The Worst InfoSec Resume, Ever

I do quite a bit of InfoSec résumé reviewing and critiquing, both personally and professionally, so I’m repeatedly asked for tips on common problems. In order to ensure that these problems were not exclusive to me, I recently had a lengthy discussion  with a number of InfoSec professionals involved in hiring (thank you!). We discussed our “top 10” pet peeves when reading candidates’ résumés.

So without further ado, here is an illustrated example of some common problems we see on many résumés, and some suggestions about how to fix them.

(If these images are hard to view on your phone or at a specific resolution, you may click them to view them full screen.)



Hair Dryers, Hacking, and Us

In case you’ve been living under a rock for the past several days, IBM posted, then ultimately removed a video promoting STEM fields for women via “hacking hairdryers”, to a great deal of public outcry from STEM professionals. The unhappiness stemmed not only from perceived sexism, but also tremendously poor timing as the ad was released close to the anniversary of the École Polytechnique massacre of 1989.

I will apologize from momentarily veering away from my usual structured technical guides. However, I’d likely to briefly state my own experience and thoughts on the matter, because I feel there are a couple things that still need to be said.

Before I continue, I’d like to make it clear that I see no purpose in badmouthing IBM further regarding their campaign. I genuinely believe they meant well, and I have many exceptional friends (both male and female) employed in STEM fields there. I’m not offended by their campaign; I merely feel disappointment. The ad (probably generated by an unrelated advertising team) was symptomatic of what I perceive as a systemic misconception about how to interest girls and women (and in a larger sense, minorities) in STEM fields.

I’m fairly straightforward about my interests and experience on social media and my blog. I hope I have properly expressed over the years that I truly have keen interest and skill in an array of tech, without compromise. Tech isn’t merely a career for me – it’s something I live. I also publicly enjoy a fair number of things that are often traditionally categorized as ‘feminine’. I own a gratuitous amount of makeup. I enjoy subversively playing with the ‘sparkly’ and ‘pink’ tropes. I will admit that it took time for me to reconcile these things as a young adult. These things are not mutually exclusive, nor are they particularly interrelated apart from my persona.

I’m not a girl hacker – I’m a hacker. I am not a hacker because somebody taught me to hack on a pink keyboard. I learned to hack, code, and solder the same way most everyone else did. I don’t personally know any female hackers or technical professionals who state that they owe particular success or interest to being approached with anything pink, sparkly, or remotely associated with Barbie. Your mileage may vary.

I owe my skill at tech not to campaigns targeted at me as a girl, but to the fact that by the time that people told me that I could not do things because I was female I was already confident in my ability to do them. By the time my sixth grade science teacher reminded me to, “Remember what happened to Joan of Arc”, I had coded my first text based RPG and soldered circuit boards, and I had found that it was something I enjoyed.

My parents never gave me any presumption of advantage or disadvantage in life to being female. It had no bearing. There was an expectation that I would learn to play a musical instrument and appreciate fine arts, but also help fix the car or TV when they broke and have a solid fundamental understanding of science. My parents both firmly held the assumption these were things an informed human being should do. If I showed an interest in something beneficial, they encouraged it.

Outside of my immediate family, who I firmly believe were instrumental in me freely pursuing an interest in a variety of fields, I also can point directly to youth organizations like the Girl Scouts. Although I can absolutely name cases where I’ve seen them stoop to the same fallacy, even in the 80’s and 90’s, their youth programs still offered a wide array of science and tech teaching that was presented in a great, unbiased, non-condescending way. Our telescopes never needed to be sparkly. We just had to know that we were looking at Saturn through the eyepiece in a cramped observatory on a chilly night, and that was enough.

In my experience it’s absolutely an unfortunate reality that women and girls often do face negative pressures, preconceptions, and lack of encouragement from many sources when they demonstrate any real interest in science, technology, engineering, or mathematics. Trying to advertise these fields through gross gender stereotypes is probably not the way to fix this problem. The ability to excel comes from being told it’s OK to pursue almost any interest by the formative people in a child’s life. This includes family, teachers, mentors, and the community. It comes from being provided exposure to varied interests at a young age. We have to counter the societal negative pressures with positive encouragement for everybody.

Give the kids and young adults in your life the exposure and support to explore and pursue things they wish to.

Get involved with the many great organizations like Hak4Kids and DefCon Kids that provide so much education and motivation to youths.

If you’re able, mentor and sponsor people in your community who don’t have support to grow and learn in tech fields.

whois hacks4pancakes

Hi, I’m Lesley. It’s very nice to meet you. You might know me better as Hacks4Pancakes. I think it is high time I introduce myself.

I’m one of these index and I do this for a living:

Photo: Craig SjodinABC Studios ©2007 ABC Studios. All Rights Reserved.OK, not quite, it’s actually more like:indexwith a lot of tardisme

I have been working professionally in Information Security for about 8 years, and have been working in IT for about 15 years, interrupted by stints I spent doing other interesting things like this:

lesley 3

My current profession is leading a digital forensics and incident response team, which sounds exciting and glamorous but mostly means I get to stay up late watching loading bars pensively, and going through deleted internet browsing history looking for bad stuff and figuring out what malware did. It’s what I wanted to be when I grew up if I couldn’t be on the SWAT team, though, so I’m pretty happy.

I also do a lot of this:


I study three martial arts on a (very) dedicated basis and attend seminars as often as I can to gain exposure to other weapons and styles. I also teach firearms classes and enjoy some friendly pistol marksmanship competitions.

The rest of my not so exorbitant free time is spent going to infosec meetups, gaming, reading, meditating, and watching science fiction. I love going to science fiction conventions, and still enter costume competitions with my best friend. Last year I spent 6 hours airbrushing her grey.

I have lots of good friends who also do this:


OK, it’s really more like:


Which is still pretty damn cool.

A whole boatload of people follow me on here: index. I’m not exactly sure why, but I’m pretty sure it’s for my highly serious commentary on the current state of cybersecurity affairs.

So why am I blogging?

When I originally wanted to get into computer forensics, I called something like 30 police departments and colleges for advice, but nobody had heard of the field yet. Still others demanded I have exposure to highly specialized and expensive tools to gain an entry level job. It took years of hard work and a great network of friends in security for me to finally make it into the career I love. On the way, I found I’m pretty good at the sister field, Incident Response, which means organizing the efforts out how computer and computer networks were hacked, what was taken, and how to stop it from happening again. You’ll often see the fields combined and abbreviated as DFIR: Digital Forensics and Incident Response.

Anyway, my problematic experience breaking into infosec means that I always try to go out of my way to help people who are new to the field or interested in learning more about security. I speak regularly and infosec and non infosec conventions about hacking. I write security basics blogs and ebooks which are posted by my employer, as well as helping students interview for their first jobs in the field when I can. I am hoping the blog becomes a resource for more advanced infosec students and professionals who are trying to learn more about DFIR and how to implement associated programs.

I do hope you enjoy my blog and please feel free to let me know what you’d like me to discuss or assist with.

– Lesley

Excuse me I have fallen off the blog boat

A long time ago, in a galaxy far far away, I worked as a SQL developer for a ecommerce company in the 90’s. The commercial internet was relatively new and shiny, hacker culture was in full swing, and even slightly irritating gothy kids could get work in the dot com boom and go to parties straight out of the Matrix with pretty horrible rave music. It was there that I made my first real life connections in the Chicago hacker scene and went from a rather insular computer life to the exciting new uses for the internet.

A colleague approached my friends and I with a novel concept – we were going to start journaling on a private website, writing out our youthful angst and the various horrible things we did to Linux and Windows 9x. Of course, the term ‘blog’ had not been coined yet, and even ‘weblogs’ were pretty unknown. So, we wrote, and wrote. Insomuch I’m a bit glad this was long before the existence of web archiving and I’m a bit glad I can’t read my complaints about school and family. I remember one harrowing birthday where I wrote what seemed to me to be the most profound thing I had ever written, and lost power mid post. (This was also before the existence of drafts or autosave!)

I can’t recall when it all stopped. The dot com bust ruined the glamour of the internet that had no limits – the one that ran in dark rooms blasting Orbital on servers maintained by long haired Linux geeks from 2600.

Many years later, I occasionally considered returning to blogging. I wrote some articles, short stories, and regular infosec articles for my employers. But, I’d never considered until this point that I have anything worthwhile to blog to the community. The internet is full of blogs now. Billions of stories about everything from human rights to breakfast. An archive of an entire society and our human knowledge, (good, bad, and everywhere in between).

But the fact is, my lovely friends have pestered me about posting some stories, articles, and guides in longer form, so I’ve decided to start this blog to share mostly infosec related research and tools I’ve developed over the years. You can still find my regular security basics blogs at Motorola Solutions Fresh Ideas in Public Safety. I’ll use this as a platform to share more in depth resources as they come along.

Thank you for visiting and for your requests!