Information Security Manager ATS Optimization Checklist: Get Your Resume Past the Filters and Onto the CISO's Desk

Last reviewed March 2026

The Bureau of Labor Statistics projects 15% employment growth for computer and information systems managers through 2034 — nearly four times the average for all occupations — with approximately 55,600 openings annually and a median salary of $171,200 [1]. Meanwhile, ISC2's 2024 Cybersecurity Workforce Study found the global cybersecurity workforce gap hit 4.8 million unfilled positions, a 19.1% increase from the prior year [2]. Despite this acute talent shortage, qualified information security managers still fail to land interviews. The reason is mechanical, not meritocratic: over 98% of Fortune 500 companies route applications through Applicant Tracking Systems, and 75% of resumes never reach a human reviewer [3]. Your CISM credential, your GRC program leadership, and your ISO 27001 audit experience are invisible if the ATS cannot parse, match, and rank your resume against the job requisition.


Key Takeaways

  • ATS platforms score information security manager resumes on keyword density, contextual usage, and section structure — listing "risk management" once in a skills block scores lower than weaving it through your summary, experience bullets, and certifications section.
  • Include both the full certification name and acronym for every credential (e.g., "Certified Information Security Manager (CISM) — ISACA") because ATS keyword matching is literal and may search for either form.
  • Name specific tools, frameworks, and standards — "Splunk Enterprise Security," "NIST CSF 2.0," "ISO 27001:2022" — rather than generic categories like "SIEM" or "compliance frameworks."
  • Quantify every work experience bullet with metrics: risk reduction percentages, audit findings closed, budget managed, incidents contained, team size led. ATS ranking algorithms score contextual keyword usage higher than keyword-only lists.
  • Tailor your resume for each application by mirroring the exact language from the job posting — 90% of organizations report skills shortages on their security teams, and each posting reflects the specific gaps that hiring manager needs filled [2].

How ATS Systems Screen Information Security Manager Resumes

Applicant Tracking Systems do not evaluate your resume the way a VP of Security does. They parse, tokenize, and score. Understanding these mechanics is the prerequisite to beating the filter.

Parsing: Extracting Structured Data From Your Document

The ATS converts your resume into structured fields: contact information, work history, education, skills, and certifications. Information security manager resumes create unique parsing challenges because the field relies on dense acronyms (GRC, SIEM, SOC, IAM, DLP, SOAR), framework references with version numbers (NIST CSF 2.0, ISO 27001:2022, COBIT 2019), and certification strings (CISM, CISSP, CRISC, CISA).

Two-column layouts, text boxes, or embedded graphics cause the parser to scramble or drop sections. "ISACA CISM (2023)" in a dedicated Certifications section parses cleanly. That same credential buried in a paragraph may never reach the certification field.

Keyword Matching: Exact Strings and Weighted Scoring

Enterprise ATS platforms — Workday, Greenhouse, Lever, iCIMS, Taleo — use a combination of exact keyword matching and weighted scoring against the job requisition. Recruiters configure required and preferred qualifications when building the req. The ATS scores each resume on how many of those qualifications appear and where they appear.

For information security manager positions, this means:

  • Hard requirements (knock-out criteria): Certifications like "CISSP" or "CISM," minimum years of management experience, specific clearance levels for government-adjacent roles.
  • Weighted skills: Frameworks and tools — "ISO 27001," "NIST 800-53," "Splunk," "CrowdStrike" — that increase your ranking score proportionally.
  • Contextual phrases: "Developed enterprise information security strategy" scores higher than "information security" as an isolated keyword because the ATS detects management-level context around the term.

Ranking: Where You Land in the Stack

After parsing and scoring, the ATS ranks all applicants. Recruiters typically review the top 10–25%. For a security manager posting at a Fortune 500 — where a single req can attract 150–300 applications — the difference between the 80th and 55th percentile is the difference between a call and silence.

The algorithm weighs recency (recent leadership roles score higher than old IC positions), relevance (management titles outperform generic IT titles), and distribution (keywords spread across multiple sections score better than keywords concentrated in one block).


25+ Critical ATS Keywords for Information Security Manager Resumes

O*NET classifies information security managers under SOC code 11-3021.00 (Computer and Information Systems Managers), listing knowledge areas including administration and management, computers and electronics, and customer and personal service [4]. The following keywords reflect what hiring managers configure in ATS requisitions for this role.

Governance, Risk, and Compliance (GRC)

  • Information Security Program Management
  • Governance, Risk, and Compliance (GRC)
  • Enterprise Risk Management (ERM)
  • Risk Assessment and Risk Mitigation
  • Security Policy Development
  • Regulatory Compliance (SOX, HIPAA, PCI DSS, GDPR, CCPA)
  • Audit Management (internal and external)
  • Third-Party Risk Management (TPRM)
  • Business Continuity Planning (BCP)
  • Disaster Recovery (DR)

Technical Security Operations

  • Security Information and Event Management (SIEM) — Splunk, IBM QRadar, Microsoft Sentinel, LogRhythm
  • Endpoint Detection and Response (EDR) — CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint
  • Identity and Access Management (IAM) — Okta, CyberArk, SailPoint, Azure Active Directory
  • Data Loss Prevention (DLP)
  • Cloud Security — AWS Security Hub, Azure Security Center, Google Cloud Security Command Center
  • Vulnerability Management — Nessus, Qualys, Rapid7 InsightVM
  • Penetration Testing Program Management
  • Security Operations Center (SOC) Oversight
  • Zero Trust Architecture
  • Security Orchestration, Automation, and Response (SOAR)

Frameworks and Standards

  • NIST Cybersecurity Framework (CSF 2.0)
  • ISO 27001:2022 / ISO 27002
  • NIST SP 800-53
  • CIS Controls (v8)
  • COBIT 2019
  • MITRE ATT&CK Framework
  • CMMC (Cybersecurity Maturity Model Certification)
  • SOC 2 Type II

Leadership and Strategy

  • Security Budget Management
  • Vendor Management and Procurement
  • Cross-Functional Stakeholder Communication
  • Board-Level Security Reporting
  • Security Awareness Training Program
  • Incident Response Program Leadership
  • Security Architecture Review
  • Team Building and Talent Development

Resume Format Requirements for ATS Compatibility

Formatting errors silently destroy qualified information security manager resumes. A candidate with 10 years of GRC leadership and a CISM can be rejected before scoring begins if the ATS cannot parse the document.

File Format

  • Submit as .docx unless the posting explicitly requests PDF. Legacy ATS platforms (Taleo, some Workday configurations) parse .docx more reliably.
  • Never submit .pages, .odt, or image-based PDFs.
  • If submitting PDF, confirm it is text-based (you can select and copy text).

Layout and Structure

  • Single-column layout only. Columns, sidebars, and infographic layouts break ATS parsing.
  • Standard section headers: "Professional Summary," "Professional Experience," "Education," "Certifications," "Technical Skills." Creative alternatives will not map to ATS fields.
  • No tables for core content. Never use tables for work history or education — many ATS platforms skip table content entirely.
  • No text boxes, headers/footers, or embedded images. ATS parsers ignore these elements.

Fonts, Dates, and Naming

  • Standard fonts: Calibri, Arial, Cambria, or Times New Roman at 10–12pt.
  • Consistent date format: "Jan 2021 – Present" throughout. Do not use numeric-only dates (01/2021).
  • File name: FirstName-LastName-Information-Security-Manager-Resume.docx.

Before/After Work Experience Bullet Examples

Each bullet must follow the Action Verb + Scope + Tool/Method + Quantified Result structure. Information security manager resumes fail when bullets describe responsibilities instead of outcomes. ATS ranking improves when keywords appear in context with measurable impact.

1. Security Program Leadership

  • Before: "Managed the information security program for the organization."
  • After: "Built and directed an enterprise information security program spanning 14,000 endpoints and 3 business units, achieving ISO 27001:2022 certification within 18 months and reducing critical audit findings by 72%."

2. Risk Management

  • Before: "Conducted risk assessments for the company."
  • After: "Led quarterly enterprise risk assessments across 45 business applications using NIST CSF 2.0, identifying and remediating 38 critical risks that reduced residual risk score by 41% year-over-year."

3. Team Leadership

  • Before: "Managed a team of security professionals."
  • After: "Recruited, mentored, and managed 16 security professionals (analysts, engineers, GRC specialists) across 3 time zones, reducing turnover from 35% to 8% over 2 years."

4. Incident Response

  • Before: "Oversaw incident response activities."
  • After: "Established and led a 24/7 incident response program that contained 340+ security incidents annually, reducing mean time to containment (MTTC) from 96 hours to 12 hours and achieving zero reportable data breaches over a 3-year period."

5. Budget Management

  • Before: "Responsible for the security budget."
  • After: "Managed a $4.2M annual information security budget, negotiating vendor contracts that reduced tooling costs by 23% ($960K savings) while expanding EDR coverage from 60% to 98% of endpoints through CrowdStrike Falcon deployment."

6. Compliance Program

  • Before: "Ensured compliance with regulations."
  • After: "Designed and executed compliance programs for SOX, HIPAA, and PCI DSS across 8 subsidiaries, achieving 100% pass rate on 12 consecutive external audits with zero material findings."

7. SIEM Operations

  • Before: "Managed the SIEM platform."
  • After: "Oversaw Splunk Enterprise Security deployment processing 2.5TB of daily log data from 200+ sources, tuning correlation rules that reduced false positives by 55% and improved mean time to detect (MTTD) from 48 hours to 4 hours."

8. Vendor and Third-Party Risk

  • Before: "Managed vendor security assessments."
  • After: "Implemented a third-party risk management program evaluating 180+ vendors annually using standardized security questionnaires and SOC 2 report reviews, identifying and remediating 24 critical supply-chain risks before contract renewal."

9. Security Awareness

  • Before: "Ran the security awareness training program."
  • After: "Redesigned the enterprise security awareness program for 8,500 employees, deploying quarterly phishing simulations through KnowBe4 that reduced click-through rates from 22% to 3.1% and drove a 67% increase in employee-reported suspicious emails."

10. Cloud Security

  • Before: "Worked on cloud security initiatives."
  • After: "Developed and enforced cloud security policies for a multi-cloud environment (AWS, Azure) supporting 120+ production workloads, achieving CIS Benchmark compliance across 95% of resources and reducing cloud misconfiguration incidents by 80%."

11. IAM Program

  • Before: "Managed identity and access management."
  • After: "Led enterprise IAM transformation migrating 12,000 users to Okta SSO and CyberArk PAM, enforcing least-privilege access that reduced excessive permission grants by 74% and eliminated 3 standing audit findings."

12. Policy Development

  • Before: "Wrote security policies."
  • After: "Authored 35 information security policies and 60 supporting standards aligned to ISO 27001:2022, passing external certification audit with zero nonconformities."

13. Board Reporting

  • Before: "Reported security metrics to leadership."
  • After: "Presented quarterly cybersecurity risk briefings to the Board of Directors, translating technical KPIs (MTTD, MTTC, vulnerability closure rates) into business risk language that secured a 30% increase in security investment."

14. SOC Oversight

  • Before: "Managed the Security Operations Center."
  • After: "Directed a 24/7 SOC staffed by 22 analysts processing 15,000+ daily alerts via Microsoft Sentinel, implementing SOAR playbooks that automated 65% of Tier 1 triage and shifted analyst capacity toward advanced threat hunting."

15. Penetration Testing

  • Before: "Coordinated penetration testing."
  • After: "Managed annual penetration testing program across 50+ in-scope systems with 3 independent firms, coordinating remediation of 120 findings with a 95% closure rate within 30-day SLAs."


Skills Section Strategy

Structure your skills section for both ATS parsing and human scanning. Use categorized, comma-separated lists — this format parses cleanly in every major ATS platform.

Hard Skills (Technical Competencies)

GRC Platforms: ServiceNow GRC, RSA Archer, OneTrust, LogicGate
SIEM: Splunk Enterprise Security, IBM QRadar, Microsoft Sentinel, LogRhythm
EDR/XDR: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR
IAM: Okta, CyberArk PAM, SailPoint IdentityNow, Azure Active Directory, Ping Identity
Vulnerability Management: Nessus, Qualys VMDR, Rapid7 InsightVM, Tenable.io
Cloud Security: AWS Security Hub, Azure Security Center, Google Cloud SCC, Prisma Cloud, Wiz
DLP: Symantec DLP, Microsoft Purview, Digital Guardian
Frameworks: NIST CSF 2.0, ISO 27001:2022, NIST SP 800-53, CIS Controls v8, COBIT 2019, MITRE ATT&CK
Compliance: SOX, HIPAA, PCI DSS, GDPR, CCPA, FedRAMP, SOC 2 Type II, CMMC
Scripting: Python, PowerShell, Bash

Soft Skills With Context

Do not list bare soft skills. Provide context that demonstrates each skill:

  • Executive communication — quarterly Board and C-suite cybersecurity risk presentations
  • Cross-functional collaboration — partnered with Legal, HR, IT Operations, and Engineering
  • Strategic planning — developed 3-year security roadmaps aligned to business objectives
  • Talent development — built career paths reducing team attrition from 35% to under 10%
  • Stakeholder management — translated technical risk into business-impact language for executives
  • Crisis leadership — directed executive response during active breach scenarios

Certifications With Issuing Organizations

List every certification with full name, acronym, issuing body, and year. ATS platforms parse certification sections separately and match against required qualification fields.

Certified Information Security Manager (CISM) — ISACA, 2022
Certified Information Systems Security Professional (CISSP) — ISC2, 2021
Certified in Risk and Information Systems Control (CRISC) — ISACA, 2023
Certified Information Systems Auditor (CISA) — ISACA, 2020
CompTIA Security+ (SY0-701) — CompTIA, 2024
GIAC Security Leadership Certificate (GSLC) — SANS Institute, 2023
Certified Cloud Security Professional (CCSP) — ISC2, 2023
ISO 27001 Lead Auditor — BSI / IRCA, 2022

CISM is held by over 48,000 professionals worldwide and was named Best Professional Certification Program in the 2025 SC Awards [5]. CISSP holders exceed 165,000 globally [6]. These certifications function as hard ATS filters in the majority of security management requisitions.


7 Common Information Security Manager ATS Mistakes

1. Using "Cybersecurity" and "Information Security" Interchangeably Without Both Forms

ATS keyword matching is literal. If the job description says "information security manager" and your resume exclusively uses "cybersecurity manager," you may not match. Use both "information security" and "cybersecurity" at least once each. The same applies to "InfoSec" — include it as a variant.

2. Listing Frameworks Without Versions or Specificity

"NIST" alone is vague. The ATS may be searching for "NIST CSF 2.0," "NIST SP 800-53 Rev. 5," or "NIST SP 800-171." List the specific framework version you worked with. Similarly, "ISO 27001" is good; "ISO 27001:2022" is better and signals currency.

3. Describing Responsibilities Instead of Results

"Responsible for managing the security team" contains one keyword and no evidence of effectiveness. "Directed a 16-person security team that reduced incident response time by 75% and achieved ISO 27001 certification in 14 months" contains six keywords and proves impact.

4. Omitting Budget and Team Size Metrics

ATS requisitions frequently include qualifiers like "managed a team of 10+" or "budget responsibility of $2M+." If you do not include your budget range and team headcount, you may fail these numeric filters entirely.

5. Burying Management Experience Below Technical Skills

If your resume leads with deeply technical bullets and buries management experience, the ATS may rank you as an individual contributor. Lead with management-level accomplishments in both your summary and most recent role.

6. Using Acronyms Without Defining Them at Least Once

Spell out GRC, SIEM, EDR, DLP, IAM, and other domain acronyms on first use, followed by the acronym in parentheses. ATS systems may search for either form.

7. Failing to Tailor for Industry-Specific Compliance Requirements

Healthcare organizations filter for HIPAA and HITECH. Financial services filter for SOX, GLBA, and SEC cybersecurity disclosure rules. Government and defense filter for FedRAMP, FISMA, and CMMC. Mirror the compliance language from each posting.


Professional Summary Examples

Entry-Level Information Security Manager (5–7 Years Experience)

CISSP and Security+-certified Information Security Manager with 6 years of progressive cybersecurity experience, including 2 years leading a team of 8 analysts and GRC specialists. Built vulnerability management and incident response programs for a 5,000-endpoint environment, reducing critical vulnerabilities by 58% and achieving SOC 2 Type II attestation. Experienced in NIST CSF implementation, KnowBe4 security awareness training, and quarterly risk assessments. Managed a $1.2M security budget with C-suite KPI reporting.

Mid-Career Information Security Manager (8–12 Years Experience)

CISM and CISSP-certified Information Security Manager with 10 years directing enterprise security programs for 10,000–25,000-endpoint organizations across healthcare and financial services. Led 14 security professionals with a $3.5M annual budget. Achieved ISO 27001:2022 certification, maintained HIPAA compliance across 6 business units, and reduced MTTD from 72 hours to 6 hours through Splunk SIEM optimization. Partnered with Legal, HR, and Engineering on third-party risk management and security architecture review.

Senior Information Security Manager / Director-Track (12+ Years Experience)

CISM, CISSP, and CRISC-certified Senior Information Security Manager with 15 years building and scaling enterprise security programs from startup to Fortune 500. Directing a 22-person global security organization with a $6.8M budget across SOC operations, GRC, vulnerability management, and application security. Reduced organizational risk posture score by 45% over 3 years with zero reportable breaches. Delivered quarterly Board-level briefings that secured $2.4M in incremental investment. Deep expertise in multi-framework compliance (SOX, HIPAA, PCI DSS, GDPR) and cloud security architecture (AWS, Azure).


40+ Action Verbs for Information Security Manager Resumes

Leadership and Strategy: Directed, Led, Established, Built, Oversaw, Championed, Spearheaded, Orchestrated, Governed, Chaired

Program Management: Implemented, Deployed, Launched, Administered, Maintained, Scaled, Standardized, Streamlined, Consolidated, Integrated

Risk and Compliance: Assessed, Evaluated, Audited, Remediated, Mitigated, Enforced, Certified, Validated, Investigated, Documented

Technical Operations: Configured, Tuned, Automated, Monitored, Detected, Contained, Eradicated, Recovered, Architected, Hardened

Communication and Influence: Presented, Briefed, Communicated, Trained, Educated, Advocated, Negotiated, Collaborated, Translated, Advised


ATS Optimization Checklist

Print this. Use it before every application.

Format and Structure

  • [ ] Resume saved as .docx (or text-selectable PDF if explicitly required)
  • [ ] Single-column layout with no sidebars, text boxes, or graphics
  • [ ] Standard section headers: Professional Summary, Professional Experience, Technical Skills, Certifications, Education
  • [ ] No tables used for work history or education sections
  • [ ] Contact information in the document body, not in headers or footers
  • [ ] File named FirstName-LastName-Information-Security-Manager-Resume.docx
  • [ ] Standard font (Calibri, Arial) at 10–12pt
  • [ ] No embedded images, logos, or icons
  • [ ] Consistent date format throughout (e.g., "Jan 2021 – Present")

Keywords and Content

  • [ ] 25+ information security keywords from the job description included
  • [ ] Keywords distributed across summary, experience, skills, and certifications sections
  • [ ] Both "information security" and "cybersecurity" forms used at least once
  • [ ] "InfoSec" included as an additional keyword variant
  • [ ] Specific framework versions referenced (NIST CSF 2.0, ISO 27001:2022, NIST 800-53 Rev. 5)
  • [ ] SIEM platform(s) named specifically (Splunk, QRadar, Sentinel — not just "SIEM")
  • [ ] EDR/XDR tool(s) named specifically (CrowdStrike, SentinelOne — not just "EDR")
  • [ ] IAM platform(s) named (Okta, CyberArk, SailPoint — not just "IAM")
  • [ ] Compliance standards listed (SOX, HIPAA, PCI DSS, GDPR, SOC 2 — as relevant)
  • [ ] Both full certification names and acronyms included for every credential

Professional Summary

  • [ ] Contains target job title keywords ("Information Security Manager")
  • [ ] Specifies total years of experience and years in leadership
  • [ ] Names 2–3 key frameworks, tools, or standards
  • [ ] Mentions top certification(s) (CISM, CISSP)
  • [ ] Contains at least one quantified achievement
  • [ ] Includes team size and budget figure

Work Experience

  • [ ] Each bullet follows Action Verb + Scope + Tool/Method + Result structure
  • [ ] Metrics included: team size, budget managed, risk reduction %, audit pass rates, incident metrics
  • [ ] Most recent role listed first with 5–8 detailed bullets
  • [ ] Management-level accomplishments lead before technical details
  • [ ] Job titles match or closely align with target role terminology

Certifications

  • [ ] Listed in a standalone "Certifications" section
  • [ ] Each entry includes full name, acronym, issuing body, and year
  • [ ] Certifications ordered by relevance to the target role (CISM/CISSP first)
  • [ ] Active/current status indicated

Tailoring

  • [ ] Resume customized for this specific job posting
  • [ ] Industry-specific compliance frameworks highlighted (healthcare → HIPAA, finance → SOX, government → FedRAMP)
  • [ ] Skills section reordered to lead with the posting's most-emphasized requirements
  • [ ] Security clearance level included if the role requires one
  • [ ] Terminology mirrors the exact phrasing from the job description

Frequently Asked Questions

What is the difference between an Information Security Manager and a CISO, and how should I position my resume?

The Information Security Manager owns operational execution — managing teams, running GRC operations, overseeing SOC performance, and ensuring compliance. The CISO sets strategic security vision and reports to the board. For manager-level roles, emphasize program execution, team headcount, budget stewardship, and measurable operational outcomes. For CISO-track positioning, add board-level reporting and strategic roadmap development. The BLS reports a median of $171,200 for this SOC code (11-3021), with the top 10% exceeding $239,200 [1].

How much does the CISM certification affect ATS ranking?

CISM is frequently configured as a hard filter in ATS requisitions for security management roles. The average U.S. salary for CISM holders is approximately $155,000 [7]. When a recruiter sets "CISM: Required," resumes without that exact string are filtered before ranking begins. Even when listed as "preferred," CISM provides significant ATS score uplift. Always list it in a dedicated Certifications section: "Certified Information Security Manager (CISM) — ISACA, [Year]."

Should I list technical hands-on skills if I am applying for a management role?

Yes — but frame them as management-level competencies. "Configured Splunk correlation rules" sounds like an analyst. "Oversaw Splunk Enterprise Security deployment processing 2.5TB daily across 200+ log sources, tuning detection policies that reduced MTTD by 90%" sounds like a manager who drives measurable outcomes. Include technical skills in your skills section for ATS keyword matching, and demonstrate management-level command of those technologies in your experience bullets.

How long should an Information Security Manager resume be?

ATS platforms parse the full document regardless of length — they do not penalize page count. For security managers with 8+ years of experience, two pages are standard. You need space for management metrics (team size, budget, program scope), compliance achievements, certifications, and a categorized skills section. Do not truncate substantive leadership experience to force a single page, and do not pad with filler. Every line must contain either a keyword, a metric, or both.

How do I tailor my resume for different industries without rewriting it from scratch?

Build a master resume, then create industry variants by adjusting three sections. First, your professional summary: swap in the industry's compliance requirements (HIPAA for healthcare, SOX/GLBA for financial services, FedRAMP/CMMC for government/defense). Second, your skills section: reorder so industry-relevant frameworks appear first. Third, your experience bullets: surface the 2–3 bullets per role that address the target industry's pain points. This dramatically improves ATS match scores because you mirror the exact regulatory language the recruiter configured in the requisition.


Sources


  1. U.S. Bureau of Labor Statistics, "Computer and Information Systems Managers: Occupational Outlook Handbook," bls.gov/ooh/management/computer-and-information-systems-managers.htm 

  2. ISC2, "Results of the 2024 ISC2 Cybersecurity Workforce Study," isc2.org/Insights/2024/10/ISC2-2024-Cybersecurity-Workforce-Study 

  3. TopResume, "How to Make an ATS-Friendly Resume," topresume.com/career-advice/what-is-an-ats-resume 

  4. O*NET OnLine, "11-3021.00 — Computer and Information Systems Managers," onetonline.org/link/details/11-3021.00 

  5. ISACA, "ISACA's CISM Named Best Professional Certification Program in 2025 SC Awards," isaca.org/about-us/newsroom/press-releases/2025/isacas-cism-named-best-professional-certification-program-in-2025-sc-awards 

  6. ISC2, "ISC2 Celebrates 30th Anniversary of CISSP Certification," isc2.org/Insights/2024/03/ISC2-Celebrates-30th-Anniversary-of-CISSP-Certification 

  7. Infosec Institute, "2025 CISM Salary and Certification Outlook," infosecinstitute.com/resources/cism/average-cism-salary/ 

  8. NIST, "NICE Framework Resource Center," nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center 

  9. ISC2, "2025 ISC2 Cybersecurity Workforce Study," isc2.org/Insights/2025/12/2025-ISC2-Cybersecurity-Workforce-Study 

  10. U.S. Bureau of Labor Statistics, "Information Security Analysts: Occupational Outlook Handbook," bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm 

Blake Crosley — Former VP of Design at ZipRecruiter, Founder of ResumeGeni

About Blake Crosley

Blake Crosley spent 12 years at ZipRecruiter, rising from Design Engineer to VP of Design. He designed interfaces used by 110M+ job seekers and built systems processing 7M+ resumes monthly. He founded ResumeGeni to help candidates communicate their value clearly.
