Exceptional Promise - Cybersecurity, requesting feedback :)

Hi everyone,

I recently submitted my Stage 1 application under Exceptional Promise: Digital Technology (Cybersecurity) route, and I’d really appreciate any insight or peer review from those who’ve gone through the process or have seen similar cases. I am a bit of an oddball because I am more of an architect than an SOC person (though I do it all!).

Here’s how I divided my evidence across the criteria:
Rec Letters
Letter 1 - Executive Supervisor
Letter from CIO at current organization. Focuses on my sole responsibility for building and leading the organization’s cybersecurity program, including federal compliance, SIEM/SOAR deployment, and significant grant enablement. Highlights leadership, measurable security posture improvements, and trust at the executive level.

Letter 2 - Director of Cybersecurity Education at a Global Awareness Platform
Speaks to my innovation in training design, particularly behavioral gamification and ARG-style exercises. Mentions my potential to scale these methods in the UK, and describes my influence on both internal teams and external audiences. Provides context for my creative, human-centered approach to security culture.

Letter 3 - Strategic Director at a Cognitive Security Nonprofit
Written by a longtime collaborator who supported my doctoral research. Describes my cultural and technical impact through gamified training, compliance architecture, and APT defense. Talks about my work’s resonance with UK cybersecurity strategies and future plans for a consultancy focused on nonprofits and behavioral resilience. Strong on both innovation and UK alignment.

CV
3-page CV focused on cybersecurity leadership at a nonprofit research center. Includes sole responsibility for federal-grade security architecture (SIEM/SOAR, NIST 800-171), $125M in NIH grant enablement, APT mitigation, and a mix of technical, behavioral, and public-facing work (e.g. training, speaking). Highlights impact, promotions, and UK-relevant skills.

Personal Statement
Personal statement outlining career journey moving from doing SONAR in the U.S. Navy to beginning my cybersecurity career in 2021, to becoming cybersecurity lead at a genomics nonprofit. Emphasizes human-centric approaches, behavioral training, policy innovation, and long-term plans to consult with UK nonprofits and universities. Ties work to UK needs with a clear focus on accessibility and social impact in digital tech, and aligns with UK cybersecurity initiatives (CyberFirst, etc.).

Mandatory - Emerging Leader:
Proof of high compensation and promotion: Evidence of salary 28% above UK market average, plus promotion to Information Security Manager.

Invited conference speaker: Solo (invited) speaker at the AIRI national conference (shared cybersecurity track with Cisco vCISO).

Competitive public speaking: Selected speaker on cybersecurity topics at Furry Weekend Atlanta (~15k attendees) for a behavioral cybersecurity talk, had to apply to speak and be selected from a competitive track. Included this to show reaching out beyond conventional spaces to make an impact.

Board-level and External recognition: Praise from CIO, peers, and a board member (former Verizon CEO) after achieving a top-tier security rating from two outside, unaffiliated orgs - with documentation on the top tier ratings.

Optional Criterion 1 - Innovation:
Gamified security training program: Designed and implemented an immersive training experience with a 99% approval rating utilizing novel formulae quantifying data that is normally only qualitative. Showed snippets of my formula, industry averages for risk prone percentages and then my org risk percentage as determined by an outside org, 19% lower than the standard.

Innovation Award: Received organizational award for redesigning cybersecurity awareness training using narrative and game mechanics, included this despite being from my org because the award is org wide, and I work at a research institute with genomic scientists literally curing cancer, so non-genomic scientists very seldom get recognized by this. The award is done via selection committee of previous awardees and you must be nominated by someone else to be considered. Amplified this impact by including a letter from a UK educational institution I presented my processes to last year.

Peer-reviewed publication: Solo-author published a journal article proposing adaptable, human-centered cybersecurity policy design during COVID. This publication is peer-reviewed, but is a policy journal, but I felt it important to include just to show more thought leadership.

Optional Criterion 3 - Significant Contribution as Employee:
SIEM/SOAR and vulnerability program owner: Built and managed entire detection infrastructure and triage response as a one-person security team for a 70PB hybrid environment. Included screenshots of a few of my SIEM dashboards.

Prevented state-sponsored APT attack: Implemented controls that mitigated a critical exploit that was attempted to be weaponized by an APT before the attack occurred (confirmed by CISA). Provided documentation of notification, JIRA screenshot of the vulnerability being patched 10 days before the attack, and my memo to the board about the attempt and resolution.

Wrote SSP that secured $150M in NIH funding: Developed NIST SP 800-171-aligned security documentation that enabled contract approval. This process includes risk management, infrastructure design, cross-functional leadership, etc. Provided documentation of the award amount, requirements, and non-sensitive snippets of what I developed.

A few things I’m wondering and would love thoughts on:

My work is largely from a single organization (a U.S.-based nonprofit genomics research institute). Unfortunately, I don’t have a terribly high amount of free time to do too much outreach (but I try!) due to being the sole cybersec person here. Do y’all think what I have, and how I have woven my narrative is enough to satisfy diversity of contribution? Additionally, the org’s primary means of keeping the lights on is through genomic sequencing for outside clients (which I am leveraging as product driven), which funds the ability to continue doing research, and I am hoping that isn’t going to look like too much of a stretch. Every piece of evidence has a short narrative bit tying it to my CV, statement, etc.

I’m worried a harsh reviewer might discount some innovation evidence as “internal only” or dismiss my public speaking venues as overly unconventional (e.g., Furry Weekend Atlanta). Is that a known risk?

Anything else people notice, positive and/or negative, feel free to respond!

Happy to offer feedback in return once I’m through the process, just trying to get a sense of whether I’ve covered my bases or should prep for appeal scenarios, my anxiety is through the roof!

Thanks in advance, and good luck to everyone applying :)

Timeline so far:
Submitted May 5, 2025 - 12:56 EDT
First Edit: May 8, 2025 - 08:23 EDT
Second Edit: May 8, 2025 - 17:48 EDT

Why are you looking for views when you have already submitted? Just wait for the outcome, no suggestions matter at this point.

Namely so I can begin prepping adjustments, I have a bit of a time gate on my end, so I would rather be prepared and not need it than to start preparing potentially weeks from now when I get a decision.

The work of it helps with the anxiety condition, lol!

What are you preparing for, given you’ve already submitted?

Mostly if there are any glaring weaknesses I could start shaping up in the event of rejection.

Fair enough. Unfortunately just a summary of the evidence isn’t enough in this scenario. You need to get the application properly reviewed by someone.

That’s valid! I figure that is good news in and of itself, as the direction of what I’ve chosen isn’t sparking immediate concerns.