respond well because i really like i think that i can bring a lot to an organization and i really like seeing the organization change there's the c word change the c in cyber stands for change don't believe me come up we'll talk for hours the scene cyber stands for change now here's the problem as a red teamer very few organizations will actually do what you do who's written an executive summary come back a year later and cut and pasted the executive summary from year before does that feel good does it feel like you were a valuable member of the team did you affect change at the organization when you put your heart and

soul when it was two o'clock in the morning and you finally got root and then you told them and they didn't do shh stuff and you came back a year later and that box is still there and it's up time is 380 days does that feel good did you affect change so if you're joining to affect the capabilities of each of the roles and what it is that you want to do so many organizations the cizo reports to the cio the chief information officer the legit lady or gentleman that runs the entire i.t infrastructure of the organization their job is generally corporate they're adjacent to the developer team the cto runs the developer team the ctos

their job is to get code into prod so then you as the cisso or the person that's reporting to the sizzle you have no du jour authority to walk in to the cto side of the house and say hey we've got three oh days against you right now oh okay how much revenue is that impacting oh it's not cool then we're going to push that into two agile cycles and then the guys that are you know that wrote that code they're on a really important project so you're going to get the answer to fix the problem and it's going to be a band-aid patch and maybe we'll we'll do that but cool so if change is really what you want you

have to find a good organizational place to affect that change the culture of that organization has to be one of change and that comes down to you so that route can be really rough if you really like relationships then you know there's this whole other side of the organization the developer side the cto side of the house they drive revenue the purpose for the company is to make revenue and they are the ones that are going to move so if you're the cto side your life is like then as a vulnerability manager where you're constantly trying to fight and get things to happen and the other people don't want it because it's time yeah different things i think

um

okay ask your question you raised your hand you have to ask a question

so the question was in the cyber skills gap where does it actually sit um and and how is it impacting recruiters and things like that that's why we're starting to see cyber specific external recruiters come to market now we're starting to see people that actually have a background like me that were able to do it that's why i was able to be successful is because i i know the bits and bytes um internal hr usually still how to read it that's why that's why is the success that's why talking to people before you focus on processor profit is the way to win and if you are a hiring manager the most important relationship that you can have

in terms of with your more later good out of this today