Biometrics in Security: The Cutting-Edge Promise and the Hurdles We Still Face


The security industry has long hailed biometrics as the next great leap forward in authentication. Fingerprint scans, iris recognition and voice authentication promise a world in which passwords become relics of a less secure past. Yet, despite the buzz and a wave of early adoption by major banks and retailers, the technology remains far from mainstream. Why is something so promising still struggling to earn universal trust and to work reliably?

The Current State of Biometric Authentication

In recent months, high-street names like Barclays have introduced voice recognition and fingerprint scanning to bolster their security strategies. The shift reflects a growing consensus that passwords alone are no longer enough: two-factor authentication is now a baseline requirement, and biometrics look like the natural next step. Public sentiment tells a different story. Research indicates that a significant share of the population does not trust biometric systems, with the hesitation stemming from concerns about privacy, accuracy and the potential for misuse.

Why Biometrics Hasn’t Taken Over Yet

Biometric authentication challenges are more complex than they first appear. According to David Baker, chief security officer at Okta, the technology has been the holy grail of security since 2002. Authentication rests on three factor categories: something you know (a password), something you have (a device) and something you are (a biological trait). Biometrics supply the third. Baker explains that while fingerprints have become common for unlocking phones, more advanced methods such as iris scans and gesture recognition remain difficult to implement reliably.

One surprising obstacle is that biometrics are affected by external factors. Body temperature after a workout, for instance, can cause a fingerprint scanner to fail. Baker notes that such failures occur roughly one in ten times. These are false rejects, in which the legitimate user is refused: they do not admit an attacker, but they make the system unavailable, which is a critical flaw for systems that demand consistent access. If a user cannot log into a critical system when needed, the technology becomes a liability rather than an asset.

Environmental and Practical Hurdles

Another layer of difficulty involves real-world conditions. Iris scanning requires precise lighting and distance. Voice recognition struggles in noisy public spaces. These biometric authentication challenges mean that, for now, the technology works best in controlled environments. Until these issues are resolved, widespread adoption in busy settings—like airports, offices, or retail stores—remains unlikely.

The Reliability Factor: A Make-or-Break Issue

For any security measure, reliability is non-negotiable. Baker emphasizes that the real challenge is creating a system that works every time, regardless of environment or user condition. A one-in-ten failure rate is simply too high for mission-critical applications. This is why many organizations still rely on traditional passwords as a fallback, even when biometric options are available. The security industry innovation needed to overcome this gap is substantial, but progress is being made. Companies like Okta are investing heavily in improving sensor accuracy and algorithmic resilience.

The property that makes a biometric so personal is also what makes it risky. Unlike a password, you cannot change your fingerprint or iris pattern once it has been compromised, so a leaked biometric stays leaked for life. This permanence creates a security risk the industry must design around: the raw sample should never be the secret that a server stores or checks. Keeping the sample on the device that captured it, and having that device prove possession of a key the sensor unlocks, limits what a breach can expose.

What Needs to Change for Widespread Adoption

So, what will it take for biometrics to become the norm? First, the technology must achieve near-perfect reliability: better sensors, smarter matching software, and fallback mechanisms that keep a false reject from locking the user out without reducing the login to a single factor. Second, public trust must be rebuilt through transparency and strong data protection; users must be confident that their biometric data is stored securely and not shared without consent. Third, standardisation across devices and platforms is essential. Today a fingerprint enrolled on one device cannot be used on another, and each vendor's sensor and matching pipeline behaves differently, which fragments the experience both for users and for the services that rely on it.
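The three factor categories above, and the fallback requirement, can be made concrete. The following is an added example written for this page, not code from the article, from Okta or from any product it names. It models a verifier that demands two distinct categories, treats a biometric false reject as a soft failure (retry up to a budget, then ask for a different category) while treating a wrong password or failed token as a hard failure that counts toward lockout. The retry and lockout limits are assumptions chosen for illustration.

```python
"""Two-of-three factor policy with a bounded biometric fallback.

Added example, not from the article or from Okta. Models the three factor
categories (know / have / are) and shows how a verifier can retry or fall
back after a biometric false reject without ever completing a login on
fewer than two distinct categories. Limits below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"      # what you know: password
    POSSESSION = "possession"    # what you have: phone, hardware token
    INHERENCE = "inherence"      # what you are: fingerprint, iris, voice


class Outcome(Enum):
    ALLOW = "allow"                      # enough distinct categories verified
    DENY = "deny"                        # hard-failure budget spent: lock out
    CONTINUE = "continue"                # another category still required
    RETRY_BIOMETRIC = "retry_biometric"  # sensor no-match: capture again
    FALLBACK = "fallback"                # biometric budget spent: use a different category


@dataclass(frozen=True)
class Policy:
    required_categories: int = 2     # never allow on a single category
    max_biometric_attempts: int = 3  # assumption: then fall back, do not lock out
    max_hard_failures: int = 5       # assumption: wrong password / bad token lock out


@dataclass
class Session:
    verified: set = field(default_factory=set)
    biometric_failures: int = 0
    hard_failures: int = 0


def record(session, policy, factor, passed):
    """Record one verification result and return the next step for this session."""
    if passed:
        session.verified.add(factor)
    elif factor is Factor.INHERENCE:
        # A sensor no-match is a false reject, not evidence of an attacker:
        # count it on its own budget rather than toward lockout.
        session.biometric_failures += 1
    else:
        # A wrong password or a bad token response is a guess; count it.
        session.hard_failures += 1

    if session.hard_failures >= policy.max_hard_failures:
        return Outcome.DENY
    if len(session.verified) >= policy.required_categories:
        return Outcome.ALLOW
    if not passed and factor is Factor.INHERENCE:
        if session.biometric_failures < policy.max_biometric_attempts:
            return Outcome.RETRY_BIOMETRIC
        return Outcome.FALLBACK
    return Outcome.CONTINUE


def biometric_lockout_probability(false_reject_rate, attempts):
    """Chance that every capture in a session fails, assuming independent attempts."""
    return false_reject_rate ** attempts


if __name__ == "__main__":
    policy, s = Policy(), Session()
    steps = [(Factor.POSSESSION, True), (Factor.INHERENCE, False),
             (Factor.INHERENCE, False), (Factor.INHERENCE, False),
             (Factor.KNOWLEDGE, True)]
    for factor, ok in steps:
        print(f"{factor.value:<10} {'pass' if ok else 'fail'} -> {record(s, policy, factor, ok).value}")
    print("one capture, 10% FRR:   ", biometric_lockout_probability(0.1, 1))
    print("three captures, 10% FRR:", biometric_lockout_probability(0.1, 3))
```

Two things the walk-through shows. A biometric success on its own only ever yields CONTINUE, so the convenience path cannot quietly become single-factor; and at the one-in-ten failure rate Baker describes, allowing three captures before falling back reduces the chance of a session that never matches from 10% to 0.1%, after which the user still has a two-category path rather than a lockout.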

Baker remains optimistic: “But we’re proactively working on it, and yes, [eventually] it will replace username and passwords.” This vision aligns with broader trends in digital identity management, where convenience and security must coexist. The journey may be slower than enthusiasts hoped, but the destination is clear.

Conclusion: A Gradual Shift, Not an Overnight Revolution

Biometrics holds immense potential for reshaping how we authenticate our identities. Yet, the path to mass adoption is paved with technical, environmental, and trust-related hurdles. The security industry must address these biometric authentication challenges head-on, prioritising reliability and user confidence above all else. As technology improves and public awareness grows, we will likely see a gradual shift—not a sudden takeover. For now, the password may still have a few years left, but its days are certainly numbered.

How to Hire and Get Hired in Information Security: Expert Insights from (ISC)2 Congress


Imagine walking into a conference session, only to realize within minutes that you’ve chosen the wrong track. That happened to me at the (ISC)2 Congress in Orlando, Florida, when I attended a session titled ‘Hackers Hacking Hackers.’ Initially disappointed, I quickly discovered that the presentation—led by Tim O’Brien from Xerox Equipment and Megan Wu from Rapid7—offered invaluable insights on how to hire in information security and how to get hired in cybersecurity. Despite a lack of chemistry between the speakers, the content was rich with practical advice for both hiring managers and job seekers.

Reevaluating Expectations in Cybersecurity Hiring

The first opportunity for improvement, according to O’Brien and Wu, revolves around expectations. The industry often creates a category of talent it will never hire, overlooking many qualified candidates simply because their resumes lack specific keywords. As O’Brien noted, “We need to readjust our expectations as hiring managers. Start considering what we need versus what we want. Don’t demand skills or qualifications just because—look at the particular role and what it actually needs. Is having a degree or a certification truly important, or is it just what HR is demanding?”

On the flip side, Wu emphasized that candidates must also set realistic expectations. “Even though there’s a skills gap, even though hackers are in short supply, they need to have realistic expectations. Have a list of things you want, and think about what you’d be willing to trade for if it’s not possible. Just because there is an apparent skills gap, we’re not owed anything, so don’t feel entitled.” This balanced approach is crucial for successful information security hiring.

Mastering the Application Process

During the application process, preparation is key for both sides. O’Brien stressed that hiring managers are responsible for nurturing talent for the industry, not just their organization. He advised looking internally and at past applicants, working with marketing to find people interested in your technology, and attending industry events to network. Ensuring your HR department sets the right tone and expectations is also critical.

For candidates, Wu recommended hacking your resume to make it relevant without stretching the truth. “Be careful of buzzword bingo,” she warned. “Use a unique filename for your resume to distinguish yourself. If you use a template, sanitize the metadata.” She also urged applicants to always supply a cover letter explaining why they want the role and why they’d be a good fit. “People that write cover letters will always be the first to get an interview,” she added.

Additionally, candidates can make themselves desirable by getting involved with the community and attending events. “Get your name out there and make yourself more interesting to a hiring manager,” Wu said. She also advised doing due diligence when job hunting: “Research the different types of recruiters and avoid the agencies that just want to fill body quotas. Research the good ones and build relationships.” For more tips on networking, check out our guide on cybersecurity networking strategies.

Acing the Interview: Strategies for Both Sides

Pre-interview, it’s essential for managers to work out relevant questions. O’Brien cautioned against “stump the monkey” questions, which put good candidates off. Instead, he advised focusing on how a candidate tries to mitigate threats, risks, and vulnerabilities. “Avoid closed-ended questions, and use exploratory conversations instead. Quit passing judgment, and stop with the concerns about job-hopping or contract roles—it shouldn’t necessarily be a bad reflection on the individual. Being unemployed doesn’t make a candidate unemployable: don’t discriminate, put aside bias, and listen to the reason.”

O’Brien highlighted key qualities to look for: passion, willingness to learn, and ability to fail well. “Everything else can be learned,” he said. “Use a scoring system to eliminate bias, and remember that diversity in a team is a good thing.” For candidates, Wu recommended observing the company’s dress code and taking it up a notch. “Make sure the stories you tell in the interview are relevant, and have questions ready for the hiring manager. Think of something interesting to ask that will leave a lasting impression.” She also advised going away and researching answers to any questions you didn’t know, then emailing them to the hiring manager post-interview.

Post-Interview Etiquette and Decision-Making

The fourth opportunity is post-interview. For hiring managers, O’Brien recommended being fair with decision-making and using a scoring system. “Don’t leave people hanging either. Have good etiquette, provide feedback and insights for candidates—they may come back for future roles.” This approach fosters a positive reputation and encourages repeat applicants.

For candidates, Wu suggested sending a thank-you card or email to leave a lasting impression. However, she cautioned against sending social media requests. “Respect boundaries, be realistic, and don’t panic—it may take a while to hear back.” This patience and professionalism can set you apart in the competitive field of cybersecurity. For more on building a standout application, see our article on cybersecurity resume best practices.

In conclusion, whether you’re a hiring manager or a job seeker, these insights from the (ISC)2 Congress offer a roadmap to navigate the complex world of information security hiring. By adjusting expectations, preparing thoroughly, and maintaining professionalism throughout the process, both sides can find success. Ultimately, the key to hiring in infosec lies in focusing on potential, passion, and practical skills rather than rigid checklists. For additional resources, explore our comprehensive career guide for infosec professionals.

How to Build Up Infosec Professionals Through Mentoring: Expert Insights from RSA’s Jeff Silver


In the fast-paced world of information security, finding and keeping top talent is a constant struggle. According to RSA senior security engineer Jeff Silver, one of the most effective ways to build up infosec professionals is through structured mentoring programs. Speaking at the (ISC)2 Congress in Orlando, Florida, Silver shared practical advice for organizations looking to foster a mentoring culture that boosts retention and strengthens team dynamics.

Why Mentoring Matters in Information Security

Retention is a critical issue in cybersecurity. “It’s hard to find good qualified people, and when we lose them it hurts,” Silver noted. He believes that mentoring programs can directly address this challenge. When organizations identify their best security professionals as mentors, those individuals feel valued and are more likely to stay. This, in turn, has a positive ripple effect on overall team culture.

Building on this idea, Silver emphasized that every organization has employees with mentoring potential. The key is to recognize and empower them. By doing so, companies not only retain experienced staff but also create an environment where less seasoned professionals can thrive.

Key Principles for Effective Infosec Mentoring

Separate Mentoring from Technical Training

A common mistake is treating mentoring as just another form of technical training. Silver warned against this. Mentoring focuses on career development, soft skills, and personal growth—not on teaching specific tools or techniques. Understanding this distinction is the first step to building a successful relationship.

Establish Trust and Transparency Early

Trust is the foundation of any mentoring relationship. Silver advised mentors to set the first meeting and lead by example. “If you’re not willing to get personal and be transparent, don’t be a mentor,” he said. Sharing personal experiences, including mistakes and how they were overcome, helps build a safe space for open dialogue.

Furthermore, if the mentor and mentee have opposing worldviews, Silver suggests moving past it. The goal is not to agree on everything but to help the mentee grow as a security professional.

Focus on Career Aspirations and Brand Building

During the second meeting, mentors should explore the mentee’s career goals and current situation. Silver recommends assigning small homework tasks, such as creating a LinkedIn profile, to gauge the mentee’s pace and commitment. Over time, mentors can help mentees build their personal brand by discussing professional organizations, certifications, and industry reading materials.

Another critical area is helping mentees discover their passions beyond core duties. This includes encouraging them to develop knowledge and abilities that benefit both the company and the wider security community. Silver stressed that mentors should never discourage mentees from pursuing additional responsibilities, but they must also explain any associated risks.

Navigating Corporate Relationships and Confidentiality

Mentors can have a significant impact on how mentees interact within the organization. Silver advised discussing the mentee’s relationship with their boss, helping them build a constructive dynamic. Similarly, mentors should explore peer relationships—do mentees understand their role on the team and the importance of team culture?

Confidentiality is another cornerstone of effective mentoring. Silver made it clear that mentors are responsible for keeping conversations private unless the issue involves illegal, immoral, unethical, or dangerous behavior. In such cases, mentors should empathize, offer positive options, and strongly encourage the mentee to speak with their manager. If the mentee refuses, the mentor should facilitate a conversation while supporting the mentee through the process.

Practical Tips for Lasting Mentorship

Silver offered several actionable tips for mentors: understand what technology the mentee is passionate about, remember that you are an authority figure (whether formal or informal), and avoid trying too hard to be liked. The primary objective is to develop a world-class security professional, and genuine relationships will follow naturally.

Mentors should also guide mentees through their next career steps, encourage proactive engagement with the corporate office, and help them set up meetings with people in other departments. These actions broaden the mentee’s network and perspective.

Finally, Silver reminded mentors that they too need support. “Every mentor program needs an administrator,” he concluded. Bouncing ideas off peers—without breaking confidentiality—helps mentors stay effective. For more on building a cybersecurity career path, check out our guide on cybersecurity career development. Additionally, learn how to improve team culture in security teams.

Why Tenacity and Problem-Solving Matter More Than a CISSP in Cybersecurity


At the CLOUDSEC conference in London back in September 2016, Trend Micro’s vice president of security research, Rik Ferguson, delivered a talk that challenged conventional wisdom about the cybersecurity industry. His central thesis? The so-called cyber skills gap is a myth—the real problem is that employers are looking for the wrong things.

Instead of chasing paper certifications like the CISSP, Ferguson argues that tenacity and problem-solving are far more valuable traits. This perspective, shared during his session titled ‘Take Control: Empower the People,’ sparked a lively debate about what truly makes a great security professional.

The Myth of the Cyber Skills Gap

Ferguson didn’t mince words when addressing the industry’s hiring practices. “There’s not a cyber skills gap,” he stated. “The industry is just looking for the wrong things: It’s looking for paperwork and certifications rather than people and skills.” According to him, employers are hiring certificates, not individuals. This misalignment, he says, leads to teams that lack the creative and analytical thinking needed to tackle modern threats.

Building on this idea, he emphasized that tenacity and problem-solving abilities are critical. In a field where attackers constantly evolve, the ability to think on your feet and persist through complex challenges is more valuable than any piece of paper.

Why Certifications Like CISSP Fall Short

The CISSP (Certified Information Systems Security Professional) is one of the most recognized credentials in cybersecurity. However, Ferguson argues that it shouldn’t be the primary filter for hiring. “They should be looking for tenacity, problem-solving, analytical thinking,” he explained. “These skills are far more useful than a CISSP.”

This doesn’t mean certifications are worthless, but they should not overshadow practical abilities. As Ferguson put it, self-certification is “for losers,” and compliance should be seen as a starting point, not a shield. The goal is to build a team that can adapt and respond to threats, not just check boxes.

Key Takeaways from Rik Ferguson’s Talk

Beyond the hiring debate, Ferguson shared several other insights that resonate today:

  • Machine learning is a technique, not a solution: “What is most valuable is the output and what we can learn from it,” he said, warning against buzzword-driven security.
  • Ransomware is exploding: In 2015, 29 new families of crypto-ransomware were discovered. In just the first six months of 2016, that number jumped to 79. He criticized companies that offer to pay ransoms, calling it financing crime.
  • Past breaches still haunt us: “Data breaches of the past are suddenly haunting us,” he noted, citing the LinkedIn and Dropbox breaches as examples.
  • Take control of your systems: “Build a reliable perimeter around everything you can control, and build out from there to the network.”
  • Security is an aspiration, not an obligation: “View compliance as an obligation and security as an aspiration.”
  • Education is key: “Make sure your employees are educated, aware and engaged.”
  • Speed matters: “The fast will beat the slow in security.”

How to Apply These Lessons Today

For hiring managers, the message is clear: prioritize tenacity and problem-solving over credentials. Look for candidates who demonstrate curiosity, persistence, and the ability to think critically under pressure. For professionals, focus on building these traits through hands-on experience, continuous learning, and real-world problem solving.

As Ferguson’s talk reminds us, the cybersecurity landscape is constantly shifting. The people who thrive are those who can adapt, learn, and persist—not just those who hold a certification. For more insights on building a strong security team, check out our guide on hiring for cybersecurity traits and effective security training strategies.
