The Spanish National Cybersecurity Institute documented ransomware campaigns targeting Spanish speakers using natural, regionally appropriate Spanish generated with AI assistance — delivered through Google Drive links disguised as financial documents. The social engineering worked because the language read correctly. A monolingual analyst reviewing that email in a log sees foreign-language content and flags it by pattern or script. A bilingual analyst reads it and identifies the technique.
That is not a soft skill. That is a detection capability.
Spanish is the second most spoken language in the United States. The attack surface that represents is not theoretical. Cybercriminals are using AI to generate phishing content that bypasses the instinct that catches poorly written foreign-language email — the grammar errors, the odd phrasing, the word choices that signal machine translation. A Spanish speaker receiving a well-crafted phishing message in natural regional Spanish has fewer automatic defenses against it. The security team monitoring that environment has fewer automatic defenses against missing it.
Security awareness training that runs in English only is not measuring actual exposure. The employee who clicks through a phishing simulation was not careless. They were trained in a language that is not their primary one and processed the material at a disadvantage.
I have taught AP Computer Science and Cybersecurity for years. Explaining a security concept in Spanish to a student who struggled with it in English changed how they absorbed the material. The concept did not change. The language it arrived in did. That dynamic does not disappear when students become employees.
My background in Spanish is not conversational. I learned Spanish at home before I learned English. English came in PreK and kindergarten. We never spoke English at home, which means no accent in either direction. From first grade through twelfth, I took Spanish every year — writing, reading, and literature — alongside every required English course. Fourteen years of formal instruction in both languages at the same level. That is not a line item on a resume. It is a functional capability that monolingual candidates cannot replicate.
What hiring managers overlook when they pass on bilingual candidates for security roles is specific. The bilingual analyst can conduct security awareness training in Spanish for Spanish-speaking employees. They can communicate with a Spanish-speaking user during an active incident without a translator in the chain. They can read threat intelligence from INCIBE and other Spanish-language sources. They can identify social engineering techniques in Spanish-language phishing content that the rest of the team processes as noise.
None of that is incidental to the security function. All of it closes gaps that exist in the team whether or not anyone has named them.
If you are bilingual and your resume treats it as a footnote, the Resume + LinkedIn Review is $97 and examines whether your profile is presenting what you actually bring to a security role.
Written by Mario Martinez Jr. (ku5e / Gary7) | TryHackMe Profile | ku5e.com/blog