Join us tomorrow for "Hacking Provable Security"

Super Cyber Fridays!
Join us Friday, May 30, 2025, for “Hacking Provable Security: An hour of critical thinking on how to go beyond security ratings and questionnaires.”

It all begins at 1 PM ET/10 AM PT on Friday, May 30, 2025, with guests Sravish Sridhar, founder and CEO, TrustCloud, and Tony Spinelli, former CISO, Capital One. We'll have a fun conversation and games, and at the end of the hour (2 PM ET/11 AM PT) we'll hold our meetup.

Thanks to our Super Cyber Friday sponsor, TrustCloud

Defense in Depth
Why Cybersecurity Professionals Lie on Their Resumes

A survey found 72 percent of cybersecurity professionals took "creative liberties" on their resumes. Why do so many otherwise qualified professionals feel forced to spice up their resumes to get a gig?

Check out this post by Gautam ‘Gotham’ Sharma of AccessCyber for the discussion that is the basis of our conversation on this week’s episode, co-hosted by David Spark, the producer of CISO Series, and Steve Zalewski. Joining them is Krista Arndt, associate CISO, St. Luke's University Health Network.

Listen to the full episode here.

Verify then trust

The cybersecurity talent pipeline is under pressure, and with it comes a growing tension around qualifications, real and embellished. Mic Merritt of Merritt Collective shares that omitting advanced degrees like a PhD from their résumé led to a 40 percent increase in callbacks, raising questions about how perceived overqualification can hurt opportunities. But Merritt also warns of the opposite problem: “I’ve interviewed candidates with certs on their resumes, only to learn they don’t actually have them.” As a result, Merritt now verifies certifications before interviews. Wout Vlg highlights the broader issue: “Too many are following the advice ‘fake it until you make it,’” and suggested that cybersecurity titles may eventually require formalized credentials, much like accountants or lawyers, to preserve trust and maturity in the profession.

Dishonesty on all sides

Breaking into cybersecurity can feel like a rigged game—one where honesty isn’t always rewarded. Nicholas Stefanowich of Dauphin County Tech School shared a raw frustration familiar to many newcomers: “If you're not given the time of day for ‘entry level’ without 2–3 years of professional experience, where are you gonna get it?” After facing repeated rejections, he admitted that fabricating experience can start to feel like the only viable path, especially in a field where “the only 12-foot ladder to this 10-foot wall” might be deception. Chuck Mackey of Fortress SRM noted that the dishonesty goes both ways: companies often misrepresent “roles, responsibilities, titles, culture,” leaving candidates disillusioned once they’re on the inside. The hiring process, it seems, has credibility issues on both sides of the table.

A lack of flexibility

Gaming the hiring system has become a quiet art—and a troubling one. Aditya Sarangapani of WNS described a tactic to outsmart applicant tracking systems (ATS): Put in degrees and capabilities per the job description, but hide them with tricks like white text on a white background. The ATS picks up the keywords, but the human reviewer never sees them. Keith Jaehnert of CXI Staffing acknowledged a grayer area, where candidates bend the truth just enough to advance. “If someone checks Y to ‘Did you achieve a BA or higher?’ just to get to the next stage—but never lies about it on the resume or in the interview—that is a lot more understandable.” While motivations may vary, these practices reflect a deeper issue: The hiring process is so rigid or opaque that even honest candidates feel they have to game the system just to get noticed.

What about integrity?

In cybersecurity, where trust is paramount, even a small embellishment on a résumé can carry outsized consequences. “The truth will find you out eventually,” warned Seth Coleman of Microsoft, recounting a case where a job offer was rescinded after discrepancies were found during a background check. Muzammil Khan of Bahria University stated it simply but powerfully: “It’s a big question on ‘Integrity,’ an essential part of security.” In a field built on safeguarding truth and trust, personal credibility is non-negotiable.

Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Huge thanks to our sponsor, Formal

Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.

Security You Should Know
Stopping AI Oversharing with Knostic

Large language models are most useful to your business when they have access to your data. But these models also overshare by default: lacking fine-grained access controls, they hand out information that should be restricted to those with a need to know. Organizations that respond by limiting the data an LLM can access risk the opposite problem, undersharing, where users are denied the information they need to do their jobs efficiently.

In this episode, Sounil Yu, CTO at Knostic, explains how Knostic addresses internal knowledge segmentation, offers continuous assessments, and helps prevent oversharing while also identifying under-sharing opportunities. Joining him are our panelists, Ross Young, CISO-in-residence at Team8, and David Cross, CISO at Atlassian.

Listen to the full episode here.

Thanks to our podcast sponsor, Knostic

Subscribe to Security You Should Know

Please subscribe via Apple Podcasts, Spotify, Amazon Music, Pocket Casts, RSS, or just type "Security You Should Know" into your favorite podcast app.

LIVE!
Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Steve Knight, former CISO, Hyundai Capital America.

Thanks to our Cyber Security Headlines sponsor, ThreatLocker

Cyber chatter from around the web...
Jump in on these conversations

What’s the most trustworthy password manager right now? (More here)

Cybersecurity leaders, I hesitated to post this, but I’m genuinely curious what you think (More here)

Help a newbie understand SSO a little better? (More here)

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.