Managing Partner, Caldwell Partners

The Chief Information Security Officer (CISO) job has changed significantly in the last couple of years. It has historically been more of a lower-level, tactical IT job, but now has become a higher-level strategic, business-oriented role around enterprise risk management. With that shift in the job responsibilities, the specifications have changed, and therefore how you write your resume should change accordingly.

This primer will provide guidance on how to write a winning resume to help land your next role as a strategic CISO. The most important thing is to demonstrate that you have what is required for today’s CISO position. As you look back through your career, think about how to translate your experiences into a story of what companies want today. Even if you have had that more technical bent in your previous roles, companies now are interested in your business acumen, your communication skills, and your leadership skills, including how to influence others—in other words, your “softer” skills.

With that in mind, here are some points you want to convey as you highlight your career history:

  • What you learned in your previous roles about leadership and management
  • How you demonstrated that you have strong business acumen and have used security strategies as a business enabler
  • How you helped your business colleagues manage their risk
  • How you used your influencing skills to get people to do things they didn’t necessarily want to do
  • If you are part of the management team, how you have demonstrated “executive presence,” such as presenting before the board or C-level executives
  • How you brought about positive change for your organizations

Tell a good story
The story that must come across is how you bridge the business and technical components of the role—how you are technical but also a leader and an executive manager. Be sure to highlight the experiences in each of your moves that were unique at the time. For example, “My team implemented the first cloud security program” or “I built the Security Operations Center from scratch.”
As a differentiator, you can seed your resume with trending hot topics that you have experience with, such as cloud security, privacy, artificial intelligence, machine learning, blockchain, and so on.
Otherwise, your resume should contain the standard fare with as much accuracy and transparency as possible: the companies you worked for, the dates, the job titles, your education. If you feel comfortable, talk about the reporting structure in your jobs, as in “I reported to the CIO.” List the specifics of what you managed. For example, “I managed a team of 20 people and we were responsible for the cybersecurity strategy, policies and operations.”
If you’ve had a lengthy career, the last 15 years in particular are the important ones. For the job roles prior to that, simply list the company, your job title and the dates. There’s no need for any other details about older jobs; they would just make the resume that much longer.
Speaking of length, try to keep your resume to two pages, three at the maximum. No one has time to read a five-page resume. The discipline of the economy of words will help you highlight the most meaningful information. Content is far more important than form.

Explain yourself, if necessary
If you have made a lot of moves in your career – what we call a “jumpy” career – you need to take extra care to explain the moves. In general, employers are wary of people who don’t stay in their jobs very long. For example, a change in companies might be the result of an acquisition, not an actual change in jobs. You might say, “I was at ABC company for 18 months and then XYZ company for 2 years, but it was all the same job. ABC was acquired by XYZ during my tenure.” Such an explanation shows that you are more stable than your resume may make you appear.
You want to list your education and any relevant additional courses, certifications or training. For example, “I attended the CISO Academy presented by the FBI,” or “I hold the CCISO certification.” If you didn’t earn a full college degree, it’s fine to mention that in the resume if you explain why. “I was in my fourth year of college when my father passed away. I left school to take care of my family, and I haven’t gone back to complete my degree.” It’s not important that you didn’t finish, as long as there is a good reason why.
Most people conclude their resume with the standard line “references upon request.” If you can, list the people who are your references—especially if you have someone who is well known and respected in the industry. People want to know who you are close to. It matters, so consider who you use for your references.

Beyond the resume
There are interesting aspects of your career that won’t go on your resume, but you should be prepared to talk about them if you get an interview: for instance, your motivations, what you are good at, what your strengths are, and what career lessons you took away from each job role you’ve had. These are great discussion points that you should bring up if the interviewer doesn’t ask.
Make sure your LinkedIn page is current with your experiences. In fact, I recommend you focus as much on your LinkedIn page as on your resume, as many recruiters and prospective employers will find you and learn about you online first before ever seeing your resume. You should be updating your LinkedIn profile every month to reflect the new things you are doing. Make it as real-time as you are. The people in your network matter, too, as employers might take this as a sign of your relevancy. Your network in security is really important because it takes a village to build a secure enterprise.
As you write/update your resume, keep in mind that employers want to see that you are on the right trajectory to be their next CISO. They want to see that you have progressed and learned and have had increasing levels of leadership and responsibility. If you tell a good story, you will be that much closer to the next big step in your career ladder.

Caldwell Partners is one of the world’s premier providers of executive search and has been for more than 45 years. Matt Comyns is managing partner of the firm’s Cyber Security Practice. His focus is on recruiting chief information security officers and next-level-down top lieutenants in information security for large global corporations and fast-growing private companies, as well as cyber security consultants for leading professional services firms and top executives for cyber security technology companies.