#ISC2Congress: How to Hire and Get Hired in Infosec

Written by

You know when you sit down in a conference session and within a few minutes of the speaker starting you realize you picked the wrong track? Well I did that today when I attended the ‘Hackers Hacking Hackers’ session at the (ISC)2 Congress in Orlando, Florida.

BUT, and there is a but, I was too quick to judge. Actually, the session – presented by Tim O’Brien, Xerox Equipment, and Megan Wu, Rapid 7 – contained a lot of really useful insight and advice on how to hire, and get hired, in information security. The execution, in my opinion, could have been better, but the content was good, and that’s the important bit.

Shared presentations do tend to be tricky – I’ve watched hundreds over my ten years reporting on this industry – and their success is usually dependent on a chemistry between the speakers. Today, I think there was a notable lack of this.

Here’s where I went wrong though. I assumed, from the session title, that the presentation was going to be about hiring ex-black hats, an area which I find particularly interesting. As soon as I learned that the term hacker was being used to describe “a highly-skilled computer expert”, I was disappointed. That was my bad, though. I shouldn’t have assumed. But at an event like (ISC)2 Congress, the vocabulary used to describe highly-skilled computer experts tends to be ‘information security professional’ or something similar. Anyway, I digress…

The session laid out four opportunities for improvement in the hiring of hackers (let’s use hackers instead of cybersecurity professionals for the sake of this blog).  Each opportunity was approached from both the perspective of the hiring manager (covered by O’Brien), and the hacker looking for a job (covered by Wu).


Expectation was the first opportunity presented by Wu and O’Brien. The industry is shooting itself in the foot by creating a category of talent that it will never hire, the presenters agreed. So many people are overlooked simply because they don’t have the right keywords in their resume.

“We need to readjust our expectations as hiring managers,” said O’Brien. “We must start considering what we need versus what we want. Don’t demand skills or qualifications just because – look at the particular role and what it actually needs. Is having a degree or a certification actually important, or is it just what HR are demanding?”   

Hackers, too, need to set their expectations, argued Wu. “Even though there’s a skills gap, even though hackers are in short supply, they need to have realistic expectations. Have a list of things you want, and think about what you’d be willing to trade for if it’s not possible. Just because there is an apparent skills gap, we’re not owed anything, so don’t feel entitled.”

Application Process

During the application process, it’s important for both sides to be prepared, the presenters agreed.

“Hiring managers are responsible for nurturing talent for the industry, not just their organization,” commented O’Brien. It’s a good idea to look internally and at past applicants, he advised. “Work with marketing to find people who are interested in your technology and company, attend industry events and network.”

It’s also important to make sure your HR department or recruiter is setting the tone and their expectations right.

On the other side of the coin, Wu said that candidates should hack their resume and make it relevant, ensuring their experience reflects what is being asked for without stretching the truth. “Be careful of buzzword bingo,” she advised. “Use a unique filename for your resume – distinguish yourself. If you use a template, sanitize the meta data.”

Always supply a cover letter explaining why you want the role and why you’d be a good fit, says Wu. “People that write cover letters will always be the first to get an interview.”

Candidates can make themselves desirable by getting involved with the community and attending events. “Get your name out there and make yourself more interesting to a hiring manager,” she said.

Hackers should also do their due diligence when job hunting. “Research the different types of recruiters and avoid the agencies that just want to fill body quotas. Research the good ones and build relationships.”

The Interview

Pre-Interview, it’s essential for managers to work out the relevant questions to ask.

“Stump the monkey questions are not good or fun for anyone, and these tactics put good candidates off” said O’Brien. “Focus on how a candidate tries to mitigate threats, risks, and vulnerabilities instead.”

“Avoid closed ended questions, and use exploratory conversations instead,” he advised. “Quit passing judgement, and stop with the concerns about job-hopping or contract roles – it shouldn’t necessarily be a bad reflection on the individual. Being unemployed doesn’t make a candidate unemployable: don’t discriminate, put aside bias, and listen to the reason.”

The qualities to look for are passion, willingness to learn, and ability to fail well. “Everything else can be learnt,” O’Brien said. “Use a scoring system to eliminate bias, and remember that diversity in a team is a good thing.”

Hackers should prepare for the interview by observing the company’s dress-code and taking it up a notch, said Wu. “Make sure the stories you tell in interview are relevant, and have questions ready for the hiring manager. Think of something interesting to ask that will leave a lasting impression.”

Another piece of advice Wu gave was to “go away and research the answers to any questions you didn’t know in interview, and email it to the hiring manager.”


The fourth and final opportunity is post-interview.

For the hiring manager, this means being fair with your decision-making, said O’Brien who recommended a scoring system. “Don’t leave people hanging either. Have good etiquette, provide feedback and insights for candidates – they may come back for future roles.”

For the hackers, Wu recommended sending a thank-you card or email to leave a lasting impression. “Don’t send social media requests,” she advised, “respect boundaries, be realistic and don’t panic – it may take a while to hear back.”  

What’s hot on Infosecurity Magazine?