How to Build Up Infosec Professionals Through Mentoring: Expert Insights from RSA’s Jeff Silver

In the fast-paced world of information security, finding and keeping top talent is a constant struggle. According to RSA senior security engineer Jeff Silver, one of the most effective ways to build up infosec professionals is through structured mentoring programs. Speaking at the (ISC)2 Congress in Orlando, Florida, Silver shared practical advice for organizations looking to foster a mentoring culture that boosts retention and strengthens team dynamics.

Why Mentoring Matters in Information Security

Retention is a critical issue in cybersecurity. “It’s hard to find good qualified people, and when we lose them it hurts,” Silver noted. He believes that mentoring programs can directly address this challenge. When organizations identify their best security professionals as mentors, those individuals feel valued and are more likely to stay. This, in turn, has a positive ripple effect on overall team culture.

Building on this idea, Silver emphasized that every organization has employees with mentoring potential. The key is to recognize and empower them. By doing so, companies not only retain experienced staff but also create an environment where less seasoned professionals can thrive.

Key Principles for Effective Infosec Mentoring

Separate Mentoring from Technical Training

A common mistake is treating mentoring as just another form of technical training. Silver warned against this. Mentoring focuses on career development, soft skills, and personal growth—not on teaching specific tools or techniques. Understanding this distinction is the first step to building a successful relationship.

Establish Trust and Transparency Early

Trust is the foundation of any mentoring relationship. Silver advised mentors to set the first meeting and lead by example. “If you’re not willing to get personal and be transparent, don’t be a mentor,” he said. Sharing personal experiences, including mistakes and how they were overcome, helps build a safe space for open dialogue.

Furthermore, if the mentor and mentee have opposing worldviews, Silver suggests moving past it. The goal is not to agree on everything but to help the mentee grow as a security professional.

Focus on Career Aspirations and Brand Building

During the second meeting, mentors should explore the mentee’s career goals and current situation. Silver recommends assigning small homework tasks, such as creating a LinkedIn profile, to gauge the mentee’s pace and commitment. Over time, mentors can help mentees build their personal brand by discussing professional organizations, certifications, and industry reading materials.

Another critical area is helping mentees discover their passions beyond core duties. This includes encouraging them to develop knowledge and abilities that benefit both the company and the wider security community. Silver stressed that mentors should never discourage mentees from pursuing additional responsibilities, but they must also explain any associated risks.

Navigating Corporate Relationships and Confidentiality

Mentors can have a significant impact on how mentees interact within the organization. Silver advised discussing the mentee’s relationship with their boss, helping them build a constructive dynamic. Similarly, mentors should explore peer relationships—do mentees understand their role on the team and the importance of team culture?

Confidentiality is another cornerstone of effective mentoring. Silver made it clear that mentors are responsible for keeping conversations private unless the issue involves illegal, immoral, unethical, or dangerous behavior. In such cases, mentors should empathize, offer positive options, and strongly encourage the mentee to speak with their manager. If the mentee refuses, the mentor should facilitate a conversation while supporting the mentee through the process.

Practical Tips for Lasting Mentorship

Silver offered several actionable tips for mentors: understand what technology the mentee is passionate about, remember that you are an authority figure (whether formal or informal), and avoid trying too hard to be liked. The primary objective is to develop a world-class security professional, and genuine relationships will follow naturally.

Mentors should also guide mentees through their next career steps, encourage proactive engagement with the corporate office, and help them set up meetings with people in other departments. These actions broaden the mentee’s network and perspective.

Finally, Silver reminded mentors that they too need support. “Every mentor program needs an administrator,” he concluded. Bouncing ideas off peers—without breaking confidentiality—helps mentors stay effective. For more on building a cybersecurity career path, check out our guide on cybersecurity career development. Additionally, learn how to improve team culture in security teams.

Why Tenacity and Problem-Solving Matter More Than a CISSP in Cybersecurity

At the CLOUDSEC conference in London back in September 2016, Trend Micro’s vice president of security research, Rik Ferguson, delivered a talk that challenged conventional wisdom about the cybersecurity industry. His central thesis? The so-called cyber skills gap is a myth—the real problem is that employers are looking for the wrong things.

Instead of chasing paper certifications like the CISSP, Ferguson argues that tenacity and problem-solving are far more valuable traits. This perspective, shared during his session titled ‘Take Control: Empower the People,’ sparked a lively debate about what truly makes a great security professional.

The Myth of the Cyber Skills Gap

Ferguson didn’t mince words when addressing the industry’s hiring practices. “There’s not a cyber skills gap,” he stated. “The industry is just looking for the wrong things: It’s looking for paperwork and certifications rather than people and skills.” According to him, employers are hiring certificates, not individuals. This misalignment, he says, leads to teams that lack the creative and analytical thinking needed to tackle modern threats.

Building on this idea, he emphasized that tenacity and problem-solving abilities are critical. In a field where attackers constantly evolve, the ability to think on your feet and persist through complex challenges is more valuable than any piece of paper.

Why Certifications Like CISSP Fall Short

The CISSP (Certified Information Systems Security Professional) is one of the most recognized credentials in cybersecurity. However, Ferguson argues that it shouldn’t be the primary filter for hiring. “They should be looking for tenacity, problem-solving, analytical thinking,” he explained. “These skills are far more useful than a CISSP.”

This doesn’t mean certifications are worthless, but they should not overshadow practical abilities. As Ferguson put it, self-certification is “for losers,” and compliance should be seen as a starting point, not a shield. The goal is to build a team that can adapt and respond to threats, not just check boxes.

Key Takeaways from Rik Ferguson’s Talk

Beyond the hiring debate, Ferguson shared several other insights that resonate today:

• Machine learning is a technique, not a solution: “What is most valuable is the output and what we can learn from it,” he said, warning against buzzword-driven security.
• Ransomware is exploding: In 2015, 29 new families of crypto-ransomware were discovered. In just the first six months of 2016, that number jumped to 79. He criticized companies that offer to pay ransoms, calling it financing crime.
• Past breaches still haunt us: “Data breaches of the past are suddenly haunting us,” he noted, citing the LinkedIn and Dropbox breaches as examples.
• Take control of your systems: “Build a reliable perimeter around everything you can control, and build out from there to the network.”
• Security is an aspiration, not an obligation: “View compliance as an obligation and security as an aspiration.”
• Education is key: “Make sure your employees are educated, aware and engaged.”
• Speed matters: “The fast will beat the slow in security.”

How to Apply These Lessons Today

For hiring managers, the message is clear: prioritize tenacity and problem-solving over credentials. Look for candidates who demonstrate curiosity, persistence, and the ability to think critically under pressure. For professionals, focus on building these traits through hands-on experience, continuous learning, and real-world problem solving.

As Ferguson’s talk reminds us, the cybersecurity landscape is constantly shifting. The people who thrive are those who can adapt, learn, and persist—not just those who hold a certification. For more insights on building a strong security team, check out our guide on hiring for cybersecurity traits and effective security training strategies.

Mobile devices and robots: Why companies must act now to prevent future cybercrime

The digital landscape is shifting rapidly, and with it, the threats that businesses face. Data protection and security concerns around mobile devices and robots are no longer distant possibilities—they are active battlegrounds for cybercriminals. While many organizations have focused on securing traditional desktop environments, the explosion of mobile usage and the rise of connected robotics are opening new doors for hackers. Companies that fail to adapt now risk not only financial ruin but also lasting reputational damage.

The growing threat of data breaches under GDPR

One of the most pressing issues for businesses today is compliance with the EU General Data Protection Regulation (GDPR). Even after Brexit, the UK will remain subject to GDPR requirements. From May 2018, organizations must notify national data protection authorities of any breach within 72 hours. This is no small task—data breaches are becoming more frequent and more severe.

Large corporations that handle millions of customer records are prime targets for blackmail. Hackers steal data and demand hefty ransoms for its return. This tactic is already common in the United States and is gaining traction across Europe. The cost of non-compliance or a successful attack can be catastrophic. Therefore, companies need to put the legwork in now to reduce the risk of this happening as the cost – both financial and reputational – is far too great.

Building a robust data protection strategy is not optional; it is a legal and ethical imperative. Businesses should invest in encryption, access controls, and employee training to minimize exposure. For more on building a security culture, check out our guide on cybersecurity culture best practices.

Mobile devices: A new playground for hackers

Mobile devices are inherently less secure than desktop environments. This is a common theme when speaking to clients and security providers. Unlike corporate laptops, smartphones and tablets often lack the same level of control and monitoring. This presents a fresh opportunity for malicious actors.

There are apps that can take control of a mobile device in seconds, often without the user noticing. A stark example was the launch of Pokémon Go. When the game wasn’t officially available in the UK, users flocked to unofficial app stores—including risky “grey app” markets—to download it. As a result, different versions of the game were installed on some phone models, exposing users to a world of risks. Hackers could easily take control of the phone, access personal data, listen in on conversations, or even activate the camera to spy on the user. It is a scary new world.

This means that businesses must treat mobile devices as critical endpoints. Implementing mobile device management (MDM) solutions and enforcing strict app policies are essential steps. For additional insights, see our article on mobile security strategies for 2024.

The rise of robots and the cyberwar frontier

Finally, the infiltration of robots into everyday life will become more evident. These machines will be connected to the internet at home, at work, and everywhere in between. While there are many benefits—from automation in manufacturing to assistance in healthcare—businesses cannot hide from the fact they will be a new frontier for hackers.

Connected robots could be hijacked to cause physical damage, steal sensitive data, or disrupt critical infrastructure. This could result in a form of ‘cyberwar’ where robotic systems become weapons. The potential consequences are severe, ranging from production downtime to public safety risks.

To prepare, companies should integrate security into the design of robotic systems from the outset. Regular patching, network segmentation, and rigorous testing are non-negotiable. As robots become more common, the line between cybersecurity and physical safety will blur.

Conclusion: Act now to build trust

Ultimately, businesses need to work hard to combat cybercrime by putting the right preventative measures in place now to reduce the risk of breaches in the future. The threats from mobile devices and robots are real and growing. By taking a proactive stance—investing in technology, training, and compliance—organizations can build a culture of trust in these new technology solutions. The time to act is today, not after the next major breach.