
Created using Perplexity AI
Written by Peter Kosel, Talent Community Manager at cyberunity AG
Why “I’m not allowed to say anything about it” often weakens your strongest argument.
Many CVs in the cyber security field share the same pattern:
The projects are highly relevant.
The level of responsibility was significant.
The topics are current.
Yet too little relevant information is conveyed to the reader.
Why? Because everything is phrased too vaguely.
“Project in the banking sector”
“Security project for a large client”
“Handling of a security incident”
Formally correct. Substantively weak.
What does NDA really mean in a CV?
Many candidates think:
I am not allowed to say anything.
So they write as little as possible.
The problem:
A CV without substance does not create trust.
The reader does not understand:
- What exactly was your role?
- How complex was the situation?
- What contribution did you make?
And that is exactly where part of your value is lost.
What you are actually not allowed to say
Clear boundaries matter:
- No client names
- No specific systems or architectures
- No sensitive details about vulnerabilities
- No information that could be misused
But:
That does not mean you cannot say anything.
It means: You need to abstract it properly.
The most common mistake
Many candidates describe projects like this:
Example:
Security Consultant
Project in the financial sector
Conducting security assessments
This sounds clean.
But:
It is interchangeable.
The reader learns nothing about you.
How to create impact despite NDA
A strong CV does not describe the WHAT in detail, but instead:
Context
Role
Challenge
Approach
Outcome
Example:
Weak:
Security Consultant
Project in the banking sector
Conducting assessments
Strong:
Security Consultant
Project in a regulated financial environment
Conducting security assessments within a complex system landscape with high regulatory requirements
Responsible for identifying critical vulnerabilities and prioritising remediation measures
Outcome: Reduction of identified high-risk findings through structured remediation initiatives
→ Before: Generic description
→ Now: Context + responsibility + impact
Security incidents on your CV
Many avoid this topic entirely.
Due to uncertainty.
Or fear of saying the wrong thing.
Yet these experiences are extremely valuable.
They show:
- How you operate under pressure
- How you make decisions
- How you take responsibility
The most common mistake
Example:
Handling of security incidents
This says nothing.
Anyone can write that.
How to do it properly
An incident is not the story. Your handling of it is the story.
Example:
Weak:
Supporting the handling of a security incident
Strong:
Active role in incident response during a critical security incident (ransomware)
Coordinated the analysis phase and aligned stakeholders across IT, security, and management
Prioritised measures for containment and system recovery
Outcome: Business operations restored within 48 hours
The reader recognises:
Pressure
Complexity
Responsibility
Outcome
That is what matters.
The three most common mistakes
- NDA as an excuse
  “I’m not allowed to say anything about it”
  → leads to empty CVs
- Too technical
  Going too deep into tools and systems
  → risk + difficult for many readers to understand
- No focus on impact
  You describe tasks, but not outcomes
How to review your CV
Ask yourself:
- Is my role understandable even without names or labels?
- Is it clear which challenges I solved?
- Is my contribution visible?
- Am I showing outcomes or just activities?
If not:
Your CV lacks substance in the most critical areas.
NDA is not an obstacle. It is a quality filter.
Those who can present complex and confidential topics clearly and in an abstracted way demonstrate:
Structure
Reflection
and professionalism
And that is exactly what makes the difference.
This article is part of the cyberunity CV series for cyber security professionals in the DACH region.