You’ve got your computer science degree from a prestigious university, a couple of security certifications that you earned the summer after you graduated, and almost a year’s experience working with a set of alert monitoring tools for a small company. In your spare time, you volunteer at the local animal shelter.

You like your job, but you’d prefer to work remotely, and you’d ultimately like to move into more of a compliance role. The question is, what’s the best way to pull together a resume that will catch a hiring manager’s eye and ensure a good job match?

No matter what your situation is, here are the aspects of your education, skills, and experience to highlight to ensure your resume stands out in the crowd.

Focus on processes over tools

Security analyst candidates often list the different tools or standards they know, but more useful to hiring managers are the security processes and activities candidates have had experience with, says Peter Gregory, senior director for cybersecurity at GCI Communication Corp. in Anchorage, Alaska, and former cybersecurity advisor.

Examples include analyzing and triaging security alerts, performing risk analysis, or coordinating and facilitating internal and external audits.

“An analyst who lists some tools is telling me they know how to navigate and operate the tool, but do they know why they were doing it, or were they simply doing things by rote?” Gregory asks. “But a security analyst who talks about functions they’ve performed suggests they understand the process—the work beyond the tools.”

It’s a lot easier, Gregory says, to train someone on a new tool than on a new process. “If they have experience on tool A and I use tool B but they’re familiar with the process, I’ll train them on tool B,” he says.
“Training on process is a bigger lift than training on tools.”

It may be a good idea to list tools toward the end of the resume to be noticed by automated resume screening systems that would reject the resume otherwise, he adds.

Estimate the percent of time spent on key tasks

Even better, says Deidre Diamond, founder and CEO of CyberSN, a cybersecurity jobs and career marketplace, is conveying how much time you’ve spent on various activities. If you’ve spent 40% of your time in the last two years on vulnerability testing and 10% of your time performing internal security audits, the hiring manager will have a better understanding of whether the role is a match for your experience prior to the interview.

This is particularly true for a role like security analyst, which can vary greatly from company to company, Diamond says. “Security analysts work on many different levels of tasks and projects, depending on company size, industry, which data they’re protecting, and whether it’s a public or private company or in the government sector,” she says. “Even though it says security analyst all over the resume, and they’re applying to a security analyst job, there could be a one in 20 chance it’s not the security analyst role that’s a match.”

Hands-on experience is a must

Employers increasingly expect to see hands-on experience, says Keatron Evans, principal security researcher at security education provider InfoSec. “Have you done packet capture analysis? Can you understand and parse logs or done incident response in the cloud? It’s important to have that kind of demonstrable hands-on experience verbalized in a resume,” he says.

The expectation is high because even if you haven’t held a security analyst job, hands-on experience can be acquired in other ways today, such as training exercises offered by companies like InfoSec, Immersive Labs, and Pluralsight.
“Before, training was mostly certificate-driven—it wasn’t geared toward proving you can do these things,” Evans says. “Now there’s simulation in the training environment, which is turning into a good gateway to get your foot in the door.” If candidates can send a five-minute screen capture of themselves performing a task, “it’s worth more than a thousand words,” Evans says.

Capture-the-flag (CTF) events are another highlight to include. If you’ve placed well in a well-known CTF or completed a penetration test, put that at the top of the resume as well, he says.

In one case, Evans hired a candidate who had a bachelor’s degree in history and no formal cybersecurity experience but had created a personal website herself from scratch and included the URL on her resume. “It demonstrated things she’d figured out on her own and took upon herself to learn. It piqued my interest,” he says.

Aim for the cloud

If any of the roles or activities on the resume include the word “cloud,” that’s resume gold, according to Evans. “So many companies jumped to the cloud without a plan so there’s a big rush to get people who can do incident response in the cloud, and there are very few of us,” he says. Having cloud experience “will automatically get you pulled out of the resume pile.”

Even if it’s not geared toward incident response or log analysis or a similar security analyst type of role, any cloud experience will make a candidate more attractive because they’ll likely learn applicable cloud incident response and cloud security principles faster than someone without any at all, Evans says.

Don’t overlook volunteer activities

What you do outside of cybersecurity can say a lot about you, especially if you haven’t had the chance to exercise certain skills in a formal job role.
In particular, volunteer work can help demonstrate soft skills like “initiative” or “organizational skills” that can come across as trite descriptors on a resume. “What I want to see is initiative—not the word on the resume but something that shows me you volunteered for this, came up with this idea, and then did it. It’s something you can’t train for,” Gregory says.

For example, an experience like reorganizing the filing system for a local nonprofit should be pulled forward on the resume, Gregory says. “In cyber, most organizations are way behind the curve in trying to make order out of chaos, so it’s a good trait to have—the ability to organize, create a process or procedure, formalize something, make it better.”

Volunteer work is also a way to gain hands-on cyber experience. Nonprofits are always looking for cybersecurity help for a low fee or for free, Evans says. Candidates who can say they’ve set up firewalls or done a cloud migration for an actual organizational entity will create a good path for themselves; Evans even suggests invoicing for the work (even if it’s $0 charge) and asking a lawyer to draw up a contract. “It shows you know how to get things done, which matters a lot,” he says.

Consider including salary, visa, and location requirements

Job candidates may fear being passed over if they admit their desire or need to work remotely, earn a particular salary, or be sponsored for a visa. However, they might want to consider including this information if it would be a showstopper for accepting a job offer.

“Why waste time when the money isn’t correct? How many people aren’t the right match because the employer won’t sponsor their citizenship?” Diamond asks.
The goal, after all, is to have a productive conversation, and including these showstoppers “enables the employer to screen for all that.”

Including a salary requirement may be more relevant for those with more experience vs. someone seeking entry-level employment, Diamond adds. “Those with experience know what salary numbers will work for them, so employers and professionals stating their salary expectations can save a lot of time.”

List the certifications and skills you’re pursuing, not just the ones you have

The desire to continuously learn is essential for any cybersecurity candidate, and one way to show that is to make clear what your goals are and how you’re moving toward them. “The better candidates are playing the long game,” Gregory says. “They have career aspirations and want to grow and be in a bigger job someday.”

Resumes can express that by including certifications and skills you’re working toward and—in your “objective” paragraph—some specifics on your short- and long-term goals. “Be honest about what you want to do, where you are now, and where you want to be,” Gregory says.

Keep in mind that if you really want to move into an area like compliance but are applying to a SOC job, it might indicate you just need a job—any job. You should be sure there’s room for that type of growth where you’re applying and other indicators on your resume that show you’ve taken measures to move into that area.

Prioritize experience over education credentials

For most hiring managers, a four-year degree is secondary to a candidate’s actual experience. The need for cyber skills is so acute that companies are increasingly dropping the requirement for a degree and valuing candidates who can hit the ground running. “Employers are flexible on education and certifications if you have experience,” Diamond says.
While a degree might be a must-have at the executive level, “until then, it’s about experience, and everything else is secondary.”

Listing a two-year degree can be valuable because, compared with a four-year degree, they can be more aligned with real-world needs. “They’re more adaptable, and there’s not a lot of filler,” Evans says.

At the same time, those just entering the job market should include any degree they’ve earned, even if just to show completion of a challenging goal. “It shows maturity and the ability to do something hard that takes a long time,” Gregory says. “If you’re more than 15 years into your career, I look more at experience than education.”

Certifications are still valued by many hiring managers and are a worthy companion to a four-year degree. When Evans hired the history major, he took note of the fact that she’d earned two entry-level certifications, Network+ and Security+, in less than a year out of college. “I don’t over-value certifications typically, but she was ahead of a lot of people with a computer science degree,” Evans says.