A friend of mine runs security hiring at a mid-sized fintech. Last year he told me about two finalists for the same role.
The first had the résumé you’d design in a lab: a master’s in cybersecurity, a stack of certifications, top marks in every course. The second had a community-college diploma, no master’s, and a GitHub profile: a scrappy collection of scripts that pulled alerts from an API, auto-triaged them, and posted a tidy summary to Slack every morning. Nothing fancy. Just things that worked.
They hired the second candidate.
When I asked why, my friend shrugged. “The first one could describe security. The second one had already done it. I could picture him solving a real problem on day one. I couldn’t picture the other one doing anything I hadn’t assigned.”
That conversation has stuck with me, because it captures exactly how cybersecurity hiring has changed, and why so much of the conventional advice is now quietly out of date.
For a long time, the path looked simple: Get a degree. Learn the theory. Earn a certification. Apply for a job.