Infosecurity

Why Tenacity and Problem-Solving Matter More Than a CISSP in Cybersecurity

At the CLOUDSEC conference in London back in September 2016, Trend Micro’s vice president of security research, Rik Ferguson, delivered a talk that challenged conventional wisdom about the cybersecurity industry. His central thesis? The so-called cyber skills gap is a myth—the real problem is that employers are looking for the wrong things.

Instead of chasing paper certifications like the CISSP, Ferguson argues that tenacity and problem-solving are far more valuable traits. This perspective, shared during his session titled ‘Take Control: Empower the People,’ sparked a lively debate about what truly makes a great security professional.

The Myth of the Cyber Skills Gap

Ferguson didn’t mince words when addressing the industry’s hiring practices. “There’s not a cyber skills gap,” he stated. “The industry is just looking for the wrong things: It’s looking for paperwork and certifications rather than people and skills.” According to him, employers are hiring certificates, not individuals. This misalignment, he says, leads to teams that lack the creative and analytical thinking needed to tackle modern threats.

Building on this idea, he emphasized that tenacity and problem-solving abilities are critical. In a field where attackers constantly evolve, the ability to think on your feet and persist through complex challenges is more valuable than any piece of paper.

Why Certifications Like CISSP Fall Short

The CISSP (Certified Information Systems Security Professional) is one of the most recognized credentials in cybersecurity. However, Ferguson argues that it shouldn’t be the primary filter for hiring. “They should be looking for tenacity, problem-solving, analytical thinking,” he explained. “These skills are far more useful than a CISSP.”

This doesn’t mean certifications are worthless, but they should not overshadow practical abilities. As Ferguson put it, self-certification is “for losers,” and compliance should be seen as a starting point, not a shield. The goal is to build a team that can adapt and respond to threats, not just check boxes.

Key Takeaways from Rik Ferguson’s Talk

Beyond the hiring debate, Ferguson shared several other insights that resonate today:

  • Machine learning is a technique, not a solution: “What is most valuable is the output and what we can learn from it,” he said, warning against buzzword-driven security.
  • Ransomware is exploding: In 2015, 29 new families of crypto-ransomware were discovered. In just the first six months of 2016, that number jumped to 79. He criticized companies that offer to pay ransoms, calling it financing crime.
  • Past breaches still haunt us: “Data breaches of the past are suddenly haunting us,” he noted, citing the LinkedIn and Dropbox breaches as examples.
  • Take control of your systems: “Build a reliable perimeter around everything you can control, and build out from there to the network.”
  • Security is an aspiration, not an obligation: “View compliance as an obligation and security as an aspiration.”
  • Education is key: “Make sure your employees are educated, aware and engaged.”
  • Speed matters: “The fast will beat the slow in security.”

How to Apply These Lessons Today

For hiring managers, the message is clear: prioritize tenacity and problem-solving over credentials. Look for candidates who demonstrate curiosity, persistence, and the ability to think critically under pressure. For professionals, focus on building these traits through hands-on experience, continuous learning, and real-world problem solving.

As Ferguson’s talk reminds us, the cybersecurity landscape is constantly shifting. The people who thrive are those who can adapt, learn, and persist—not just those who hold a certification. For more insights on building a strong security team, check out our guide on hiring for cybersecurity traits and effective security training strategies.
