Gray is the New Black: Unconventional Wisdom for Your Cybersecurity Journey (and How Leaders Can Cultivate It)
Are you dreaming of a cybersecurity career, but feel stuck because the conventional path seems out of reach? Or perhaps you're already in the field, wondering how to truly thrive and build a fulfilling life, not just a job? If so, you're in the right place! Insights from recent discussions at THOTCON in Chicago, featuring cybersecurity leaders like G Mark Hardy and Ryan Gooler, reveal that the conventional wisdom for cybersecurity careers — "go to school, get a degree, apply for this job" — is doing us a disservice. The truth is, you have to make your own path.
Ditching the Degree Myth: Crafting Your Own Career Landscape
It’s a common misconception that a cybersecurity career absolutely requires a four-year degree. Many successful professionals, like Ryan Gooler, started their journey in network and system administration, even after dropping out of college, before finding their way into security. While a degree can be a path to success, it's certainly not the only one. You have a multitude of options: you can start your own thing, get in early on a startup, or create something interesting and see what happens. The key is to keep trying different approaches until they succeed, embodying the very essence of hacking. If one "attack" doesn't work, you try something different, understanding that not every challenge has the same solution. Don't ever believe you're "not valuable enough" without a degree; that's entirely incorrect. Chasing a degree you don't truly desire can lead to frustration.
For CISOs and Security Leaders: To truly expand your talent pool and build resilient teams, consider these recommendations:
Embrace Skill-Based Hiring: Look beyond traditional degrees. Prioritize demonstrable skills, practical experience, and a proven passion for learning. Many talented individuals may come from unconventional backgrounds, like system administration, before transitioning to security.
Create Diverse Entry Points: Develop internship programs or entry-level roles that focus on hands-on learning and mentorship, rather than requiring specific academic credentials. This aligns with the idea of making your own path.
Challenge Conventional Wisdom: Actively question internal hiring policies that might be inadvertently filtering out highly capable candidates who don't fit a narrow, traditional mold.
The Power of a Guiding Hand: The Mentorship Multiplier
One of the most impactful shortcuts to career success is finding a good mentor. Ryan Gooler credits his former manager, Nate, with effectively cutting ten years off his career path. A truly impactful mentor is someone who has your interests in mind, not just the organization's profitability. Such a mentor can recognize your "massive thirst to learn," your drive, and your talent. This recognition can lead to incredible opportunities, even being hired multiple times by the same mentor at different companies, knowing exactly what you're getting into and who you're reporting to. This highlights the long-term trust and value built through a strong mentorship relationship.
For CISOs and Security Leaders: Cultivating a strong mentorship culture is vital for talent development and retention:
Formalize Mentorship Programs: Establish clear structures for experienced team members to mentor junior staff. This can accelerate career growth and foster a sense of belonging.
Incentivize and Recognize Mentors: Acknowledge the time and effort mentors invest. This could be through internal awards, performance reviews, or development opportunities for the mentors themselves.
Encourage "Sponsorship": Beyond just advice, encourage senior leaders to "sponsor" promising talent by actively advocating for their career advancement and opening doors to new opportunities, similar to how Ryan's mentor hired him multiple times.
Navigating Your Own Path (and When to Let Go): The Art of Career Zen
In today's dynamic world, you can't simply wait for a predetermined career path or your "master" to dictate your next promotion. We absolutely need to be in charge of our own careers. While it's good to set goals, be prepared to take your hands off the reins and chase what is most interesting and challenging, especially when opportunities accelerate faster than your initial plans. This "zen" approach, letting life unfold organically, can lead you to "amazing places". Ryan, for example, hit his personal and career goals by age 26, far ahead of schedule, and decided to let curiosity guide him.
However, remember that to reach the "next level," you often have to "come down the hill" you're currently on, go through the valley, and come back up again. This transformation can sometimes be forced upon us through restructuring or layoffs, which, while traumatic initially, are common experiences. Furthermore, when you're 80% done with a project, it's often better to let someone else finish it and move on to the next challenge yourself. This mindset allows you to tackle four more projects in the time it would take to perfect the last 20% of one. This approach, exemplified by G Mark Hardy's experience building a large Navy leadership program, allows leaders to create a "finishing stamp" and then delegate, enabling them to take on new, strategic challenges.
For CISOs and Security Leaders: Empower your team to own their career trajectories and embrace calculated transitions:
Foster Internal Mobility: Encourage team members to explore different roles and projects within the organization, even if it means temporary shifts in responsibility or "coming down a hill" to learn a new skill.
Promote Delegation and "Finishing Stamps": Train leaders to identify when a project is sufficiently mature (e.g., 80% complete) to be handed off. This frees up key talent to initiate new, high-impact initiatives and prevents burnout from perfectionism.
Develop "Next Level" Opportunities: Actively identify and create pathways for employees to move into more challenging roles, even if it means designing new positions or cross-functional assignments.
Future-Proofing Your Finances: Building Your Foundation for Freedom
One of the most powerful ways to empower yourself in your career is through financial preparedness. Ryan suggests maintaining three tiers of savings:
Oops Fund: A small, easily accessible fund for minor, unexpected expenses like a flat tire. Aim for about $50-$100 monthly contributions.
Emergency Fund: A more substantial fund to cover periods of unemployment, allowing you to reduce luxuries until you're back on your feet. This fund provides the freedom to "fast" – to wait for the right opportunity rather than taking the first minimum qualifying job out of desperation.
Investments for Later in Life: Long-term savings that you ideally never touch, ensuring future financial stability and preventing reliance solely on social security, which may not be enough to live well.
The secret to building these funds? Automate your finances. Have money automatically transferred and put away, as you'll forget to do it otherwise. Keep these funds in separate accounts or institutions so you're not constantly monitoring them and are less tempted to dip into them. When you get a raise or bonus, don't increase your spending proportionately; instead, live a little below your means and let your savings accelerate. If you receive an unexpected windfall, take 10% to enjoy, and move the other 90% away quickly. This allows for indulgence without eating up all your winnings.
For CISOs and Security Leaders: While CISOs are not financial advisors, they can still support their team's financial well-being:
Promote Financial Wellness Resources: Advocate for or provide access to resources that help employees understand personal finance basics, like automated savings and long-term planning.
Ensure Competitive Compensation: A strong financial foundation starts with fair pay. Regularly review compensation to ensure your team is well-compensated, enabling them to build these essential funds.
Lead by Example (Subtly): While not discussing personal finances, embodying principles of financial discipline and long-term planning can subtly influence team culture.
The "Hell Yes" Rule: Choosing Your Environment Wisely
When considering job offers, apply the "hell yes" principle: if it's not a "hell yes," it should be a "no". Just because they said yes doesn't mean you can't say no. This applies to your current work environment too. If you find yourself in a toxic culture that doesn't align with your core values, the best survival technique is often to leave. As Maya Angelou wisely said, "Go where you are celebrated, not merely tolerated". Having your fallback funds (the "Oops" and "Emergency" funds) makes this choice possible, preventing you from staying miserable out of desperation and trading your valuable time for a fixed amount of money in somebody else's plan. A good job isn't just about money; it's about fit and alignment with your values.
For CISOs and Security Leaders: Creating a "hell yes" culture is crucial for attracting and retaining top talent:
Actively Cultivate a Positive Culture: Define and uphold core values that celebrate employees, foster psychological safety, and ensure everyone feels valued and respected.
Address Toxicity Promptly: Don't tolerate toxic behaviors or environments. Leaders must be proactive in identifying and resolving issues that make employees feel merely tolerated rather than celebrated.
Communicate Organizational Vision: Ensure that the company's and team's goals are clear and inspiring, so employees feel a "hell yes" about contributing to the mission, not just the paycheck.
Embrace the Journey: Risk, Learning, and Finding Joy
Risk is not as bad as you think it is, especially when you are young and your net worth is low. When your net worth is near zero or even negative, there's not much to lose, so take that risk and see where you land. Beyond that, actively look for joy and wisdom in the things around you, even in unexpected situations like accidentally booking a seniors' tour to Japan. Approach every situation, even a "bad job," with a positive attitude, aiming to get everything you can out of it before moving on. There's something valuable to be learned from any experience, no matter how challenging.
For CISOs and Security Leaders: Encourage a mindset of growth and resilience within your teams:
Foster a Culture of Psychological Safety for Risk-Taking: Create an environment where team members feel safe to experiment, propose new ideas, and even fail fast, especially for junior employees.
Encourage Learning from All Experiences: Promote post-mortems and retrospectives that focus on learning and growth from both successes and challenges, rather than blame.
Promote Work-Life Harmony and Well-being: Support employees in finding joy and balance outside of work, recognizing that well-rounded individuals contribute more effectively.
Become a Perpetual Learner (and Teacher!): The Cybersecurity Imperative
Cybersecurity is a field of constant change. As G Mark Hardy's law states, "Half what you know about security will be obsolete in 18 months". This means if you don't love learning and aren't passionate about continually adding to your body of knowledge, you might struggle. For those starting out, try as much as you can and chase whatever truly captures your interest, even if it diverges from your initial plan. If forensics seems more interesting than pen testing, chase it! Don't rigidly stick to an initial idea if a better, more fascinating path emerges. This broad early learning will be synergistic later.
Finally, always be teaching what you know. No matter how new you are, you have unique stories, good ideas, and knowledge others don't. Ryan Gooler shared an amazing experience of teaching a nuclear engineer how to pick locks, demonstrating that everyone has something valuable to impart, regardless of their overall experience level. Teaching reinforces your own learning, as you'll want to understand the subject deeply enough to answer questions. It’s one of the best ways to explore and master a topic, or as G Mark Hardy suggests, "find something interesting and then go write a podcast". The cybersecurity community, with events like THOTCON and B-Sides, is full of people willing to welcome newcomers and show them the ropes.
For CISOs and Security Leaders: Prioritize continuous learning and knowledge sharing to maintain a cutting-edge team:
Invest in Continuous Education: Allocate budget and time for training, certifications, and attending conferences like THOTCON or B-Sides.
Foster Internal Knowledge Sharing: Create platforms (e.g., internal tech talks, brown bag sessions, wikis) where team members can teach each other what they know. Encourage even junior staff to present on topics they've explored.
Encourage Specialization AND Breadth: While early career professionals should explore broadly, help guide them towards areas where their natural inclinations (e.g., constructive thinking for GRC vs. penetration testing) can truly make them happy and productive.
Lead by Example in Learning: Demonstrate your own commitment to continuous learning and adapting to new threats and technologies, reinforcing that "half what you know about security will be obsolete in 18 months".