25 Hard-Hitting Lessons from 17 Years in Cybersecurity

Dive into the no-filter truths from a 17-year cybersecurity career. These straight-shooting insights will help you navigate the intricacies and paradoxes of the cybersecurity industry.

With 17 years under my belt at the time of writing this, I've seen the cybersecurity landscape from just about every angle as a practitioner.

In short - it's been a rollercoaster.

So I decided to put together 25 hard-hitting lessons that could reshape how you approach your career and the field itself.

  1. Your cyber budget is a better mirror of your company's risk tolerance than any compliance checklist.

  2. If you don't know how your company makes money, you don't know how to truly protect it.

  3. Most companies don't pay for security; they pay to avoid fines.

  4. In the theater of business, cybersecurity is a supporting actor, not the main character.

  5. Hate on GRC functions all you want, but they're the conductors of the cybersecurity orchestra.

  6. There's no talent shortage; there's an imagination shortage on the hiring side.

  7. Cybersecurity is 10% tech and 90% diplomacy.

  8. Cybersecurity is easy to do poorly and hard to do well. See above.

  9. You need a job to get experience, but you need experience to get a job. Welcome to Cybersecurity.

  10. The industry loses sleep over zero-days, but it should be losing sleep over missing patches and basic response processes.

  11. It's not what you know; it's who knows you and what you can do for them.

  12. Certifications get you through HR; experience gets you through life. Use a combination of both to your benefit.

  13. Cybersecurity degrees aren't dead; they're just evolving, and so are the hiring managers.

  14. A cert without experience is like a knife without an edge.

  15. Elitism in cybersecurity is just insecurity wearing a different mask.

  16. The fastest way up the ladder is to hop from one rung to another at different companies.

  17. Cybersecurity conferences are better for catching up with colleagues and making new friends than for shopping for new tech.

  18. Too many cybersecurity vendors in your program can be like eating too much fast food - convenient in the short term but lacking in long-term nutritional value.

  19. Security awareness training is like wearing your seatbelt - it won't prevent all accidents but significantly improves your odds in a crash.

  20. Job security in cybersecurity is as volatile as the threats you’re supposed to mitigate.

  21. Saying 'no' as a security professional is easy; aligning security with business enablement is hard.

  22. The echo chamber is real; critical thinking is your only defense.

  23. The more buzzwords in a security product, the less likely it is to solve your problem.

  24. Cybersecurity is not an IT problem; it's a business problem pretending to be an IT problem.

  25. The best risk assessment tools are conversations, not spreadsheets.

The Takeaways

  • Your cybersecurity budget and understanding of the business model are the true measures of risk and impact.

  • Career progression in cybersecurity is a complex dance between networking, real-world experience, and formal credentials.

  • The industry's culture, attitudes, and subcultures are often a double-edged sword—enabling but also restrictive.

I hope this is helpful to you as you navigate your way through the cybersecurity industry. Do you have any other lessons to share? I’d love to hear them!
