Why does learning cybersecurity feel so hard?

Over the past six months, we’ve trained hundreds of experienced IT professionals. Confident, technical, capable - yet almost all of them struggled with cybersecurity. And I kept wondering: why?

To get answers, I sat down with one of our lead instructors. For an hour, she unpacked the same frustrations and roadblocks she sees every week - the moments where seasoned IT veterans suddenly feel lost.

As we talked, something clicked. We realised there’s a simple mental model that explains why cybersecurity feels like a completely different universe, even for highly skilled IT professionals:

Most IT professionals walk in expecting cybersecurity to look like the rest of their toolkit: clean GUIs, neat dashboards, predictable workflows. They expect the work to be linear, human-centred, mechanistic, and orderly.

But cybersecurity refuses to fit that frame.

The structure of cybersecurity looks like this:

• Volatile: Techniques, tactics, tools, and entire technology stacks evolve constantly. What works today may not work tomorrow.

• Complex: Cybersecurity sits at the intersection of systems, networks, software, human behaviour, the law, economic incentives, and adversarial intent. Everything is connected, and small details matter.

• Uncertain: Most cyber problems are investigations. You don’t know the answer upfront; you uncover it by researching, testing ideas, and proving your solution all the way up to 100% correctness.

And the biggest surprise for these IT veterans? Technical cybersecurity work is low-level. No dashboard. No wizard. Just raw analysis using hex editors, disassemblers, packet captures, log dumps and file headers.

It’s better to think of it as reverse engineering rather than the “drag-and-drop” or “click-and-connect” IT they’re use to.

This mismatch between expectation and reality is where the struggle begins.

How Instructors Learned Cybersecurity

After mapping the IT veteran’s mindset, I asked our instructors to write down their own mental model for how they learned the field:

They had faced the exact same challenges as the IT veterans when they started learning cybersecurity. But instead of getting frustrated, they adapted. They understood the actual structure of the field, so their mindset aligned with its reality.

They approached every problem with curiosity and a desire to investigate. They enjoyed uncovering how things worked. And over time, that mindset sharpened their problem-solving skills. They became more capable, more confident, and more eager to tackle deeper, harder, low-level challenges.

The difference wasn’t talent.
It was mindset.

The Secret

So what’s the secret to learning cybersecurity?

Align your mindset with the structure of how cybersecurity really works.

Lean into curiosity. Treat every problem as something to explore, not something that should already be solved for you.

Once you adopt that mental model, the path becomes clear: work through a series of problems that gradually increase in difficulty and variety. With each one, your skills grow, your confidence builds, and the journey stops feeling daunting and starts feeling exhilarating.