Would you hire someone who's experienced a major security breach?

Absolutely; there are so many things that can lead to a security breach it would be unfair to disqualify them because they went through a breach. I would further the points raised already that a breach is a great learning opportunity.

We always say: It's not a question of if, it's a question of when. I think all companies have gone through breaches, it’s just a question of severity—maybe you were lucky and it wasn’t a major incident, or it didn't reach your crown jewels. You don’t have to disclose these breaches, but there is no such company that hasn't gone through them. We hire more on a fit, and look for people willing to learn from experience. So if they are a fit, then going through a breach is just something to learn from. You know what not to do, which is equally important sometimes, especially in the security area.

I would definitely hire someone who has experienced a breach. You don't really have real world experience until you've been through something like that. And it’s not just the technical response but all the business learnings you gain, which you can use to help prepare the organization for the next time it happens. It might make sense to look for someone that has gone through a breach just for that reason.

I would hire someone who’s experienced a breach because it is a great learning experience. If you interview someone and you can tell they learn from experience, then it's very valuable, so I wouldn't hesitate to hire someone that went through a traumatic episode like that and learned.