
Mastering the art of the job interview for cybersecurity practitioners

In the wild wild world of cybersecurity, a good laugh can be as rare as a secure network. But last week, I found myself in an interview that was anything but ordinary.

As I geared up for the interview, I took a dive into the depths of publicly available data about the company, like a digital detective on a reconnaissance mission. Armed with data and insights, even a dash of wit, I began to unravel the organization's inherent risk, decoding the DNA of their security vulnerabilities. With the precision of a cyber-sleuth, I backed into their security program by applying the Cybersecurity Maturity Model Integration (CMMI) to discern their cyber maturity level - an outside-in approach.

Similar to a Primary Care Physician (PCP) who would know the profile of a healthy person, I very quickly established their target maturity level.

I enlisted the help of a trusted colleague, a cybersecurity consultant friend of mine, to second-eye my work. Once I received the seal of approval – and a dash of hacker humor – I was ready to face the interview panel. "You're going to nail this," my friend deadpanned. "If they don't hire you, they're either deaf or not serious about security."

And so, equipped with my data-driven insights and a boatload of confidence, I logged into the interview session, ready to shake things up a bit. Right after the niceties, without skipping a beat and before they started regurgitating my resume, asking what my plans are “for when I grow up,” I asked them to give me about ten minutes to share my presentation – a cybersecurity practitioner's perspective, I called it.

I laid out the facts – a relatively young company with disruptive technology, multiple patents, over $400M in investment and government grants, etc. I revealed their inherent risk followed by their minimum target cyber maturity level along with a to-do list covering their top-ten cybersecurity domains. These were the absolute MUST-HAVE minimum requirements for safeguarding their digital assets before any controls are in place. And just to drive the point home, I made it clear: "If you hire me or any other security practitioner, this is EXACTLY how you should design your security program." And jokingly I added, "Now that you know what needs to be done, you do not even need to hire me."

As I wrapped up my presentation, a wave of laughter filled the room – perhaps not the reaction I had expected, but certainly a welcome one. And while the aftermath brought a polite rejection email from HR, it was clear that my unconventional approach had left an impression. Perhaps they are going through my checklist as I type.

As I reflect on that fateful interview, I'm reminded that sometimes, a little humor can go a long way – even in the serious world of cybersecurity. And who knows, maybe next time I'll bring a clown nose. You know, for extra security.