This topic has been percolating for the last four months. So, I am going to take the bull by the horns and address a potentially thorny issue: resume ethics and what that means for digital trust professionals.
Here’s the back story. It started with a post on LinkedIn. Let’s cut to the chase and show you that post (no names, just the post) by an executive leader in cybersecurity, four months ago:
“I let my CISM certificate expire. The $85 a year maintenance fee goes on takeaways, and the time spent listing my annual CPEs goes on Xbox.
If you want CISM—or any other cert—then go for it, but don't feel obliged to keep paying year after year. If you're worried about recruitment screening you can always keep it on your CV with the date you passed it—achieves the same thing without the annual tax.”
This post apparently resonated with quite a few folks. It got 411 “likes” and was reposted four times. It also engendered a number of comments. Many were pats on the back and affirmation that this guy had said what other people were apparently thinking.
But it also generated critical comments. Here is a reply from a CISO who weighed in:
“The annual fee is to support the certification regime, i.e., the system to maintain and log those CPEs and the audit process to make sure that certificate holders are actually maintaining their security knowledge. That's the thing I look for when someone has CISSP, CISM, etc. I'm looking for someone who continues to learn and develop themselves professionally, not someone who took an exam once upon a time. If a professional certificate is not maintained, it's not worth the space on your CV......plus most companies will pay your maintenance fees if it's relevant to your job.”
A cybersecurity director from a multinational company offered this comment:
"I have no issue at all as long as its status is clearly communicated. However, when choosing between two otherwise identical candidates, the applicant with the active certification will likely always win over the candidate with the expired cert. One thing I know—trying to represent an expired certification as valid will likely never get you the job at most organizations that care to check."
And here is the comment that I added to the thread at the time:
“Cybersecurity, IT audit, IT GRC are trust disciplines. A trust professional who offers up a resume that presents a certification with just the exam passed date, when in fact the cert has lapsed, is lying by omission.
With a fast read of the CV (7 seconds to one minute on average) where this detail is missed due to the lack of transparency, the applicant may get into the interview queue; perhaps even win an offer.
BUT, at whatever point the hiring leader realizes that there has been this misrepresentation of the facts or HR calls it out, it is a HUGE hit to the candidate's credibility. I have seen offers rescinded for this. Honesty and integrity are foundational in digital trust. Don't compromise yours.”
……………………………………………..
I have been thinking about this ever since. Research on how many people lie on resumes is shocking. Business Insider reported in February, 2023 that their recent survey of 1250 Americans showed that 72% of respondents said they had lied on their resumes.
The most common area for misrepresentation was educational credentials with 44% of respondents saying they had fudged on their resumes about their education.
There are other corroborating surveys. For example, CNBC reported in December 2020 on a survey conducted by StandOutCV of 1785 American adults that found that 55% of the respondents admitted to lying on their resume. In this survey, the area most lied about (55.4%) was experience.
One has to ask, what might be driving this? No doubt the answer is complex. Lots of factors are in play: ebbs and flows in the economy and the job market at large; regional job market fluctuations; the difficulty of getting a job without experience; and the quest for better pay, to name a few.
I would posit that a major driver is a three-fold frustration with automated recruiting, that is, those pesky Applicant Tracking Systems; the proverbial black hole of corporate on-line job portals; and the lack of response and feedback from recruiters (internal and external) and talent acquisition.
There are numerous articles on how to “beat” the ATS systems with key words and formatting, but without specific feedback on what is wrong with their resumes, candidates may be throwing up their hands and saying, “Let me just get in the door, and then they’ll see what a great fit I am for the role.” In fact, I have heard this from numerous candidates over the years.
In some fields, a bit of misrepresentation on a resume might be overlooked as harmless embellishment or the mistake of a naïve job seeker. What about digital trust? How do hiring leaders perceive a lapsed certification that is not identified as such; the inclusion of a degree that isn’t quite finished without that additional detail; experience that is not what it is stated to be; and other untruths?
I reached out to leaders in cybersecurity, IT risk, IT audit, privacy, and compliance for their input. Here are some things they shared.
First, when reading a resume, hiring leaders are looking for a story that holds together. Dates flow. Gaps are explained. Certifications have dates, and even better, certification numbers. Accomplishments and experience align with years, industries and type of jobs held. Resume content is specific and not at the 10,000-foot level or copy-pasted from a job description.
A degree that is listed as “in progress” or with an extended future date is viewed skeptically. The same is true for certifications that are listed as “in view” or with a future date that might be easily overlooked during a quick review.
These resume items trigger questions. They may also create the perception that the candidate is looking to make their experience look better than it is, which then causes the hiring leader to look more closely and skeptically at the resume generally.
Career history details that seem fuzzy or a little out of the ordinary do not necessarily throw the candidate out of consideration. However, they will engender a deeper dive during the interview.
Interviews are where the rubber meets the road. HR and talent acquisition typically weed out candidates in their prescreens based on legal right to work issues, degrees that aren’t completed or the lack of a required certification.
But, as many hiring managers said, those screening calls with talent acquisition don’t always catch everything. Hiring leaders look to go deeper. Not always in a short screening call, but definitely during longer interviews.
That’s not to say that interviews always surface the whole story, and there could be a time when a candidate skates through without the certification they say they hold or the degree that was listed.
The VP of cybersecurity at a medical technology company had this to say: “If someone states they have, say, an ISACA certification and I think it might be bogus, it’s real easy to check. I just ask them for their ISACA ID number. If they say they don’t know it, my response is, ‘That’s OK, you can log in. I’ll wait.’”
Which brings us to another way embellishing one’s experience can damage one’s professional reputation beyond a single interview. External recruiters are tasked with interviewing candidates and being able to present to their corporate clients with a candidate backgrounder or summary of career facts that is truthful. This is a big part of the service they perform for their clients.
If a recruiter’s candidate is interviewed and the client determines that the candidate’s experience or credentials are not what was stated, not only is the candidate out of consideration, but the recruiter’s reputation with the client will be damaged, too. You can bet that the recruiter will not work with that candidate in future. Why would the recruiter risk further reputational damage? The same goes for internal talent acquisition and HR. Once a lie or overstated experience is surfaced, it will be noted in the company’s candidate database and the candidate will be blocked in future.
As the head of IT risk for a global pharma company noted, “In a community of trust professionals, your reputation is your biggest asset—why would you put this at risk?”
Focusing specifically on putting a lapsed cert on the resume with simply the date the exam was taken—this was viewed as an outright lie. A couple of comments that sum up what many hiring leaders in digital trust had to say:
- From a cybersecurity executive at a major US bank: “A professional certification is the cost of play. Would you want your lawyer or your doctor to let their credentials and CPEs lapse?”
- From a senior controls director with a global financial services company: “If a candidate had attributed a certification to their experience on their resume that was either lapsed or they had not yet achieved, and that was discovered in the interview, that would be a no hire. In the controls space, integrity is one of the things we are supposed to be holding as a standard to the rest of the organization. Are we doing what we say we are doing?”
When it comes to digital trust, your word is your bond from the very beginning of the relationship with a company and hiring leaders, which is your submission of a factual, truthful resume that you can back up with examples and stand by as the truth. This is true globally.
Digital trust hiring leaders say it better than I ever could—here are some of their words of wisdom and guidance:
“How important is integrity? Very important! Cybersecurity professionals are entrusted with very sensitive information, pertaining to individuals and the organization. You have to trust that they will do the right thing even when no one is looking. The meaningful certifications in our industry carry a code of conduct that professionals must uphold.” (Director of Cyber Risk & Resilience, consulting)
“Your resume is a certification of your trustability. In Audit, you can’t break corporate rules even if you don’t agree with them. You have to be above reproach.” (Past IT Audit Manager, now a Cybersecurity Executive)
“If the person is willing to lie on their resume, what are they going to lie to me about at work? We are in the trust business. In the Trust professions, the trust component and culture runs really deep across the world. I would say it is universal. On a personal level, it boils down to your brand integrity. No matter where you are in the world, the community of trust professionals is really small. The lie will be found out and known.” (Global Head of Data Privacy, banking)
“Transparency is critical to trust. That’s what we talk about when we talk about building trust in the organization. The same holds true anywhere we are talking about trust. That means your resume too. A misrepresentation on your CV will eventually come back to haunt you. Why risk that? Why not be transparent? One lie leads to another, and before you know it, you are caught in a web of chaos. As a hiring leader, I don’t want people who are cavalier with the truth on my team. If we are global trust professionals, then the sense of integrity and trust has to be global. That’s why HR doesn’t lower their standards when hiring in different geographies.” (Global Head of Information Risk & Compliance, pharmaceutical manufacturing)
………………………………………………………………………………………………..
Many, many thanks to all the leaders in Digital Trust who contributed their thoughts. It takes the wisdom of the community to upskill and advance the profession.
A final note. We are halfway through year! Now is an excellent time for a bit of career hygiene.
> Are you keeping a project journal?
Here’s how: https://www.linkedin.com/pulse/best-career-gift-give-yourself-year-one-you-make-project-mcgaw/
> Have you updated your resume with your latest achievements?
> How about your LinkedIn Profile?
Got a resume question? Drop me a line: Caitlin@caitlinmcgaw.com