9 Hard Truths About Cybersecurity I Wish Someone Had Told Me
It's been quite a journey since I first stepped into cybersecurity through university clubs seven years ago. Looking back, I realize how fortunate I've been to grow in a city with a vibrant security community. While everyone's path is different, I wanted to share some insights that might help those starting their journey or considering a career in cybersecurity.
1 - Getting Organized: Your First Line of Defence
The cybersecurity landscape can feel like drinking from a fire hose. New vulnerabilities, tools, and techniques emerge daily, and it's easy to feel overwhelmed. Here's what I've learned about staying afloat:
The key isn't trying to learn everything—it's being strategic about what you learn. Start by identifying specific areas that interest you and align with your goals. Are you fascinated by malware analysis? Or perhaps drawn to application security? Having a focus helps filter through the noise.
One practice that's served me well is maintaining a technical journal. Whether it's documenting a particularly tricky problem you solved or writing blog posts about your progress, this documentation serves multiple purposes. Not only does it help solidify your learning, but it also creates a portfolio of your work. And yes, while writing reports might seem tedious, it's an essential skill in our field. After all, a security finding is only as valuable as your ability to communicate it effectively.
2 - The Foundation Matters More Than Ever
During his Black Hat 2024 keynote, Signal Co-Founder Moxie Marlinspike emphasized something crucial: as technology becomes more advanced, understanding the fundamentals becomes more critical, not less. This really resonated with me. (His thoughts are well captured in his blog post "A Good Engineer".)
Think about it: despite all our technological progress, memory allocation vulnerabilities still account for a significant percentage of CVEs. Why? Because these fundamental weaknesses persist even as we build more complex systems on top of them.
Beyond traditional security knowledge, today's landscape requires a broader understanding. AI, ML, and data science aren't just buzzwords—they're becoming integral tools in our arsenal. But here's the catch: you don't need to be an expert in everything. What matters is understanding how these pieces fit together in the bigger picture.
3 - The Research Mindset
One of the most valuable lessons I've learned is that cybersecurity is fundamentally about research. Whether you're threat hunting or analyzing new malware, the process is similar to scientific research: form hypotheses, control variables, take actions, and analyze results. When a new vulnerability drops, the question shouldn't just be "Can this be exploited?" but "How likely is this to impact real organizations?" This research mindset helps cut through marketing hype and evaluate what really matters.
4 - Building Real-World Skills
While Capture The Flag (CTF) competitions are exciting and educational, they shouldn't be your only focus. Setting up a home lab, automating security tasks, or contributing to open-source projects often provides more practical experience than solving CTF challenges. These hands-on projects help you understand how security works in real environments, where things move at a different pace than in research or competition settings.
5 - Community: Your Secret Weapon
The saying "it's not what you know, it's who you know" holds particularly true in cybersecurity. Some of my best opportunities came through connections made at conferences, CTFs, and local meetups. Building these connections isn't just about career advancement—it's about finding your tribe.
Start by finding a CTF team. These teammates become your first study group, each bringing different skills and perspectives to the table. When someone cracks a particularly tough challenge, they'll teach others how they did it. When you discover a new tool or technique, you share it with the team. This collaborative learning environment is invaluable—you'll learn faster together than you ever could alone.
Equally important is finding mentors. The cybersecurity community is generally welcoming to newcomers who show genuine interest and initiative. Don't be afraid to reach out to experienced professionals after meetups or conferences. Many are happy to share their journey, suggest learning resources, or even provide guidance on specific technical challenges. I still regularly consult with mentors I met years ago, who helped me navigate not just technical problems but also career decisions and industry dynamics.
6 - The Reality of Cybersecurity
One of the most interesting revelations from the Conti leaks was how organized cybercrime groups operate like regular businesses, complete with HR policies and vacation days. It's almost amusing to discover that even cybercriminals have to deal with office politics, request time off, and probably complain about their bosses. Who knew ransomware groups had HR departments?
But beyond these organizational similarities, cybersecurity is fundamentally a field that demands creativity. Whether you're on the defensive or offensive side, you're constantly faced with puzzles that require thinking outside the box. Attackers devise ingenious ways to live off the land using legitimate tools, create novel data exfiltration methods, and develop clever concealment techniques. Defenders, in turn, must be equally creative in detection, response, and prevention strategies. It's this constant battle of wits that makes the field so intellectually stimulating.
7 - A Melting Pot of Disciplines
One thing that became clear to me over the years is that cybersecurity isn't really a standalone field – it's a fascinating intersection of multiple disciplines. It brings together computer science fundamentals, military strategy principles (like defense in depth), sociology (think social engineering and human behavior), psychology (in user experience and awareness training), policy making, and criminal justice. This convergence is what makes it both challenging and exciting. One day you might be deep in assembly code, and the next you're analyzing the human impact of a security policy or studying criminal patterns to predict future attack vectors.
8 - The Privacy Dimension
Privacy wasn't initially what drew me to cybersecurity, but it's become a fascinating and crucial aspect of our field. As our digital lives become more intertwined, questions of identity, trust, and privacy become central to security. Innovation in this space is particularly exciting, as we try to balance security requirements with usability and regulatory compliance.
9 - The Ever-Expanding Horizon
When I started, I viewed cybersecurity primarily through the lens of protecting corporate assets. Seven years later, I see its broader impact: defending critical infrastructure, combating disinformation, protecting individual privacy, and enabling innovation.
Mikko Hyppönen's Law states that "If it's smart, it's vulnerable." As our world becomes increasingly connected, the importance of cybersecurity grows exponentially. I've witnessed this growth firsthand: more specialized degree programs, increased government initiatives, better funding, and greater public awareness of security issues.
The field has evolved from being purely technical to encompassing roles like policy analysts, privacy specialists, and digital identity experts. This evolution makes cybersecurity more accessible and impactful than ever before.
For those just starting: you're entering the field at an exciting time. The challenges are significant, but so are the opportunities to make a difference. Stay curious, build strong foundations, and remember that everyone's journey is unique. The most important thing is to find your path and keep learning along the way.