Years ago, I was hired into the IT Leadership Development Program for a multinational manufacturing corporation. These kinds of programs are not uncommon for larger organizations, serving as a means to bring in fresh talent and expose them to different functional areas over time, all while fostering the growth of skills and business acumen. My program, just like others that exist in corporate America, was a 2-year commitment where you, as the enterprising college graduate, rotate across four functions within an IT department. The aim of such programs is that new hires gain experience across technical areas that would’ve have encountered otherwise, eventually settling into a role that fits their skillset and meets a business need. Specifically for the one I went through, a parallel focus was placed on mentorship, where a senior people leader in IT would help shepherd you through your first couple of years.

I underwent four rotations during my time in that development program: (1) networking, which was what I enjoyed most, (2) SAP development, (3) security, and (4) business intelligence/analytics. Networking was something I had studied and practiced in my college classes but I had never been involved in much security work or business analytics in my internship, let alone ever seeing something as monstrous as a global SAP deployment. The networking toil of troubleshooting, hands-on pulling of cable and racking-and-stacking equipment was something I enjoyed. I had some fantastic mentors on that networking team who were also incredibly generous with their time and, fortunately for me, very understanding when it came to working with rookie network admins like myself. But, that six-month rotation onto the Security Team was when I caught the security bug and started looking into security-related trainings.

The security world boasts a cornucopia of certifications on top of a seemingly endless amount of trainings, ranging from free or low-cost to full undergraduate degrees. Among that sea of available training courses, the SANS Institute stands out. I’ve been eyeing an opportunity to jump into a SANS course ever since.

So, when I had the chance to sign up for one, you can bet I jumped right to the front of the line!

Here, I’ll share insight of my SANS training, my study efforts, and my experience with taking the GCIH exam.

Important: What this post is *not* about

Anyone and everyone aiming to earn a certification of any kind hops into Google and types the phrase, “how to pass gcih exam” (lowercase and everything, amirite?). I know I’ve done this for every certification I’ve earned, plus the ones I’ve never even attempted. For me, I’m either looking to tips ‘n tricks or simply doing some research into what the materials and exam entail.

But, there are some people out there who are looking for the easy way out.

This blog post, my friends, is not an easy way out. Nothing in this article you’re about to read will disclose anything that I’m not authorized to share.

The SANS Institute, just like any other legitimate certification body, has a strict zero-tolerance policy for the sharing of course materials or questions/answers from exams.

Any information I share about SANS training or the GCIH exam will all tie back to publicly available information, albeit dappled with insights formed through my own experience. Hopefully you’re not reading this looking for an easy way out, but, just in case it needs to be said, you won’t find anything like that here. This SANS course was wonderful and I only wish to help future students learn from my experiences.

Now, on to the fun stuff, I say! Huzzah!

Why I pursued the GCIH

Selecting the right SANS course for me

In my current work as a security engineer, I find myself bouncing constantly from one thing to another, just like most other security professionals I know. Most of my day-to-day fun involves running security operations, so you never know what you’re going to run into (which is both really cool and really terrifying at the same time). I’ve come to realize that the typical work tasks are the easy part, but, for security pros, incidents demand that you’re ready to execute at your highest level of excellence.

I’ve long been fascinated by incident response, asking myself such questions as:

• What is incident response best practice? Or, is there more than one way to handle an incident in the best way?

• How do high-functioning teams tackle incident response efforts?

• Why is incident response something that most organizations struggle with?

• What skills are required to be a top-notch incident response professional?

When I got the chance to take my first SANS training, the SEC504 course, Hacker Tools, Techniques, and Incident Handling, I was drawn to it right way. The syllabus, detailed here on the same page, outlines a strong mix of the theoretical and the practical.

Even before signing up for anything or putting money down, you can see exactly what you will be learning when you take the SEC504 course. Under the “Course Syllabus”, each “section” shows you a full day’s instruction or focus, including whether or not there are hands-on labs involved.

I love and appreciate this level of transparency. When you are requesting that your employer pay for your training, you need to bring receipts (literally). Anyone who has requested training from an employer knows that the more information you have, the better. SANS does a fabulous job of arming you with well-articulated reasonings to help you justify why your employer should invest in you by purchasing this course.1

For me, as someone with some security and IT experience with an interest in incident response preparedness, this seemed like a great way for me to jump into something I’m interested in while exploring things I wasn’t too proficient at, like attack techniques.2

The GCIH certification

Most SANS courses have a certification based directly on that course’s material. Whenever this is the case, SANS tells you so at the top of the main information page, like here for SEC504:

“Why isn’t it called the, ‘GIAC Certified Incident Handler Certification (GCIH)’ course instead?” I thought the same thing! I mean, does the class itself boost your resume, or the certification? The certification. I remember wondering why the class doesn’t focus on the certification, like most of the security training world does for things like Security+, CISSP, etc.

However, I came to realize that the separation between course and the associated certification is much, much better. When you take a SANS course, the entirety of that course is focused on the material.

The material of any given training should focus primarily on theory, concepts, context, and giving you hands-on practice, not on just passing the exam.3

And SANS did a great job of that based on my SEC504 experience.

Joshua Wright, course author of SEC504 and the instructor who taught my class at SANS Boston, rarely mentioned the exam and I loved this. I’ve taken other week-long trainings before that were geared more towards something like, “Alright, so here’s how you’ll pass the exam… Remember these tips ‘n tricks for the exam,” while my SEC504 experience was more akin to, “We’re more concerned with helping you learn these concepts and making sure you understand how to apply them.”

The result? I was a more confident student because I felt like I was gaining knowledge and skills, not just a paltry toolbox for passing a test.

By separating out the course from the associated credential, every SANS student, whether they are pursuing a certification or not, stands to gain equally from the material presented.

To be in-person or not to be in-person… that is the question

Should “in-person” be hyphenated? I have no clue. Hyphenate the planet!4

There are both in-person and virtual (“OnDemand” as listed by SANS—they don’t include a space, so don’t judge me) options when selecting a course. I selected to learn in a physical classroom with the instructor and other learners

I chose in-person because:

• I wanted to minimize distractions

• Traveling to new places, even if you’re spending 99% of your time in a classroom, is really fun.

• When learning, I like being in the same room as the teacher.

  • I’ve done live trainings where I’m a remote learner but there’s an in-person group, too. It seemed as if the in-person crowd was much more intimate, which I prefer.

  • Being able to interact with a teacher in the flesh, eye contact and all, is so much of a difference in my experience when learning.

• I get energized by those learning around me!

  • All walks of life will likely be in your classes (management, executives, foreign government workers, tech company employees, security people, non-security people, etc.)

  • It’s motivating to me when I’m around other serious students. You can ask each questions and meet/get to know new faces.

While I chose that option for myself, the SEC504 course did have a remote cohort learning at the same time. Here are some things to be aware of with SANS’ live, virtual class:

• The instructor teaching the class has a camera and microphone setup, so all students can see them, the slides/screenshare, and hear them clearly.

• Designated chat apps, set up by SANS for students, is available to all for discussion and live asking of questions.

• In SEC504, there was a designated Teaching Assistant. This person was highly qualified and able to help with answering of technical questions, assist with labs, etc.

• Students attending remotely means that they can experience the live course from anywhere in the world.

SANS OnDemand

No, you eagle-eyed reader, “OnDemand” is not missing a space! That’s how SANS has branded their online learning option.5

After completing the six-day SEC504 class I had the OnDemand course made available to me as part of my learning package. Just like the experience of in-person learning with SANS, this was my first time taking in their virtual material.

I was quite surprised by the quality of the OnDemand instruction! Particularly:

• *Zero difference in the amount of content or caliber of content!

  • I was in class for every minute of instruction while in-person and also watched the entirety of the OnDemand course. If anything, the OnDemand content held more detail than what I experienced live.

  • It gave me confidence that the virtual SANS experience could be just as powerful as the in-person one.

• High quality sound and video. The instructor is mic’d up at all times and, at least to me, understandable and clear.

• Screen sharing is also clear, as are presentation slides.

  Thanks so much for reading! I write this free of charge for all. Subscribe to show support and get notified of future posts.

  
  

Studying & Procrastination

Studying has long been my nemesis. I’d like to assume, or, rather, choose to believe, that everyone else is like me and has difficulty studying on most days.6 Not being good at studying has less to do with being a good or bad student and more to do with motivation. If you don’t feel compelled to study or aren’t driven to study, then what’s the point? Why pretend to study if you’re not really getting anything done?

I have never been the best student. Go back in time and ask my 4th grade teacher and she’ll tell you the same.

Where I find success in learning new things is by separating out the motivation requirement and replacing it with discipline. I then couple discipline with the thing that I do best in this world: procrastinate.

Next I’ll breakdown how I studied and why I feel that procrastination is something to embrace.

Studying

Study Materials

For the GCIH exam I relied solely on the official study materials provided by SANS as part of the SEC504 course. These materials included:

• Printed course books

  • For SEC504, I believe they totaled over +1,000 pages.

  • Digital copies are also made available to students.

• OnDemand course videos

  • You may access course videos through the browser or through the phone app.

  • I found the phone app incredibly helpful as you can listen to just the audio or watch the videos like normal.

• Virtual machine (VM) files

  • These were compressed, yet still quite sizeable. SANS gives you a heads up that you’ll need over 100 GB of hard drive space and they’re not kidding.

  • There were supplemental materials included, too, but the vast majority of what you download and install is VMs.

That was it! I didn’t see the need in purchasing or looking up additional materials not produced by SANS.

To be honest, I’ve had great luck with the official course materials for certifications. If the certification body (SANS, Cisco, CompTIA, etc.) publishes an official study guide (almost all of them do, by the way), then you know that you hold all of the information that could be found on the exam itself.

Study Approach

1. Watch or listen to the entire course via OnDemand.

   1. I did this while shooting hoops, vacuuming, working out at the gym, and raking leaves. If you’re able to learn something from a podcast while performing another activity, then this could be a great for you, too.

   2. The virtual course was incredibly rich with detail. It felt as if I was back in the in-person class.

   3. The videos helped me realize what topics I was familiar with and, more importantly, which ones I was not familiar with. I’d be mowing grass or something, listening, only to stop midway through Joshua Wright speaking through my headphones. “Alright, so I definitely have no clue about pivoting…”. Those kinds of mental notes were so helpful.

2. Practice the hands-on labs.

   1. I personally didn’t have to get the GCIH certification. I was more concerned with actually being able to do what’s covered in the material. The labs were my favorite part!

   2. In Joshua Wright’s SEC504, he’s prepared a variety of labs ranging from bite-sized labs all the way to lengthy, meaty labs that involve multiple systems. In this case, there was bonus material included with each lab as well additional tips ‘n tricks in the labs themselves.

   3. I cannot emphasize enough how important it is for you to gain familiarity with the material through hands-on work.

3. Create an “index” for use during the exam.

   1. GIAC exams are notoriously open book. However, if you believe that you can waltz into an exam unprepared, believing you will be able to lookup every answer, you are dreadfully wrong. Those 4 hours go by faster than you may think. There’s simply too much material for you to not prepare at all. Do you think, without studying, that you can find a given answer amidst 1,000 pages or more?

   2. If you’ve never heard of an “index” in this way, here, an index refers to a document you create that tells you where a particular topic, keyword, tool, or command is discussed within the SEC504 books. This is the trick to helping guide you as you thumb through materials come exam time. You can print this out and take it into the exam with you.

   3. This took several hours. I didn’t do a marathon session of index creation. I chiseled away at it, bit by bit, thumbing through every page of the course material.

4. Take a practice exam *WITHOUT* an index. Yes, that is my advice!

   1. Why you should try the practice exam without an index:

      1. You’ll quickly get a taste for how prepared you actually are. When you hit questions you don’t know how to answer, what do you react? Do you get frustrated or anxious or anything like that? It’s critical to train your mind and body for how to handle situations where you’re uncomfortable (not knowing something) and are under pressure (time constraints + many more questions, possibly).

      2. You may be familiar with a topic or tool, but how much can you execute from memory? It’s like being on stage in an acting rehearsal and going off-book for the first time. There’s a massive gap between having your next line on the tip of your tongue versus knowing the lines and being able to perform when the time comes.

   2. I took the first practice exam without and index, knowing I wasn’t fully prepared at all. I’m not kidding when I say that those 4 hours went by faster than I could count while also being extraordinarily difficult to fight through.

      1. I did excellent with the written portion by looking everything up, yet I chewed up tons of exam time leaving no time at all for the several hands-on questions (aka CyberLive in GIAC parlance).

      2. What was funny was how the hands-on portion felt like my most confident section, but I ran out of time leaving some questions unanswered. This was a valuable lesson in both preparedness and time management.

   3. Unless you’re just wicked smart (“wicked smaht” for my New England friends),7 you want to be well aware of your strengths and weaknesses. There’s no need to fool yourself into preparedness. Just take the time to prep and be willing to learn where your weaknesses lie, knowing you can then improve those areas.

   4. Seriously, this is perhaps the best thing that I did and I learned so much.

   5. I passed by the skin of my teeth and that was without completing a handful of CyberLive questions at the end. This showed me how much more I needed to study and how unprepared I truly was.

5. Take the 2nd practice exam a few days before the exam, this time *with* your freshy minted index.

   1. Don’t take a practice exam the day before and definitely not on the same day. Even if you don’t take advantage of the full 4-hour time period, completing an entire practice exam requires lots of mental exertion. You’ll be tired, both mentally and physically.

   2. Taking it close to the exam allows you to treat it as a dress rehearsal for the real deal, while also giving yourself time to rest before the big test.

Procrastination

If you somehow are magical and do not procrastinate, (1) I don’t know how on Earth you do it, and (2) I know you’re most definitely not me. Growing up, I’d always heard mention of procrastination as a negative thing. I know I interject humor throughout these posts8, but there are potential positives to procrastinating! I love Psychology Today’s articles, including this one where they explore how procrastination can be a good thing.

Now that I’ve sold procrastination as an important skill, let me complain about why I hate it sometimes. Motivation is not permanent and us humans are biologically engineered to take the easy way out.

The couch and a Playstation sound like a lot more fun than reading those boring course books. Yes, of course you simply must rewatch all prior seasons of “Stranger Things” on Netflix prior to the series finale. Throwing back a brewski while watching the football players do football things is a heck of a lot more attractive than realizing you don’t know how to prevent name resolution in Nmap scans.

In my armchair-psychologist of an opinion, it’s about balance.

You should replace motivation in your studies with discipline instead. That way, it’s not about listening to your heart for when it’s time to get to work. No! You know that taking 20-30 minutes to practice labs or watch/listen to the course will help you more than doing nothing.

You’re not a machine, so you do require time to take your mind away from work, studying, or whatever else. Do non-security, non-study things: take a walk, play video games, lift weights, lay on the floor and count the ceiling tiles, soak in the glory that is The Great British Baking Show. Just like your body requires sleep, your brain requires rest, too. Procrastination can sometimes help steer you towards non-work activities as a means of balancing out your more brain-intensive activities.

Discipline is not easy, don’t get me wrong. And procrastination is something I struggle with, most definitely. As a tl;dr here:

• If studying is hard for you, chunk out your study efforts in small increments. This has been huge for me! Work to do something related to your studies for 15, 20, or 30 minutes, then walk away.

• Make time to do things for yourself, don’t try to force your efforts. Garden, bake a cake, hang out with friends and family, hang out away from friends and family, just do something that recharges your brain batteries. Treat yo’ self and refresh yo’ self.

Reframe “procrastination” away from something that’s purely negative and into something that, in moderation, can help you achieve greater success within your studies.

Procrastination is my best, natural talent, so let me know if you want any tips. :)

Taking the GCIH Exam

I chose to take my GCIH exam at a local testing center. It’s the same one that I went to for my Cisco CCNA years ago, so I was familiar with the location.

There are plenty of YouTube videos and Google results for choosing the best location for your exam, so I won’t go into that here. Personally, I wouldn’t spend too much energy worrying about what location to pick. Regardless of where you decide to go, you’ll be a larger room with multiple people and be using a PC with a standard keyboard/mouse at a tiny cubicle.

Exam Tips & Advice

Based on my experience with this exam and others in the past, here are my recommendations:

• Take off time from work for the test

  • If you’re able to, take the day off of work. The exam is 4 hours long and you’ll need to travel to/from the testing center. That alone is a full day!

• Select a time that works best for your daily routine

  • Seems obvious, I know, but it’s important.

  • Consider: when you go to bed, what time you normally wake up, when/if you can take off work, how to accommodate schedules or your partner or dependents

  • For the GCIH, I selected a time that was an hour-ish before my normal lunchtime. I knew that an appointment late in the morning would give me time to sleep, time to eat a breakfast, and time for my coffee to kick in and give me magical, caffeine-powered intellectual energy (not a thing).

• Schedule the exam far out enough for you to be sufficiently prepared

  • While you have permanent access to downloadable course materials and all of your printed materials, you have take your exam within four months!

  • Some people prefer to take such exams very soon after the course, while some (like me) prefer the flexibility of scheduling it out into the future.

    • A word of caution: Be UN-like me and don’t set aside the material for a long time after the class (which I did, unfortunately). Give yourself time, but keep the momentum with the material by picking an exam time that’s not too far out. If I had to do it again, I’d pick an exam like 1-2 months out from completion of the course.

• You can—and should—take breaks!

  • GIAC affords you 15 minutes of break time. This can be taken all at once or across a maximum of two breaks for a total of 15 minutes.

  • Honestly, I didn’t think I’d need them, but when I took a quick bathroom break about two hours in it felt amazing to stretch my legs.

General advice

• Practice the material—Practice. Practice. Practice.

  • Practice can be reading. Practice can be creating/memorizing flashcards. Practice can be running a lab. Practice can be creating colorful tabs to attach to your books. There’s endless room for you to be creative and figure out what works best.

  • The point, though, is that you’re doing something with the material. Doing something is always better than nothing, right? So, do it!

  • I didn’t use flashcards for this test, but I know that many find them highly effective.

• Strengthen areas of weakness, maintain areas of strength9

  • After you complete the course, immediately take note of where you’re weakest. This will be helpful as you’ll know what you need to work on more and what you may already be confident with.

  • For me, this was basically everything offensive: Hashcat, vulnerability exploitation (SQLi, SSRF, XSS, etc.).10

My main takeaways from this experience

The SEC504 course and the GCIH exam placed a glaring spotlight on my knowledge and skills as a security pro.

What I realized most was how much weight I had placed on theoretical knowledge versus practical knowledge. I knew what SQL injection was, in theory, but I hadn’t tried exploiting it before. I was familiar with the broader concepts of the incident response steps recommended by NIST, but I hadn’t considered how an organization could work to move away from a purely linear process to introduce greater flexibility. I knew was Metasploit was, yet I’d never really fired it up and used it before.

I’ve long been fascinated by hacking, so getting my hands dirty with some of the basic tools of the trade was just so, so fun. I loved it! I realized that the hands-on, practical portions of the course were my absolute favorite.

Overall, this experience was a blast.

Not only did I build some technical chops, I did so using offensive tools in a way that has bolstered my confidence as a security professional focused on defending others from harm. SEC504 doesn’t cover everything, not at all, but for me it was a big step in the right direction. I built upon existing theoretical knowledge and gained much more theory in new ways, all while solidifying a skillset I didn’t have before.

Life is interesting, isn’t it?

Our lives have a clever way of stimulating us through the experience of these funny things called “feelings”, whatever those are. These dastardly little emotions, as I’m told they are called, pop up throughout the day like a neverending haze of mental gnats in one’s noggin.

In Atlas of the Heart, Brené Brown provides a list of 87 such feelings that “define what it means to be human”; love, hurt, amusement, betrayal, pride, joy, fear, connection, reverence, humility, envy, belonging; that feeling one gets when they’re not sure whether they used a semicolon correctly or not.

Ever since I saw Clint Gibler’s opening keynote at BSidesSF 2025, “Sharing Vulnerabilities”1, I have been on this kick of trying to reframe the security profession in a more human light. In his talk, Clint challenged everyone to embrace the vulnerabilities of our humanity, not run away from them. I walked away from that talk thinking more about how security professionals should care to look out for one another’s humanity, just as much as we strive to protect and care for the focuses of our work.

The fwd:cloudsec 2025 conference did not have me experiencing most of the negative emotions listed by Brené, but I did feel a wide range of emotions as I sat and listened to the material presented and most especially as I reflected on what I had learned.

In a feeble attempt at a segue, I wanted to share the feelings, thoughts, and takeaways I experienced at this year’s fwd:cloudsec 2025 conference.

What is fwd:cloudsec?

Pronounced, “Forward Cloud Sec”, fwd:cloudsec is the shorthand for the Forward CloudSec Association, a 501©(3)2 non-profit organization focused on cloud security. fwd:cloudsec, founded in 2019, brings cloud security professionals together once a year for an annual conference, hosting an event in North America since 2020. 2024 saw the first year of a fwd:cloudsec conference in Europe.3 Full information and recordings for each talk are available through their archives.

This year’s North American conference was held in downtown Denver, Colorado, occupying the entire third floor of the Embassy Suites.

The focus

The stated focus of fwd:cloudsec is, “At this conference you can expect discussions about all the major cloud platforms, both attack and defense research, limitations of security features, the pros and cons of different security strategies, and generally the types of things cloud practitioners want to know, but that don't fit neatly into a vendor conference schedule.”

This truly was a practitioner-focused conference. All talks held technical content. All talks were given by security practitioners. Some talks were presented by founders/co-founders, yet all of those founders or business leaders were still practicing technologists. These ingredients came together nicely for two full days of talks that were relatable to practitioners.

fwd:cloudsec says that they are vendor agnostic and this proved true, as there were talks that covered all three of the major cloud service providers.4

The non-profit entity also aims to provide support for open-source software, with several talks either mentioning the use of open source tooling or announcing the release of new open source projects.5

All talks were categorized according to one of the four categories created:

• Mapping the frontier: supporting new clouds and technology

• Surveying the wilderness: attacks and vulnerabilities, defensive practices

• Packing your gear: tools for operating safely

• Forming a fellowship: organizations and community

  • I think this category was lone-wolf as there was only one talk here

The format

Over the two-day conference, the majority of talks given were held in a “lightning”-style format, covering a maximum of 20 minutes. This meant that both the talk itself and the question-and-answer session with the audience had to take place within that 20 minutes of time.

I enjoyed this format so much! The resulting experience for me was feeling as if the day had flown by while also feeling as if I had absorbed as much content as I possibly could. I took much more away from speakers trimming down talks to 20 minutes than I have at most conference where speakers soak up 50+ minutes of time.

By fwd:cloudsec prioritizing brevity, I think this forced speakers to chip away at unnecessary details and focus on what they thought were the most substantive bits of their subject matter. Some speakers had to cut out live demos for time, while some speakers limited spoken word in favor of demonstrations.

There were a handful of longer, 40-minute talks, which is a timeframe more in line with what you see at most conferences. I could tell that these speakers were handpicked, since they seemed experienced, knowledgeable, and well prepared for the time they were allotted. One first-time speaker, Naor Haziz, did such a nice job with his talk and live demo that I would’ve never known this was their first time speaking.6

The end result was a wide range of experiences as a listener where everything carried a meaningful focus, which made the event much more enjoyable.

And I don’t think I was alone in feeling this way, as many of the talks prompted insightful questions from the audience, a strong sign that attendees were engaged with material presented.

The speakers

Many different walks of life took the stage at fwd:cloudsec. I saw co-founders, CEOs, CTOs, security researchers, and security engineers, among others. These professionals came from companies large and small. The full list of speakers at fwd:cloudsec 2025 is available for you to check out.

I don’t often enjoy talks given by speakers who are leaders at a company. This isn’t because their experiences are any less valid or that they don’t have technical skills to contribute (definitely not the case at fwd:cloudsec), it’s just that leaders often seem to aim their talks to other leaders; the primary goal is to catch the ear of a leader who makes purchasing decisions, not to keep the attention of a practitioner. However, I didn’t get that feeling at fwd:cloudsec, which was a wonderful surprise! The general vibe was much more like a local BSides that was aimed only at cloud security topics.

RSAC Conference and Black Hat USA loom over smaller security conferences like the behemoths that they are. I find myself hunting for meaningful talks to attend, often striking out and/or feeling as if the material lacked a practitioner’s focus. I didn’t get that feeling at fwd:cloudsec, as very little of the conference itself felt like a waste of time at all. If I was sitting in a room listening to a talk, I was soaking in something interesting about 85% of the time.7 Rarely, if ever, did I feel as if someone was talking over me simply because I didn’t hold decision making powers.

Takeaways from fwd:cloudsec 2025

IAM is a big, big problem

…and IAM not kidding around when I say that.8

Identity and access management (IAM) is a massive problem regardless of company size, industry vertical, or the cloud service provider in question. Talk to any security engineer with any amount of experience and I’d bet they would agree with the sentiment that IAM is hard and that there’s no one-size-fits-all approach to the problems that IAM present.

Nine different talks included explicit mentions of IAM in their title or in the abstract of their talk. So out of 42 talks, over 20% of the them involved IAM as a direct point of focus.

This comes as no surprise to security practitioners, who all seem to struggle with the complexities and nuances of IAM permissioning. Jason Kao, founder of a cloud security startup, shed light on the fact that Amazon Web Services alone offers 18,000+ permissions for use across 200+ services in his talk, "The Duplicitous Nature of AWS Identity and Access Management (IAM)”. That’s an insane amount of configuration options, which means that there is an incredible amount of room for misconfiguration. Now, what if you have a multi-cloud presence, or if your company engages with more than one cloud service provider? The complexities involved increase exponentially. In Jason Kao’s case, he outlined how AWS alone provides extreme granularity, but how the granularity itself can make application of that granularity quite challenging.

I’m not sure what I was expecting, but I can say that I didn’t expect to hear so much “IAM” speak at a technical conference. I guess it helped to remind of just how technical IAM is and can be, with a reassuring nod from others, a pat on the back that no one has this whole IAM thing figured out.

IAM is hard

As we’re all pushed to adopt new technologies faster and to create and push out new products more quickly, we have to understand that it’s paramount to include proper permissioning. The final 40-minute talk I heard, “What would you ask a crystal ball for AWS IAM?,” by Netflix’s Nick Siow, gave me two takeaways:

1. IAM is hard and it’s especially hard at scale, and

2. It takes keen, focused effort and the willingness to tackle IAM head-on as a technical challenge.

I’m definitely guilty of placing IAM towards of the bottom on my mental list of “cool things in tech”. This year’s conference has me looking at IAM with a new level of importance.

There’s no escape! Oh wait, whoops. Yes there is…

I saw two talks centered around “escapes” of different kinds: (1) container escape, and (2) hijacking, or, “escaping” low-privilege roles to take on higher-privileged roles from other containers.

The first talk on escaping, reported and presented by researchers at Wiz, was a pretty cool one, featuring a container escape vulnerability present in NVIDIA’s container toolkit. Because this toolkit has been widely adopted, it allowed the researchers to hack 10 different cloud service providers (CSPs) through this one vulnerability. The presenter, Andres Riancho, talked about their experiences with three different CSPs out of the 10 involved, Azure, Replicate, and Digital Ocean. It was interesting to hear how each provider reacted differently (Replicate’s blue team detected the lateral movement, shutting them down) and how far they were able to go with each verified exploit (Digital Ocean’s environment allowed for full service takeover). The full service takeover hearkens back to IAM and permissions, as permission limits were not set to prevent the hack from being successful (like Azure, where they were unable to gain cross-tenant access).

• Check out Wiz’s full blog post for full details, How Wiz found a Critical NVIDIA AI vulnerability:  Deep Dive into a container escape (CVE-2024-0132)

In the second talk, ECS-scape - Hijacking IAM Privileges in Amazon ECS, Naor Haziz did an interesting deep dive into how he was able to discover a similarly over-permissive state with containerized environments. As a new speaker, Naor was wonderfully engaging, tossing in lots of humor on top of his technical talk that culminated in a short demo of the exploit. Here, similar to above, a lack of hardening made the attack possible. He offered advice for general protections against this:

1. implement task-level hardening

2. minimize task role permissions

3. separate high-privilege and low-privilege workloads

Isn’t it funny how containers, something intended to house something else, was the thing highlighted multiple times as being unable to successfully house something else?

The ‘S’ in LLM stands for ‘security’

As in, there is no security in LLMs.9 That’s a phrase pulled off of a slide during Jeremy Snyder’s talk, “Challenges Around AI-as-a-service Logging” (I wish I was that clever).

I wasn’t shocked to see that AI crept up many times across the talks I listened to. The rest of the world is doused in AI so it would make sense that security professionals are, too.

Considering the logs of AI services, Jeremy Snyder, founder and CEO of FireTail, painted a picture of a task that’s seemingly impossible—getting proper logs of AI services used across your company and workforce. Snyder talked about how difficult it was to both collect logs and to analyze logs dynamically. Gathering logs is a challenge because you can’t log what you don’t know exists (“shadow AI”, services unknown to security and IT teams).

Then, automating analysis across logs is tough because, as he outlined, there are vast inconsistencies in logs from service to service, then even inconsistencies across the same logs in the same services.

Estimated that 90% of AI use across companies falls under shadow AI

If you’re reading this and thinking that endpoint-based solutions are the answer here, there are issues with that approach. Namely, you’re at the mercy of the logging mechanisms for whatever endpoint security agent or DLP system you have in place. Snyder described how endpoint agents are great at capturing network requests made, but usually truncate log data to limit the amount of bandwidth needed to send that data to the main system.

The point I appreciated most was when he said, “Things are likely to get worse before they get better.” I didn’t view that statement through the lense of FUD (fear, uncertainty, and doubt). I took it as a refreshing bit of honesty because I feel that he’s right. Security practitioners need to be ready in case things don’t magically improve on their own. And, even if they’re not prepared in full, the acceptance of things getting potentially worse can allow them to move on more quickly towards solutions when going gets tough.

The atmosphere of modern business is rich in its thirst for adopting new technologies and scarce in desire to secure those new technologies. I know, I know, we need to move quickly, scale more aggressively, and pump out products so our businesses can grow, but at what cost, in terms of security? I’d argue that the cost is incalculable because you can’t calculate what you don’t know, simply because there are so many unknown-unknowns when it comes to securing AI.

I know I mentioned “FUD” before and I surely do not want to be a contributor to that! I strongly believe that it’s possible to embrace the potential power of new technologies while still allowing yourself to think critically.

Hey, no worries, AI don’t know what I’m doing either

Get it? “AI” instead of the word “I”? Ugh, maybe this is a sign that I need to wrap things up…

When it comes to AI, I was comforted by the realization that no one speaker has perfected it within the realm of cloud security. And, let’s face it, since 99.9% of us are using AI-as-a-Service tools, all of those fancy AI apps fall under the umbrella of cloud security. There were a few talks at fwd:cloudsec that discussed how to approach securing AI, plus how to incorporate AI into security-type tasks.

Jake Berkowsky of Snowflake described how to approach MCP server security in his talk, “Securing Remote MCP Servers”10. He mentioned MCP servers as simply a spec for writing APIs with documentation built-in; while it is technically a new thing, his point was that we should just look at it through the view of API security, not as something completely unknown. Berkowsky advised the use of an API gateway to offer protection and inspection, plus the incorporation of session restrictions at both the server and client levels.

One really neat talk centered on how to train LLMs to detect anomalous activity in cloud logs. Yigael Berger, technologist and entrepreneur, walked the audience through how LLMs take in log data, how they might handle structured log data, and how they can be trained to handle log data more effectively. Using a tool called Transformer Explainer, Yigael showed how changes to the context provided to the LLM generate different levels of probability for the “correct” output. He showed how he has found increased success with LLM-assisted log analysis by using LLMs that are trained specifically for logs. He acknowledged that this wasn’t a perfect process, since any changes to the logs themselves would necessitate a retraining of the underlying model used for analysis, which isn’t a scalable process at the moment. However, his talk gave me hope that future LLMs could help security teams/security products pull out meaningful insights from structured data more easily.

We use AI to write the code for new things, we leverage AI to help secure those things, then it’s only natural for us to use AI to analyze logs for everything right?

GRC, representing at a cloud security conference?

I was pleasantly surprised to see AJ Yawn’s name pop up on the fwd:cloudsec schedule, and not only was I surprised to see his name (as a GRC pro & person of influence) but I was excited to see that he’d be talking about GRC Engineering.

In his talk, “Introducing GRC Engineering: A New Era of AWS Compliance”, AJ came right out and said that GRC is changing and that GRC professionals have a unique opportunity to level up their technical game. Instead of coming in after the fact, through audits and reviews, or before the fact, through planning and policy, there’s space for GRC pros to insert compliance mechanisms directly into the tech stack. Rather than making recommendations that tech teams implement, GRC people can take the bull by the horns and equip themselves to implement such compliance checks themselves. He had some harsh criticism about SOC 2 audits11 that I agree with, but his main point was that SOC 2 control checks identify many things that could be automated or auto-detected prior to the audit. He’s advocating for GRC teams to be engineering enablers, not a burden to engineering staff come audit time.

I’d be remiss if I didn’t callout how AJ’s talk coincided with the release of his new book, GRC Engineering for AWS. Check it out and connect with AJ on LinkedIn. I’m sure he’d love to hear feedback on the book.

Overall, a fantastic conference

Remember when I talked about feelings earlier?

I felt a range of feelings while attending fwd:cloudsec:

• Wonder

  • There are a lot of really smart people out there in the world. Most of the talks were impressive, both in terms of substance and speaking ability.

• Comparison

  • I’ll be honest—I see the work of others and I immediately compare it what I do, or what my team is doing. That leads to other feelings, but, if I’m honest, I feel it!

  • I found myself thinking, how does what I’m hearing compare to what we’re doing? What are we doing right? What could we improve, based on this info?

• Trust

  • I felt as if I could trust the word of the speakers I listened to and the people that I chatted with. You can recognize when someone’s on top of their game, and if they’re willing to share some wisdom with you then you better be open to learning!

• Belonging/Connection

  • As a chronic sufferer of imposter syndrome, I relish opportunities to feel as if I belong. At fwd:cloudsec, the overall vibe, the friendliness of individuals and vendors, and the talks themselves made me feel as if I belong. Not necessarily that I’m on par with the technical abilities of the people I’m surrounded by, but that my existence as a security practitioner matters.12

  • That feeling of belonging is powerful. I found myself wanting other people in the security world to feel it, too.

• Excitement

  • In general, I walked away from fwd:cloudsec excited about the possibilities of the cloud security space and the work being done from all kinds of security professionals.

  • I’m motivated to continue learning and dive back into some cloud-focused studies.

While I think that BSides San Francisco is the absolute best bang-for-your-buck security conference in existence13, I now have to say that fwd:cloudsec comes in at a close second. For just over $100 USD, you get two days chock full of talks.

Did I mention that the lunches were delicious? Who knew that you could eat a salad for lunch and still have an awesome day?14

But seriously, overall, I found this conference to be an amazing experience that was well worth the trip. In two days’ time I got to listen to several talks, meet new professionals, and actually enjoy a conference where vendors weren’t literally grabbing you to pull in sales leads.

So, massive kudos to the Forward CloudSec Association for the conference product you put on for others. I’m already looking forward to next year.

Summer has descended upon us here in the United States and the flowers are welcoming the season in full bloom. Unless, of course, said flowers have the unfortunate privilege of being under my personal care, where—it pains me to say—many plants have fallen victim to my lack of care.

Regardless, I noticed the other day how some of my flowers that are somehow still alive have bloomed recently are blooming later than others. These flowers are no less beautiful than the flowers that blossomed earlier in the season, they are, you know, just fashionably late to the party.

Some people, like our fauna friends, are anticipatory and able to glide into the currents of the time at their peak. Does this make the late bloomers any less meaningful? No, not at all. In fact, late bloomers often bloom after many other blossoms have faded. It’s as if different kinds of plants are in an ecological tag team match, trading places to maximize effectiveness from those precious rays of sun.

And so, just like how some flowers bloom late in the season yet still thrive, and just like how my voice didn’t drop until sophomore year and yet I somehow survived high school, I present you with writings that come after the cool kids have already done the same.

Together we will walk through the Verizon Data Breach Investigations Report to explore the findings uncovered within. I’ll also share some opinions of my own because, well, this is a blog and what good would a blog be without opinions? I didn’t just scan headings in an attempt to point out the obvious, I sat down to look for specifics in the report that jumped out to me, hoping to find points to elaborate on and discuss.

The goal was to organize my notes into something useful that could help guide someone else’s understanding of the full report. An analysis of the analysis, a study of the study, an investigation into the investigation, an examination of the actual examination, a breakdown of the lowdown as written through the voice of a security practitioner with too much time on their hands.

I now introduce you to the Verizon 2025 Data Breach Investigations Report (Report).

This one’s for you, fellow late bloomers.

The Verizon 2025 Data Breach Investigations Report (Report)

Like the annuals freshly planted each year, Verizon gifts the cybersecurity community with an annual, crisp, ever-so-creatively designed report called the Data Breach Investigations Report (DBIR—I’ll refer to it as “DBIR” from here on out). And, in a world that grows more and more concerned with cybersecurity, this report provides security practitioners and leaders with valuable insight into real-world incidents. Data driven, statistical information is critical for security leaders as they communicate with business leaders, boards, and communities.

These insights aren’t conjecture on the part of Verizon. No, not at all! They are backed up by cold, hard data supplied by a variety of cybersecurity industry partners.

First, some housekeeping

The Verizon team includes guidance on how to properly cite the data, graphs, facts and figures for those individuals who would like to cite their report (hey, they’re talking about me!). I must cite the source of this write-up as the “Verizon 2025 Data Breach Investigations Report”. It’s been a million years since I looked up how to formally cite something, so, here goes: aside from a few smidgens of outside sources, everything in this article is sourced from the Verizon 2025 Data Breach Investigations Report. I do like to define words with links to additional material and the inclusion of such resources, aside from the DBIR, will be clear.

The Verizon team also points out a few more important details when it comes to referencing the report:

• They ask that people not directly distribute the report (as much as I would like to)

  • Go to https://verizon.com/dbir, enter your name and email, and a PDF magically appears

• “Exact quotes are permitted, but paraphrasing requires review.”

  • I will include quotes and aim to make it clear when I’m offering my own information as additional color to the Verizon data

  • I’ll put on my best-fitting journalist pants here and make sure to do this properly

    • No, I don’t actually know what “journalist pants” are. Are those made by JNCO Jeans1?

    • Verizon, please yell at me as appropriate.

• Figures and graphs are free to use, as long as they’re presented as they are in the report.

Basically, anyone can use the DBIR as a source as long as proper citation is provided, as requested, and that the materials found in the report are not altered in anyway. This is why they ask to review any paraphrasing, aiming to preserve the integrity of the report itself.

Do yourself a favor - stop, take a second, then download the full report! My poor man’s prose may have already turned you away, but I promise that the original report is well worth your time. If you do keep reading (hugs to you), you can look the information up yourself as we move along.

Alright, enough housekeeping. Let’s get this party going!

A picture is worth a thousand words

Does anyone know who actually said that line? I sure can’t find anything.2

Anyway…

In August 2020, Randall Munroe hit the nail on the head with his comic, “Dependency”, published on his marvelously simplistic website, XKCD.com. “Dependency” is a funny comic, sure, especially if you’re at all familiar with what open source software is and how the for-profit software sector relies on way too much on freely available software packages.

Where Munroe hits the bullseye dead in the center is in depicting the size of an individual piece of open source software in proportion to the rest of the software product that relies on it. The first half of the joke is that all of the digital realm is overly reliant on a tiny piece of software outside of their control, with the second part of the joke being that some hapless Midwesterner is keeping that code up to date with no recompense at all from companies profiting off of their work (oh god, did I just explain a joke… yikes, sorry about that).

The comic above can be used to tell the story of other critical dependencies in tech, too. That’s where the artwork for the Verizon 2025 DBIR comes in.

No, the cover art for this blog post isn’t the original art (you’re just all the unlucky victims of an affordable subscription to Canva and the fact that I do not have a social life).

Look at the actual DBIR cover and see if you can spot any similarities between Munroe’s “Dependency” comic and what the artists chose to illustrate:

It’s pretty darn similar, right?

Though, rather than software dependencies alone, that red, towery-thing was designed as a depiction of heavy third-party involvement as “ever-present” across breaches in 2024.

According to the authors, the Verizon DBIR design team “rose to the challenge of representing the balancing act an organization’s security programs have to perform with the growing dependence on those third parties.” And

“If the impossibly balanced shape on the cover makes you uncomfortable, you have begun to understand the challenges modern Chief Information Security Officers (CISOs) face in the current environment.”

That shout of “Amen!” you may have heard was voice of every security leader from here to Timbuktu cheering in unison.3

If you’re in security, name me one security program that doesn’t rely on:

• Third-party tooling

• Open source software (maintained outside of the organization)

• Third-party intelligence

• Third-party software to business and/or product operations

• Thoughts, prayers, and creative incantations, hoping that your organization isn’t the next target of some threat group’s ire

Okay, so I’m kidding with that last one (sort of), but could you think of anything? I sure couldn’t. That’s because the reality is, whether by the natural state of things or by us all becoming victims of genius marketing tactics, that third-party tools make the security world go ‘round. Even if such tools aren’t owned by security, third-party tools are deployed across every business.

Each and every third-party connection or integration represents an extension of the attack surface for a given organization. That’s just how the world works nowadays.

I applaud the design choices this year, but I do think that the Verizon DBIR team missed the mark in giving kudos to Randall Munroe.

Howdy, pard’ner!

One major thing that sets the DBIR apart from other reports in the security industry is the reliance on data sources from other reputable organizations aside from that of the publishing organization. Other companies do publish wonderful work, yet their work is usually catered towards their ideal customer profile and/or limited to only the data they have through their company or their product. While, yes, Verizon’s own data is included in the report, the DBIR relies heavily on outside contributors to provide information.

These datasets come from around the world, spanning several governmental agencies (United States Secret Service, CERT-EU, National Cybersecurity Agency-Thailand) and a breadth of tech companies, including many recognizable names with massive global footprints (Okta, Zscaler, Akamai, Tenable, Qualys). This diversity of inputs allow Verizon to have an extremely rich set of data, providing for a unique glimpse into security attack trends around the world.

A few general thoughts

Before we dive into the waters that Verizon made warm for us, I wanted to share a few overall impressions of the DBIR as a whole.

Personality, style, and overall fabulousness

I LOVE the personality sprinkled throughout this report. The primary focus is on objective analytical insights, yes, yet the DBIR team finds room to pepper their personalities here, there, and everywhere while still giving us the statistics we crave. I love it. The incorporation of a more approachable writing style makes the report fun to read while still painting the picture of what the data was describing over the past year. Many of the headings are clever and the bulk of the paragraphs are a mixture of direct, objective writing and witty banter amongst nerdy colleagues.

There’s also clarity of tone across the document. I’m not sure if the DBIR team are all trained writers, or if their work was edited to be as clear as possible, but there’s no mistaking when the team is giving us a chuckle versus when they are telling us something serious. I took this writing style as a major learning moment and something I’d love to emulate as I keep writing my own things.

Footloose footnotes

Footnotes are either something to be avoided or something to be looked at without actually reading—but, let’s face it, you saw the footnote and just had to take a glance, only to lose your place in the text, then you realize that you may not have been paying attention to what you’re reading for the past 5 pages or so (ADHD, anyone?).

I typically look forward to reading footnotes with about as much zeal as I give towards a 30-foot long Walgreens receipt. “Hold my beer,” says the Verizon DBIR team.4

Here’s an example of the playful footnotes they used to garnish their prose—even lacking context, the personality is plain to see:

Some papers are written with the personality of a bloated whale carcass.5 The DBIR is a prime example of how you can incorporate a healthy helping of pizzazz while still saying important things effectively.6

So many charts, so little time

In past years, I’d be lying if I said that I did anything more than skim the DBIR for the cute little charts, maybe scooping up a headline or two along the way so I sound intelligent in some future conversation. The DBIR team goes out of their way to paint fashionable charts with lots of color, likely because, I’m assuming, most people are just like me and are scrolling through to see the pretty pictures. Behind every one of those “pretty pictures”, though, is troves of data and lots of analysis.

Having data alone is a great first step. Having data that is relevant and useful is a solid Step #2. Then, perhaps most important, is knowing how to relay that data to others in a way that both (1) accurately depicts the objective interpretations supported by the data itself, and (2) helps you achieve your aims.

If you want a super big, gold star for using data awesomely, then you’ll find ways to add pretty pictures into your PowerPoint slides. The Verizon DBIR gives us all a masterclass in how to do this through innovative data visualization. Watch and learn, folks!

The bummer is that not all charts are created equally well. I was looking forward for the “Industry” breakdown section, where the team breaks apart the data set in accordance with the various industry verticals. Here, they produce these gigantic charts that, while interesting, are extremely difficult to read. In the example below, which takes up a full page in the report, notice how the x-axis is only listed at the bottom of the page, meaning that you have to perform Olympic levels of eyeball ping pong in order to see which column you’re looking at.

For my plebeian brain, this was disappointing. The heat mapping of totals and the level of detail is impressive, yet it’s a bit of an airball to me, like a jump shot that looks perfect as it leaves the player’s hand, even with a perfect trajectory through the air, only for the ball to just miss the rim entirely. The above is an example where perhaps too much thought produced an over-engineered chart which misses the mark.7

I do also like how they include the n=123 (or whatever number) at the bottom of each and every graph, showing the size of the dataset used for that specific measurement. This is so helpful for readers as it prevents people from having to lookup numbers elsewhere, like in footnotes, allowing them to continue moving about the cabin as they read.

Still, even through my peckishness, I thoroughly enjoyed the visuals. Even if you don’t take the time to read the whole report, do yourself a favor and take a look at the stories as told through the charts alone.

Ain’t no party like a third-party party, ‘Cause a third-party party don’t stop

An example of this report’s fabulousness is the first image in the gallery above, shared at the beginning of the report itself, presented under the headline, “It’s third party, and we’ll breach if we want to”. The team took the word “party” and then used birthday cakes in the accompanying chart because everyone knows that you can’t have a party without a cake8. Fab-u-lous.

Unfortunately, less fabulous is the heavy increase in third-party involvement in this year’s data set. The DBIR states, “we found third-party involvement of some sort in 30% of all breaches we analyzed, up from roughly 15% last year”. That means that there was some form of third-party contribution to data breaches9, not just to more incidents more broadly.

The birthday cake chart is just the first of a 1-2 combo as they then hit us with how 81% of third-party breach involvement involved vulnerability exploitation (System Intrusion). Companies of all sizes struggle with vulnerability management, so why should a company’s vendors be any different?

The difference is huge. When one company relies on another company as a vendor, particularly in B2B SaaS, there’s both contractual obligations and implicit trust. The contractual obligations part is literally what the vendor promises to deliver in a binding agreement, while the implicit trust occurs as no one is keeping tabs on all vulnerabilities for all of the vendors. The customer trusts that the vendor will do what’s needed in order to keep their house in order.

Vendor security assessments and vendor risk assessments are an impartial science at best. Even those companies with the strongest vendor security posture are susceptible to third-party events as soon as that first connection is made from between one product and another, or, as soon as they begin entering confidential data into that product.

Third-party software providers have to balance the need to expand their product and their customer base with an expanding landscape of vulnerabilities across their own third-party services and software dependencies.

If you are providing software to another company, you are responsible for identifying, tracking, prioritizing, and remediating vulnerabilities within your product. Period. As the Verizon DBIR states, “although there are a lot of mitigating controls and factors to help prevent a breach initiated by a software vulnerability from happening, the core issue—the vulnerability even existing—links back to the software vendors.”

Some of these third-party weaknesses could be easily solved through improved software development hygiene. Credential reuse is, sadly, a gray cloud that continues to hang over all companies, though it was shocking to see them say, “our research found the median time to remediate leaked secrets discovered in a GitHub repository was 94 days.”

The median time to remediate leaked secrets discovered in a GitHub repository was 94 days10

Zero-day vulnerabilities are one thing. Taking three months to pull published secrets from your repo? That’s another thing.

Want to be even more upset by that statistic they uncovered? Look at the chart of the dataset below.

If you’re currently working as an engineer and you’re not shocked by the chart above, I don’t know what to tell you.11 I’m not sure about you, but an incident like what is shown above would be a big deal at any company that I’m familiar with and would likely be for yours, too. Third-party risks are finicky and pervasive enough without poor software development hygiene revealing preventable problems.

Third-party risk—the gift that keeps on giving!

Your information classification destination

One of the meatiest sections of the report is titled “Incident Classification Patterns”. Pages 37-6512 categorize the incident data into generalized terms that are approachable to most. I recall a time where I didn’t know what these terms meant, so I’ve included links that hopefully help introduce the category to someone new to the field:

• Basic Web Application Attacks

• Denial of Service

• Lost and Stolen Assets

• Miscellaneous Errors (falls under insider threat13)

  • I like Crowdstrike’s use of “Negligent insider threat” for this one

• Privilege Misuse (intentional insider threat)

• Social Engineering

• System Intrusion

  • Includes ransomware and malicious software/malware

• Everything Else14

  • This is a very small percentage of classified activity

“These incident patterns serve to cluster the similar incidents into categories that make them easier to understand and recall,” they say, and I agree. I think this categorization is helpful to readers.

Check out this chart where they depict all of the different categories, separating incidents from breaches, showing us which types of activity occur for each. Super cool.

Need a guide? This report shall provide

Well, not this report. Not mine, but the cool Verizon one. You know what I mean.

The caboose attached to the end of each category is recommendations from the Center for Internet Security (CIS). CIS flexes their technological muscle to create and share free resources like the CIS Controls and CIS Benchmarks, made available to all and references by most security tooling.

Here, the team lists CIS Controls that may help detection, mitigation, and/or remediation activities for that given genre of attack type. What a blessing! If a particular category catches the eye of the reader, then, poof! There are easily referenceable materials to help improve your company’s security posture in that area.

The inclusion of freely available, meaningful control suggestions makes this report immediately actionable.

You may look at the control listings in the report and think that some are pretty simple, if not obvious. Though, I have trouble recalling a time when the small things weren’t included in a breach report or root cause analysis. Often the obvious controls are the very routes that provide an inlet for initial access or a slew of other actions.

System intrusion

For “system intrusion”, they explain how it’s an intentionally broad category, saying, “System Intrusion encapsulates all the breaches and incidents that leverage a diversity of techniques, predominately hacking techniques and malware, with a dash of Social Engineering. Think of this pattern as the ‘hands on keyboard’ type of attackers, in which they’re using a combination of automation and craft to breach organizations’ defenses and compromise their environment, largely with the purpose of deploying Ransomware, which accounts for 75% of breaches in this pattern.”15

They make a point to highlight ransomware payments, which is particularly interesting given the addition of cyber insurance data into the dataset this year. Decreasing from last year, the “median ransom paid comes up as $115,000.” It’s funny how they choose the phrase “comes up” to showcase a metric that has objectively gone down, but who am I to judge?

The team takes care to mention Magecart in this section, which is a piece of malware that vacuums up sensitive information, namely credit card information, from victim e-commerce sites. “They represent 1% of System Intrusion breaches and 80% of breaches involving payment cards.”

Wow. I’ll be honest, so much of my security life has revolved around attack vectors at the enterprise level that I often forget how prevalent cyber attacks are at the consumer level. The compromise of a single payment card for a single person carries the potential for devastating consequences, especially in the United States. Effective software like Magecart only makes easy targets even easier to victimize.

• Guidance from the U.S. Consumer Financial Protection Bureau, “What do I do if I’ve been a victim of identity theft?”

Trust, you must, even if I am sus

-piciously, potentially, just maybe-ly not who I say I am.16

Social engineering gains prominence as the second category brought into the spotlight of the DBIR. And for good reason, as 85% of the 4,009 incidents17 involving some form of social engineering resulted in a data breach. Think about an 85% success rate in any sport in the world: a batting average of .850, kicking the ball into the sports net 85% of the time, making 85% of your three-pointers in basketball, heck, even 85% of your free throws would be a huge deal. That’s an incredible statistic.

Stalwarts like phishing and pretexting take the cake, still (remember how we talked about the small, little things?). Criminals leverage these methods because they are incredibly effective.

Why would I spend my blood, sweat, and tears trying to gain entry from a technical standpoint when I can just give you quick call, send you phishing email, or hit you up on LinkedIn pretending to be someone I’m not?

For social engineering, I love Rachel Tobac’s work, insight, and approach in teaching others. Here’s an interesting Q&A that she did with HackerOne, with a million other bits of content involving her work elsewhere online. She’s great and you should follow and support her! Check out her company, SocialProof Security. We need more empathic security professionals like Rachel on this Earth.

Have you ever found yourself analyzing a report, then writing a report on that report you were analyzing, only to see that your report on the report is almost as long as the report itself? Well, that’s me. Right now. In this moment. Thank you for bearing with me thus far!

Different attack patterns for different industries

The second-meatiest section of the Verizon DBIR is that entitled “Industries”. Using the North American Industry Classification System (NAICS), something I didn’t know existed until reading this18, the team separates the data into applicable chunks within each industry. They unpack a lot of information that I will not regurgitate here (fortunately for us all), so it’s worth a glance.

I found the introductory table fascinating in and of itself. You can see the separation of “incident” versus “breach”, business size, plus industry category.

What I found myself doing for all of these stats is looking at the total number of incidents and then the total number of breaches for each respective point of focus. I’m struck by the efficacy of some incidents in regard to their ability to cause a material breach of data.

Look at Healthcare above. 1,542 out of 1,710 total incidents resulted in a breach. That’s an incredible success rate. Another, albeit smaller group, was Retail, with 439 breaches out of a total of 493 incidents. These are startling numbers.

Perhaps, like many of you, I have benefited from experience in more than one industry vertical. I found myself thinking back to the different companies I’ve worked for, thinking, “What would {XYZ company} have done?” as I read through each industry.

As I move on to my next point, please do not take my limited writings on the “Industries” section as a minimization of it’s importance. There’s another table on pp. 71-72 that spotlights actor motives, top attack patterns, and the types of data compromised.

Empathy for all those in security

Perhaps my most meaningful takeaway from this report, above all else, is how much more empathy and compassion I felt for my colleagues across various industries, namely those in the healthcare and education spaces.

Think about it: while healthcare rakes in an insane amount of money each year, I am not aware of any healthcare institution with cyber capabilities that rival other security-heavy industries, like international banks. Sure, some of the larger healthcare chains may have mature security departments, but how does that compare to smaller healthcare chains, single hospitals, or under-funded rural health providers?

If you’re a criminal that’s simply looking to make money, would you try to take down Goliath immediately, knowing the high amount of effort it may take, or would you strike at the target that’s less defended. It’s not rocket science. Threat actors will strike at whatever prey is available and the continued use of ransomware against healthcare providers is proof that many criminals do not care about the wellbeing of patients.

Similarly, educational institutions are quite likely to be extremely budget conscious while coming under increased fire from malicious actors. Security teams at colleges and universities around the world, with but a few exceptions, do not have tons of cash at their disposal to spend in the event of a material incident, especially a breach. A disruptive cyber incident may result in an increased security budget in the end, but that’s not to say that budget increases alone are enough to curtail the threat, let alone ease the burden of stress on security practitioners.

I’m walking away from the 2025 Verizon DBIR with a heavy heart. Not a defeated heart, mind you, just an increased awareness that other cyber defenders are encountering perilous situations on a constant basis. In an industry like security where stress is an unwanted yet omnipresent benefit of the job, we should take care to reach out and make sure everyone is okay.

40,000. What does that number mean to you?

Numbers are thrown at us from all directions, every day, whether we like it or not. They’re a constant presence in our lives, our actions, and our thoughts. So what comes to mind when you think about numbers? Maybe it’s the cost of something you saw in an ad, reading the time, trying to pretend you actually brush your teeth for two minutes every time, or maybe numbers are that series of digits on your weight scale that seem to creep higher and higher each time (is it just me?). Numbers are unavoidable. Numbers have meaning. Numbers have power.

Now, what about that 40,000—Did anything come to mind?

Maybe you thought about money, thinking about how $40,000 is just shy of the average starting salary of teachers in the United States. Maybe Wikipedia’s definition of the number 40,000 came to mind, which is, literally, I’m not kidding, the “number that comes after 39,999 and before 40,001”. Maybe you recalled that 40,000 is the number of McDonald’s franchises around the world. Or, maybe you thought about the 40,000 calories eaten by one man in order to experience what a tiger shark’s diet is like (this is real).

Regardless of what may have come to mind, 40,000 means something specific when it comes to RSAC Conference. Here, 40,000 refers to people. 40,000+ human people descending upon one city and one conference, all for one purpose—cybersecurity.

I, as a human person, was one of those human people.

Let’s jump into what RSAC had to offer this year, as well as my take on what topics were top of mind, as well as my experiences on the vendor floor.

40,000+ people is a lot of people

40,000—That’s over twice the capacity of the Chase Center (where the Golden State Warriors play) and almost 2/3rds the capacity of Levi’s Stadium, where the 49ers do their sports-thing. 40,000 people is a heck of a lot of people.

In the context of RSAC Conference, that means that 40,000+ cybersecurity professionals gathering together to listen to talks and gain industry know-how. RSAC Conference attendees range from the unemployed and the entry-level all the way up to corporate executives and government officials from around the world. In 2025, RSAC boasted 730 speakers across 450 different sessions, along with a maze of vendors. 650 vendors, to be exact.

To be fair, the real number of attendees this year is actually around 43,500, but once I found that story about a man eating 40,000 calories, I just had to keep it at 40,000 for coolness reasons.

NOTE: If “RSAC Conference” seems potentially redundant, it’s not; it’s actually on purpose. RSAC went through a formal rebranding in 2025, updating their name to “RSAC Conference” from the previous “RSA Conference”. This updated naming also helps to distinguish between RSAC and RSA Security, a separate entity.

Those 43,500+ attendees get funnelled into San Francisco’s Moscone Center, an enormous complex of what is three separate buildings, Moscone North, Moscone South, and Moscone West. In 2025, RSAC added a fourth location into the mix, the YBCA (Yerba Buena Center for the Arts). This gave RSAC a nice, second stage for keynotes so they can hold large talks in two locations.

2025 Areas of Focus

Artificial intelligence AI-n’t going anywhere

“Old McDonald had a farm - AI, AI-Oh!”

The consistently hot theme across 2023 and 2024 was AI and, drum roll, it’s still AI. AI is everywhere and that was definitely the case at RSAC. The San Franciscan air itself hung thick with AI. A million different ads across buses, bus stops, windows, walls, and airports clamored for attention, all shouting about some kind of AI capability.

Of course, “AI” is a really broad term, isn’t it? I mean, at least it is to me, where I’m at like Level 2 out of 100 when it comes to deep knowledge of artificial intelligence systems (and I don’t think I’m alone). “AI” can refer to any manner of artificial intelligence and is unhelpfully non-specific. Most of the material that I experienced was approachable and not very technical, but keep in mind that there were many, many talks covering this topic. The subgenre of “Artificial intelligence/Machine learning” included 130 sessions.

Dozens and dozens of talks this year fell under some kind of AI-related theme, indicating that there is both heavy interest and heavy concern about the how to secure this sprawling AI landscape.

As business leaders and teams buy more and more AI products, do security teams know all of the risks involved?

Do teams know how to secure these AI systems or implement governance mechanisms that help ensure proper use?

For AI, RSAC sessions covered such topics as:

• AI tools are introducing new attack vectors

  • Tools, like code copilots, introduce novel attack vectors

  • Since most organizations are not building their own LLMs, are they aware of how LLMs themselves can be weaponized or poisoned?

• Managing risk as AI proliferation continues

• Unrestricted models like FraudGPT and WormGPT are enabling less technical threat actors

  • Minimal intelligence + simple prompts can equal exploit code they wouldn’t have the know-how to produce

• Governance concerns

  • Your company has AI tools deployed, but do you have governance mechanisms in place? Do you have applicable policies in place, let alone enforceable policies?

What I found validating was that other security professionals are very concerned about AI systems in general; how do we keep our companies, our colleagues, and ourselves secure?

Geopolitical & regulatory impacts

It’s no secret that companies must conduct business in accordance with laws and regulations (duh, I know), but how do companies translate such legalese into actionable guidelines? Laws like GDPR outline what must be in place, but it doesn’t detail how companies reach compliance. That is up to individual companies to implement or not implement. With non-compliance penalties that force companies to pony up real-world dollars, security and security-adjacent functions are often on the hook.

There are always talks about the intersection of international law and security. I found it interesting that the fallout of the 2020 Solarwinds attack is still top-of-mind enough to warrant discussion in 2025, focusing on the litigation against Tim Brown, the Solarwinds CISO, that resulted from federal investigations. Perhaps this is because CISOs continue to face uncertainty about whether or not they may be held personally liable in the aftermath of a major compromise. For CISOs, the worry alone has to be a tremendous burden to bear.

It’s also no secret that nation states engage in unrelenting digital reconnaissance and espionage, constantly seeking an edge over friends and foes alike. I have loved the talks given by Kevin Mandia, a man who is quite literally in the room after major incidents occur, as he has a unique view into the global threat landscape.

His keynote this year, Cybersecurity Year-in-Review and the Future Ahead, paid particularly attention to China’s state-sponsored threat actors. I found myself shocked at how directly he mentioned China and its ongoing support of cyber efforts directed against the United States. Various reconnaissance and malware campaigns have long been attributed to Chinese-backed APTs, yet Mr. Mandia’s callouts this year had an urgency to them—at least from a U.S. perspective, China has gained footholds across the country, especially within critical infrastructure. Sometimes the motive for infiltration and lateral movement throughout victim organizations is unclear, which is troubling. This year, Kevin also sat down with Nicole Perlroth to have a conversation that is worth the watch (look for it to be released on YouTube this summer!).

One session carried an interesting title, asking, “Autocracy or Democracy: Which is Better at AI?” While I did see this session, I found the title itself rather profound. I don’t think I usually consider different systems of government in regard to artificial intelligence development. I think it’s a fabulous question that is worth pondering.

• What do you think?

  • How might any given system of government better enable technological development?

In the days following RSAC I’ll be watching more of these sessions as I try to learn more about the regulatory and geopolitical realms of cybersecurity.

Supply chain pains

There were 37 talks this year under the subcategory of “Supply Chain”. Supply chain concerns are nothing new to security practitioners, especially with the wildfire of AI tooling that never seems to stop spreading. Supply chain worries are varied and the RSAC sessions reflected this, with topics ranging from firmware, to AI/LLMs, to potential issues with SOC 2 reports.

You can’t run a company today without some kind of third-party supplier, software, or hardware, but the incorporation of third-party technologies is the incorporation of risks outside of your control. For tech companies, the inclusion of third-party code into a codebase is something that should be of paramount concern. Talks this year seemed focused on helping others identify and wrangle the myriad of supply chain troubles that plague security teams.

I’m not surprised that supply chains didn’t get as much attention as AI, yet I’m encouraged in seeing that it’s still a high priority for many professionals.

North Korean employee fraud

Last year, security training company KnowBe4 shocked the world by announcing that they had duped into hiring a North Korean software engineer. Being alive in the late 20th to early 21st century means that you’re likely aware of North Korea’s cleverness when it comes to perpetrating fraud and criminal activity. The ever-connected, online world has opened the door for them to steal and launder funds in order to finance their totalitarian state. The BBC produced a brilliant podcast about this called the Lazarus Heist, exploring illicit North Korean cyber activity.

According to the Google Threat Intelligence Group, KnowBe4 is most certainly not the only victim. North Korea has weaponized remote work and remote hiring practices to trick legitimate companies into hiring North Korean employees. Fake personas and paid middlemen around the world work with the North Korean government to get their workers hired, usually in some form of IT or software engineering capacity. Once hired, these North Korean employees can whatever access is at their disposal to harvest intellectual property, maintain internal visibility within possible future targets, and plant footholds into system for future weaponization or data exfiltration.

I heard this situation mentioned multiple times across RSAC and I feel that the emphasis is warranted.

How can your company best verify potential hires without being discriminatory? What technical and non-technical controls are in place to monitor systems activity and, hopefully, alert to potential malcompliance?

This presents a unique opening for security teams to work with their HR partners to learn about what measures are in place, what measures should be in place, and how such efforts can scale.

Vendor Trends

If you want to know what companies want you to know about their products, I’ll give you a hint: it’s two letters, starts with an “A” and ends in an “I”. Yup. AI continues to reign supreme. The video above is fair representation of my my experience on the vendor floor. If I had played a drinking game where I take a sip each time I saw “AI” then I wouldn’t have made it 5-1/2 feet before passing out.

Those that attended last year’s RSAC may have felt as if they, too, were drowning in references to “AI” but I’d have to say that companies outdid themselves this year with even more AI speak than before. Words like “generative”, “agentic”, and “LLMs” hung in the air like a strong perfume. You couldn’t shake it. You couldn’t even make eye contact with a vendor without them tossing out some sort of spiel about their native artificial intelligence capabilities.

The end result of this AI-centered chaos is rather disappointing.

Think about a time when you were at a bar or a restaurant that had loud music playing, or maybe where conversations were loud and energized, making it hard to hear. Were you able to easily talk to the person next to you? Could you hear what you wanted to hear? Do you find yourself wishing for a different environment where you could engage more thoughtfully with those around you?

For me, the end result was noise. Lots and lots of noise.

There are so many companies singing the same song that it’s impossible to filter through to what’s most meaningful—whether or not a company has a novel approach that solves a problem I/my team/my company is facing.

There are security companies at RSAC that are tackling security problems well. The bummer is that the overly aggressive messaging around AI is starting to get tiring as everyone still seems to be riding the tidal wave of generate AI popularity that shook the Earth in 2023.

The challenge for companies in 2025 is nothing new. Companies need to find out how to rise above the noise to shine a light on the solutions offered within their product.

Pushy salesmanship

If you know me at all, you may not be surprised to know that I find it hard to turn down a good chance at small talk. If I see you, I want to smile and nod. If I talk to you, I want to ask you how you’re doing and have a chat. If someone at a vendor booth offers me something, I usually take it. My personality makes me ripe for the picking out on the vendor floor. I feel like a gazelle surrounded by lions.

I try to jump onto the vendor floor with a purpose. I swear, I really try. While my main interest is the sessions and talks themselves, I have to admit that the vendor floor is a cool place to see. I’ll bop over to the vendor area during lunch or as soon as the vendors are open at the end of the first day (after the keynotes).

Walking around the booths reminds me of how I felt when walking around Toys ‘R Us in the 1990s (RIP, Toys ‘R Us). I’m walking slowly, head tilted up, likely mouth-breathing without meaning to, staring in awe at all of the lights, sounds, and gizmos around me. However, unlike my younger self who just liked shiny things, at RSAC I’m walking around because I genuinely want to find companies and/or products that stick out, that warrant attention. Not because they have the brightest lights but because their solution is worth the time.

There were several times where I was walking around, gawking at the sights and sounds around me, only to be pulled aside by a vendor that I didn’t really want to talk to.

Don’t get me wrong, I understand that salespeople and customer-facing engineers fill these booths and are expected to lure people like myself in to gather marketing leads and potential prospects. They have a job to do. I get it. My issue isn’t with them doing their job, my issue lies with how they go about doing it.

General reflections on vendor experience

Here are a thoughts from my experience with vendors this year:

1. I felt caught in the dragnet (sometimes)

   No, not the cop show from the ‘60s. By dragnet, I mean the manner of fishing which pulls in a large amount of the target catch along with other unintended victims. These victims are usually other wildlife and/or vegetation that simply become collateral damage. This happens because of the chosen method, not because of fishing itself. The vendors that take on this approach just want to lure people in, potentially with some super sweet swag (under the reciprocity rule of persuasion psychology, perhaps), solely to meet lead quotas. I can’t tell you how many times I was scanned, only to see that the booth added no notes to my lead information. The few vendors that didn’t take this approach were thoughtful and used any questions to better guide the chat and demo, at least promising to continue the conversation using context I’d already shared. Pardon me as now I look around for verbal self-defense courses... This experience is nothing unique to RSAC, mind you, as this has been my experience elsewhere, too.

2. Everything, everywhere, all at once

   That’s what the booths felt like—there was so much going on; everything, everywhere, all at once. Blinky lights, full-size monster trucks, 20-foot tall action figures, conversations, laughter, and oh so much noise. I was fine, but it was all overwhelming. I found comfort in the booths that didn’t have amplification or crowding due to booth attractiveness alone. For example, Wiz always has killer booth designs, yet, while there, I was bumping into more people looking at the booth itself than people who were genuinely learning about the product. Crowdstrike is a partial exception for me, here. Yes, their booth was insane this year. However, they seem to always hold their in-person talks at the backside of their booths, away from the other lines and demos. In general, though, the over-ornamentation feels cheap. I think that companies can still have large, attractive booths without overdoing it.

3. Will people remember your booth or will they remember your product?

   Yes, expensive booth investments may garner more leads which may lead to more sales. Yes, branding is a critical part of any business, most especially tech startups. But, unless you’re a large, established org (insert any big security company name here), it appears as if there’s a heavier focus on the brand itself rather than on product quality. If I leave your booth more in awe of the booth than the product that was described/shown, then where’s the return in the long run?

4. I appreciated the catch-and-release companies

   Some companies caught my eye due to booth awesomeness alone. Some companies were ones that I was seeking out intentionally. And some companies caught me off guard by reading my name tag, saying my first name, and making enough eye contact while greeting me that I felt too much pressure to not engage. For those companies where I wasn’t interested in the product but were effective at snagging us security pros as we drifted downstream, I appreciated them for releasing me back into the water. After a brief chat and some back and forth, it’s easy to see whether or not your product is a fit for my use cases. Or, maybe I outright say that I’m not interested. Just because someone is talented at reeling you into a booth doesn’t mean that you have to feign interest in return.

Companies have an incredible opportunity to invest in their sales and marketing strategy. While everyone else is adding more blinky-blinkies and trinkets, you should start with the people on the ground, brainstorming, trialing, and standardizing more effective in-person demonstrations.

Whenever someone new enters a booth, whether warm (where someone approaches the booth) or cold (where a booth rep pulls someone in), booth workers have a chance to set the stage for the conversation. The visitor may have preconceived notions of your company or they may not know your company at all. Regardless of what they know or don’t know, that first interaction that they have with your booth should immediately have them feeling welcomed and listened to. Don’t scan them right away. Make an effort to create a comfortable space between them and your company. If they’re comfortable, they’ll be honest with you, and maybe that honesty is a “No thanks, I’m not interested.” Great! That’s fine. The point is that you’re setting the stage for success on both sides by allowing them room to be honest.

Focus on that first impression and then have the meaningful solution to keep the conversation going.

Negative first impressions are hard to shake, but strong first impressions are just as sticky.

Conclusion

Alright, so this post is already much longer than I had planned (and by “planned”, I mean that loose outline that I was forming while writing this). Let’s wrap this up!

I’ve been fortunate to attend RSAC Conference for the past two years and have really enjoyed the conference. I may have had a lot of feels about my vendor experience this year, but all in all the experience is strongly enjoyable and one that I’ve found fruitful.

With perhaps one or two exceptions, everyone I bumped into at RSAC Conference was willing to have a chat. Every speaker session or panel I attended had the speakers ready and willing to take conversations outside afterward. They are always willing to talk shop, answer additional questions, or offer to connect beyond the conference. Just like a kid who is looking for role models, I’m always on the hunt for security professionals that I can look up to. RSAC Conference gives me the chance to meet my heros in the industry and identify new ones.

There’s an energy that hangs in the air for the two years that I’ve attended. From the expo floor to talks large and small, the overall atmosphere is one of comradery. I guess that an electricity forms when people are united by a common interest and a common cause, charging conversations and opening folks up to new acquaintances and opportunities.

I attend conferences because there’s a motivating humility that comes from being so close to others who have profound levels of expertise and knowledge. I always leave with new ideas, new things to bug my boss about, new concepts, and a refreshed feeling of purpose.

If you’re considering attending, then let me help you—you should! I’ve gained a great deal from my first two experiences at this conference and will be looking forward to many more.

[AUTHOR, seated in his favorite writing chair (you know, one of those wooden ones that look, like, really cool yet uncomfortable), stares intently at his laptop’s screen. The eyes behind his glasses blaze with the fire of confidence, a confidence that rises from knowing he is about to craft another masterpiece, ready to sculpt his words from the marble of the blogosphere. He delicately lowers his hands onto his laptop, like a pianist setting the scene for the first note of Chopin. He begins to type.]

Merriam Webster’s dictionary defines “security engineering” as "isn't in the dictionary"…

[AUTHOR curses the dictionary gods. He lifts his gaze, staring into the distance, shocked that this dictionary-less thing is to be the focus of his next work.]

“Well, crap. No one’s ever started writing something by just copying a dictionary definition. I was sure I’d be the first… Now how am I supposed to start this post?,” he mutters to himself.

Surely there must be something just as brilliant as a copied dictionary definition for him to use?

[AUTHOR coughs gently into his right hand, hoping the reader doesn’t notice him frantically regathering his thoughts]

“Ahem,” he says, betraying his embarrassment ever so slightly.

“Let’s try this again, shall we?”

[AUTHOR begins typing once more.]

Many moons ago, when I first began crossing the river of career change, I remember how unsure I was about exactly what kind of career I wanted in tech. Working my way through school doing IT support, I knew I loved helping people, but I knew that tech support itself wasn’t my passion. I knew I enjoyed networking, especially the hands-on components (both CLI and with physical equipment), yet working with truly passionate network engineers I knew that likely wasn’t my place. Coding was incredibly rewarding and challenging, but something told me that I didn’t want to only program things for the rest of my life.

Eventually, as part of a two-year, corporate IT rotational program, I landed a six-month stint on my company’s enterprise security team. This was my first true exposure to security in a professional context and, through that rotation, I was afforded opportunities to conduct analysis, program solutions from scratch, and jump into real-world incident response efforts. I was hooked. From then on I knew that security was where belonged.

Here, I will dive into what I understand about the world of security engineering from my own experience. Also, I’ll rely heavily on reputable, not-me sources that are freely available so that you can form your own understanding of security engineering, too.

What actually is security engineering?

Raise your hand if you’ve ever started a school assignment or speech with something like, “Webster’s dictionary defines…”. I know I used to! And, while I was trying to give a snarky nod to ye olde tried-and-true method of beginning writing, the first step many of us take is to seek definitions for new terms, right?

Long, long ago, before the world was Google-fied, printed materials like dictionaries and encyclopedias were the first place people may go when seeking information on something new. You could thumb through the pages to get a researched summary about your topic of interest. Even in the early days of the internet, those trusted tomes that sat atop shelves were still what people would visit first, albeit digitally.

But, here we are in the year 2025, where trying to define something as new as “security engineering” is somewhat daunting. There are countless resources available, those well written and not, objective and not, and authentic and not. The challenge is that you, as the gatherer of knowledge, are supposed to determine what sources are reliable.

How does one start? How would you start?

Like any good blogger is wont to do, please allow me a moment to pretend that I have the knowledge coherently:

Now that I’ve gotten that moment of pride out of the way (bless you for letting me do that), here are some excellent resources that help paint a picture of what security engineering entails.

As LeVar Burton used to say in Reading Rainbow, “You don’t have to take my word for it!”

“Security Engineering” - Third Edition

This textbook, written by an English professor named Ross Anderson, was first printed in 2001 and revised twice more before his unfortunate passing in 2024. While Anderson had always made several chapters available for download, for free, through a University of Cambridge website, the university made all chapters fully available a few months after his death (a lovely gesture, I think).

• Download all chapters of this seminal work here

  • Physical copies are available for purchase (I recommend only buying the latest edition with the green cover)

Ross Anderson was a stalwart presence in the global security community and his first chapter is devoted to the very purpose of defining security engineering. He begins Chapter 1 with:

Security engineering is about building systems to remain dependable in the face of malice, error, or mischance. As a discipline, it focuses on the tools, processes, and methods needed to design, implement, and test complete systems, and to adapt existing systems as their environment evolves.

Notice his use of broad terms like “building,” “systems,” and “tools”. As you explore security engineering as a topic, keep in mind how “security” encompasses many things, technical and not, and how “engineering” is not specific to coding alone.

• Think about systems - What are some examples of technical and non-technical systems?

  • How might security factor into those systems that come to mind?

Also, take note of how Anderson calls out the constant need for evolution in security. Very few things in this world remain static and unchanging, so security engineering demands that professionals be nimble, adaptive, and capable of meeting the security needs of the moment.

The opening of this book is powerful as he eloquently states the purpose, need, and expectations of security engineering. His second paragraph continues on:

Security engineering requires cross-disciplinary expertise, ranging from cryptography and computer security through hardware tamper-resistance to a knowledge of economics, applied psychology, organisations and the law.

What a range of skills, right? He goes on to explain why a technical mindset alone is not enough:

System engineering skills, from business process analysis through software engineering to evaluation and testing, are also important; but they are not sufficient, as they deal only with error and mischance rather than malice. The security engineer also need s some skill at adversarial thinking, just like a chess player; you need to have studied lots of attacks that worked in the past, from their openings through their development to the outcomes.

In two paragraphs we have been told that security engineering demands that a slew of skills and acquired knowledge from many different areas. I’m a fan of Anderson’s definition in Chapter 1 because he gets straight to the point. He is telling us all that security engineering is remarkably complex, demanding, and, most importantly, that it may not be exactly what you think it is.

Side note: I swear I read beyond the first two paragraphs.

• For aspiring security engineers and/or security professionals, this book is, hands down, my primary recommendation

  • It’s both FREE and fantastically thorough. For real. It’s a beautiful combo, right?

  • I just wanted to add another bullet—That first reason is reason enough!

  • Seriously, download this book (or purchase a copy).

Let’s jump into another resource for defining security engineering.

NIST

While Ross Anderson’s book above is the best recommendation I can make for anyone, NIST provides perhaps the most succinct and appropriate definition for security engineering:

An interdisciplinary approach and means to enable the realization of secure systems. It focuses on defining customer needs, security protection requirements, and required functionality early in the systems development lifecycle, documenting requirements, and then proceeding with design, synthesis, and system validation while considering the complete problem.

That’s it. Like I said, it’s succinct!

However, look at how NIST highlights “interdisciplinary” in a similar way to Anderson. Security engineering truly demands a focus across multiple disciplines.

Also, I love their phrasing of, “enable the realization of security systems”. In my own terms, I say “building”, but, I’m also not a well-staffed governmental organization full of fabulous professionals with stellar vocabularies. “[Enabling] the realization” of systems may mean planning, may mean research, may mean systems design, or it may mean a thousand other things.

My main point with these first two sources is to challenge your thinking of the term engineering and hopefully broaden your concept of the term.

The GitLab Handbook

GitLab is a code repository management platform that is available both in open source and paid flavors, depending on your use case. Their product relies primarily on Git, a file management system that also allows you to manage the versioning of files under its control. GitLab now bills itself as a wholistic DevSecOps management platform, but, for our purposes here, the main differentiator for GitLab is that you can use their cloud offering or host it yourself on your own systems (as opposed to GitHub, which is cloud-based).

• Interested in learning more about Git?

  • Codecademy offers a free interactive, introductory course: Learn Git & GitHub

• Looking for a completely open source offering for Git?

  • Check out Gogs - 100% free and open source

In addition to making their product open source, GitLab has graciously offered their GitLab Handbook to the world. Their handbook, shared publicly, houses all kinds of knowledge about GitLab from the mundane to the detailed, from typical “company handbook” kind of language to deep dives into internal workings, values, and decision making. For job seekers, GitLab posts detailed information about each role, and not just about the role itself, but every level of that role.

Speaking of levels, GitLab lists Security Engineer roles as a “grade 6” role, an intermediate position in GitLab parlance. You will very rarely see security engineering positions set to a lower grade.

Their handbook is a monstrosity (in a good way), so take some time to swim around.

Fortunately for us, those curious about security engineering, they pull back the curtain to reveal how they define security engineering at GitLab.

What I love about their write up is how they separate hard skills that are necessary for the role, explain the general responsibilities to be expected, and showcase the different areas of focus that exist for security engineers at GitLab. Their general requirements are:

• You have a passion for security and open source

• You are a team player, and enjoy collaborating with cross-functional teams

• You are a great communicator

• You employ a flexible and constructive approach when solving problems

• You share our values, and work in accordance with those values

• Ability to use GitLab

Aside from the final bullet, the rest of this is very run-of-the-mill when it comes to job descriptions you’ll see when job hunting. However, what’s great is how they have made these basic requirements so broad that it opens the door for a wide variety of educations, experience, and expertise.

Let’s highlight a couple of these generic points:

You have a passion for security and open source

If I were to ask you, “Do you have a passion for security?”, what would you say? Do you think that listening to podcasts is enough, or do you have a portfolio that you could share which demonstrates your passion?

• For job seekers, this is critical - take time to reflect, brainstorm, and put pen to paper on exactly how you’d articulate your passion for security.

  • Practice your reply! No, seriously. Stand in front of a mirror and practice. Build your confidence in both material and tone of voice (written or spoken) so that you nail it come interview time. This is especially true for entry level/lower level roles.

The open source community is a global community that is a passionate one in and of itself. While contributing to an open source project is a major feather in your cap, don’t think that you have to be an open source maintainer in order to know about that world of tech. There are many open source products that you can install yourself, run locally, then learn as you go. Simply being familiar with and knowing how to use different open source offerings will add an extra dash of sparkle to your resume.

I know this article isn’t about passion, but, think about it—if you were to say you were passionate about something, could you explain why you’re passionate? In the tech world, you will hear everyone say that they’re passionate about one part of their job or another. Make yourself stand out by being prepared to explain and showcase why you’re passionate about tech.

You are a great communicator

Boy, do I love GitLab so much for including this! Kudos!

As a security engineer, you will be expected to communicate equally well with both technical and non-technical audiences. You may even be expected to share information with broader audiences, or perhaps the entire company. Please don’t be fooled whenever you see that communication skills are mentioned as “soft skills”. The ability to excel in communication is absolutely a hard skill, just as important as coding, and will be vital your career.

• Think - How well do I communicate ideas, feelings, analysis/reports, etc. to others? Is my message clear? What is my tone and how are my communications impacting others? Can I adjust

Now, back to the technical stuff. We’ll keep leveraging the GitLab handbook because it’s awesome (and you should be leveraging it anyway)

Specialties within Security Engineering

GitLab also shares several specialties of security engineering.

This is helpful because, yes, you may be a security engineer, but at most larger companies you will have a primary area of focus. Depending on company size, you may be the only person within that specialty, or, if you’re lucky enough, part of a larger team that’s devoted to one thing in particular.

For the energy impaired (i.e. “lazy”, like me) I’ve included links below to the different specialties they list as I think it captures most of the specialties you’ll encounter in the wild:

Application Security

• The cool kids call this “AppSec” for short (tech has a thirst for three-letter abbreviations of words - it’s a thing)

• AppSec engineers tend to have strong backgrounds in software engineering, if not formal software engineering experience.

• All companies have a given tech stack that they work with and list their tech within job descriptions. AppSec professionals need to have relevant experience and expertise in whatever the applicable tech stack is, or the ability to upskill into the tech of focus.

• This is usually a highly technical role and may be deeply embedded within engineering teams.

  • Some excellent articles on AppSec (listed as the respective publishing company):

    • Palo Alto Networks, Wiz, GitHub, Okta, Snyk

• There’s an amazing set of Stanford lectures that is 100% worth a watch if you’re interested in foundational concepts. It’s a few years old but worth it’s weight in gold (19 videos in total). The course is CS 253 - Web Security:

Product Security

• Just like with AppSec above, this is another heavily technical role that involves tons of time within a given codebase.

  • AppSec and Product Security are very closely related. As this article from CSO Online states, “Product security expands the scope of traditional application security well beyond testing and into the realms of advocacy, collaboration between business groups, design thinking, threat modeling, architectural planning and true risk management.”

  • However, Product Security engineers may be more heavily involved in the design and development stages, making sure that security is baked into a product from the onset.

• This is a newer role that has grown out of the broader AppSec realm.

• You may be assigned to a particular product or an specific part of the larger product your company builds, then be responsible for improving and testing its security. You could also easily be the Product Security Engineer for multiple projects at once.

• This is another role that’s deeply embedded with software engineering. Software teams will rely on product security engineer to stay current with potential attack vectors, potential risks within the software supply chain, and any other security considerations that may be relevant for the assigned product.

  • NOTE: Hardware products are a thing, too!

• You may be called upon as the go-to security resource should customers or prospective customers have questions about your product’s security.

• Snyk offers a nice breakdown of the differences between Product Security and AppSec:

  • Product Security vs. Application Security: What’s the Difference?

• Here’s an area where I, too, want to learn more about! Check out these resources that I found informative:

  • OWASP Product Security Guide, Shopify blog

  • Adobe has its own “Adobe Product Security Incident Response Team” (pretty cool)

    • In looking at potential resources, I noticed how large companies like Adobe have product security-specific IR teams, which is awesome.

  • Article by McKinsey & Company, Product security: Navigating regulations and customer expectations

• This RSA Conference talk is interesting and serves as an primer for the field of Product Security: Infosec Makeover: Love it or Leave it, Product Security is Here to Stay

Signals Engineering

• GitLab chose the word “Signals”, which I like, as it is generic to cover almost anything. You may also see '“Detection Engineering” or something similar at other companies. Some companies have signals engineering mixed in with broader security engineering roles.

• There is plenty to dive into here - often you are expected to be, or become, a subject matter expert in your company’s SIEM tool and other tools that are responsible for handling event subscription data from many different systems

• This easily ties into a realm that most are familiar with, Vulnerability Management, as many alerts correlate directly to a CVE/CWE or a specific vulnerability within a given technology

• Just like how AppSec and Product Security engineers will also need to be abreast the latest vulnerabilities within a codebase, signals engineers will need to stay vigilant in regard to threat intelligence and security bulletins from reputable agencies

  • Most signals tooling will help greatly (breathe a sigh of relief in knowing you don’t need to know everything)

• Depending on the company, you may be expected to have expertise concerning their SIEM of choice.

• Further resources for signals/detection engineering:

  • Best article I can recommend: On the Road to Detection Engineering from the TrustedSec blog

    • A team member at TrustedSec gives insightful career advice, plus offers numerous resources for folks to dive into

  • Crowdstrike blog (can you tell yet that I like their stuff?), Wiz blog post (their blog is gold, always)

• Here’s a really cool MITRE course that’s available for free on YouTube (33 videos in total): MAD20 Threat Hunting & Detection Engineering Course

SIRT - Security Incident Response Team

• Any company with a security program will have some mechanism of incident response (sometimes called “IR”), even if it’s just listed in dusty policy documents somewhere.

• Wiz maintains beautiful documentation on IR, so check it out: Incident response team depth chart

  • Atlassian also has wonderful information here, too, with many layers of detail.

• “SIRT” itself isn’t a standard naming convention, with each company tending to have some flavor of that acronym. “CIRT” is also common. The name itself is less important than having an actual plan in place for how to handle an incident.

• There may be dedicated incident response team members at a company, but what’s more likely is for security teams to have specific responsibilities, should an incident arise.

  • This means that they’re doing engineering or analyst work most of the time and only performing IR duties as needed.

• Members of an incident response team may take on any number of responsibilities (see the Wiz article above). Here are some:

  • Incident commander = This is the primary point person for a given incident. They ensure that incident handling procedures are followed and are responsible for coordinating incident-related efforts. Communication skills are crucial for success in this role.

  • Tech lead(s) / Subject matter expert(s) = Your company’s policies may enforce the inclusion of specific technical team leads/company leads by default, but, typically, there are one or more technical experts brought into an incident if technical elements are involved. They may perform technical tasks directly or responsibly delegate tasks to their teams.

  • Communications lead = This individual brings communications expertise to the group and may be responsible for communicating to internal stakeholders, external parties (like customers), or the company at large. They are the ones who paint a picture of the incident to a given audience, likely taking information from other incident responders and carving a message that is both effective and appropriate. Communication skills are (obviously) critical here.

  • Legal / HR = This individual, or, more likely, these individuals, may be read-in depending on the type and scope of the incident at hand.

    • Legal counsel, whether full-time attorneys who work for the company or outside legal assistance, may be brought in to assess obligations according to the law, potential legal ramifications (if applicable), and general consultation.

    • HR is typically involved if there is direct impact to employees/employee information, or as a consultative resource when employees are involved with an incident. HR professionals may assist with gathering legal requirements or handling internal discussions.

• There are many roles that a company may choose to assign, but, in the very least, incidents usually demand:

  1. Someone to lead/coordinate the incident effort

  2. Someone with the requisite skills to help (diagnose, fix, analyze, etc.)

  3. Someone to communicate effectively, efficiently, and in a timely manner.

  • NOTE - One person may take on multiple duties (smaller organizations), or each team member may have specific responsibilities that are narrow in scope (typically larger organizations)

• Incident response is a tremendously broad category (which might make a good article in the future…). Check out more information on IR from these companies:

  • SentinelOne, FireHydrant, CISA IR job role (pretty cool), National Cyber Security Centre

• For a friendly, beginner-level introduction to incident response work, here’s the Incident Detection & Response videos from Google’s Cybersecurity Certificate (the best beginner certification, in my opinion).

  • They brought all of the individual videos together from the curriculum, combining them into one, long piece of content.

  • The supplemental materials are available for free in the description.

  • Google did amazing work in crafting this curriculum. I can’t recommend the Google Cybersecurity Certificate content enough for new learners.

In my opinion, the categories above are what most security engineers typically fall under. However, like I said before (props to LeVar Burton), “You don’t have to take my word for it”.

As GitLab demonstrates in their handbook, security engineers come in all shapes and flavors. Here are the other categories that GitLab lists as falling under the umbrella of “security engineering”:

• Trust & Safety

• Security Assurance

• Security Architect

• Product Security Risk & Metrics

Impact of Security Engineering

If you already have experience of some kind in a security discipline then you know that the term “security” is a broad term that yearns for specificity. Why? Because you can apply security practices, and therefore security engineering skills, to any number of areas within an organization.

This is why I spent so much time walking through GitLab’s security engineering specialties. People need to know that security engineering is more than just one discipline or set of skills. The real world demands agility and the ability for engineers to apply their problem solving skills to a range of issues.

That’s it—problem solving. If I were to write a job posting for a security engineer today, I’d make sure to say how a great security engineer is a problem solving security engineer. And “problem solving” is a great way to put it. Separate those two words into their own categories and you have engineers that tackle the best of both worlds: investigate, analyze, and diagnose the problem while always ideating, proposing, and building the solution to the problem.

Security engineering, apart from a specific role, could easily be a mindset that you adopt as you dive into issues begging for a solution. Any realm of security has room for engineering excellence.

What a Difference a Title Makes

Before I release you from this temporary prison of overly long articles, I want to make a point about job titles. Some of you may already be engineers by title, and some of you may be sitting in other, non-engineering roles and seeking to work into the engineering field. There also might be a portion of you who don’t even work in security at all and are soaking up knowledge, preparing for career change.

Words don’t do justice for how excited I was when I promoted to Security Engineer (also, I don’t think I have enough brain juice left after writing to add anything flowery enough). I was seriously overjoyed! And, in all seriousness, one of my main drivers nowadays is to help others achieve their career aspirations, knowing how much it meant for me to achieve one of mine.

However, while titles are important, they do not define you. Security engineers rarely only engineer. I’ve seen security engineers do project planning, incident handling, customer communications, audit planning, and even the super thrilling work of documentation writing. As with any role, the organization and/or the situation may demand sets of skills that lay outside of security engineering itself. This is a major reason why I love the wide net that GitLab casts when it describes its security engineers. GitLab recognizes how security engineering skills touch across many, if not all, areas of the business.

Furthermore, you could be performing security engineering tasks without the title of Security Engineer. I’ve seen IT Help Desk teammates jump into automation work, Security Analysts script solutions that check for compliance tasks, and I’ve seen many software engineers who have a knack for security and incorporate those principles on a daily basis.

If you’re not a security engineer and you want to become one, start looking for areas of opportunity to apply security within your day-to-day work. I can’t encourage this enough! Widen your perception of “engineering” to be “building” instead and you will start to see a world of possibilities before you.

In general, I know that my tech career journey is not very unique. Lots of people transition from non-technical careers into tech and lots of people get their start in IT support and work their way up. Then, lots of people are dedicated to breaking directly into security itself. For me, I stumbled into security and then fell in love with building solutions that solve security problems and I enjoy my work. 10/10 would recommend.

Am I an engineer? Absolutely. Are there many different kinds of engineers? Absolutely.

Am I the best engineer I know? Absolutely NOT (there are people I know who could beat me in their sleep).

Do you have to be a god-level techie before you can become an engineer? Absolutely not.

Hopefully this post has helped to tickle that itch of curiosity you had for security engineering. Please share your thoughts below or reach out!

A Gladiatorial Christmas

If you and I were hanging out together and I asked you to name the movies you like to watch over the holidays, what movies would you include? National Lampoon’s Christmas Vacation? The Santa Clause? The Muppet Christmas Carol? Elf? Home Alone? Home Alone 2? Die Hard? All of these are likely to catch some air time in my home.

Sometimes, though, my family and I feel ambitious and decide to watch a new movie, like maybe rent something on-demand that was recently released. We felt that tickle for something new, so we decided to go for it. After some brief browsing we quickly settled on something we knew wanted to see…

Gladiator II.

$20 later and we were in, ready to enjoy the theatrical experience from our couch. I thought the original Gladiator was an epic adventure of a film, so I was excited to sit and experience Roman warfare on the big screen once more.

However, my excitement soon faded into a soft surprise. Then confusion. Then disappointment.

It wasn’t long before I found myself questioning what was happening in the movie:

• Why does it seem like just a remake of the original story?

• Why do some interactions in the scene just seem… odd?

• How is every archer able to shoot perfectly every time?

• Why does Denzel’s performance stand out?

• Why did two bannermen at the end lower their banners when no one else did?

These are just a sample of the many questions that flashed across my mind throughout the film. I wanted this film to be good and I seriously wanted to enjoy it.

There were many times when it seemed like this movie was almost too like the first, so it seemed like an imitative retelling as opposed to a standalone, new chapter to the story. I couldn’t shake how there were many moments on screen where the acting was poor, or just awkward. There were even strange bits of editing (not a spoiler - there’s a moment later in the film where a wound has magically vanished between scenes) throughout that had me wondering if this was rushed through production. And Denzel Washington, a fabulous actor of legend, stood out because he was by far the best actor in the room. However, it seemed like he was trying to pull more out of the script than the script itself had to offer. Even the music felt cheapened to me, forecasting the emotions to come or not quite matching the scene it accompanied.

And seriously, the arrows don’t miss. Ever. Like, weirdly accurate. They just don’t make archers like they used to, I guess.

All in all, it just wasn’t a good movie to me. Period.

Not Space Jam 2 terrible, mind you, but it was not at all the blockbuster film I hoped it would be.

If Gladiator II Can Make It…

After watching the film, I just couldn’t shake the feeling of being cheated by the hype. Looking online afterward, I saw that Rotten Tomatoes had given it a “Certified Fresh” rating of 71% by critics, not far away from the original film’s score of 80%. The “Popcornmeter”, the name for audience ratings on Rotten Tomatoes, sat at 82%. I was shocked!

Has my taste in cinema changed over the years? Am I not able to recognize what’s objectively “good” anymore? Am I losing it?!

[NATHAN CRIES OUT TO THE HEAVENS - EXITS STAGE LEFT, SOBBING]

Fortunately, I have a partner that agreed with me - they couldn’t believe how bad it was, either.

I’m sure that someone reading this will have seen Gladiator II and enjoyed it (if you’re one of those people, please, please tell me how on Earth you liked it). And that’s great! We all have different tastes and opinions when it comes to creative productions like music, movies, and art. It’s okay to disagree, or for one person to enjoy what another does not.

In questioning my life after enduring that slog of a feature film, I thought:

If Gladiator II can be greenlit for production, then anyone can do literally anything. Anything is possible.

Seriously. More than one person sat in a room together, or in many rooms for many different kinds of togethers, in order to give the thumbs-up to make this movie happen. More than one person, possibly many persons who had given the okay for successful films before, allowed this film to be bankrolled to the tune of over $300 million USD. As far as I can tell, worldwide box office gross has at least given people their money back, but it’s a far cry from the 4x return on investment received through the original movie that debuted in 2000.

I’m being harsh in my critique, I know. I do think there’s a lesson to be learned here.

In less than the time it would take for you to view this Roman, filmic tragedy for yourself, I will expand on three points:

• That something can be “good enough” without having to be perfect,

• That imperfect things can still be successful things, and

• Embracing imperfection is key to successful security

So, in a way, Gladiator II did bring some positive mental motions into my life as it forced me to wrestle with these ideas.

Thank you, Ridley Scott. [insert fist bump]

.

Perfectionism vs. “Good Enough”

The Labor of Creativity

Years ago, as a young, wee lad in music school, I clearly remember the torturous task that was creating music. Sometimes, this torture was rapture, what I’d probably liken to being keenly “in the zone”. You’re tortured because you can’t focus on anything else (relationships, important classwork that may be due the next day, etc.) yet in a state of bliss as you surf along waves and waves of creative thought. I was no Mozart, who was able to pull fully formed symphonies directly from his brain, but I was passionate. And that passion could keep me focused on writing music for hours and hours on end.

More often than not, however, the torture of music writing was not rapturous, but more like, well, torture (and who says “torture was rapture” anyways? Yikes, Nathan…). I wish I could count the number of days spent staring blankly at an empty piece of plain manuscript paper. I knew the paper was just begging me to write something, anything, yet my pencil would not budge. My hands would not move. It wasn’t torture because my mind was blank and I had nothing to write, it was torture because I had so many ideas in my head. Too many ideas, perhaps. I wasn’t sketching to catch a breeze of inspiration that might generate my next big idea, I was trying to strike gold before my pen even hit the paper.

I only wanted to write the “best” music possible, which at the time meant writing something that I thought other people would like. I wanted to just, create, but not as badly as I wanted other people to appreciate what I had created.

I’ve written many pieces of music in my life, that’s for sure. Yet if I were to throw my stack of unfinished pieces at you it might get me arrested for assault because there’s so many of them, plus I don’t think I’m strong enough to lift it (also papercuts are the worst, right?).

What I mean is there are many more pieces I didn’t complete or continue with just because I didn’t think they were good enough. I was taking the step of labeling my own work a failure before that pie of creativity was even in the oven.

Fearing Failure

Eventually I would come to learn that even some of the most highly regarded composers of all time were perfectionists, often discarding the work if they deemed it subpar. Brahms did this, for example. Now that I’m older and removed from those music days, I think that it was mixture of perfectionism and a fear of failure in general. Sometimes I was able to write from the heart to create something that felt genuine and sometimes I found myself plagued by the fear that other people wouldn’t like what I had made. This was dreadful for me at the time. It was a driving fear, a constant anxiety, a shadow that loomed across my creative process.

Having a fear of failure is nothing new to me personally, I know that. And I would hazard a guess that you know the exact feeling I’m talking about, too.

In looking at the 10 Signs That You Might Have Fear of Failure, you’d think that I should have “fear of failure” as a line item in my medical history. I find comfort in knowing that this is a common cloud that hovers over many people’s lives and not just the lives of musicians. It’s helped me to learn that there are ways to help one’s self overcome such a fear.

For a sample of how you can work to cope with the fear of failure, the University at Buffalo’s School of Social Work has shared a guide with approachable steps that anyone can tackle (heads up—the link points directly to the PDF).

Accepting “Good Enough” as “Enough”

When it comes to creating something, is it okay to just throw ideas away? If you’re like me and don’t rely on creative outputs to pay the bills, then, sure, because it’s not the focus of my day-to-day work. I have the luxury of a steady job that pays the bills and keeps a roof over my head. But, if your livelihood depends on you both creating and producing something, there’s an inevitable compromise to be made between perfection and meeting the requirements of the moment.

In tech, this has long been understood as a reality. Minimum viable products (MVPs), and minimum viable products within products, are everywhere, same as “just ship it” which is decreed constantly in various forms, ensuring that updates to code and new features get pushed to production.

While this kind of approach is rarely free from errors, often rife with them, the “just ship it” attitude is a true positive from the perspective of this Gladiator II recovery group that I’m holding here today. This path to releasing work into the wild helps to eliminate the barriers that come with perfectionistic tendencies, where you’re afraid to let go of something before it’s flawless. Once it’s been produced, imperfect as it may be, you have the opportunity to continually improve on the software, cultivating a cycle of continuous improvement while also bringing in new things over time.

It’s not perfect. And that’s the entire point.

This blog is not going to be perfect. For sure. Even though I hate the thought that there’s the potential for you to come across misspellings and whatnot, publishing this blog is my attempt to practice what I preach. To push my work out of the nest and into the world.

“Good enough” occurs all of the time in the creative arts, software development, and throughout life. Musicians have to release new music on a deadline or perform concerts even if every song isn’t up to par. Actors have to go on stage for specific performance dates, whether their lines are ready or not. I, as an amateur gardener may rehome a bush in the yard without guarantee that it will stay alive once I replant it (spoiler alert: the bush didn’t make it—it never makes it).

Once there is a commitment towards an idea, a path or plan of some kind is then laid out, leading to an end goal that is a deliverable something. Something must be produced. Similarly, sticking to a rigid schedule or expecting that all possible blemishes be removed is less important than actually delivering the product itself.

Finding Success Through Imperfection

Yes, there’s a natural fear that what you release is less than stellar, but the mere existence of faults does not mean that something is unsuccessful because of such faults. Charlotte Sidebotham expressed this mindset wonderfully, “Good enough is not mediocrity, or merely good. It simply means that, at the current time, all things considered, there are sufficient benefits, and no critical problems.”

Now, I’d challenge the implication that Gladiator II “sufficiently benefits” anyone at all, but I shall restrain myself… from arguing with myself?

Oh well, moving on.

What Drives Perfectionism

While I am not the person people go to for firm definitions of psychological behaviors, I’m lucky to have a slew of Internet articles to help me grasp this topic more completely. One’s perfectionism can be driven by one or many factors. If this is something that you struggle with, I encourage you to share this with a psychological professional who can help you pinpoint potential root causes.

If someone says that they fight with perfectionism, please do not make assumptions about what may or may not influence those thoughts for them. Everyone’s experience is unique and deserves respect. I’ll only share findings here that have been found to be broadly applicable.

External Validation

Perfectionism often stems from a yearning for external validation, a desire for others to affirm that what you’re doing is “good”. This is something that many people may be able to relate to.

You’re seeking external validation whenever thought patterns consistently guide you towards imagining what others may expect from you, likely outweighing the confidence you have in yourself and your work. You could seek validation from specific people in your life or career, or be fearful of validation from a more general, undefined “other”.

Tech companies are not immune to this, nor is any company. Companies are made up of groups of humans, with each one of those humans carrying the burden of their own psychological baggage, regardless of the size of that burden. All teams are made up of individuals and, mostly, teams rely on the approval and guidance of a single leader. Those leaders are also humans themselves (I promise) and who are likewise vulnerable to this mental self-trickery.

Have you ever:

• Feared what your boss or manager will think of your work?

• Been wary of showing others what you’re working on, afraid of what they’ll think?

• Felt that you didn’t know enough to share your knowledge with others?

• Written an email, deleted it, only to write it again and painstakingly read and reread it until it’s artisanally sculpted to the finest level of quality, even though it was just you replying in kind to a teammate?

Congratulations, you are normal. We’re proud to count you amongst us.

Having these thoughts and/or thinking you tend to lean towards perfectionism does not mean that there is anything wrong with you. Not in the slightest. Myself, for example, is sitting here wondering (and worrying a bit) about what people will think of what I’m writing in this post. Recognizing this about myself does not automatically equip me with the ability to work healthily with these feelings, but I feel like it helps for me to accept that these feelings exist and to move forward from there.

Security is Never Perfect

This is a security-related blog after all, isn’t it?

If you’re not in tech or not a security professional, think about a time when you purchased a piece of software, or bought a video game, or watched a live stream where something went wrong. Maybe the software was buggy, or the game graphics were glitchy (I’m thinking of you, Cyberpunk 2077), or the live stream’s quality of service resulted in a pixelated mess or lack of a stream at all (Netflix’s recent boxing spectacle, for example).

If you’re thinking about something in the time of the Internet era, then patches were likely (hopefully) released for that software, updates were pushed to that game to improve performance, and we’ll say that the live stream company learned from their mistakes and beefed up their infrastructure for better streams down the road.

For many people in tech, regardless of role, they understand that imperfections are just part of the game. You’re constantly making adjustments to upcoming software releases, product roadmaps, and business opportunities. At best, you catch the imperfections yourself and take action, at worst, you put out fires from customers with issues or from troublesome actors who target vulnerabilities. Whether proactive or reactive, working in tech demands agility.

Security is never perfect and perfect security doesn’t exist. I don’t say this as a cheap grab for attention. This is just the nature of the beast. We’re only able to secure what we know exists to secure and can only provide security to a level possible by those implementing the security measures.

Out-of-the-box tooling is available to help you and I gain visibility over our environments, receive alerts regarding misconfigurations or undesired activity, and actively manage endpoints. Security professionals, in turn, learn to analyze tool output effectively, identifying anomalous activities that warrant attention, pinpointing errors in code that might present security concerns, and providing steadfast response to incidents of all shapes and sizes.

Think:

• What security tool is “perfect” at what it aims to do?

• What security professional or team of security professionals is “perfect” at what they do?

• Does a definition for “perfect” security exist?

Imperfect Security is Security

When I was studying choral conducting some years ago, our professor used to always share a bit of wisdom with us, “Music demands perfection while simultaneously denying it.” (he would always repeat this about three times whenever he said it)

He would then go on to explain how, even with the most diligent practice, there was always the possibility of imperfections in music. One person in the choir could mispronounce a word (you’d be amazed at the power of a single person singing a loud “s” in the wrong place), a pianist’s finger could slip to the wrong key, the air temperature could be too high and make the performers uncomfortable on stage - anything. That was his point. You work so hard to present a polished, perfected work of art to an audience, yet, no matter how hard you try, imperfections have the chance to pop up at any moment.

But, here I am thinking that this phrase applies perfectly to security: Security demands perfection while simultaneously denying it. This is a profound realization for me, how, regardless of effort, collective expertise, or the capabilities of tools we deploy, there will always be room for us to improve the security measures we put in place.

The owner of a company I used to work for would hold daily meetings each morning. It was a small company, so he would huddle each day with us to hear updates and to help think of ways to solve customer issues, production issues, or general business issues. He used to say that any problem boils down to one of three things. Years later, I’ve found these three things apply beautifully when identifying root causes to security issues:

1. Human error

   1. Human error can account for an incredible range of security issues. Actions could be intentional, unintentional, or could be intentinonal acts manipulated through the influence of bad actors.

   2. I’m happy to follow many professionals who lead and conduct research in this burgeoning “human factors” segment of security. This area goes well beyond simple security awareness efforts.

2. Process error

   1. Did the SDLC process not identify the vulnerability in time before release? How come the IT team didn’t escalate that incident more quickly? Why do we have more than one process we’re following for incident response?

   2. Here, the root cause boils down to a lack of detail or foresight within in the process itself. Fixing the process immediately helps to mitigate future, similar instances from occurring again.

3. Machine error

   1. This could be any number of issues that stem from an endpoint of any kind. Misconfigurations, outdated software or operating systems, hardware malfunctions, etc. There are tons of possibilities.

   2. Some of these errors can happen through simple “wear-and-tear” of a device, where things can be repaired or replaced in whole. Or, some errors are possible to fix with sufficient visibility and healthy processes to identify issues in advance..

No one can claim to have a crystal ball, so no one can claim that they have foreseen all possible security issues both now and in the future. Since no one can see this future, no one can protect against everything that might happen to those you’re trying to protect.

While it’s unhealthy and unwise to demand that security be perfect, it is healthy to expect that security be as strong as possible given the budget, skills, and tools that are available.

Because security is constantly imperfect, we must continually work to stay informed, stay aware, and keep ourselves educated on emerging threats. As my mother used to say, “You do with best you can with what you’ve got.” In security, we do that all the time, don’t we? Here, doing your best directly involves action, motion, taking steps forward. Notice how “your best” has nothing to do with perfection itself.

Think of “The 5 P’s”: Proper Practice Prevents Poor Performance.

Imperfect security is still security, since that is the only kind of security that we know. And that’s okay. What’s not okay is to fail to take action because you don’t have a perfect solution on-hand, or you haven’t published a fully-formed process/policy.

Take steps forward now and improve as you go. A small protection now can be made more robust and more effective over time, iteration by iteration.

Constantly im-perfect, you say?

Perfect. That means we’ll always have room to improve.

The Bottom Line

When all else fails, when you find yourself down and out, when you are struggling to see that you belong in security, when you don’t see yourself creating anything that’s good enough for yourself, let alone perfect for someone else, remember—someone, somewhere, believed in Gladiator II. Someone, somewhere, said, “That’s good enough,” and released it to theaters, even if they thought it wasn’t the best film they had ever made.

So if Gladiator II can make it, so can you. Literally anything is possible.

Late winter clung to the delicate afternoon air, pulled away gently by the sun that shone bright. I cast my gaze upward, surveying the heavens for any clues as to my fate. No luck. The sky hides my fortune.

Fine by me. I will forge my own destiny on this day. I lower my gaze and continue on.

Steady.

This day, which may seem to be but any other day, was far, far away from any other day, for this was the day that I had chosen for battle. This was the day I had been training for, been steeling myself for, been steadily readying myself for, knowing the fight that lay ahead. This day was that day, the day for victory.

I continue towards the battlefield, eyes front, stalwart, unyielding. Sweat teases down my brow and along my back, either from the rising intensity building within my soul or from the heavy sweatshirt I was wearing. Who knows.

Steady.

“Focus,” I tell myself, eyes narrowing. “Focus.”

As I approach, closer and closer, I am already waging war with the beasts that lay within. Each quickening pulse brings a stab of fear, a prick of doubt, a seeming torrent of piercing anxiety. My mind parries each ambush of distractions as my body drives me closer, knowing that my wits are occupied. I tighten my grip on the wheel and guide my chariot forward. Forward to where I will taste my triumph.

Steady.

The fortress begins to grow out of the horizon. I can see it probing my soul, taunting me to encroach upon its hallowed ground, to dare and try to succeed. I meet its stare, in, like, a really cool way.

“You won’t scare me. Not today,” I whisper into the ether, moving closer. The building seems unphased by my words, growing only more colossal with each second.

Steady.

I’m here. As soon as I cross the threshold, I know there’s no going back.

My hands, somewhat clammy, betray the forest of nerves I hide within. I grip my car door. My brain, electrified in nervous thought, cries out for reassurance. My heart, though resolute, pounds through my chest. Training has prepared me to face this moment, and I was ready to fell the beast, to slay the foe, to emerge as victor.

Courage lies not in the absence of fear, but in spite of fear. I take one long, steadying breath, open my door, and march into the fray.

Ready.

Why I’m Writing This

Don’t worry, this whole post won’t be written like that! Even though it did feel like a battle, and, yes, even though I did wear a sweatshirt that was way too warm for the day, I felt really prepared come exam time. Now that I’ve passed the exam on my first try, I wanted to take some time to organize my thoughts, hopefully in a way that others find useful.

The CISSP is world-renowned as a security certification, so there is no shortage of websites, trainings, books, and YouTube videos. However, information about how to jump into studying and best prepare yourself is scattered and I know I had to take a long time just to develop a strategy for how to approach this beast.

Overall, my goal is to share my approach for preparing for the CISSP exam. I didn’t take any expensive trainings, I simply studied hard on my own time and drew upon my experiences in IT and security (experience I gained since changing careers back in 2016).

Here’s what I’ll cover:

• Bracing for Battle: My Studying Journey — my approach, how I had a plan(-ish), my struggles

• Weapons of Wit: My Study Resources — breakdown of what was helpful and everything I used

• Battlefield Brawl: My Exam Experience — the testing center, how I felt going in, my feelings during the test, etc.

• Post-Clash Clarity: Tips, Takeaways and Advice— the lessons learned post-exam; mostly me pretending that I know how to relay wisdom effectively

I’ll assume that you are already aware of the CISSP exam and what it entails. If you’re not familiar with the exam, I’d encourage you to start with the official ISC2 site and branch out from there.

And, okay, maybe I’ll pepper in a dose or two of dramatism just for the hell of it because it’s fun to write. Those sections will be marked with the giant capital letter thingy at the start of the paragraph, with dividers in the text, in case you’d prefer to skip. I’ll only be slightly offended.

Bracing for Battle: My Studying Journey

No certification undertaking is a small commitment because every commitment in this realm involves resources and sacrifice. Putting aside the cost of study materials and exam fees, the biggest commitment you make is always that of your time. With time being your most finite resource at any given moment on any given day, how you choose to devote your time is important.

“Well, Nathan, why did you take the CISSP?,” you may wonder.

For me, the Black Hat USA 2023 conference last year was my inflection point. Throughout 2023 I had been searching for a personal development goal and had thought about the CISSP a bit here and there. But, being at Black Hat, surrounded by multitudes of dedicated professionals and exciting tech, I decided to jump in and commit myself once and for all. If I was going to excel at this whole security deal, I shouldn’t wait for anyone to create the opportunity for me. I wanted to set a goal and see it through.

I’m fortunate enough to work for a company that is supportive but not prescriptive when it comes to personal development, which I treasure. I chose the CISSP to kind of kick my butt a little bit and to re-energize my study habits in general.

I’m of the feeling that everyone should be able to explain exactly why they are pursuing a specific effort, especially for certifications. I’ve learned, through personal experience and that of friends and coworkers, most people get certifications for the following reasons:

• Make a case for promotion — Certifications, in the correct work setting, can help people make their case for career advancement

• Make a case for that next job — positions they are applying for or will apply for

• It’s required (in federal government and military scenarios, for example)

• Personal development — Certifications may not be required, but they use them to upskill and as a means of continuous learning

I will always support people who choose to get certified in whatever way, however I will also always tell people to ask themselves, (1) “Is this certification absolutely required for my current position, or the position that I want?,” (2) “Does this certification align with my goals? Will it put me on track for success or distract from what I really want?”, and (3) “Is this certification going to be the best use of my time, energy, and money?”

Spend your time, energy, and money wisely!

Spend your time, energy, and money wisely! Most people that I know are not blessed with endless wealth (myself included [insert crying face here]), and, money aside, most people I know have families and partners that they help provide for. You should consider the impact that your studying commitment and your spending on materials will have on your finances, your mental health, and your relationships. There will always be an impact, even if that impact is as small as robbing you of your free time. Taking time to consider these factors will leave you better prepared for when unforeseen stressors pop out at you at the least opportune time.

On the whole, my study journey lasted about six months in total, though most of that time I was not studying seriously. Only the last two months were heavily focused and disciplined, where I was studying each day. Here’s a breakdown of my study process in those two months.

If my study time was a deep dish pizza, I’d say it felt like 7 out of 8 slices were devoted to highlighting the entire OSG. And I do mean the entire thing! This was possibly the most mind numbing experience of my life, yet it turned out to be a great way for me to work through the study material.

To take breaks from highlighting, I started pouring flashcards into Quizlet. No kidding, I’m pretty sure I created thousands of them when all was said and done. Quizlet has been my study buddy ever since getting my CompTIA A+ years ago, so it’s my go-to when there’s a need to study. I’d flip through flashcards on my laptop and almost every night in bed on my phone. Did I use all the flashcards I created? Definitely not. They were still very helpful to have at the ready.

This process of reading and skimming over flashcards and material I’d read previously lasted for about 1–1/2 months. Then, for the final two weeks, I focused on drilling practice exams and study questions. I would do one LearnZApp practice exam each day, review any missed questions, and began working through the domain-specific questions (in the book of official practice exams) for the domains where I struggled. I’d always prioritize domains where the LearnZApp indicated areas of weakness. I never got below 70% on any practice exams or chunks of domain-specific questions, did better one some exams, and barely passed on at least one. This helped build my confidence that my study plan was working and I was going to be ready come exam time.

Treating my CISSP studying like practicing piano really helped reframe things for me

When you practice piano, you always have the “not fun” things that are fundamental for any pianist and a part of your daily routine. For example, major/minor scales aren’t exactly the sexiest thing you can play for your friends at parties, but they’re crucial for skills development. Finger exercises, scales, and arpeggios, among others, are just something that you know you have to do, that you should do, in order to build up your skills holistically.

Studying frequently felt like a punishment, let’s be real. Sometimes I felt like I was really into the material, sure, but more often than not it was like when you’re a kid and your Mom forces you to eat your vegetables. You don’t want to do it even if you know it’s good for you. Since my Mom wasn’t here to make me eat my CISSP vegetables, I shifted my approach to studying from thinking about it simply as reading to the more involved mindset of practicing. Flashcards were my new piano scales and reading study guides was like me learning a piano piece for the first time. Slow, intentional, methodical practice, chunking out material, and supplementing with other sources when needed, all with the goal of absorbing the material and making it stick.

I’m no wizard of discipline! Not in the slightest. Yet, the discipline I do have propelled me to get some studying done on the tough days. There will be days where you’ve had a long day at work. There will be days where things at home distract you, both good and bad. There will be days where studying is the last thing you want to do and you might even feel like you truly can’t study.

A piece of advice I heard from a professional bodybuilder, of all people:

“Remember the Five P’s: Proper Practice Prevents Poor Performance.”

It’s not “perfect” practice — not at all. Get perfection out of your head and forget about it. Remember that while your goal is to learn as much as you can, chasing perfection isn’t what will earn you your CISSP, but that 70% mark (that’s common for most certifications). All you need to do is demonstrate 70% proficiency on the exam. While I passed at 125 questions, my passing score is exactly the same as someone who passed at 175 questions. What’s cool is that it doesn’t matter! If you pass, you never even see your grade anyhow. Any two CISSPs will be the same because no one knows their actual score.

My advice is to go into your studies with the mindset that you’re practicing, not simply reading. Establish a routine of building the fundamentals and the discipline will build over time. Then, when motivation falters (because it will — motivation is not permanent) you’ll have your discipline to fall back on.

If you’re like me and the word “studying” can give you the willies, check out this free Coursera course, Learning How to Learn.

Weapons of Wit: My Study Resources

I remember what it felt like to receive that first CISSP study guide in the mail. I’d used the McGraw Hill “all-in-one” training guides in the past, so I went ahead and ordered the CISSP All-in-one, too. When I received it and realized how monstrous of a book it was, that’s when it finally hit me just how much knowledge I’d be expected to know when I sat for the exam. It was intimidating, if I’m honest.

In hindsight, it wasn’t so much the sheer amount of material to be covered alone, but the combination of that plus a fear of the unknown type of deal. I was diving into a certification effort that was wholly new and looking to learn while also earning a credential that carries a lot of weight.

To help address that fear of the unknown, I Googled like I had never Googled before:

• I looked up the official CISSP site on ISC2, pulled down copies of the objectives, read about the Computerized Adaptive Testing (CAT) system, and everything else they offered about the exam and what the exam covered.

• I dove into Reddit. Reddit can be a wild place, but it has a vibrant CISSP subreddit, r/cissp, where tons of Redditors have shared their stories of success and failure. Not every post is created equal here and the advice from post to post may conflict, but some of them were tremendously helpful. I can’t stress enough how helpful this subreddit was to my preparations (and encourage you to exercise due diligence whenever accepting a stranger’s advice regarding study practices). Active members within the subreddit are very supportive of one another.

• Using different sources, including Amazon/book site reviews, I settled on study resources that I thought would help (full list below).

Speaking of study resources, I bought that McGraw Hill All-in-one shortly after Black Hat. After I started reading that CISSP All-in-one book, though, I quickly began to wonder about my study strategy.

“I should start with the official study guide, if anything,” I thought to myself.

I decided to buy the official CISSP study and the official practice exams (<$50 USD at the time). I’d focus on the Official Study Guide (OSG) and use that as my study Bible, my source of truth. Any conflicting information anywhere else would be disregarded and I’d always default to the OSG. For practice exams, I would rely on the official practice exams book to gauge the style and difficulty level of questions I may encounter come exam time. Anything else would supplement those sources of truth. Thus began the steady purchasing of materials throughout the fall of 2023.

Here’s a list of all study resources I obtained (paid resources marked with $):

• CISSP All-in-One Exam Guide, Ninth Edition $

• Cybrary — Kelly Handerhan’s CISSP Course $$ (she is the BEST, I love her explanations)

• (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle $

• Destination Certification’s Destination CISSP: A Concise Guide $ (don’t let the name fool you, it’s a large, beautiful textbook; another excellent resource)

• Thor Teaches — CISSP by Thor Pederson $$$ (can buy on his website, or individually through Udemy, I personally did Udemy)

• Thor Teaches — ALL CISSP questions by Thor + Boson $$$

• Pete Zerger’s CISSP Exam Cram Full Course on YouTube (crazily helpful video)

• Kelly Handerhan’s Why you will pass the CISSP on YouTube (to be watched close to exam time)

• Wiley — free online study questions and flashcards (simply register following the process in the OSG)

• LearnZApp $ (mobile/desktop app)

• Luke Ahmed’s How to Think Like a Manager for the CISSP Exam $

• Mike Chapple’s Linkedin Learning CISSP courses $ (this was free, thanks to my library card — you should look to see if your local library offers something similar)

• Mike Chapple’s One-time Practice Exam $

• Mike Chapple’s CISSP Last Minute Review Guide $

• The Official (ISC)2 CISSP CBK Reference $

Now, everything above is hundreds of dollars in total. Trust me, I am definitely not rich. For me, the idea is that online reviews are one thing, but I want to see something for myself; dip my toes in the water of each resource and deem it useful or not.

By the way, it’s also important to note that I did not find all of these resources useful. And no, my list above is not a comprehensive list of all the good resources available, either. I’ll share more on that later when I get into the lessons learned.

My pulse, accelerating. My mouth, dry with anxiety. My muscles, tense, galvanized for action. My mind, honed, sharp, and ready. My ears, oddly sweaty from the noise-blocking headphones. The battle is on. No going back now.

Focus.

Thoughts of doubt, lying in wait, leap at my concentration from the shadows. The armor of preparation holds fast. Their attack, hellbent on my derailment, is unceasing, testing my defenses at every turn.

Click. Easy question — I parry the blow. “Nice try, CISSP,” I say with a smirk. Click. Another easy one.

Click. Click, click. Clickclickclickclick. I wiggle my mouse with a hushed, frustrated fury, clicking on emptiness all over the screen as the question before me evades my understanding. My opponent fights valiantly, earning my respect.

The monitor in front of me is my battlefield on this day, my mouse, my sword. Staring ahead I see only a minefield of logical snares, clever traps of comprehension, hidden, ready to strike, waiting for my misstep within its interface. “Not today…”, I tell myself.

Focus.

Each question, a wave of attack. My enemy is deft of hand and keen of strategy. I counter a weak strike yet soon suffer wounds from the next, poisoning my concentration with fear. They are too strong… There’s too many of them. This fight was testing my strength.

Training instilled in me the goal of 125 foes. 125 conquered enemies must fall before I may taste victory, or feel the pangs of defeat. Yet, I knew that up to 175 attacks may be launched before this battle was through.

I tighten my grip on the mouse and repeat the mantra that has seen me through before. I will not be defeated…

Focus!

On the Battlefield: My Exam Experience

I, like many of you, I’m sure, fight back imposter syndrome more often than I may care to admit. And while people talk more openly about their failures than they may have in past decades, the fear of failure is still a powerful force. While studying, I’d be lying if I said I wasn’t worried about failing. That kind of fear is, unfortunately, a thing, but it’s something that many people can empathize with.

The best thing I did to combat those feelings was to practice and prepare. That way, when I walked into Pearson Vue, I would know that I was ready.

My experience at the Pearson Vue testing center was quite pleasant. The facilities were clean, the staff was friendly and professional, and the testing area itself was nice and quiet. If you’ve never been to a Pearson Vue testing center, you should go and simply ask for a brief tour. At worst, they may say, “No,” but at best you will get a chance to see where you will be taking your exam.

On the day of your exam, I’d recommend that you:

• Arrive at least 30 minutes early. This allows plenty of time for you to use the restroom, handle the paperwork, and take care of other security measures. This alleviates any stress which could come with being in a rush.

• Eat filling, healthy meals and mind your liquids. You are able to take breaks during the four hours of the exam, but you do so at the cost of your total time. The clock will not stop, so mind your caffeine and liquid intake, and, if possible, try to go into the exam fueled with a good meal a reasonable amount of time beforehand.

• Pause and take a minute or two to collect your thoughts before going in. You may very well feel nervous and anxious. Taking a second to experience the calming effect of a few deep breaths and introducing some reassuring thoughts into the mix might help you enter the testing center in a healthier mental state for excellence.

For the test itself, they had a pair of these gigantic, noise-blocking headphones that were like an unexpected gift from the heavens. Even though everyone else there seemed to be very polite, making almost no noise, having those headphones on brought me back to my happy place. I’m always wearing headphones at home so it made me feel comfortable, just like when I was studying.

The room itself was comfortable — not too warm, not too cold. There was also a nice hum from the air system, like the brown noise that’s popular for meditation/focus (check it out and see if you like that kind of sound).

I didn’t take a bathroom or snack break, but, had I done so, I knew that the bathroom was close by. This was because I went to the bathroom immediately beforehand (mind that liquid intake on test day!) to wash my hands, take a breath, and psych myself up in the mirror.

Again, remember that you are able to take breaks during the exam but those breaks will count against your time. The 4-hour timer will not stop. There’s nothing wrong at all with taking breaks as needed, just be aware of the time remaining!

Of course, if you have any questions or concerns about time and/or breaks going into the exam, be sure to ask the staff. The staff at my location were extremely polite and answered any question I had right away.

Post-Clash Clarity: Tips, Takeaways, and Advice

First, I want to mention something that I think is important: I can only speak to my own experience. This is also true for anyone else whose advice you may read regarding the CISSP exam. Know that there are many resources out there that make hefty promises, or lob catchy titles meant to drive traffic to their site. I mean, some people even have fully fledged business enterprises out of helping people train, which is, of course, completely fine. However, you don’t have to take an expensive training course, and you don’t have to use any particular training material. Just know that your precious dollars are the object of many an entity’s eye, so be judicious in whose advice you follow (including from me!). Sermon complete. Moving on.

As you take the exam, you will know right away whether or not certain training materials helped prepare you sufficiently. For me, some materials soared while others floundered.

Some materials soared while others floundered

In an attempt to help you save some dough, here’s my list of resources that I would consider absolutely essential to your exam prep:

1. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide & Practice Tests Bundle: Just get the bundle! Besides, you should purchase both the OSG and the official practice tests. The OSG is always your source of truth.

2. LearnZApp: This app is endorsed as the official training app for the CISSP and it’s worth every penny. It’s not perfect. For instance, the UI isn’t my favorite at all, and block text is often presented with little space or separation. While there is duplication of training questions between the app and the official practice exams, there are thousands of questions available. The included practice exams, which are 125 questions each, are an excellent way of gauging your preparation!

3. Pete Zerger’s CISSP Exam Cram Full Course on YouTube: First, it’s free (woot, woot!). Pete provides almost eight hours of content. What I love about this video is that he focuses on the important stuff without dwelling on unnecessary details. He covers important points for every domain topic. I couldn’t recommend this video enough.

4. Cybrary — Kelly Handerhan’s CISSP Course: A monthly Cybrary subscription can be a little pricey, but it’s worth it to experience Kelly’s course. While Pete Zerger covers only the essentials, Kelly dives deep into each topic, explaining everything clearly and thoroughly. Throughout her course, she reinforces how you should approach different topics and helps build what some refer to as “the CISSP mindset.” After her CISSP courses, I’m a huge Kelly Handerhan fan. She’s a wonderful teacher.

5. Kelly Handerhan’s Why you will pass the CISSP on YouTube: Continuing on the Handerhan fan train, this is only something you should watch the day of your exam or perhaps the day before. Assuming that you have studied sufficiently for the exam, Kelly provides assurance that you will pass the exam, walking through a few key points in this short, 10-minute video. This was surprisingly helpful!

Now, here’s the set of resources that I found helpful as supplemental but not quite as helpful:

1. Wiley — free online study questions and flashcards: Within the OSG, they give you instructions on how to register for access to free online study questions and flashcards provided by Wiley. The coverage wasn’t comprehensive, yet the content, including the practice questions, was helpful. This is another free resource that should be taken advantage of.

2. Luke Ahmed’s How to Think Like a Manager for the CISSP Exam: You’ll likely see many mentions of this book throughout different posts on the Internet, as did I, which is why I bought it. I only skimmed through the book and read the first couple of pages. The book dives deep into example questions to explain, in detail, how to approach CISSP questions and to “think like a manager”. For the money, I think it’s a bit expensive for how small of a book you get.

3. Destination Certification’s Destination CISSP: A Concise Guide: The OSG is the OSG — you get lots of dry, informative content. But, literally every official study guide is like that. The Destination Certification team delivers a gorgeous textbook (in full color, no less!) that is an amazing bang-for-your-buck buy. I’d still recommend having the OSG as your primary focus as this book dives into additional details that aren’t found in the OSG.

4. Mike Chapple’s One-time Practice Exam: What’s nice about this exam is it doesn’t allow you to go back to previous questions, just like how the CISSP exam will be. That made me nervous and seems to make a lot of others nervous, too, so this one-time exam was a good practice. I recommend taking this exam a couple of days prior to your actual exam date.

As a quick note, I know that I listed the CISSP All-in-One Exam Guide, Ninth Edition in my resources list earlier, but I never really gave it a fair shake. Soon after I started reading this I had a lightning strike of realization about how I should probably start with the OSG first. I never got back to this book, deciding to use Destination Certification’s book as my secondary study guide. I didn’t see any issues with the All-in-One and it was well written at a fair price point.

There were a few things I paid for that were somewhat disappointing. The list below represents a few hundred dollars that I should have spent elsewhere:

1. Thor Teaches — CISSP by Thor Pederson: Now, you’ll see that others have found a lot of value from Thor’s material as he’s well known in the CISSP prep world. But, for me, after listening to several hours of his courses, I came to the realization that the content was simply not effective; too expensive for what you get. His real world experience allows him to speak intelligently on most topics, but after all those hours of watching/listening I noticed that there was added levels of detail that didn’t seem applicable, so I switched to Mike Chapple’s online course. Preview Thor’s material and decide for yourself!

2. Thor Teaches — ALL CISSP questions by Thor + Boson: So while Thor’s training courses just weren’t for me, I will say that the practice questions are not a great value. Yes, they will reinforce important topics across the eight domains. Yes, they will be challenging (even some of his “medium” questions) and make you think. However, both the Boson questions and his own were nowhere close to the quality and type of questions presented in the OSG and official practice exams (toss LearnZApp in there, too). You pay a lot of money for access to these questions that ask you about technical details you won’t really need to know for the CISSP. The way the questions are designed are also not helpful for practicing the finding of an answer given a particular scenario. Again, try them yourself and come to your own conclusion.

Perhaps the biggest tip that I can give you is to no be discouraged when motivation is low or life throws a wrench into your study plan. I rescheduled twice (yup, that was $50 per reschedule) because I knew I wouldn’t be prepared. Whatever you’re feeling in any given moment where times are tough, whether you’re unsure of yourself, you’re questioning your abilities, or you feel as if you just don’t have the energy, my advice is to do something on those difficult days. Skim the OSG, close your eyes and listen to a video course, flip through flash cards on your phone and drill terms in your head, just do something. I guarantee that you will wake up the next day knowing that you went out of your way to keep up your study grind, and you’ll feel all the better for it.

My second tip would be to accept, not deny, feelings of nervousness or anxiety. Imposter syndrome is a thing. Feelings of inadequacy may creep up as a natural part of your humanity. Totally understandable anxiety about preparing for the exam and taking the exam may pounce at you constantly. This is normal! Soldier forth while accepting that such feelings don’t make you weak, they are just a part of life.

There ain’t no shame in the having feelings game!

Allowing yourself to feel those feelings in an honest way will help erase the baggage that can accompany them. I, for one, was insanely nervous sitting for the exam. I likely burned 1,000 calories just bouncing my legs up and down in that exam chair and lost about five pounds of sweat through my hands alone. You’re not alone and anyone else who’s readied themselves for something like this, CISSP or not, can relate.

So, this turned out to be about 3–1/2 miles longer than I originally intended. If you’re studying for your CISSP, first of all — awesome! I sincerely hope that you’ll find this content helpful to you in some way.

Best wishes to all of you and here’s to an exciting 2024. Cheers!

Last year, at my old company, I was fortunate enough to emcee an event focused on the topic of “belonging”. I was on a committee for the LEAD by Women employee resource group (ERG) and we had enlisted the talents of Roy Gluckman, a fabulous speaker, to tune in virtually from his native South Africa and deliver the keynote for the day.

Roy presented “belonging”, generally, as something that we as humans seek naturally; the innate desire within us to find safety, to find comfort in the spaces in which we inhabit. His use of the word “spaces” was intentional, as “spaces” can be created through various means. Organizations provide a space of collaboration towards a common goal, working towards whatever that organization is looking to achieve. And, whenever we join an organization, Roy surmised, we are immediately looking for how we need to act in order to belong.

One of his main points, I remember, is that a human’s desire to belong is so strong that we will automatically tune our behaviors towards belonging. Many of us, upon joining a group or organization, will change how we act based on our perceptions of what is expected and accepted. Like a radar pinpointing an object’s exact location, we will affix ourselves towards behaviors that allow us to fit in, regardless of whether or not those behaviors are true expressions of who we are.

The opposite of modifying how we act to better assimilate with a group was, of course, feeling that we naturally belong to a given space. The challenge here is for those who feel they do belong to look inward at the environment their groups create, or they themselves may have the power to create, and ask, “Does everyone feel as if they belong here? Are we leaving room for everyone to feel welcome and comfortable?”

What does it mean to belong?

The title of his talk that day was, “What is Belonging — Really?” And that’s an extraordinary question. I mean, what is it? What does it truly mean to belong to something?

Think about it, if I were to ask you, “What’s the weather going to be like today?”, you would likely pull out your phone, pop open the pre-installed weather app, and lob some meteorological details my way. That’s an example of a question that you’re ready to respond to. But, if I were to ask you, “What does belonging mean to you?”, I’d hazard a guess that there wouldn’t be an automatic answer. The question is now not about something with an objective answer, but about what something means to you.

When I was at my old company and the focus of our ERG work that year was on the word “belonging,” I noticed how a word can suddenly be both familiar and unfamiliar at the same time. I knew the word yet didn’t know what it really meant to me.

If you were to ask me to define “belonging” for you, I’d likely have no problem trying to think about the word’s formal definition, maybe trying to work in what it means through context. My answer would be my honest answer. But, if you asked me if I feel like I belong, that would probably give me pause. As I imagine it, I’m not sure I’d know how to answer right away. This isn’t to say that I wouldn’t be honest with you, but you can see how vastly different defining a word is from reflecting on the embodiment of the word itself, belonging’s presence in real-world form. To me, it’s a striking difference and a difference worth reflecting upon.

I guess it’s too late for me to say that I’m not trying to get all “deep” on you, here? Whoops. Oh well, I’ll just keep going with it.

Kim Samuels wrote in Psychology Today about how Maslow’s famous hierarchy of needs comments on belonging, with Maslow describing it as the need for “friendship, intimacy, family, and connection.” We want to connect with others in a genuine manner, aligned and attuned to the group. Samuels herself describes belonging in a beautiful way, stating,

Belonging is a principle that gets to the essence of what makes us human.

*Chef’s kiss* 👩‍🍳

So, if belonging is part of what makes us human, how do we handle belonging at work?

I added “changing careers” to the title of this post because, as a career changer, that’s where I go to first when I think about belonging in the workplace. Going from absolutely feeling like I belonged as a music teacher and musician, to feeling like an outsider in the world of tech, is an easy example for me to share with others. Many other kinds of career shifters, though, may be able to relate with the struggles of belonging:

• Former military members, transitioning into the civilian workforce

• People going back to school, feeling the struggles of being an adult student while also juggling the pressure of launching a new career

• People jumping from one company to another within the same field or role

• A person switching teams within the same company, still in the same building, yet leaving behind what’s familiar

These are but a few of what I’m sure could be countless examples of when times of transition force us to reckon with belonging. Even if we’re not conscious of our efforts that propel us to belong, like a finely tuned algorithm we are immediately absorbing, processing, and deciding our behaviors whenever we join a new workplace environment. We want to be a part of the group and we want others to know that we’re invested, same as them.

In his talk, Roy Gluckman talked about how the responsibility for belonging falls on both the individual’s shoulders and that of the organization’s leaders:

• Leaders are responsible for creating a welcoming space where people feel they are free to belong as themselves, and

• Members of a group, especially those who feel as if they belong, have a precious role to play in ensuring that a welcoming environment is built and maintained

There’s a third point to be made, too, I feel, where people need to give themselves grace and allow themselves to see that they deserve to belong.

Imposter syndrome — Belonging’s evil step-sibling

Even in the most welcoming of spaces, if you do not allow yourself to believe that you can belong, you may mistakenly kneecap your ability to grow. Doubt can seep into how you view yourself, your skills, and how much you deserve to occupy a given space. Just like in the picture above, you can find yourself alone in a lake of self-isolation. If this were a scary movie script, this is when that foul beast, imposter syndrome, would enter the room.

Imposter syndrome is that kid in class that’s always stepping on the heels of the shoes of belonging, laughing as belonging trips in the hallway.

The modern business world is rife with talk about imposter syndrome (or, as one National Institute of Health page lists it, “Imposter Phenomenon” — love it). Imposter syndrome occurs when an individual feels as if they do not belong where they are, regardless of whether or not they deserve to be where they are. This syndrome can afflict everyone from beginners to high-performing professionals with years of excellent achievement.

Now, please note that I am no psychologist myself, but the word “syndrome” here is not used to denote a formal, psychological condition. Imposter syndrome is just a term that has fallen into the mainstream vernacular, describing periods of time when you may doubt yourself in the professional realm. You should know, though, that:

Everyone struggles with doubt at different times in their career.

When I first changed careers, I felt that everyone would know I was a career changer, so therefore everyone would see through my facade and know I’m a fraud. My struggle with imposter syndrome was heavy and followed me like a cloud. I just knew that people would know that I’m inexperienced and unsure, in spite of my personal studies and all the hard work I put forward to develop my skills.

Then I realized this was all wholly untrue.

Not only did people actually have faith in my abilities, but most people also never had a clue that I came from a completely unrelated career path! The manager I had at my last job, whom I had known for years, had no idea (for better or for worse) that I had other degrees and fruitful experiences from a past career. Even at my current job, some people do not know my full background unless it’s shared in conversation.

In looking back to those first few years post-career change, I wonder how much more I could have grown in that organization had I simply removed some of the barriers I was imposing on myself. I wish I had freed myself from the self-imposed shackles of doubt which were doing nothing but limiting my ability to grow, to let myself feel like I did belong to be there.

One does not cut a trail to belonging solely on their own, but self-doubt may blind you to opportunities you were unwilling to let yourself see.

Allowing yourself to belong

Sometimes, something like imposter syndrome can sprinkle doubt into our day to day, posing as a heightened sense self-awareness like a wolf in a sheep’s clothing. We may think that we’re being honest with ourselves and realistic, but, in reality, we are likely being too harsh on ourselves based on unaccepted, perhaps unacknowledged, fears we still harbor. DDS Dobson-Smith, in a Harvard Business Review article, encourages us to be kind to ourselves and work towards self-acceptance of who you are and what you can bring to the table.

Working to appreciate yourself, or in the very least, working to not doubt yourself, can help you feel like you’ve removed a barbell of worry from your back.

In all fairness, there will likely be times where you realize that you do not belong somewhere and that’s okay! As Roy talked about, all of the different kinds of spaces we interact with every day either enable or disable belonging for some individuals.

Looking at our immediate spaces with honest eyes will help us be more empathetic to how others may be experiencing the worlds we live in and how we may or may not fit into those worlds, healthily, ourselves.

Recognizing areas where you do not belong can be empowering. Such recognition may lead to you seek fresh opportunities or allow you to become a catalyst for change within your organization.

Based on my no-research approach, I’d say that most of the people you work with in your day-to-day have struggled with belonging in their professional lives. Some may still struggle with feeling as if they belong, whether it be at their company in general, their team, or the position they hold.

Thinking about belonging again has helped me realize that empathy is a fantastically mighty tool that we should all keep handy more often.

Here’s hoping that we all continue working to accept ourselves for who we truly are and forge spaces that allow everyone to feel welcomed and comfortable.

This spring, Google announced that they had a brand new professional certificate course, the Google Cybersecurity Certificate program. I am not the target demographic for this course, as I am already working in security, but I was so excited to check it out that I took it myself!

What follows below are my thoughts after completing all coursework for this new and exquisite offering from Google.

“But soft, what light through yonder window breaks?
It is the east, and Google’s Cybersecurity Certificate is the sun.” 
— Shakespeare(-ish)

For years now I have seen countless posts from individuals who have been searching for a job in cybersecurity. Often times aspiring security professionals vulnerably share how they have been searching for junior/entry-level security positions with no success. They may speak about how they have never heard feedback from potential employers after a rejection, or reflect on the frustration they feel after filling out hundreds and hundreds of applications for seemingly no reward.

Do you want to know what the large majority of people jumping into security have? The CompTIA Security+ certification.

Now, this is no knock on achieving this certification. Becoming certified after long hours of study, investment into study materials, surrendering lots of your own time, then sitting down to pass a long, formal exam, is absolutely something to celebrate! If you earned certifications then you should be proud of your accomplishments. But, many people earn certifications, especially the Security+, thinking that a specific certification is the gateway into a new job or breaking into a tech/IT career. Thinking that certifications will equal a new job, or a promotion, mayor frequently lead to disappointment.

The Security+ isn’t going away any time soon. So, what are people to do?

Below I will talk about how I think Google’s new Cybersecurity Certificate program far outshines self-study for the Security+ alone. I’ll share my thoughts on why I think the Security+ alone should carry less weight with learners, why Google’s new training is top notch, and how this new course and the Security+, when combined, could make for a very strong candidate.

What gives… you’re against the Security+?

No, not at all! The crux of my argument is not so much against the Security+ itself — as it is a valid certification granted from a legitimate body, CompTIA, and an actual requirement for some government/military positions— but against the perpetuation of the idea that the Security+ is the best way to get started as you jump off the diving board and into

The Security+ will definitely help you get familiar with fundamental security knowledge and get you into the professional vernacular, but it won’t help you develop skills.

A quick bit on learning

Allow me to digress for a second (sorry, I get really excited about this stuff!).

I have always felt that the pursuit of knowledge is a noble pursuit; an educated individual is an empowered individual. However, when it comes to one’s professional life, one must consider whether or not knowledge alone is the best path forwards toward career development and future success. This was the case in music and is certainly the case in tech. If you are going to work so hard to build knowledge, like with studying for the Security+, you owe it to yourself to be equally prepared to work just as hard on skills development.

Knowledge, separate from application, is theory; having knowledge by itself means that you have theoretical knowledge. Knowledge directly applied towards something, tied directly towards something you can do, means that you have a practical means of applying that knowledge. Thus, practical knowledge.

Knowledge + Intentional application of knowledge = Skills development

Am I a behavioral science expert-person? No. But, I am a person who learned an entirely new set of skills as an adult and knows how learning is a battle. I also know that time is limited, so picking the best route towards learning is crucial.

Regardless of discipline, building knowledge, devoid of a practical approach in how to apply that knowledge, is a lonely endeavor. What good is having tons of knowledge if you have no way to demonstrate that knowledge, other than reciting facts or taking an exam? If you’re learning something just to gain the knowledge, there’s nothing wrong with that, but when it comes to professional development you want to have that practical piece of the puzzle, too.

That’s my main point. Studying for the Security+ may net you new knowledge about security concepts and terminology, but the Security+ in and of itself leaves you naked in the cold when it comes to skills. You worked hard for that piece of CompTIA paper, yet may not have the skills to back to up. Worse yet, training courses are geared towards helping you pass a test and may not be geared towards teaching you the concepts in full.

Perhaps there are better ways to gain a proper security knowledge foundation aside from simply grabbing a Security+ book.

That’s where Google’s Cybersecurity Certificate program comes in — trying to teach you new things while also allowing you to apply those new things.

Google’s Cybersecurity training is great and you should take it

What I’m advocating for is not to cut out the Security+ entirely, or to even circumvent job requirements in some way when the Security+ is expected. What I am encouraging is, if we were to think of a learning journey in phases, put the Security+ certification effort as a Phase II in your learning journey. I believe Google’s Cybersecurity Certificate could be Phase I.

Why am I saying this Google training is great? Because I took it myself and I think that is great!

I was familiar with almost all of the material, but I treated it like a refresher, a chance to help fill some knowledge gaps in my fundamentals.

I wanted to finally have something solid to recommend to entry-level people and to know that my recommendation comes from me doing the work, diving into it myself.

I won’t go into tons of detail about the Google course since I have an entire blog post about it, but I will share the main points that make Google’s curriculum an attractive one.

Below are six reasons why I think this course is great.

Reason you should take it #1: You craft a professional portfolio

Almost immediately, Google has students preparing a professional portfolio. The entire curriculum is geared towards a total beginner who may have little to no technical knowledge or experience. Google had this in mind, I believe, since Google knows that demonstrable skills can come in handy when formal experience is limited. After all, Google and other companies are known to hire standouts who can perform extremely well but who may not have a specific academic pedigree. By the end, students will have a professional portfolio that includes, among others:

• Completed risk assessment

• Dashboards of security metrics

• Incident response journal, with details from several different incidents

• Writings about Linux commands and how they may be used in the workplace

• And lots, lots more

Now students who complete the program will have a diversified, professional portfolio they can showcase to prospective companies. I love this approach, as the end goal isn’t just to say, “I took Google’s Cybersecurity Certificate program,” but to say, “I took Google’s Cybersecurity Certificate program and here’s a link to the portfolio of my work!”

And I think that’s really neat.

Reason #2: You’re handed a full curriculum

Not everyone is a self-study superstar. I know people that can pick up concepts remarkably quick and are extremely intelligent folks, but us mere mortals may struggle with approaching new topics.

Even if you have all of the best learning materials, from study guides, to practice exams, to online lab portals, you still need to formulate an approach for how you will start learning something new. Some people may do this naturally, yet many may struggle.

Google does that hard work for you by having a ready-made curriculum covering all of the important, foundational security topics. All you need to do is follow their lessons step-by-step.

Think about it like baking a cake. If you want to research how to bake a cake, I’m sure you could find tons of content online about appropriate ratios of different ingredients, how much or how little flour is needed, what goes into creating flavored batter, etc. I have no doubt that you’d learn so much in doing that. But, if you buy a box of cake mix, what do you have on the back? All you need to do is follow the steps, add a couple small ingredients, pop it in the oven, and voila! You have a delicious cake.

Google’s security course is like buying the cake mix. Let them do the hard work required to flesh out lesson plans. All that’s required from you is to follow the path they’ve laid out for you and complete the steps.

Great, now I’m hungry for cake!

Reason #3: Google covers Security+ content

The normal approach to studying for your Security+ certification is to buy the official study guide (many people buy more than one study guide), buy/find a video course to watch, and perhaps adding on expensive performance-based question labs.

Aside from the labs, which are extremely limited in functionality, you’re simply absorbing, memorizing, and attempting to comprehend new content that is separate from application (remember me mentioning Theoretical vs. Practical?). There’s a possibility that you’ll learn many new things, yet the aim is to pass an exam, not to set the groundwork for security skills.

So, why not go after a study path that begins with a combination of listening to and watching content, in addition to the hands-on goodness of labs? Reading about things is great but you need that practice of applying something in order to soak everything in. You may read about Linux permissions and memorize them for the test, but will you remember them when it comes time to modify a user’s access in production?

Google’s coursework touches on the Security+ objectives and them some. The inclusion of heavy Python material is amazing, since programming is a skill that many security professionals rely on.

If you ask me, I’d use this course from Google as Phase I of my Security+ prep, then dive into full-on study of purely Security+ material as Phase II. That way you have a foundation of how to apply everything before you drown in a myriad of dry certification material.

Important: if you take Google’s course and want to jump into getting your Security+, you should absolutely grab a study guide or two. Google’s classes are wonderful, but I would by no means recommend that someone take the Security+ after taking their classes alone. Supplement that learning with Security+-specific study and you’ll be good to go.

Reason #4: For the money, it’s the best way to start

A Security+ study guide, depending on which book you buy, will likely run you $25–50 USD. One month of Coursera Plus will run you $59 USD (at the time of this writing).

If you dedicate 1–2 hours per day, plus several hours of your weekend each week, I believe most people would be able to work a great amount of the Google Cybersecurity content.

The goal isn’t to take the course, or any on-demand course, as quickly as possible, the goal is to take your time. Take advantage of on-demand learning to learn at the pace that works best for you.

I say it’s the best way to start for the money because, if you’re truly entering the course from Level 0, you’ll be given a more gentle introduction to topics AND be given the chance to be hands on with Linux and other important tech. Remember, too, that you’ll be building a portfolio as you complete certain assignments. Pretty cool, right?

If you spend your hard-earned money just on a Security+ book alone, you may have an excellent resource on your hands, but you’ll miss out on the chance to gets your hands dirty with the tech itself. For someone new, getting hands on experience early can make learning something new all the more exciting.

Reason #5: Finish Google’s course, get 30% off the Security+ exam

Let’s say you really want to earn your Security+. That’s the goal. Well, consider that paying for one CompTIA Security+ exam voucher will cost you $392 USD (as of this writing — check out the official exam page here for current info). Completing the Google certificate will net you a 30% discount off of the exam cost.

$392 x 0.3 = $117.6 USD off of your exam!

For a lot of people, that’s a huge discount, especially considering how most people who switch careers have bills to pay, perhaps even a family to take care of. How to wisely invest your money towards your learning should always be a part of your plan.

Reason #6: Not everyone actually needs to get the Security+

You will see the Security+ listed on tons of security-related roles, but, is it required? Examples of positions that may formally require this certification are roles within the United States’ federal government or jobs within the military. Here, you have to either hold the certification prior to being hired (you won’t be considered for the role if you don’t have it), or you commit to earning it within a certain timeframe after starting the job. This is what most Security+ training is aimed towards, since there are thousands and thousands of people who truly need to get the certification to get, or keep, their jobs.

If you don’t absolutely have to get a certification then I would consider if the cost, both of your money and time, is worth it. Your resources are finite, so I’d encourage you to see if a position you’re aiming for will require it or not. If not, there’s no harm in learning the material without committing to taking the exam.

I respect how each person’s journey is their own. As you take the time to figure out how you will learn, you’ll likely see varying opinions from individual to individual.

“Nathan,” you may say, “I completely disagree with you and I’m going to go straight for my Security+ certification.” That’s great! You will likely see posts and opinions that differ from my own, as you should. You are responsible for doing your homework and taking a look at your current situation, needs, and resources. You need to follow the path that is best for you.

Regardless of what you choose to do, go after it! Be tenacious in your learning and the knowledge and skills will come.

Recently, Google launched their Google Cybersecurity Professional Certificate, a certificate training program designed to take an individual with no technical experience and help prepare them for an entry-level role in cybersecurity in six months or less. Delivered through their formal partnership with Coursera, learning materials are made available for free (auditing the class, as it’s called, which would not grant you the certificate), or full course access and completion is available at a subscription cost of $49 USD/month (after the initial 7-day free trial).

Offerings like this are extremely vital to breaking down barriers to entry for cybersecurity! These barriers exist for people looking to find entry-level roles, for individuals interested in switching careers, or for students looking to augment grade school or university studies. Such courses are not a silver bullet for addressing the cybersecurity jobs gap, but they help.

Google does not mislead potential learners in what their offering will lead to, mind you. They do not claim to take you from Level 0-to-CISO in six months, since that wouldn’t be reasonable for any mortal. What they do claim is to be able to sufficiently prepare someone for an entry-level role, regardless of experience level, within a six-month timeframe. That is quite the challenge and I think Google has championed the task quite well.

Why six months…?

I get it, I was wondering the same thing.

This timeframe comes from Google’s own estimated time of completion, should a learner work on their course for 10 hours or less per week. With those numbers, they estimate that completing the course would take you six months of part-time effort, costing you $300 USD in total if you pay $49/month. I advise that you take these “hours” estimates with a grain of salt, at least until you have a taste for the course and can gauge the speed in which you’ll be able to tackle the material.

My take: Most students and/or career switchers I’ve known are particularly hungry and ambitious, so 10 hours of work per week is the least amount of time a motivated individual may put towards the certificate. If you have days off of work/weekends, you could easily devote 10+ hours of dedicated study to the course, keeping in mind their coursework completion estimates factor in time that you may or may not need. You’d be surprised how much you could accomplish with a focused hour of study each day!

What Coursera may designate as one, two, or three weeks of material is achievable and digestible within a few sittings. Trust me, I’ve done it! And that was without pulling all-nighters or anything crazy.

Knocking out this coursework in less than six months, while still taking in material appropriately (and, most importantly, maintaining your sanity), is 100% doable.

Why is it important, though?

I think in my last blog I kept asking myself questions as writing prompts, so I’ll just keep riding that wave here, too…

The world of tech is awash with certifications of every shape and size, with everyone from the major tech giants (Google included) to startups offering their own certifications, training certificates (training certificates are not the same as a formal certification, FYI — these are akin to what you may receive at the end of a Udemy or LinkedIn Learning course), and their own courses which relate to their own certifications.

Each one of these certifications have training materials that cost money, often in the form of colossal books and/or web-based labs, plus the cost of attempting the certification exam itself. Many, many companies are also designed around offering full blown training courses, based entirely around certifications, which cost upwards of several thousand dollars. For some of the most basic of certifications, like CompTIA A+ or CompTIA Security+, which are expected for many entry-level IT jobs,

one CompTIA exam attempt alone costs more than if you took six months’ time to study Google’s Cybersecurity Professional Certificate!

Here again, in my opinion, I think many learners would be able to complete the course in less time than that. Imagine how much you would be able to accomplish as a learner through the guided curriculum and perhaps supplementing with other quality materials over six months of study. There’s a slew of high quality books and materials covering Python, security fundamentals, pen testing, etc. with which to supplement your learning, too.

Please note: Certifications, like CompTIA and Cisco, are still very much in demand. I will always recommend that you only invest in a specific certification path if the job you’re aiming for requires it (e.g. the U.S. federal government, cloud security, risk management, the list goes on). The choice for how you invest your money and time will always be yours, but make that investment wisely!

Here, Google only requires that you complete the required training material, which includes many, many quizzes, hands-on activities, and end-of-segment/course exams. If you sufficiently pass each module within each course, then congrats! You have earned the Google Cybersecurity Professional Certificate.

The Curriculum is Important

Aside from cost alone, what Google covers is wonderful and on point. Starting with the basics, they guide you through concepts that gradually become more advanced and toss professional portfolio material into the mix as well.

Most Coursera certificates rely on you completing not just one course but a bundle of related courses aimed at a certain learning objective. Google’s Cybersecurity Certificate is no different as you will be expected to complete 8 courses in all. Here are the courses, in learning order:

1. Foundations of Cybersecurity

2. Play It Safe: Manage Security Risks

3. Connect and Protect: Networks and Network Security

4. Tools of the Trade: Linux and SQL

5. Assets, Threats, and Vulnerabilities

6. Sound the Alarm: Detection and Response

7. Automate Cybersecurity Tasks with Python

8. Put It to Work: Prepare for Cybersecurity Jobs

I think Google does a fantastic job of introducing people to a variety of security roles and letting people know that there are a variety of roles/ways to enter the security field.

Keep in mind that each and every course contains several glossaries of key terms and external links to outside, supplemental materials. The first course alone introduces you to resources like the NIST Cybersecurity Framework and Risk Management Framework, as well as closely related topics like data privacy, which are important for any security professional to know.

Remember how I mentioned CompTIA’s exam costs above? Well, Google claims that their coursework will simultaneously prepare students for the CompTIA Security+ exam! Students that complete the certificate will be eligible for a 30% discount on the Security+ exam, which I think is a wonderful side benefit to the curriculum. Good job, Google team.

[Insert high-five here. Or fist bump. I’m cool with either one.]

CISSP Domain Integration

Google has incorporated a certification into the mix that has been omnipresent in the security world for quite some time now: the CISSP.[pause for dramatic effect]

Created by (ISC)² in 1994, the CISSP is arguably the preeminent security certification across the corporate world and is quite common for mid-level, senior, or management level security professionals within large security departments. The CISSP’s material is split across eight different domains and security pros must have at least 5 years of experience, prior to passing the exam, in order to become a fully certified CISSP (provisional status is granted to folks who pass the exam but don’t yet have the experience).

The integration of CISSP domains into the curriculum is super cool, I think, because right away the student is thinking of something other than entry-level material, whether know so or not. If they are truly entering this course with no prior experience, they are being exposed to certification material that carries a lot of weight on one’s resume down the road and may give them a goal post to set for themselves. Students are passively exposed to long-term goals by virtue of having their curriculum already aligned with CISSP domains. Awesome.

Real Stories from Real People

Sprinkled throughout the courses are small nuggets of wisdom from actual Google security personnel who come from all manner of backgrounds, technical and not.

They share 1–2 minute stories, related to the topic at hand, from their own personal experience. One specific cloud security architect (a career changer herself — woot, woot!) had a beautiful example of responsible security ethics in the workplace. How cool is it that they sought to bring ethics early into the conversation? Kudos on that move, Google.

They openly share anecdotes from their work lives. They describe events from their careers, security related or non-security related. They give encouragement to those who think security may not be for them.

People transitioning into tech and young students need to know that they will be working with all kinds of different people, from all kinds of walks of life, perhaps from all around the world. I think Google does a solid job of bringing in both a variety of roles and a variety of workplace representation, which allows for compelling stories and may broaden the perspectives of some learners.

Additionally, people need to see that career changers also find their way into big companies like Google and find success. The folks who share within the course videos come from all walks of life and humbly tell of how they had no idea they would be working in the field, or at the company, they are today.

Career changers need positive examples like this so that they may see how much is possible and that success is within their grasp.

Complete the Certificate — Get Introduced to Employers

Students that complete the program have the option to present their resume to the Google Career Certificates Employer Consortium. As Google says,

“The consortium includes more than 150 employers including American Express, Colgate-Palmolive, Mandiant (now part of Google Cloud), T-Mobile, Walmart and Google. Members of the Employer Consortium consider those who have earned our Certificates for entry-level jobs.”

Super cool, right? That alone is reason enough to complete the certificate. All of these companies have competitive talent pools, I’m certain, but having a direct line to submit your achievement and resume is worth the shot, I say. Plus, career preparation is part of last course segment in the series.

What I find even more exciting is that these major companies, as part of the consortium, are letting Google know what they need from entry-level cybersecurity pros.

Think about it. A company as influential as Google will naturally be able to partner with companies on a scale that few others can, so when I look at this curriculum I think it’s an honest reflection of what an employer could expect from an entry-level professional in the security arena.

Another Reason Why This Cybersecurity Certificate Matters

Google’s course offering, in a field ripe with job opportunities that also offers the promise of financial reward via high salaries and benefits, breaks down barriers to entry, like I said before.

High quality, accessible education for all - matters.

My path to career change started because I found high quality coursework from Harvard via Edx.org, where Harvard and now many other institutions make their course content available for free. Their introductory computer science course, CS50 (massively popular now as a MOOC), changed my life. Even though I didn’t pay for the full course I still listened to the lectures and did the exercises on my own before deciding to enroll in school again full-time.

While I am still a proponent of a well-rounded education whenever possible, the reality is that not everyone can afford the time demands or the financial burden involved with going back to school.

Google’s cybersecurity certificate offers an affordable pathway for people who want to learn about security to do so without sacrificing quality of instruction, without sacrificing too much of their time, and then giving them a verifiable credential at the end of the process.

All you need is a computer with a basic network connection and you’re good to go!

Any group that makes high quality content this accessible, while also working to connect learners with potential employers, will continue to garner my support.

It’s a Thursday afternoon like any other Thursday afternoon. Perhaps it’s a quiet day, where the atmosphere around you is settled and the air seems still. Mouse clicks and keyboard taps are the arrhythmic soundtrack of the day, just like every other day.

Or, maybe it’s not a Thursday, perhaps it’s a Tuesday, or a Monday. Maybe you’re at the office or you’re at home. It could be any day.

The point is how, at this point during this particular afternoon, all is strikingly normal. Agonizingly normal. This feeling of normality may have rushed past you unnoticed on any other working day, but, today of all days, you notice that the normalcy has a weight to it.

As the days go by, you realize a growing sense of self and the pang of normalcy that struck you on that day. Your awareness level while at work begins to rise, like the feeling of slowing opening one’s eyes, and you realize that you are noticing more of what is around you. Perhaps you see how your manager truly interacts with your team while in meetings, or how disengaged you feel with your work when you are supposed to be on task, or that each day is beginning to feel just like every other day, or that you’re realizing you are never really happy at work, or...

Whatever you are beginning to realize, the point is that you are realizing something isn’t right. And you begin to think that the bubbling feeling of realization may just be the need for change on the horizon.

The first step in knowing that change is possible is realizing that there is room for change to take place.

While what I just described above may or may not apply to you and your situation, part of it is truly what happened to me. Before working in tech I had worked extremely hard to reach a certain level of skill in music and in choir directing, but, suddenly while teaching, realized that a career shift was going to be necessary for me in my life.

The key for me was the sudden realization that a change was needed in the first place.

Trust me, I wrestled with myself for a long time before surrendering to the truth that I:

1. Was not happy in the teaching profession

2. Had worked incredibly hard to be a strong musician and people leader, and

3. Had zero clue what to do next

I felt lost. I felt ungrateful for the opportunities I had worked for and had been afforded through my education, networking, and sheer luck. But, as I sat on my couch after a long day at work and was truly honest with myself, at some point I had reached the point of no return; I understood my time as a teacher was limited and it was time to strike out and discover my next adventure.

The first step in knowing that change is possible is realizing that there is room for change to take place.

Before moving forward, I want to make a few things crystal clear. I’ll break down the following three points in detail later on:

• Changing careers is 100% possible, regardless of age or the industry vertical you want to enter into.

• Career change is achievable at any age. We’ll revisit this later, don’t worry (I mean, it is kind of in the title after all if it’s “never too late”!).

• Changing careers will take courage, discipline, and perseverance.

“Nothing worth having comes easily,” said Someone Famous, right? And, they’re correct! I wanted to articulate those three points because, if you hear it from no one else, I want you to hear it from me — you can absolutely succeed in changing careers. I say that because I have not only walked-the-talk myself but I have seen many others do the same.

Now, on to the juicy stuff!

Changing careers is 100% possible

So you’ve had your moment(s) of epiphany, taken the leap, and realized that a major change is needed in your career. Woohoo! Now what do you do? Well, I’m glad you asked.

The way I see it, the people that decide to change careers roughly fall into three camps: (1) Some people already maintain “side hustles” (cough second jobs cough) that simply turn full-time, (2) others may already have some idea of what they want to pursue, and (3) others may know that change is necessary and have no clue (like me!) of what they should go after. All of the above are correct and totally fine.

Once the spark of desire for change is lit, my #1 suggestion is:

• If your current job doesn’t put your mental and/or physical health at risk, keep it (pay those bills!)

• As best as you can, keep money coming in as you learn about career paths, gain new skills, and search for new jobs

On top of that, here’s my advice:

1. You’re 100% sure of what to do next — Amazing (in hindsight I’m very jealous). You are still taking a big leap but you have confidence that comes from knowing exactly what you want to do! I’d still encourage careful research in how you conduct your next steps. The key for this cohort is perseverance and commitment to see it through.

2. You have some idea, but not sure. Here is where patience is key, if possible! Maybe you’re thinking about cybersecurity because you’ve heard it has great earning potential, but then you’ve always wanted to go to law school to get that JD and be an attorney. Whatever your personal choices, I would suggest making a compare/contrast for each of your options. What is the salary potential for each position? Is work-from-home important to you? Would you be willing to relocate for that particular new position? Take these questions into consideration, among many others, and let them stew for a while. Bonus points if you ask professionals in your area, or on LinkedIn, for informational interviews to learn more about what they do. The idea here is to better broaden your horizons by chasing after the ideas you already have. Take notes and take action.

3. Alright, so you have NO idea what you want to do. You are my people. Please know that I’ve been in your shoes and you have my full heart’s worth of empathy. I know it’s tough. For you, my suggestion is to start doing some soul searching to see what excites and what you think may ignite your ability to learn and grow in a different field. Here there are no wrong answers because all the options are available. For this group, inaction is your enemy. Taking action, of any kind, towards your goal of seeking career change will help establish the momentum that will carry you forward. To help, I curated a couple things to get the creative juices flowing. Follow along as we dive into this Group #3 some more.

For this last group, Google is both your friend and your foe as there is an ocean of resources our there. I’ve looked for a few resources which may be helpful, but know that there are many more that may be of benefit to you:

• 5 Tips for Changing Careers | Harvard Extension School — My favorite is how their first tip is to start with a self-assessment. Where are you now? Where do you want to go?

• The Right Way to Make a Big Career Transition (hbr.org) — This one is a big read, but, as you read, he really pushes you to think and brainstorm. And no, I have all but zero affiliation with Harvard, this just happened this way, I promise.

• How to Change Your Career | Guardian Jobs (theguardian.com) — This arose from the 2020 COVID pandemic era yet is quite relevant. The Guardian provides a short read that offers insights into reasons why people change careers, the benefits, and the risks involved.

• Time for a career change? | Robert Half — This! Part of this article has you taking stock in your current skills and talents. Remember, you’re changing careers, so you already have a valuable set of skills with which to populate parts of that next career’s resume!

Career change is achievable at any age

Since everyone asks ChatGPT everything these days, I asked, “How old is too old to change careers?” ChatGPT actually gave a very friendly and encouraging reply, which I will share a snippet of here:

There’s no specific age that’s “too old” to change careers. It really depends on various factors such as the individual’s health, financial stability, job market demand, and their willingness to learn new skills.

Not bad, eh? I agree! I don’t think one is ever too old to say that it’s time for something new in their professional life.

I know I shared how, when I realized I needed a career change from teaching music, I had zero idea of what I wanted to do. Well, eventually I started taking free computer science classes online and realized that I enjoyed the science and the analysis portions of that material. Plus, programming stuff and making things happen on the screen was pretty cool, so I decided I’d jump into tech.

When I made the decision to pursue a career in tech, I knew that traditional education was my preferred method of learning. Higher education, while expensive and requiring loans, provides a highly structured learning environment, applied internships (for most technical programs, at least), and is often an easy gateway into full-time employment. Since I already had a Bachelor’s degree and knew that enrolling in a graduate program in an unrelated field would require 1–2 years of prerequisite work, I enrolled in a post-baccalaureate program at a large, public university. This meant that I would earn a full Bachelor’s degree, but I would be exempt from taking all non-core classes within the curriculum (which was amazing, I can’t lie).

While back in school, students in my class ranged in age from 18 to 60+.

Some were fresh out of high school, some were adults who worked full-time and pursued their degrees at night, and some were members of the armed forces who served and were utilizing their G.I. Bill to earn their degree. I was amazed by the diversity of ages in each of my classes, in addition to the extreme range of experience levels.

I had convinced myself that I would know less than everyone else in every class, simply because I was a career changer. In truth, that was never the case.

Psychologists call this the “spotlight effect”, where you think everyone else notices you for what you notice internally within yourself. However, just like I realized that there was a need for change, I eventually realized that everyone else struggled with learning just as much as I did sometimes, and there was no need to feel inferior just because I had started back from Square 1 on the career ladder.

Currently I work in information security for a stellar company, doing work that is both engaging and meaningful. Now that I have worked in tech for some years, I have seen many, many people older than myself on LinkedIn earn CompTIA certifications like A+, Network+, and/or Security+, which is amazing to see (if you’re not in tech/IT, those are IT certifications). Also, I’ve seen countless adults pursue ethical hacking and/or penetration testing studies on LinkedIn (if you’re not a security person, no worries — those are just tech topics/skills), which is simply wonderful. It’s exciting to see.

Do not let your age define you. Do not let your age prevent you from thinking a career change is not within reach. Yes, take stock of your situation, and, yes, always evaluate your options and analyze decisions carefully before taking action, but know that a career change is always 100% within your grasp.

Changing careers will take courage, discipline, and perseverance

Look at the photograph above. Sometimes, the choice to change careers will have you feeling like you are the lone tree in the desert. You may feel isolated, alone, and you may feel like the world is watching you (remember me mentioning the psychology of the “spotlight effect” earlier?).

Please know that I don’t depict these things to scare you. Not at all! I share only in the hopes that you may be prepared for what may lie ahead.

So, you may be wondering why I mention “courage, discipline, and perseverance” in the title of this section. Well, thank you for asking! Let’s break it down a bit:

Courage

The first step in the process was coming to the realization that change was needed, right? Well, I don’t know about you but I consider that a massive leap of courage. Even if you realized you needed to change careers and didn’t tell anyone, that’s still courageous!

Sometimes changing careers means you’re making a decision to do something that may be hard for people to relate to, and that’s okay.

“You’re quitting your job?”, “Why would you walk away from those benefits?”, “What do you mean you’re changing careers, after all those years in college…?”

Maybe it’s a partner who questions you, or maybe it’s a spouse or parent, or maybe it’s simply yourself. Whoever it may be, the questions are inevitable and courage is required to confront those questions, in kind, with honest answers. Courage is required to think about stepping away from what’s known and into the professional unknown.

Courage is not an expression, by the way. Courage is something that comes from internal fortitude and strength. That same courage that will propel you to know that change is necessary will be called upon again as you encounter difficulties throughout the change process, for instance:

• Networking / reaching out for informational interviews

• That first interview in a brand new field, with brand new skills

• Landing that first job and overcoming imposter syndrome (totally a thing, trust me)

Discipline

I think I mentioned “stick-to-it-tiveness” earlier and I’m fairly certain that’s a word, but I am doubly-certain that discipline is required in order to achieve a successful career change.

If you jumping into a completely unrelated field where the learning of new skills is required, then get ready for an oil change of the discipline engine because you want to make sure that baby is running smooth as you get work. Learning new skills, especially after you have been working full-time in a field where skills may feel comfortable to you, takes lots of effort, and you’ll need to rely on discipline to see you through.

“Nathan”, you may ask, “why not include ‘motivation’ here instead of ‘discipline’?”

You know, I’m not sure why I’ve stuck with this format of making up questions that made-up readers may ask, but let’s just keep rolling with it. “Motivation” is an extremely powerful thing that can be combined with discipline, yet they are different forces:

• Motivation = desire; desire carries the potential to be fleeting so is therefore unreliable on a consistent basis

• Discipline = regimen (definition #2 in the link); your ability to demonstrate specific behaviors consistently over time

The motivation will lift your spirits and have you cruising on the good days. Your discipline will keep your nose in the books or have you filling out job applications on the bad days, when your motivation is low.

If you rely on motivation alone then changing careers will be extraordinarily difficult. By cultivating discipline, you can better set yourself up for success as you transition.

For discipline, I would say here that what’s important is to really know yourself, first and foremost. What times of day are you most alert/most effective? Do you think going back to school would be best for you, or a different path? What is your tolerance for learning new skills, applying for new jobs, and working your current job at the same time?

Here, the most important thing is to try. By trying different behavior patterns you will learn what activates your brain the most and what does and does not work for you. Do this over time and you will eventually hone a disciplined approach for tackling your career change.

Speaking of time, this dovetails nicely into my final point, perseverance.

Perseverance

You’re courageous — you realized that change was needed and were brave enough to acknowledge that fact.

You’re disciplined — yes, you rode that tidal wave of motivation after realizing that change was needed, but you capitalized on that to craft a disciplined approach for yourself. You’re chipping away steadily at your goals, making steady progress without overburdening yourself.

Now… what do you do?

Here’s where our final champion, perseverance, steps into the arena.

The road to changing one’s career looks different for all of us. For some of us, it’s a path that takes years, including going back to school, new degrees and new cities. For others, maybe the timeline is shorter but tough decisions still remain part of the career changing game. The process is not any easier or any more difficult based on the factor of time alone.

Without perseverance, I’m not sure if myself or anyone I know would have been able to successfully transition into our new careers. Even with the support of my partner my career transition was still extremely difficult. I worked at a steel shop as much as I could while back in school full-time, pursuing additional studies on the side and working full-time in the summers to make my transition as successful as possible. There are individuals I knew through school who did it all themselves with no help from friends or family, and I applaud them to this day for such an effort.

Just like how you can’t put all your eggs in the basket of motivation, knowing that motivation will eventually wane, in times where your motivation is lacking you can draw on your discipline and perseverance to see you through.

Perseverance, by the way, is not simply you thinking positively when times may be tough. Not at all. Your ability to persevere is your ability to see things through in spite of the obstacles that life may throw your way. And, trust me, life has a way of keeping you on your toes!

I really wish I had a bag of tricks for helping you to build perseverance, but I’m not sure that I do. And, to be honest with you, I don’t want to be shallow and share things that I Googled and didn’t trial myself.

You will, no doubt, know the tough times when they come. Perseverance is when you accept that the tough times are here, take a breath, and then decide to keep moving forward. That is perseverance in action.

Changing my career into tech truly changed my life for the better. If you’re on the fence about whether or not a career change is right for you and your situation, know that no one else but you can make that decision for you.

However, know that change is always possible. I hope this article was a small step in helping someone.

If this helped you in any way, please do share with someone you know.