I see many job postings asking for someone who is ‘passionate about cybersecurity.’ Enthusiastic. A team player. Positive attitude preferred.

And maybe I’m being a bit click-baity here, but they’re hiring for the wrong thing entirely.

The person you actually want exhibits the following:

• Upon receiving a beautifully wrapped gift, immediately wonders who sent it and why.
• Who reads a terms and conditions update and assumes something has quietly gotten worse.
• Who looks at a system that has been running fine for three years and thinks: that’s suspicious.

Optimism, in security, is a liability. Not because optimists are bad people, but because optimism requires believing things will probably be fine. Security requires believing, with some conviction, that things probably won’t be.

Most threat modellers I’ve met are usually not fun at dinner parties. They have already considered four ways the evening could go wrong before the starter arrives. They are not catastrophising… it’s just how they’re wired.

The industry keeps mistaking cheerfulness for competence and then wondering why its detection rates are poor. A happy person sees a login at 2am from an unusual IP and thinks: probably fine, someone working late. The other kind sees the same alert and starts pulling logs.

Passion fades. Suspicion is structural.

Hire accordingly.