How to Hire and Get Hired in Information Security: Expert Advice from (ISC)2 Congress

Imagine walking into a conference session, only to realize within minutes that you’ve chosen the wrong track. That happened to me at the (ISC)2 Congress in Orlando, Florida, when I attended a session titled ‘Hackers Hacking Hackers.’ Initially disappointed, I quickly discovered that the presentation—led by Tim O’Brien from Xerox Equipment and Megan Wu from Rapid7—offered invaluable insights on how to hire in information security and how to get hired in cybersecurity. Despite a lack of chemistry between the speakers, the content was rich with practical advice for both hiring managers and job seekers.

Reevaluating Expectations in Cybersecurity Hiring

The first opportunity for improvement, according to O’Brien and Wu, revolves around expectations. The industry often creates a category of talent it will never hire, overlooking many qualified candidates simply because their resumes lack specific keywords. As O’Brien noted, “We need to readjust our expectations as hiring managers. Start considering what we need versus what we want. Don’t demand skills or qualifications just because—look at the particular role and what it actually needs. Is having a degree or a certification truly important, or is it just what HR is demanding?”

On the flip side, Wu emphasized that candidates must also set realistic expectations. “Even though there’s a skills gap, even though hackers are in short supply, they need to have realistic expectations. Have a list of things you want, and think about what you’d be willing to trade for if it’s not possible. Just because there is an apparent skills gap, we’re not owed anything, so don’t feel entitled.” This balanced approach is crucial for successful information security hiring.

Mastering the Application Process

During the application process, preparation is key for both sides. O’Brien stressed that hiring managers are responsible for nurturing talent for the industry, not just their organization. He advised looking internally and at past applicants, working with marketing to find people interested in your technology, and attending industry events to network. Ensuring your HR department sets the right tone and expectations is also critical.

For candidates, Wu recommended hacking your resume to make it relevant without stretching the truth. “Be careful of buzzword bingo,” she warned. “Use a unique filename for your resume to distinguish yourself. If you use a template, sanitize the metadata.” She also urged applicants to always supply a cover letter explaining why they want the role and why they’d be a good fit. “People that write cover letters will always be the first to get an interview,” she added.

Additionally, candidates can make themselves desirable by getting involved with the community and attending events. “Get your name out there and make yourself more interesting to a hiring manager,” Wu said. She also advised doing due diligence when job hunting: “Research the different types of recruiters and avoid the agencies that just want to fill body quotas. Research the good ones and build relationships.” For more tips on networking, check out our guide on cybersecurity networking strategies.

Acing the Interview: Strategies for Both Sides

Pre-interview, it’s essential for managers to work out relevant questions. O’Brien cautioned against “stump the monkey” questions, which put good candidates off. Instead, he advised focusing on how a candidate tries to mitigate threats, risks, and vulnerabilities. “Avoid closed-ended questions, and use exploratory conversations instead. Quit passing judgment, and stop with the concerns about job-hopping or contract roles—it shouldn’t necessarily be a bad reflection on the individual. Being unemployed doesn’t make a candidate unemployable: don’t discriminate, put aside bias, and listen to the reason.”

O’Brien highlighted key qualities to look for: passion, willingness to learn, and ability to fail well. “Everything else can be learned,” he said. “Use a scoring system to eliminate bias, and remember that diversity in a team is a good thing.” For candidates, Wu recommended observing the company’s dress code and taking it up a notch. “Make sure the stories you tell in the interview are relevant, and have questions ready for the hiring manager. Think of something interesting to ask that will leave a lasting impression.” She also advised going away and researching answers to any questions you didn’t know, then emailing them to the hiring manager post-interview.

Post-Interview Etiquette and Decision-Making

The fourth opportunity is post-interview. For hiring managers, O’Brien recommended being fair with decision-making and using a scoring system. “Don’t leave people hanging either. Have good etiquette, provide feedback and insights for candidates—they may come back for future roles.” This approach fosters a positive reputation and encourages repeat applicants.

For candidates, Wu suggested sending a thank-you card or email to leave a lasting impression. However, she cautioned against sending social media requests. “Respect boundaries, be realistic, and don’t panic—it may take a while to hear back.” This patience and professionalism can set you apart in the competitive field of cybersecurity. For more on building a standout application, see our article on cybersecurity resume best practices.

In conclusion, whether you’re a hiring manager or a job seeker, these insights from the (ISC)2 Congress offer a roadmap to navigate the complex world of information security hiring. By adjusting expectations, preparing thoroughly, and maintaining professionalism throughout the process, both sides can find success. Ultimately, the key to hiring in infosec lies in focusing on potential, passion, and practical skills rather than rigid checklists. For additional resources, explore our comprehensive career guide for infosec professionals.

Why Tenacity and Problem-Solving Matter More Than a CISSP in Cybersecurity

At the CLOUDSEC conference in London back in September 2016, Trend Micro’s vice president of security research, Rik Ferguson, delivered a talk that challenged conventional wisdom about the cybersecurity industry. His central thesis? The so-called cyber skills gap is a myth—the real problem is that employers are looking for the wrong things.

Instead of chasing paper certifications like the CISSP, Ferguson argues that tenacity and problem-solving are far more valuable traits. This perspective, shared during his session titled ‘Take Control: Empower the People,’ sparked a lively debate about what truly makes a great security professional.

The Myth of the Cyber Skills Gap

Ferguson didn’t mince words when addressing the industry’s hiring practices. “There’s not a cyber skills gap,” he stated. “The industry is just looking for the wrong things: It’s looking for paperwork and certifications rather than people and skills.” According to him, employers are hiring certificates, not individuals. This misalignment, he says, leads to teams that lack the creative and analytical thinking needed to tackle modern threats.

Building on this idea, he emphasized that tenacity and problem-solving abilities are critical. In a field where attackers constantly evolve, the ability to think on your feet and persist through complex challenges is more valuable than any piece of paper.

Why Certifications Like CISSP Fall Short

The CISSP (Certified Information Systems Security Professional) is one of the most recognized credentials in cybersecurity. However, Ferguson argues that it shouldn’t be the primary filter for hiring. “They should be looking for tenacity, problem-solving, analytical thinking,” he explained. “These skills are far more useful than a CISSP.”

This doesn’t mean certifications are worthless, but they should not overshadow practical abilities. As Ferguson put it, self-certification is “for losers,” and compliance should be seen as a starting point, not a shield. The goal is to build a team that can adapt and respond to threats, not just check boxes.

Key Takeaways from Rik Ferguson’s Talk

Beyond the hiring debate, Ferguson shared several other insights that resonate today:

• Machine learning is a technique, not a solution: “What is most valuable is the output and what we can learn from it,” he said, warning against buzzword-driven security.
• Ransomware is exploding: In 2015, 29 new families of crypto-ransomware were discovered. In just the first six months of 2016, that number jumped to 79. He criticized companies that offer to pay ransoms, calling it financing crime.
• Past breaches still haunt us: “Data breaches of the past are suddenly haunting us,” he noted, citing the LinkedIn and Dropbox breaches as examples.
• Take control of your systems: “Build a reliable perimeter around everything you can control, and build out from there to the network.”
• Security is an aspiration, not an obligation: “View compliance as an obligation and security as an aspiration.”
• Education is key: “Make sure your employees are educated, aware and engaged.”
• Speed matters: “The fast will beat the slow in security.”

How to Apply These Lessons Today

For hiring managers, the message is clear: prioritize tenacity and problem-solving over credentials. Look for candidates who demonstrate curiosity, persistence, and the ability to think critically under pressure. For professionals, focus on building these traits through hands-on experience, continuous learning, and real-world problem solving.

As Ferguson’s talk reminds us, the cybersecurity landscape is constantly shifting. The people who thrive are those who can adapt, learn, and persist—not just those who hold a certification. For more insights on building a strong security team, check out our guide on hiring for cybersecurity traits and effective security training strategies.

Mobile devices and robots: Why companies must act now to prevent future cybercrime

The digital landscape is shifting rapidly, and with it, the threats that businesses face. Data protection and security concerns around mobile devices and robots are no longer distant possibilities—they are active battlegrounds for cybercriminals. While many organizations have focused on securing traditional desktop environments, the explosion of mobile usage and the rise of connected robotics are opening new doors for hackers. Companies that fail to adapt now risk not only financial ruin but also lasting reputational damage.

The growing threat of data breaches under GDPR

One of the most pressing issues for businesses today is compliance with the EU General Data Protection Regulation (GDPR). Even after Brexit, the UK will remain subject to GDPR requirements. From May 2018, organizations must notify national data protection authorities of any breach within 72 hours. This is no small task—data breaches are becoming more frequent and more severe.

Large corporations that handle millions of customer records are prime targets for blackmail. Hackers steal data and demand hefty ransoms for its return. This tactic is already common in the United States and is gaining traction across Europe. The cost of non-compliance or a successful attack can be catastrophic. Therefore, companies need to put the legwork in now to reduce the risk of this happening as the cost – both financial and reputational – is far too great.

Building a robust data protection strategy is not optional; it is a legal and ethical imperative. Businesses should invest in encryption, access controls, and employee training to minimize exposure. For more on building a security culture, check out our guide on cybersecurity culture best practices.

Mobile devices: A new playground for hackers

Mobile devices are inherently less secure than desktop environments. This is a common theme when speaking to clients and security providers. Unlike corporate laptops, smartphones and tablets often lack the same level of control and monitoring. This presents a fresh opportunity for malicious actors.

There are apps that can take control of a mobile device in seconds, often without the user noticing. A stark example was the launch of Pokémon Go. When the game wasn’t officially available in the UK, users flocked to unofficial app stores—including risky “grey app” markets—to download it. As a result, different versions of the game were installed on some phone models, exposing users to a world of risks. Hackers could easily take control of the phone, access personal data, listen in on conversations, or even activate the camera to spy on the user. It is a scary new world.

This means that businesses must treat mobile devices as critical endpoints. Implementing mobile device management (MDM) solutions and enforcing strict app policies are essential steps. For additional insights, see our article on mobile security strategies for 2024.

The rise of robots and the cyberwar frontier

Finally, the infiltration of robots into everyday life will become more evident. These machines will be connected to the internet at home, at work, and everywhere in between. While there are many benefits—from automation in manufacturing to assistance in healthcare—businesses cannot hide from the fact they will be a new frontier for hackers.

Connected robots could be hijacked to cause physical damage, steal sensitive data, or disrupt critical infrastructure. This could result in a form of ‘cyberwar’ where robotic systems become weapons. The potential consequences are severe, ranging from production downtime to public safety risks.

To prepare, companies should integrate security into the design of robotic systems from the outset. Regular patching, network segmentation, and rigorous testing are non-negotiable. As robots become more common, the line between cybersecurity and physical safety will blur.

Conclusion: Act now to build trust

Ultimately, businesses need to work hard to combat cybercrime by putting the right preventative measures in place now to reduce the risk of breaches in the future. The threats from mobile devices and robots are real and growing. By taking a proactive stance—investing in technology, training, and compliance—organizations can build a culture of trust in these new technology solutions. The time to act is today, not after the next major breach.