In this newsletter, I’ll walk you through a simple, step-by-step framework using an MCSI exercise. It’s deliberately basic — because that’s the point. I want you to see that even the most advanced practitioners rely on clear, repeatable processes.

This method isn’t just for beginners. It’s designed to scale. Whether you’re troubleshooting daily threats or navigating enterprise-wide risk, the goal is to give you a process you can apply to any problem — especially the hard ones you’re facing at work.

Step 1: Identify the Parts of the Problem

Let’s start with one of the simplest exercises from MCSI: set up two virtual machines, connect them on a shared network, and verify they can communicate.

It’s a basic lab—but it trips up a lot of newcomers. Many have never done hands-on technical work or have only worked in pre-built environments. So building something from scratch is brand new territory.

Step one: slow down and read the exercise description carefully. As you go, identify every “part” that stands out. Don’t overthink it—just mentally note each element mentioned.

Below, you’ll see a diagram with the parts I identified. They’re unorganized for now; we’ll tackle that next.

But before you move forward, pause. Ask yourself: “Do I actually understand every part listed here?” If there’s anything you don’t fully grasp—like the command “ping”—this is where the real learning begins. Your job is to stop, research it, and build a basic understanding before continuing. That’s how professionals grow.

Step 2 - Organize the Parts into Logical Wholes

Now it’s time to organize the parts into logical groupings — or “wholes.” The diagram below shows one example, but it’s not the only way to do it. There are multiple valid ways to structure the same system.

Notice how I introduced a new whole labelled “Hypervisors.” That wasn’t identified in the previous step.

The process isn’t rigid — it’s flexible and based on logic. As you deepen your understanding, new groupings or relationships may emerge. That’s completely normal and you can edit your diagrams as much as you need.

If there’s still a part you’re unsure about — where it fits or what it even means — that’s your growth moment! Stop. Do the research. Ask questions. This is how you build real understanding.

Remember, these diagrams aren’t for decoration. They’re tools to help you validate your own thinking about the problem you’re solving.

Looking at the diagram, a few things should be crystal clear by now:

• You need to set up two virtual machines—one Windows, one Linux—which means you’ll need the right ISO files.

• You have three hypervisor options to choose from.

• You need to configure network connectivity and confirm it works using the “ping” command.

The next step is to take these elements and assemble them into a functioning system.

Step 3 - Organize the Parts into a System

Now it’s time to build a system diagram. The goal here is to show how all the parts come together into a working system.

In this case, I created a simple system diagram: two virtual machines connected to the same NAT network using VirtualBox.

Anyone looking at this diagram should immediately understand what needs to be built. And that’s the whole point.

By creating a diagram like this, I’m confirming that I understand every part, every whole, and every relationship. It’s a self-check. I can even share it with a colleague or mentor to get independent validation—make sure nothing’s missing or off.

Once it’s clear, I’m ready for the last step: validate the system solves the end-goal.

Step 4 - Validate Approach Solves the End Goal

To meet the requirements of this exercise, I need to accomplish four specific goals.

So I’ve added each of them directly onto the system diagram to keep the outcome front and center:

Each goal is now mapped directly onto the relevant part of the system. This makes it crystal clear where each action needs to happen and what needs to be done.

And again, this step is a check. If I’m unsure where a requirement fits, that’s a red flag. It means I’ve either misunderstood something or missed a part entirely. That’s my cue to pause, dig deeper, and fill the gap.

Conclusion

What I’ve just walked you through—step by step—is exactly how cybersecurity professionals think. They might not draw it out every time, but they mentally break things down into parts, organize them into wholes, see the relationships, and build the system in their head.

This is why the IT industry is filled with diagrams. They’re mental models that reflect how someone understood a system at a specific point in time.

If you want to solve harder problems, you need to get better — and faster — at thinking this way.

And here’s the key: there’s no “one diagram to rule them all.”

There are infinite ways to map a system. What matters is whether the diagram helps you think clearly and act confidently. It’s a tool for understanding before execution. And it’s a tool for feedback—something you can share with a teammate or mentor to check your thinking and sharpen your approach.

If you’re serious about levelling up your problem-solving and critical thinking skills to grow your cybersecurity career in 2026, now’s the time to act.

Use code EOY25 before year-end to get access to one of our top-rated cyber courses. You’ll work through real-world problems, get direct, personalized feedback from expert instructors, and start seeing massive improvement fast.

Don’t wait - invest in your growth now, so you’re ready for what’s next.

Over the past six months, we’ve trained hundreds of experienced IT professionals. Confident, technical, capable - yet almost all of them struggled with cybersecurity. And I kept wondering: why?

To get answers, I sat down with one of our lead instructors. For an hour, she unpacked the same frustrations and roadblocks she sees every week - the moments where seasoned IT veterans suddenly feel lost.

As we talked, something clicked. We realised there’s a simple mental model that explains why cybersecurity feels like a completely different universe, even for highly skilled IT professionals:

Most IT professionals walk in expecting cybersecurity to look like the rest of their toolkit: clean GUIs, neat dashboards, predictable workflows. They expect the work to be linear, human-centred, mechanistic, and orderly.

But cybersecurity refuses to fit that frame.

The structure of cybersecurity looks like this:

• Volatile: Techniques, tactics, tools, and entire technology stacks evolve constantly. What works today may not work tomorrow.

• Complex: Cybersecurity sits at the intersection of systems, networks, software, human behaviour, the law, economic incentives, and adversarial intent. Everything is connected, and small details matter.

• Uncertain: Most cyber problems are investigations. You don’t know the answer upfront; you uncover it by researching, testing ideas, and proving your solution all the way up to 100% correctness.

And the biggest surprise for these IT veterans? Technical cybersecurity work is low-level. No dashboard. No wizard. Just raw analysis using hex editors, disassemblers, packet captures, log dumps and file headers.

It’s better to think of it as reverse engineering rather than the “drag-and-drop” or “click-and-connect” IT they’re use to.

This mismatch between expectation and reality is where the struggle begins.

How Instructors Learned Cybersecurity

After mapping the IT veteran’s mindset, I asked our instructors to write down their own mental model for how they learned the field:

They had faced the exact same challenges as the IT veterans when they started learning cybersecurity. But instead of getting frustrated, they adapted. They understood the actual structure of the field, so their mindset aligned with its reality.

They approached every problem with curiosity and a desire to investigate. They enjoyed uncovering how things worked. And over time, that mindset sharpened their problem-solving skills. They became more capable, more confident, and more eager to tackle deeper, harder, low-level challenges.

The difference wasn’t talent.
It was mindset.

The Secret

So what’s the secret to learning cybersecurity?

Align your mindset with the structure of how cybersecurity really works.

Lean into curiosity. Treat every problem as something to explore, not something that should already be solved for you.

Once you adopt that mental model, the path becomes clear: work through a series of problems that gradually increase in difficulty and variety. With each one, your skills grow, your confidence builds, and the journey stops feeling daunting and starts feeling exhilarating.

Yet, despite this reality, opportunity has never been greater.

In this post, I’ll show you how to rethink the cybersecurity job market, understand what’s actually happening beneath the headlines, and position yourself to take advantage of the real opportunities that exist right now.

Reality Check: Growth Happened, Not the Hype

The image below shows a 2022 study by ISC2 reporting that the cybersecurity profession needed to grow by 3.4 million individuals worldwide to close the workforce gap.

This is one of many studies that estimate workforce demand based on survey responses, such as: “72% of respondents expect their cybersecurity staff to increase somewhat or significantly within the next 12 months.”

The reality is that cybersecurity has grown. Industry associations are larger than ever, and major enterprises that once had security teams under 100 people now operate with several hundred.

The misconception for graduates came from two places.
First, many believed employers would hire and train university graduates for roles that actually require hands-on skills and a deep understanding of technology.
Second, the projected explosion in open roles never reached the scale those studies predicted.

This doesn’t mean you can’t break into cybersecurity today. It means you need a different mindset - one that understands how the market really works and how to create an edge.

The Real Problem: You Were Never Properly Trained

At Mossé Security, we offer an internship position that requires zero prior cybersecurity experience. Our goal is to identify newcomers with talent, critical thinking ability, and strong problem-solving skills.

Each year, we receive between 600–800 applications. We don’t read CVs or review LinkedIn profiles. Instead, we send candidates a technical aptitude test to determine whether they meet a minimum baseline of practical skills:

Some years, we already have enough interns, so we simply ask candidates to re-apply in six months. Other years, we’ve sent the aptitude test to every single applicant. What we consistently discovered is that only 5–15 people per year can pass this baseline test.

Since the launch of ChatGPT, we noticed a shift - candidates who previously struggled began leveraging AI to complete the assessment. To adapt, we raised the bar slightly. We now evaluate whether a candidate can use tools like GPT effectively without becoming dependent on them. The goal isn’t to exclude AI-assisted applicants - it’s to identify those who understand the technology well enough to incorporate it intelligently, not hide behind it.

The biggest challenge for most graduates is simple: they don’t yet have skills that solve problems worth paying for. If you’re expecting employers to train you from scratch, you’re putting yourself at a disadvantage.

Companies aren’t hiring to run training programs - they’re investing in automation to scale existing teams, outsourcing where quality allows, and prioritizing efficiency. Most employers don’t see themselves as training organisations. They expect contributors, not apprentices.

The Market Rewards Problem-Solvers — Massively

The cybersecurity market has experienced explosive growth and forecasts show strong continued expansion:

The opportunity isn’t just large — it’s enormous. There is more than enough demand and capital in this industry for capable problem-solvers to achieve their financial goals.

Look at the largest companies in your region, and the fastest-growing ones. Every single one of them needs competent cybersecurity talent.

To win opportunities you need three things:

1. A champion inside the organisation

2. A clear point of view on how you will solve high-value problems for their business

3. Proof that you can deliver, not rhetoric

The hardest part of this formula is finding a champion. Everything else is within your control right now — no permission needed, and with skills you can build to become unstoppable.

Nothing stops you from learning application security and threat-modelling the software built by the companies you want to work for.

Nothing stops you from researching vulnerabilities in a specific technology and reaching out to CTOs, CIOs, and CISOs whose organisations depend on it.

The key is in how you communicate. You don’t push. You don’t demand a meeting. You don’t ask for money.

You write in a way that shows you’re here to help, to build trust, and to take initiative on meaningful security problems — if they decide it matters. And they will.

Before you build a business, build yourself.

You don’t earn trust, shift mental models, or close deals by winging it.
You do it by becoming an expert—on your industry, your customer, and your solution.

That takes reps. Study. Client work. Reflection.
Put in the hard work now, so when the moment comes, you're ready.

Want to build a real business?
Start by becoming someone worth buying from.

Check out our certifications, pick one, and work on becoming an expert.

Desperation breeds creativity. Olsen forged a police clearance and faked IT certifications, allegedly downloading sample images and pasting his name onto them. This crude forgery was enough to land him the role of IT Security Manager at Racing & Wagering WA (RWWA).

According to sources familiar with the case, Olsen billed himself on his CV as “The Hacker from Hell” — a kind of self-awarded badge of honour to brag about his cybersecurity skills. Before his crimes surfaced, he was highly rated by his employer, recommended for several pay rises, and even considered by one staff member to be the best IT security manager RWWA ever had.

His downfall came not from routine checks or industry gatekeeping, but from his own overreach: he was jailed for 18 months after framing a colleague to secure his six-figure salary.

When I first learned of Olsen’s story, I wondered: would professionalisation have stopped him?

It didn’t take long to realise that Olsen’s story is not an argument for professionalisation, but a warning against its hollow promises.

First, RWWA’s HR department never checked his credentials. Nor, it seems, did any recruiter. Even in 2008, major certification bodies offered simple online verification tools — a certificate reference code, a database, a click. No one bothered.

A register is only as useful as the people who choose to consult it. If HR departments won’t validate credentials today, what fantasy suggests they’ll religiously cross-check a register of accredited professionals?

Second, if Olsen’s version of events holds any truth, the cost of legitimate certification may have helped lock him out of the market in the first place. When qualifications are prohibitively expensive, some will always find cheaper ways to meet expectations — including fraud.

Professionalisation risks erecting yet another financial barrier to entry — one that incentivises the very behaviour it claims to eliminate.

Third, even today, Olsen would not be stopped from re-entering the cybersecurity market. He could become a bug bounty hunter. Offer cybersecurity services overseas. Professionalisation cannot fully close the market; it only raises costs for those who try to enter it via professionalisation’s pathways.

Olsen’s story reminds me of a scene in the excellent Netflix documentary on Bernie Madoff. Called before the SEC in New York, Madoff handed over account numbers that could have instantly exposed his fraud. Except no one checked.

They had the truth in their hands — and they didn’t check.

The proponents of professionalisation promise to cleanse the industry of charlatans. But Olsen’s case — like Madoff’s — shows the real problem is not lack of regulation.

It is human laziness, bureaucratic incompetence, and blind faith in processes that no one actually enforces.

I wonder what the professionalisers will say when they realise employers and businesses aren’t even using the tools they so proudly built.

Or much worse: when they realise that professionalisation has not driven out the charlatans — it has enabled a new breed: chartered charlatans.

Particularly the type that will want to climb onto the board of the professionalisation body to advance their own interests under the banner of “standards”, “ethics” and “protecting businesses.”

Professionalisation may yet give us a more orderly industry — but if it also gives power to those who never earned it, then we will have traded chaos for capture, and called it progress.

Sources:

• Court finds man guilty of hotel funds theft, ABC News, 26 March 2004

• Corruption trial starts, ABC News, 29 Sep 2009

• Former RWWA manager convicted, The West Australian, 23 October 2009

• IT Manager jailed for fabricating evidence against colleague, ABC News, 14 January 2010

What I’ve come to understand, and what isn’t said nearly enough, is this: trying to find a job in cybersecurity can be a profoundly disorienting and even traumatic experience. Not because people aren’t trying — but because so much is out of their control. And too often, what is in their control is never clearly explained.

Let’s speak plainly.

Location Matters

Where you live still determines how far your skills can take you.

MCSI has users in over 80 countries. If you're based in a region with no tech sector, or one where remote work is viewed with suspicion, the road ahead is harder.

Even in the West, students from rural or economically stagnant areas are at a disadvantage. Some employers still won’t hire remote workers unless they’re known quantities. Why? Because to them, you're an unknown. In the worst-case scenario, a security risk.

None of this is fair. But it is real.

Gender Matters

For many of our female students — particularly in countries where women face legal or cultural barriers to work — the struggle is not about skill. It's about permission.

Some of the most technically gifted people I’ve seen in our program are women who are legally barred from practicing the very craft they’ve mastered. It’s enraging. But pretending otherwise helps no one.

Skills Matters

This may sting — but it must be said: you might not be as good as you think you are.

In cybersecurity, value is measured by your ability to solve problems worth paying for. If your skills aren’t at the right level, employers notice quickly. Even if they don’t say so.

Cultural Fit Matters

You can be technically brilliant — and still get rejected because you didn’t “click.”

Workplace culture is a real factor. If you come across as a “social risk” — you might never hear back, no matter how strong your CV.

The Market Matters

Sometimes, it’s just timing.

You can have the right skills, the right attitude, and still miss out — because the market has turned, or budgets have frozen, or some senior leaders just received some new information and decided to “pause hiring.”

It’s not personal. But it feels personal. That’s what makes it so brutal.

Connections Matters

Many cybersecurity jobs come through referrals and reputation. If no one knows your work, getting hired is harder — plain and simple. Even with connections, there are no guarantees.

Networks open doors, but they don’t carry you through.

No Guarantees. Only the Real.

No one — no program, no credential, no institution — can guarantee you a job in cybersecurity. That’s not cynicism. It’s the Real. And coming to terms with it is the first act of freedom.

If you’ve enrolled in a bootcamp, a degree, or a certification on the promise of guaranteed employment, you’ve been misled — and perhaps, if you're honest, you've misled yourself.

It’s a hard truth. But far better to face it now than build your hopes on a foundation of sand.

At MCSI, we make no promises of employment. What we offer is harder — and more honest.

We teach real skills: the kind that solve problems, not just impress recruiters. We simulate the pressures, the ambiguity, the stakes of the work itself. And we keep our training as accessible as possible — because talent shouldn't depend on wealth.

Still, some of our students struggle to find jobs. Not because they failed — but because the world is not fair. Bias, timing, geography, gatekeeping — these aren't footnotes. They're structural.

But here is the line you must cross:

To stop asking for guarantees.

To let go of the fantasy that the system will reward you for doing everything right.

To see the Real — the contingency, the arbitrariness, the indifference — and decide to act anyway.

That’s not optimism. It’s not resignation.

It’s courage without illusion.

And it's where real growth begins.

This essay aims to call out these spectres so they can be examined in themselves but more importantly so that their influence on how we’re approaching professionalisation can be properly examined.

We do not summon the spectres, and even if we choose to ignore them, they still exist.

The Spectre of Racketeering

Someone must pay for professionalisation to be possible – no matter how the fees are presented or who does the presenting.

Here’s published research from legal scholar Rebecca Allensworth that provides empirical evidence from other industries that professionalisation can become a racket: book and podcast.

You can also read her provocative 2013 research paper titled “Cartels by Another Name: Should Licensed Occupations Face Antitrust Scrutiny?”. Here’s a quote from the abstract:

“It can't surprise when licensing boards comprised of competitors exclude competition and regulate in ways that raise their profit. The result for consumers is higher prices and less choice, as licensing raises wages by 18% and bars competition from unlicensed workers. For African-style hair braiders, the result is either an illicit business or thousands of hours of irrelevant training imposed by a cosmetology board. For lawyers, the result is less competition from tax accountants, paralegals and out of state lawyers.

The great accomplishment of the Sherman Act has been to make cartels per se illegal and relatively scarce. Unless the cartel is managed by a professional licensing board. Most jurisdictions consider such boards, as creations of states, to be exempted from antitrust scrutiny by the state action doctrine, leaving would-be competitors and consumers no recourse against their cartel activity.”

Now that you have seen this research, and there’s a lot more of it, the idea that cybersecurity professionalisation could never become a racket on the industry, businesses, or consumers, is no longer certain, no matter how much evidence supports its benefits.

Professionalisation can never fully prove itself “pure” or “just”, as the risk of it becoming a racket is always present. This risk will always be present.

Payment sustains professionalisation yet places it in doubt, creating a cycle of uncertainty. It raises questions about who benefits, whether it delivers value, and if those paying can ever stop.

The Spectre of the Authoritarianism

The rules will be decided by a few for the many, even with industry consultation. And it is all too easy to dismiss inconvenient voices. Hard choices will be made, some ideologies will dominate, and certain voices will be ignored. Some decisions will rely purely on claims of authority – accepted as the "right thing" without proof or concern for opposing views.

Power and authority enable professionalisation but also undermine its credibility. Participants are always left unsure if their interests are valued or if those in power are pursuing another agenda.

The Spectre of Insufficient Control

Imagine a terrible person who commits a serious crime. Their cybersecurity license is revoked, yet they can still write, teach, sell, and profit from the very businesses and consumers professionalisation claims to protect.

Now imagine a small MSP – a two-person company that services micro and small businesses. None of its staff are accredited under the proposed professionalisation scheme. One of their clients requests support to meet Essential Eight Level 1 requirements. Could professionalisation stop the MSP from implementing Airlock, enabling MFA, building an asset inventory, or patching Windows machines? Of course not.

Professionalisation promises protection by controlling who can participate in the market, yet it can never fully deliver – its control is always limited. What and who is being protected then?

The Spectre of Illegitimacy

To prove professionalisation’s legitimacy, supporters point to a 2022 AISA survey showing one in two people in favour. What they overlook is that the survey’s report doesn’t specify the number of respondents, their demographics, or how informed about professionalisation they were. AISA itself chose not to proceed with professionalisation after the survey.

The problem of legitimacy runs deeper than it seems. People may embrace professionalisation today and reject it tomorrow. Legitimacy is never stable – it shifts, stumbles, and resists control.

The push to professionalise cybersecurity in Australia rests on a single, debatable survey. Is that enough to claim legitimacy? Perhaps professionalisation survives not by proving itself, but by insisting we believe in what it cannot prove.

The Spectre of Disbelief

Having a credible group of people run the scheme is critical, yet also impossible because the conditions that establish credibility are always provisional. Credibility can come and go in the blink of an eye. All attempts to assert credibility can be challenged, questioned, or reinterpreted.

Therefore, whoever wins the government’s grant will be trapped in a constant performance, striving to prove their credibility by mimicking the language, structure, and tone of authority to create the illusion of legitimacy. Yet credibility is always haunted by what it denies — the lingering presence of doubt and disbelief.

The Spectre of Endless Regulation

The US DoD’s professionalisation scheme, the DoD Cyber Workforce Framework (DCWF), defines 72 cyber-related roles, with more added every few months. Will it ever stop growing?

With no clear boundaries neatly surrounding cybersecurity, the DCWF includes roles like IT Investment Portfolio Manager, Product Support Manager, Program Manager, Cyber Legal Advisor, Service Designer User Experience (UX), Data Steward, and AI Adoption Specialist.

Professionalisation does not simply expand — it survives by remaining unfinished. Each new role claims to define cybersecurity, yet each addition reveals new gaps that demand yet more definitions. The system sustains itself not by achieving closure, but by taking advantage of the fact that cybersecurity doesn’t have any clear boundaries.

Regulation follows the same pattern. Each rule attempts to impose order, yet every rule creates new uncertainties that call for even more regulation – think of workplace safety standards for example.

Professionalisation does not expand because boundaries are unclear – it expands because no boundary can ever be final.

The Spectre of Insufficiency

Cyber professionalisation pursues ideals like protecting businesses, consumers, and progress itself. Yet these ideals can never be fully reached. When will the public be truly safe? When will progress arrive?

Professionalisation’s desired outcomes are shaped by unreachable ideals – always shifting, arbitrarily defined, never perfectly definable.

How many businesses must be protected for professionalisation to have succeeded? Why this number and not a bigger number? Is success ever knowable at all?

Ideals provide a mechanism for professionalisation to protect itself from scrutiny and accountability: when it benefits the scheme, success can be defined by what has already been achieved. When the scheme needs to justify its continued existence, success can be defined by what still needs to be done.

Professionalisation therefore survives by exploiting ideals. It creates an endless race where participants convince themselves they must keep running. Does that sound familiar?

The Spectre of Exclusion

Which voices are amplified, and which ones are devalued? Professionalisation is an ideology that has winners and losers. It causes a perpetual fear of being on the losing side at some point.

Read my essay about the ideology of professionalisation to learn who and what it devalues. The devaluation works by elevating certain ideas, rewarding conformity, and shaping meaning.

The Spectre of Failure

Other cybersecurity professionalisation schemes have failed or fallen short – what will make this one different? For example, CREST ANZ is now considered illegitimate by some:

CREST UK and CREST ANZ are no longer affiliated because of a dispute over the CREST brand and a $10M dollar grant awarded to CREST ANZ under the Australia’s 2016 Cyber Security Strategy:

Any new professionalisation scheme carries the shadow of past failures, scandals, or poor leadership. People may not want it to fail, but the scheme cannot outrun failures from this or other industries, nor put to bed concerns that have arisen from these.

The Spectre of Accountability

Promises of oversight, ethics committees, and whistle-blower policies create the impression that someone can be held to account, yet accountability can never be guaranteed. Therefore, it lingers in doubt, kept alive by the hope that someone, somewhere, might be held responsible – if everything works out. And if accountability does come, to who’s standard?

Each time we inquire about accountability, we reveal its uncertainty. It is a promise that might not be kept. Yet it is also a promise that can have power over us. It controls us by comforting us, at least temporarily, until it fails – and then what?

Conclusion

The spectres cannot be avoided. They haunt everything tied to professionalisation. As a result, for many, professionalisation lives in a place of limbo – they are “unsure” (AISA 2022 Survey).

The deeper we look, the more professionalisation reveals itself as a paradox. It promises control, protection, progress, legitimacy, credibility, inclusion, sufficiency, and accountability, yet it can never fully deliver any of these – neither for itself or nor anyone associated with the industry.

Those who pursue professionalisation would do well to understand the spectres.

Whoever leads the effort to professionalise cybersecurity will be haunted by the spectres. We should empathise with the personal and relational costs they may face in this endeavour.

For the right leaders, the spectres could become an opportunity to listen deeply to the concerns that haunt professionalisation — not to dismiss or control them, that’s impossible, but to create the conditions where people feel safe enough to face those doubts together.

What is the cost of this devaluation, and who pays the price? To answer this, we will look to a case study of the UK’s cybersecurity professionalisation scheme, specifically the UK Cyber Security Council Competence & Commitment (UK CSC SPC). We’ll refer to UK CSC as “the Council,” as that’s how its creators describe themselves.

My end goal is to encourage reflection and questioning throughout the industry. By thinking critically about professionalisation, we can reflect on our ethical responsibilities toward those who are devalued or excluded – and decide whether change is necessary.

1) What is professionalisation’s ideal and how is it used for power grabbing?

The first objective of the Council is to “promote high standards of practice in the cyber security profession for the benefit of the public.” (p. 5)

This ideal of protecting the public sets up the entire justification for the Council’s existence. It is repeated in different ways throughout the document, such as on page 7 “Society necessarily places great faith in its cyber security specialists” – implying once more that the society needs cybersecurity professionalisation and, through deduction, the Council.

It’s worth noting that all cybersecurity professionalisation schemes legitimise their existence using a similar ideal. For example, in Australia, AISA talks about “protecting consumers” and Home Affairs about “protecting businesses”.

Whilst the wording might change, the mechanism is the same: an ideal is stated, made absolute, and it becomes the reason for forcing the entire sector into a professional licensing scheme.

But what else might lurk under this ideal aside from good intentions? Before we can answer this question, we must first expose the instruments of power used by professionalisation schemes.

2) How does an ideal impose itself onto an industry?

The Council uses the following mechanisms to operate the scheme:

• Registers of cybersecurity professionals

• Three titles that establish a hierarchy: associate, principal, and chartered

• Licensees that assess and recommend individuals that can be added onto the register

• A professional standard, a certification framework, and commitment statements

• A Code of Ethics

The Council can take “any action it deems necessary to protect the integrity of the Registers and to ensure that its post-nominal designations are used only by those Registrants entitled to do so” (p. 5).

It is now clear that the document enacts tools of power, but against what or whom?

3) What is valued and devalued under this ideal?

The premise is clear: unprofessionalised cyber professionals are inadequate for society. The Council therefore sets out to professionalise them. This process begins with an ideology of devaluation:

Is this ideology truly stable and absolute? Of course not. We will now examine an example in detail to show how professionalisation cannot exist without the elements it devalues.

4) Institutional Validation above Self-Taught Expertise

The Council has divided cybersecurity into what it calls “specialisms,” such as penetration testing and incident response. But where did the knowledge behind these specialisms come from? It came from individuals who thought of new ideas and taught themselves solutions to solve problems. Only decades later did the Council appear, and declared itself the legitimate authority over who knows this knowledge and what the right pathways are.

For example, the first documented case of antivirus removal was in 1987 by Bernd Fix, who holds a degree in astrophysics. Bernd was involved in computer virus research and even wrote viruses himself, something some might now see as controversial. However, his work played a key role in launching the field of cybersecurity. Reviewing his online CV, I noted that he does not list any cybersecurity certifications despite working in cybersecurity for 39 years.

I did a search for “Bernd” across the Council’s and CyBok’s websites but could not find any reference to his work – even though many of the specialisms were shaped by his contribution (i.e., digital forensics, cyber threat intelligence, incident response and intrusion detection).

Industry innovations come from people like Bernd – those who dare to step outside established ways of thinking. They challenge existing mindsets, ideas, ideals, and ideologies, teaching themselves new approaches to tackle problems that others can’t solve. Should we be devaluating people like that? What opportunities might be missed in doing so?

Proponents of professionalisation claim they do not devalue self-taught approaches – of course! Yet, by promoting an institution that defines who qualifies as a cyber professional, what knowledge matters, and which pathways are valid, they create a system that shapes meaning. This system elevates certain ideas and practices while pushing others aside, ultimately rewarding conformity and limiting what people can do, think, or imagine.

Such an institution forces people to consider whether it approves of their curiosity, creativity, ethics and ideas. What does that do to a person? What will that do the industry?

Unfortunately for the Council, no matter how much authority over knowledge and norms it claims, it remains dependent on the very self-taught people its ideology covertly devalues.

5) Professionalisation or “Profanessionalisation”? Which is more accurate?

No matter the Council’s discourse, it depends on the people and ideas it devalues:

• Leaders emerge from merit-based, non-traditional pathways that later become codified

• Pioneers start in open environments, later making standards for regulation possible

• Self-created norms are first recognized by peers as valuable before being normalised

• Competence is first achieved by unregistered experts, only later absorbed into a system

As a play on word, I propose we rename professionalisation to “profanessionalisation” – because it is the profane, the devalued, the excluded, the unregistered and the unlicensed, that enables professional licensing and sustains it via appropriation.

6) What can Australia learn from the UK Cybersecurity Council?

Now that we have shown that professionalisation’s ideology is neither stable nor absolute, that it devalues what it depends on and even excludes those who made it possible in the first place, what should we do?

We must resist the authoritarian pull of ideology itself. We must give voice to those who are devalued because their contributions are essential to professional licensing, society, businesses, consumers and the industry as a whole. We must commit to self-criticism, challenge our norms and question our ways of thinking to prevent absolutist ideals and ideologies from taking hold unchallenged.

Professionalisation seeks to cement a power structure, a hierarchy between professionals, an economic model that benefits some more than others, and even exclude entire categories of industry contributors. Its ultimate victory will be making people think that no alternatives ever existed – or that they were unrealistic, incomplete, maybe even naïve. But was that really the case?

Therefore, we must create ways to encourage behaviours that defy our preconceived ideas of right and wrong. This demands a politics of constant renegotiation with ourselves and with each other. In this way, professionalisation’s true strength becomes its incompleteness. Whereby acknowledging it as a system that always fails makes innovation, ethics and progress possible.

Who will do the honour of challenging the Home Affairs, AISA, and others into a renegotiation?

Original post: https://www.benjamin-mosse.com/professionalisation/2025/03/12/professionalisation-as-the-profane-made-sacred.html

The 2023-2030 Australian Cyber Security Strategy includes a recommendation to professionalize the industry, with an active $1.9M grant to design, test, and promote a national, self-sustaining cybersecurity professionalization scheme.

Following the publication of this grant, 40 senior cybersecurity leaders shared their points of view on LinkedIn. I used that data to perform a sentiment analysis which revealed that 7.5% of them are firmly in favour of the scheme, 2.5% mostly in favour, 15% are ‘in the middle’, 50% mostly against and 25% firmly against.

The key themes identified from their perspectives are as follows:

Theme #1: There is mixed support for a professionalization scheme

In addition to the Sentiment Analysis in this paper, a 2022 AISA survey found that 53.1% of members supported regulation and accreditation, 26.4% opposed it, and 20.5% were unsure, indicating divided opinions within the industry.

This means that the scheme is at risk of not being adopted by at least 1 in 2 cybersecurity professionals – possibly more than that.

Theme #2: Many are concerned that vested interests will hijack the scheme

There seems to be no consensus on the best entity to implement the scheme – ideas include non-profits, government agencies, or quangos. Leaders also raised ongoing concerns about risks of vested interests. This suggests that senior leaders view the risk of the scheme being hijacked by vendors or unscrupulous parties as very high, which could pose a significant threat to the entire industry and the success of this project.

Theme #3: The scheme oversimplifies a deeply complex profession

Cybersecurity is an exceptionally complex and dynamic field, with frameworks like NIST NICE identifying over 50 work roles and DoD Directive 8140 listing more than 70—and these numbers continue to grow. The field encompasses numerous distinct domains of expertise, and it is uncommon for individuals to master even a few, let alone all, of these areas, particularly given the rapid pace of change.

Simplifying job credentials into broad categories such as “associate,” “principal,” and “chartered,” tied to pre-selected certifications, degrees, and years of experience, oversimplifies this complexity. Such an approach fails to capture the diverse roles, specialized domains, and competencies required of cybersecurity professionals.

If the goal of the professionalization scheme is to clarify individual competencies, this kind of oversimplification may have the opposite effect: create more confusion and undermine its intended purpose of providing clarity.

Theme #4: There’s a misalignment between the scheme’s goals and proposed solutions

Expectations for the scheme are widely varied, ranging from:

1. improving classroom education

2. increasing the availability and quality of teachers

3. increasing gender diversity

4. establishing ethical standards

5. removing underperforming or delinquent actors from the marketplace

6. either creating or eliminating barriers to entry (depending on whom you ask)

7. and many other claims

These diverse objectives make the scheme’s goals overly ambitious.

This lack of clarity suggests that, for many, the scope of the professionalization scheme is uncertain, making its value equally unclear. A poorly defined scope risks either failing to achieve its goals or focusing on the wrong objectives, ultimately preventing the intended value from being realized.

Theme #5: The scheme’s return-on-investment (ROI) lacks evidence

There is no clear, first-hand evidence to show that a professionalization scheme for the cybersecurity sector can effectively address or alleviate the root causes of the problems it seeks to solve. This means the scheme might be set up to fail from day one.

Theme #6: Malicious actors will game the system without mastering the skills

Past cheating scandals, such as the CREST UK cheating incident, highlight risks of the malicious actors finding loopholes in the system to gain a marketplace advantage:

If the goal is to ensure that individuals accredited under the scheme are truly competent, but the scheme is easy to cheat, then it has fundamentally failed. Even worse, a cheating scandal could tarnish the reputation of the entire cybersecurity profession and undermine decades of effort spent building credibility across business, government and society.

Here’s a screenshot from LinkedIn of a bad actor taking industry tests for a fee:

Theme #7: The scheme ignores the broader context within which professionals operate

Cybersecurity professionals lack not only the legal backing but also the enforcement mechanisms at all levels to ensure secure practices are upheld.

Voluntary frameworks such as those proposed by associations (e.g., the ACS) rely on employer goodwill and carry no penalties for noncompliance. Consequently, organizations often ignore basic security measures – like enforcing multi-factor authentication – because it’s cheaper or more convenient, leaving ethical practitioners helpless or risking their careers by “blowing the whistle.”

Moreover, current legislation is rarely enforced, enabling companies to treat breaches as tolerable risks rather than obligations. Even the Australian government resists adopting its own cybersecurity standards.

In the absence of robust legislative enforcement and binding industry standards, efforts to ‘professionalize’ cybersecurity might not achieve its goal of improving the protection of both ethical practitioners and the public.

Conclusion

While this summary highlights what I believe to be the top 7 concerns raised by senior leaders, I have collected a total of 28 unique criticisms. This suggests to me that more consultation and research is needed.

You can read my full paper here, with approximately 4 pages of recommendations.

I submitted my paper to the Department of Home Affairs on January 27, 2025. Today, they issued a formal response, and I look forward to the opportunity to discuss my recommendations with them in greater detail.

Don’t believe me? Check out the start-up Culminate Security:

Traditional Cyber Education Is Obsolete

Most cybersecurity degrees and certifications are already outdated and fail to meet employers' needs. As AI begins to replace a significant number of junior roles, these courses will become entirely obsolete. Why invest time and money in learning skills that AI can and will perform more efficiently and cost-effectively?

Here’s a list of tasks currently done by juniors, which will soon be entirely done by AI:

• Automatically sorting and prioritizing security alerts to identify genuine threats

• Conducting automated scans to identify potential vulnerabilities in systems and networks

• Identifying and blocking phishing emails and malicious links

• Automating the provisioning and de-provisioning of user access to systems and data

• Conducting automated audits to ensure security policies and controls are in place and effective

If you're considering pursuing cybersecurity classes or certifications, ask yourself if the skills you’ll acquire will remain relevant in a world where AI automates tasks traditionally performed by junior professionals.

The Opportunity You Need to Capture

Personally, I believe it's fantastic that AI will soon handle all the repetitive, mundane tasks. I look forward to a time when we no longer have to spend our efforts on these activities. Instead, we should focus on honing our critical thinking, problem-solving, and interpersonal skills. Moreover, I don't think it's important to have certifications that test the memorization of concepts and terminology—AI will manage those aspects for us.

If you want to advance your cybersecurity career in 2024 and beyond, here are key areas to focus on:

1. Project Management: Can you successfully deliver a project on time and within budget?

2. Problem Solving: Can you collaborate with other people to tackle critical issues effectively?

3. Critical Thinking: Can you analyze and evaluate situations to maximize the business value of a project?

4. Communication: Can you clearly articulate your ideas and findings to both technical and non-technical stakeholders?

5. Interpersonal Skills: Can you build and maintain positive, productive relationships with colleagues and clients?

By honing these skills, you'll be well-equipped to thrive in world with AI.

How Is MCSI Adapting to New AI Capabilities?

At MCSI, we are passionate about AI. We use GPT and other advanced tools daily and encourage our users to master these technologies as well. We believe that universities and other institutions that fail to fully embrace AI will be left behind.

We recognize the significant impact AI has had on our users. Tasks that were once challenging became manageable with the introduction of GPT, enabling users to complete exercises they previously struggled with.

A key strength of our platform is our ability to quickly and efficiently update our exercises. We are currently undertaking a comprehensive catalog update to reinvent our exercises, focusing on critical thinking, problem-solving, and creativity. Additionally, we require students to write reports, briefings, and presentations, as we believe these skills are essential for modern cybersecurity professionals.

Here’s a snippet of one of our threat intelligence exercise:

Notice how we have our students work with recent industry threat reports. They analyze these reports and apply critical thinking to develop testing hypotheses for designing a Red Team engagement. Finally, they must write a detailed report explaining each hypothesis and providing supporting documentation. This type of high-value work is essential for human analysts to master in 2024.

Here’s a testimonial we received this week:

If you haven’t already, browse our list of courses and pick one that interests you.

While I'm not a psychologist, my 20 years of experience in cybersecurity have given me a deep understanding of its highs and lows. In this week's newsletter, I will highlight some of the industry's key issues and offer practical solutions to help foster a healthier work environment.

Perverse Incentives

Cybersecurity is an intensely competitive field, often driven by superficial metrics like the number of certifications, CVEs, conference talks, or unique knowledge. However, these benchmarks fail to reflect the true value of your life or your progress toward meaningful personal goals.

If you take some time to reflect on what truly matters to you, you'll likely find that your most cherished goals have little to do with the industry's ranking metrics. My advice is to live by your own standards. Although it may be challenging at first, it requires a deep conviction in your values and the courage to prioritize your own growth and wellbeing.

Pointless Work

The unfortunate reality is that many cybersecurity professionals spend their days on seemingly pointless tasks. They are often expected to monitor screens and triage trivial alerts, attend unproductive meetings, navigate office politics, or conduct repetitive security assessments of the same applications year after year. Even when they do accomplish something tangible, they rarely witness the positive human impact of their efforts. Few leave work feeling fulfilled. This lack of visible progress towards meaningful goals is psychologically draining, as human flourishing relies on perceivable advancement toward personal values.

Ryan Ettridge conducted a survey and found that only 13% of cybersecurity professionals feel they are on track to reach their career potential.

Limited Career Opportunities

There’s a high demand for cybersecurity professionals, but much of the work involves repetitive tasks. This is beneficial early in your career, as a few years of experience can make you employable by numerous organizations with similar needs. However, if your aspirations are bigger, opportunities are limited.

Most countries lack ecosystems that effectively support start-ups, and many organizations are slow to adopt new ideas. This environment stifles true innovators and inventors, making it difficult for them to succeed. Additionally, it deters potential entrepreneurs who recognize that few clients see fostering new products and companies as their responsibility to advance the industry.

Consequently, even if you reach the pinnacle of the industry in your region, you may find very few opportunities to engage in something new and innovative.

So What Should You Do?

“Learn to value yourself, which means: fight for your happiness.” - Ayn Rand

My first piece of advice is to fight for your freedom. This means developing skills and building business relationships that allow you to be self-reliant. When you achieve this level of independence, you are no longer bound by metrics imposed by others or compelled to work for organizations that don't align with your values. The cybersecurity market offers the potential for such freedom. You can choose the people you work with and the problems you tackle based on what you truly value.

Focusing solely on certifications without developing real skills is self-sabotaging. While certifications may seem to increase employability, they don't provide the freedom that genuine skills, abilities, and connections offer. True freedom comes from mastery and self-sufficiency, not from external validation.

Secondly, it's crucial to live by a philosophy that prioritizes your own life and flourishing, as this is essential for achieving true happiness. Many workplaces will pressure you to sacrifice your values for their needs. They might require you to perform tasks that don't align with your aspirations or conform culturally at the expense of your individuality. These compromises may seem necessary in the short term, but life is a long-term journey, and consistently sacrificing your values will not help you achieve your goals.

My advice is to live by a philosophy of self-esteem. Clearly define what you want from your work life. Don't compromise on your core values. In the short term, you may need to trade your time and skills for get your foot in the door or pay the rent, but don't settle for a path that doesn't align with your true aspirations. Focus on maintaining your integrity and working towards a career that genuinely fulfills you.

How Can MCSI Help You?

At first glance, MCSI might appear to be just another cyber training institute. However, our mission is much more nuanced. We aim to empower individuals like you by teaching practical, in-demand skills, helping you achieve the freedom necessary for personal and professional flourishing.

If you haven't already, give our free version a try. Additionally, consider purchasing one of our courses with our May 2024 discount code: MCSI-MAY-2024-PQV

We’ve helped thousands of individuals achieve their career goals in cybersecurity, and we’d love to help you too.

Creativity Always Wins

“Defenders hate criticism. Attackers live by it. It motivates them to outdo their previous achievements” - Benjamin Mossé

Creativity is a powerful force that fuels innovation and problem-solving. In the realm of cybersecurity, creativity allows for the development of unique and unexpected methods to challenge existing systems. It enables individuals to think outside traditional frameworks and invent solutions that have never been considered before. This capacity for original thinking is crucial when facing complex and dynamic challenges, as it allows for adaptive and flexible responses rather than fixed, predictable ones.

This inherent power of creativity is precisely why cyber attackers often have the upper hand. They leverage their ability to devise novel tactics and exploit unforeseen vulnerabilities, making it difficult for defenders, who are bound by standard protocols and reactive strategies, to keep up. As attackers continue to employ imaginative and inventive methods, they outmaneuver static defense systems, demonstrating time and again that in the cyber world, creativity not only leads—it wins.

The Pitfalls of Rigid Standards in Cybersecurity

“ISO 27000 told me to do it” - Unnamed CIO

By rigidly adhering to established standards such as ISO 27000, PCI DSS, and the Essential Eight, defenders often confine themselves to predefined frameworks and checklists. These standards dictate their actions and justify their security measures at the expense of engaging in a more dynamic, creative problem-solving process. This reliance on fixed guidelines can inhibit their ability to adapt and respond to the unconventional strategies employed by attackers, who are not constrained by such norms and continuously creatively explore new avenues for breach.

Empowering Defenders with Creative Freedom in Training

At MCSI, we are pioneering training courses that instill a critical principle: every defender must have as much creative freedom as the attackers they face. This begins with their training. By embedding creativity at the heart of our cybersecurity education, we empower defenders to think and maneuver with the same ingenuity and adaptability as their adversaries. Our goal is to transform the landscape of cyber defense from rigid adherence to standards to a dynamic, innovative battleground where defenders are equipped to outsmart the adversaries.

If this sounds like something that interests you, then browse our list of courses here.

Every candidate claims they're the perfect fit for the job, yet some walk into the interview knowing less about the company than a cat knows about astrophysics. It's like saying you're ready to pilot a spaceship because you once flew a kite. Knowing your skills is half the battle; demonstrating how they align with what the company actually does is how you launch into orbit.

Welcome to our guide on mastering career development through job task analysis. We'll show you how to extract and analyze key knowledge, skills, abilities and tasks (KSATs) from job postings, identify your gaps, and create a training plan to address them.

Whether you're aiming to advance in your current field or switch to a new one, this guide will provide the practical tools and insights needed to improve your employability and achieve your career goals.

Step 1 - Extract KSATs from Job Postings

Understanding the requirements of your desired job role is the first step in career development. Job postings are a goldmine of information, detailing the KSATs that employers seek in candidates. To start, focus on thoroughly reading job descriptions relevant to your career aspirations. Here's how to effectively extract KSATs:

1. Identify Core Requirements: Look for sections in the job postings that list specific qualifications, skills, and experiences. These are typically highlighted under headings like "Requirements," "Qualifications," or "Responsibilities."

2. Highlight Keywords and Phrases: Use highlighters or a digital tool to mark important keywords and phrases that recur across multiple postings. These often represent the core KSATs needed for the role.

3. Organize and Categorize: Create a spreadsheet or a database where you can categorize the extracted information into Knowledge, Skills, Abilities and Tasks. This organization will aid in analyzing how these elements interrelate and prioritize them based on the needs of the industry or specific job.

Step 2 - Analyze the Data in a Spreadsheet

Once you have collected KSATs from job postings, the next step is to analyze this data to understand the job market demands and how you fit into them. A spreadsheet is an excellent tool for this analysis, allowing you to sort, filter, and organize data effectively. Here’s how to proceed:

1. Input Data Methodically: Enter the extracted KSATs into a spreadsheet. Ensure each entry is consistent.

2. Prioritize and Rank: Assess the frequency and importance of each KSAT across different job postings. Rank them based on how often they appear and their relevance to the roles you are targeting. This will help you identify the most in-demand KSATs in your chosen field.

3. Gap Analysis: Create a column next to your KSATs for self-assessment. Mark your current proficiency or experience level against each KSAT. This will visually highlight where you meet the requirements and where there are gaps needing attention.

4. Identify Trends and Patterns: Look for trends in the data that indicate specific industry directions or focus areas. For instance, if certain skills are increasingly in demand, it may signal a shift in industry standards or emerging technologies.

Step 3 - Identify Gaps in Personal KSATs

With a detailed analysis of job market KSATs in hand, the next step is to assess how your current skills and experiences align with these requirements. This gap analysis will help you pinpoint the areas you need to focus on to enhance your employability. Here’s how to conduct this assessment effectively:

1. Self-Evaluation: Compare your current set of skills, abilities, knowledge, and experiences with the KSATs listed in your spreadsheet. Be honest and objective about your level of proficiency and experience in each area.

2. Highlight the Gaps: Identify where your KSATs fall short of the job market demands. These gaps are your key areas for development. Highlighting these will provide a clear focus for your training and development efforts.

3. Consider the Context: Contextualize each gap in terms of your career goals and the industry you are targeting. A gap in a highly demanded skill within your desired industry should take priority over less critical areas.

4. Set Improvement Goals: For each identified gap, set specific, measurable, achievable, relevant, and time-bound (SMART) goals. This will make your development plan actionable and allow you to track progress over time.

Step 4 - Build a Training Plan

“If you fail to plan, you are planning to fail!” - Benjamin Franklin

After identifying the gaps in your KSATs, the next step is to develop a training plan tailored to your needs. This plan will guide your efforts to acquire the necessary skills and knowledge to advance your career. Here’s how to create an effective training plan:

1. Set Clear Objectives: Define what you aim to achieve through your training. Each objective should address a specific gap in your KSATs, contributing to your overall career goals.

2. Research Training Options: Explore various training and educational resources that align with your objectives. These could include online courses, workshops, seminars, certification programs, or self-study materials. Prioritize those that are most relevant and offer practical, applicable knowledge or skills.

3. Create a Timeline: Establish a realistic timeline for achieving your training objectives. Consider your current commitments and set achievable deadlines for completing each training module or course. This will help you maintain progress and stay motivated.

4. Allocate Resources: Determine the resources you need to execute your training plan, including time, money, and materials. Plan how you will allocate these resources effectively to avoid overcommitting or underfunding your development efforts.

Step 5 - Prepare a Portfolio with MCSI Exercises

“The portfolio is the critical step that almost everyone overlooks, leading to the common mistake of sending template CVs that fail to resonate with specific job postings. A tailored portfolio, in contrast, vividly demonstrates your skills and experiences in relation to the job's requirements, setting you apart in the competitive job market.” Benjamin Mossé

Building a portfolio through Mossé Cyber Security Institute (MCSI) exercises is a strategic approach to showcasing your cybersecurity competencies. MCSI's training emphasizes hands-on, real-world tasks, challenging you to apply critical thinking and troubleshooting skills without predefined solutions. Here’s how you can leverage MCSI's offerings to build a compelling portfolio:

1. Complete Practical Exercises: Engage in MCSI’s practical exercises that mirror real-world scenarios - select the most relevant exercises.

2. Demonstrate Competencies: Successfully completing MCSI exercises allows you to accumulate certificates and build a portfolio of demonstrated skills by producing videos, reports, briefings, source code etc. This portfolio serves as tangible evidence of your capabilities and readiness to tackle the jobs you want to apply for.

Step 6 - Show Up Prepared

In the final step, arrive at interviews ready to demonstrate that you can meet the job's demands. Bring a well-crafted portfolio that showcases your direct experience with the work KSATs outlined in the job description. This portfolio is your evidence, making abstract skills concrete and demonstrating your proactive approach to learning and problem-solving.

Moreover, prepare to discuss any gaps in your experience with a clear training plan that shows your initiative to develop those areas. This step is crucial; many overlook the power of a personalized portfolio and a strategic training plan, relying instead on generic CVs that fail to capture their unique fit for the role. Being prepared in this way will set you apart and make a strong case for your candidacy.

If you haven’t started learning with MCSI yet, pick up a course and get going.

The Many Faces of a CISO

“Incompatibility between CISOs and their companies can lead to stress, frustration, burnout and rapid turnover. Identify your CISO style to target the ideal role and environment for you.” - Alissa Irei, TechRadar (source)

Did you know there could be as many as 6 different types of CISOs? From technical experts to strategic visionaries, the range is vast. Identifying which type aligns with your skills and aspirations is paramount. Make sure to understand the specific demands of each type to avoid landing in a role that doesn't suit you.

1. Transformational CISO

2. Post-breach CISO

3. Tactical and operational expert CISO

4. Compliance and risk guru CISO

5. Steady-state CISO

6. Customer-facing evangelist CISO

The Vast Scope of Responsibilities

The CISO bears a vast range of responsibilities, from developing and executing a comprehensive cybersecurity strategy to ensuring regulatory compliance and leading incident response. This role also involves securing organizational assets, managing a dedicated security team, and integrating cybersecurity into all business operations. With a duty to bridge technical and business realms, the CISO's role is critical and wide-ranging, affecting every aspect of an organization's security posture.

The Budget War

“They reallocated my budget to buy iPads” - A friend that once was a CISO

Many CISOs find themselves in a constant struggle for resources. Despite the title, they often don't have the authority to secure the budgets necessary for implementing critical security controls or expanding their teams. This limitation can significantly impact the effectiveness of the organization's security posture.

The Scapegoat Scenario

Being a CISO can sometimes feel thankless. Without major security incidents, their work goes unnoticed, but when a breach occurs, they are often the first to be blamed. This aspect of the role can be particularly challenging, as it requires maintaining robust security measures while being prepared to take responsibility for any lapses.

Navigating the Political Landscape

“Bureaucracy is a construction by which a person is conveniently separated from the consequences of his or her actions.” Nassim Taleb

A CISO’s role is deeply entwined with organizational politics. Reporting structures can vary, with some CISOs answering to the CIO and others directly to the board. Their success depends heavily on their ability to influence other departments and navigate conflicting agendas, making it a highly political role.

Here are three questions you can ask yourself to assess whether you’re ready to be a CISO:

1. Am I capable of navigating corporate politics to advance security priorities?

2. Can I manage relationships with stakeholders who have competing interests?

3. How prepared am I to tackle the ethical and political challenges of being a CISO?

Ethical Dilemmas

“How do some organizations meet their cyber obligations and expectations whilst avoiding the high cost of cyber security? They use two business instruments that we call Dark Compliance and Dark Risk Management.” Benjamin Mossé, Legal Weapons of Mass Destruction

Alarmingly, some CISOs are pressured into unethical practices, such as downplaying security incidents or vulnerabilities to save costs or effort. This situation places CISOs in a precarious position, balancing between corporate expectations and ethical standards in cybersecurity management.

Benjamin’s Advice

Achieving the pinnacle title in cybersecurity is an admirable goal, yet many overlook the immense responsibilities and challenging work environment that come with it. It's essential to stay true to your passion for technology, valuing personal fulfilment over social status. For those aspiring to be CISOs, beginning with "CISO as a Service" can provide practical experience, focusing on real security enhancements. Choose an organization and team that resonate with you.

More Responsibility = More Money

Accountability leads to higher income because it establishes you as a reliable and essential professional. When you consistently demonstrate accountability, you're showing that you can be trusted to meet commitments and deliver results. This reliability makes you invaluable to your team or organization, leading to better job security, opportunities for advancement, and higher salary offers. In essence, being accountable makes you stand out as a professional who adds significant value, and this is often rewarded with greater financial compensation.

More Skills = More Money

Enhancing your skills in cybersecurity means you bring more value to your role, leading directly to higher income. As you develop a broader range of skills, you become more versatile and capable of handling diverse responsibilities, making you an indispensable part of the team. This increased capability and versatility mean you can take on more significant projects and roles, which naturally come with better pay. Essentially, the more skilled you are, the more you can contribute to your organization's success, and this contribution is often rewarded with increased financial compensation.

More Leverage = More Money

“We live in an age of infinite leverage, and the economic rewards for genuine intellectual curiosity have never been higher.” - Naval Ravikant

Gaining more leverage in cybersecurity equates to having greater influence and control over your career and income. Leverage can come from various sources, such as your reputation, expertise, network, or the critical role you play in your organization. When you have leverage, you have the power to negotiate better terms for your job, whether it’s a higher salary, better benefits, or more favorable working conditions. Essentially, the more leverage you have, the more you can dictate your financial terms, leading to increased earnings. This is because you're in a position to offer something valuable that your employer or clients want to retain, giving you an advantage in financial negotiations.

Here are some examples of leverage:

• “I have a good reputation”

• “I have a network of high-value employers”

• “I’m capable of building products”

• “I own a database of people with cyber skills”

• “I have an online product that makes money whilst I sleep”

• “I have money invested that makes money whilst I sleep”

• “I own a podcast that brings me opportunities”

• “I have a rolodex of customers that I can call and do deals with”

The MCSI Vision

MCSI is committed to becoming a platform that not only teaches the technical aspects of cybersecurity but also focuses on developing accountability, enhancing skills, and building leverage for its learners. By emphasizing these three critical areas, MCSI aims to empower individuals to advance their careers and achieve greater financial success in the cybersecurity field. Through comprehensive training and practical experience, MCSI provides the tools and knowledge necessary to navigate the complexities of cybersecurity, ensuring that learners are not just prepared to meet the demands of the industry but also to excel in it and reap the financial rewards that come with increased accountability, improved skills, and greater leverage.

Try out one of our courses if you haven’t already!

The shift towards task-based competencies over theoretical knowledge has reshaped the cybersecurity landscape. Initiatives like the DCWF and NIST NICE underscore this transition, emphasizing the importance of practical skills. MCSI's platform aligns with this trend, offering exercises designed to build real-world capabilities, urging users to prioritize skills development through hands-on experience.

Critical Thinking: A Core Competency

Critical thinking stands out as a fundamental requirement in cybersecurity. Enterprises and government organizations demand professionals capable of solving complex issues independently and connecting solutions to strategic objectives.

MCSI’s training modules are crafted to foster deep analytical skills and independent problem-solving, providing exercises that challenge and enhance critical thinking in cyber-related contexts.

The Imperative of Professional Writing

Despite AI's rise, professional writing retains its significance. Cyber professionals must master the art of creating various documents, integrating analytical thought with clear communication.

MCSI’s platform offers scenarios that improve writing proficiency, emphasizing the creation of professional documentation that reflects deep technical understanding and critical analysis.

Deep Technical Expertise Required

Technical experience continues to be a cornerstone of cybersecurity effectiveness. Organizations seek individuals who can tackle challenging issues across various domains, including operating systems, networking, cloud computing, and malware analysis. Even roles traditionally viewed as less technical, such as leadership and governance, risk, and compliance (GRC), now often require a solid understanding of technical operations.

MCSI: A Visionary Approach

Anticipating the industry’s evolution, MCSI crafted a training platform six years ago focused on critical thinking, practical tasks, and independent learning. This foresight has established MCSI as a pioneer in cybersecurity training, offering a comprehensive suite of exercises that simulate real-world scenarios. Our platform encourages extensive practice, adhering to industry standards and specifications, to prepare users for the demands of the modern cybersecurity landscape.

In summary, the state of cyber skills in 2024 demands a practical, skill-based approach, with a strong emphasis on critical thinking, professional writing, and deep technical experience. MCSI’s training platform remains at the forefront of this evolution, providing the tools and experiences necessary to thrive in the ever-changing cybersecurity domain.