{"id":14563,"date":"2025-08-05T07:07:40","date_gmt":"2025-08-05T07:07:40","guid":{"rendered":"https:\/\/newestek.com\/?p=14563"},"modified":"2025-08-05T07:07:40","modified_gmt":"2025-08-05T07:07:40","slug":"5-hard-truths-of-a-career-in-cybersecurity-and-how-to-navigate-them","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14563","title":{"rendered":"5 hard truths of a career in cybersecurity \u2014 and how to navigate them"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Cybersecurity is an exceptionally promising career path. Demand for cyber talent is high, as is compensation, with average base salaries for leading functional roles topping $150,000, according to a 2025 benchmark report <a href=\"https:\/\/www.iansresearch.com\/resources\/press-releases\/detail\/ians-research-and-artico-search-unveil-the-2025-cybersecurity-staff-compensation-benchmark-report\">from IANS and Artico Search<\/a>.<\/p>\n<p>But working in cybersecurity comes with challenges that are often glossed over in job postings, media coverage, and even at industry events. And those challenges can wear down a cyber pro over time. To wit, IANS and Artico Search found that while functional staff by and large report positive job engagement, those further along in their careers are less positive about their situations, with middle management and department heads just as likely to be detractors as to be promoters when it comes to their current career situation.<\/p>\n<p>To gain a better understanding of the sources of cyber pros\u2019 dissatisfaction with their careers, we spoke with professionals across the field. 
Their perspectives shed light on the often-overlooked realities of life in cybersecurity, as well as the strategies they\u2019ve found effective in addressing these issues.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Security for all \u2014 but not all are welcome<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/mikemorrato\">Mike Morrato<\/a>, CISO of Forward Networks, says the first hurdle in cybersecurity is simply breaking into the field, due largely to persistent gatekeeping. He cites his own experience as an example.<\/p>\n<p>\u201cOnce upon a time, I had the belief that you had to know basic networking skills. Without that knowledge, you could not be an effective security practitioner,\u201d he says.<\/p>\n<p>Morrato now recognizes that cybersecurity spans a wide range of domains, but he believes many in the industry still hold that narrow view. \u201cThere is a lot of that level of thinking within the cybersecurity industry: People still treat cybersecurity as firewalls and IPSs and VPNs. And that\u2019s just fundamentally false,\u201d he says.<\/p>\n<p>As a result, leadership and HR teams often gatekeep by focusing exclusively on candidates with certain educational degrees or specific credentials, typically from vendors such as Cisco, Juniper, or Palo Alto. Although Morrato finds this somewhat understandable given the high cost of hiring in cybersecurity, he believes this approach unfairly filters out capable individuals who, in a different era, would have had more opportunities.<\/p>\n<p>He recalls his own path: a college dropout who started in a role where he could learn on the job, eventually earning his Certified Network Administrator (CNA) certification.<\/p>\n<p>To counteract this bias in hiring, Morrato takes a hands-on role in recruitment. He writes all job descriptions himself and reviews batches of applications directly with HR. \u201cWe\u2019ll go through those first 15, 20, 30, whatever that number is, resumes. 
And I\u2019ll work with the recruiters or HR and say, \u2018This is the person I\u2019m looking for. This is not the person I\u2019m looking for,\u2019\u201d he says.<\/p>\n<p>He also pays close attention to candidates who may be overlooked due to nontraditional profiles, such as <a href=\"https:\/\/www.csoonline.com\/article\/3616024\/talent-overlooked-embracing-neurodiversity-in-cybersecurity.html\">those who are neurodivergent<\/a>. \u201cWe have a lot of neurodivergence, especially in development, but also in cybersecurity as well. If I\u2019m ignoring those people, I\u2019m passing up a lot of talent,\u201d he says.<\/p>\n<p>For Morrato, degrees and certifications serve only as a tiebreaker between otherwise equally qualified candidates. And while he acknowledges CISOs at large enterprises may not be able to engage as deeply in hiring, senior directors still can, he insists. His own approach has led to some of the best hires of his career \u2014 candidates who would likely have been screened out by conventional recruiting filters.<\/p>\n<p>Morrato also encourages cybersecurity leaders to consider applicants with \u201cadjacent skills.\u201d<\/p>\n<p>\u201cIf I\u2019ve got a networking person wanting to change roles from a networking IT role to a cybersecurity role, that\u2019s a really good fit. They may not know all my technology, but they know the technology that drives my technology,\u201d he explains.<\/p>\n<p>As for job seekers, Morrato advises not relying solely on resumes to stand out. Tailored cover letters can make a real difference, and in-person networking remains powerful.<\/p>\n<p>\u201cMaybe it\u2019s boring as sin to go to those things, but you\u2019ve got people there. You can get to know people there. 
Eventually, those people can help open doors for you as well,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Cybersecurity teams protect systems but neglect people<\/h2>\n<p>After all the effort it takes to break into cybersecurity, professionals often end up on teams that don\u2019t feel welcoming or supportive.<\/p>\n<p><a href=\"https:\/\/www.forrester.com\/analyst-bio\/jinan-budge\/BIO2636\">Jinan Budge<\/a>, a research director at Forrester who focuses on enabling CISOs and other technical leaders, believes the way most cybersecurity career paths are structured plays a role in this. Because most team managers elevate from technical roles, they often lack the leadership and interpersonal skills needed to foster healthy team cultures or manage stakeholder relationships effectively.<\/p>\n<p>This cultural disconnect has a tangible impact on individuals. \u201cPeople who work in security functions don\u2019t always feel safe \u2014 psychologically safe \u2014 doing so,\u201d Budge explains.<\/p>\n<p>Forrester recently published research showing a strong link between low psychological safety and organizational issues such as absenteeism, siloed communication, and, more alarmingly, an increased likelihood of security breaches.<\/p>\n<p>\u201cIn some instances, the less psychologically safe the team is, they are three or four times more likely to be exposed to a breach,\u201d says Budge, who encourages cyber pros who find themselves in such environments to engage in honest self-reflection. \u201cIt\u2019s important to examine: Is this really toxicity? Is this something I am able to influence? Am I able to change? Is this a me problem or is it rather an issue with the organization itself, with my boss?\u201d she says.<\/p>\n<p>In addressing such questions, Budge recommends enlisting resources such as employee assistance programs, executive coaches, or even psychologists for support. 
And if the core problem lies with the organization, she advises strongly considering an exit.<\/p>\n<p>Still, many professionals hesitate to leave toxic workplaces, worried that short tenures will hurt their future job prospects. Budge sees this as a common concern, noting that many people stay in unhealthy environments simply to meet an arbitrary 12- to 18-month minimum. Cyber pros who find themselves in this situation should take note that, in the context of hiring, Budge believes this kind of rigid thinking about prior tenure lengths no longer applies. \u201cI feel like those days are gone,\u201d she says.<\/p>\n<p>To reduce the risk of misalignment, Budge recommends conducting due diligence when evaluating potential employers \u2014 particularly with leadership roles.<\/p>\n<p>\u201cImagine if you go to work for a legal firm that only wants a CISO to do ISO 27001 compliance. That\u2019s not going to work for you\u201d if you\u2019re seeking to be a transformational leader, she says, emphasizing the importance of aligning personal strengths and motivations with the company\u2019s overall direction.<\/p>\n<p><a href=\"https:\/\/www.idiq.com\/company\/leadership\/patrick-glennon\/\">Patrick Glennon<\/a>, CTO at IDIQ, adds that functional staff should also seek out the kind of work that energizes them. For instance, those who thrive on investigation might find rejuvenation in combing through web application firewall logs and correlating them with system access logs to uncover meaningful patterns. 
\u201cI would lock into the things that got you in there in the first place,\u201d he concludes.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Cybersecurity is stigmatized as a blocker<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/bharat-mistry-952414\/?originalSubdomain=uk\">Bharat Mistry<\/a>, field CTO at Trend Micro, points out how CISOs can adopt a zero-risk mindset by enforcing blanket controls without engaging key stakeholders \u2014 a strategy that can further isolate cybersecurity within IT, a function that is often already siloed.<\/p>\n<p>\u201cYou\u2019ve got network teams, you\u2019ve got server teams, you\u2019ve got the IT applications teams, and then you\u2019ve got the security team at the back of the chain,\u201d Mistry says, adding that this isolation ends up shaping cybersecurity\u2019s internal reputation. \u201cBecause they\u2019re seen quite often as a department that says no, the reputation of the team is very much, \u2018They\u2019re a business disabler, not an enabler,\u2019\u201d he says.<\/p>\n<p>To overcome this internal disconnect, Mistry recommends hosting events to give the cybersecurity team a chance to share insights on the broader threat landscape and the organization\u2019s current posture, while also inviting input from other departments.<\/p>\n<p>\u201cWe want to understand how you guys are working, what are you facing, and what are the new regulations you need to cope with. And then let\u2019s work hand in hand in a joint strategy to work out how we can enable you to work better, faster, and quicker,\u201d he says.<\/p>\n<p>This kind of dialogue can help dispel a persistent myth. \u201cCybersecurity is seen as a technical issue, and the perception in most organizations is that it lies within the IT team. 
But the reality is: It\u2019s a company-wide issue,\u201d Mistry says.<\/p>\n<p>To reinforce this point, Mistry encourages empowering cyber champions \u2014 voluntary advocates from departments such as HR, marketing, and legal \u2014 who can help demystify cybersecurity for their peers, improve awareness of associated risks, and promote good cyber hygiene.<\/p>\n<p><a href=\"https:\/\/www.gartner.com\/en\/experts\/richard-addiscott\">Richard Addiscott<\/a>, vice president analyst at Gartner, sees these informal roles increasingly being formalized into positions like the <a href=\"https:\/\/www.csoonline.com\/article\/574279\/the-biso-bringing-security-to-business-and-business-to-security.html\">business information security officer (BISO)<\/a>, reflecting the growing need to embed security into the business at every level.<\/p>\n<p>\u201cThese roles are there to be the conduit between the security function and the business to ensure that whatever the business is looking to achieve can be managed,\u201d he says.<\/p>\n<p>Even with such champions, Addiscott stresses that communication must begin at the top. CISOs must clearly articulate how their work aligns with broader business objectives. Such alignment, however, can be difficult to achieve. \u201cThere\u2019s often a disconnect between what communication the business is expecting and what the CISO is actually communicating,\u201d Addiscott explains, noting that this gap typically stems from the CISO\u2019s technical background.<\/p>\n<p>\u201cPicking up business acumen, understanding how the business works rather than being a technology guru is a fundamentally important shift for any midlevel security manager who wants to find themselves in a true C-suite CISO role,\u201d he says.<\/p>\n<p>Cybersecurity teams must also rethink how they approach risk, as relying solely on strict, one-size-fits-all controls is no longer tenable, Mistry says. 
Instead, he advocates for a more adaptive, business-aligned framework that considers overall exposure rather than just technical vulnerabilities.<\/p>\n<p>\u201cCan I live with this risk? Can I not live with this risk? Can I do something to reduce the risk? Can I offload the risk? And it\u2019s a risk conversation, not a \u2018speeds and feeds\u2019 conversation,\u201d he says, emphasizing that cybersecurity leaders must actively build relationships across the organization to make these conversations possible.<\/p>\n<p>Without such efforts in place, cybersecurity isolation can take its toll on one\u2019s experience of the career.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Stakeholders expect da Vinci<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/diazdelrio\/\">Anthony Diaz<\/a>, CISO at Exterro, highlights another tough reality of a cybersecurity career: the relentless pace of technological change.<\/p>\n<p>\u201cThreat actors are quick studies, constantly finding new angles and leveraging the latest innovations, including the rapid leaps in AI. This demands that we, as defenders, are in a perpetual state of learning and adaptation, which can be quite demanding,\u201d says Diaz.<\/p>\n<p>It\u2019s not just a matter of learning more \u2014 it\u2019s also about doing more. According to the IANS and Artico Search report, 61% of cybersecurity staff work across multiple domains. For instance, among professionals in architecture and engineering, 23% also contribute to identity and access management, 26% to application security, and nearly half \u2014 48% \u2014 to product security.<\/p>\n<p>These expanded expectations are <a href=\"https:\/\/www.csoonline.com\/article\/3851735\/cisos-are-taking-on-ever-more-responsibilities-and-functional-roles-has-it-gone-too-far.html\">even more intense at the leadership level<\/a>. 
Forrester\u2019s Budge calls this the \u201cDa Vinci Fallacy.\u201d<\/p>\n<p>\u201cCISOs are expected to be experts with mastery of skills that includes cybersecurity, technology, strategy, finance, people, and communication. That is quite a burden of expectations of any leader, particularly of security leaders,\u201d she says.<\/p>\n<p>To meet the increased demands on cyber pros, Diaz advocates for training programs, not just for the essential building blocks of cybersecurity but with risk management integrated as well. \u201cThis includes regular, realistic risk assessments and the development of practical mitigation strategies that consider both the technological aspects and the human element,\u201d he says.<\/p>\n<p>He also champions mentorship programs that pair experienced professionals with newer team members to transfer risk assessment skills and core knowledge.<\/p>\n<p>While cybersecurity professionals may face steeper learning demands than most knowledge workers, IDIQ\u2019s Glennon believes that development opportunities are a powerful motivator. He points to conferences as a key example, where professionals can stay current on best practices relating to emerging technologies.<\/p>\n<p>\u201cThe more you do things like that, the more people stay invigorated and plugged into the role and excited about what\u2019s going on. It\u2019s employee retention and it\u2019s employee development at the same time,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>The emotional cost of constant readiness<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/itlinchpin\/\">Jason James<\/a>, CIO of Aptos, notes that there is no downtime for cybersecurity professionals. They must always prepare for when \u2014 not if \u2014 an attack will occur. 
\u201cYou stay on guard for so long that it does become emotionally draining,\u201d says James, who prefers the term \u201cwork-life harmony,\u201d which allows for shifts in focus, over \u201cwork-life balance,\u201d which implies a false sense of equality between the two.<\/p>\n<p>For James, achieving work-life harmony requires the ability to truly disconnect and recharge by doing things that bring joy and perspective. For him, that means reading non-business books like memoirs and taking family trips, such as a recent Disney cruise with his children. And he takes intentional steps to ensure his team does the same, by regularly reviewing how much paid time off (PTO) his team members are using and never denying a PTO request.<\/p>\n<p>As a global leader, he\u2019s especially mindful of cultural differences, particularly among American workers, who are often reluctant to take their leave. \u201cAs a leader, you need to be looking at their PTO and go, \u2018Well, how much time have they taken off?\u2019 And you\u2019ll have people that are like, \u2018No, I don\u2019t want to.\u2019 It\u2019s like, \u2018No, you need to,\u2019\u201d he says.<\/p>\n<p>To get a clearer picture of work-life harmony across the organization, James cautions other technology leaders against relying exclusively on communication filtered through their direct reports. To stay connected and informed, he regularly conducts skip-level meetings, which allow him to engage directly with employees beyond his immediate line of management.<\/p>\n<p>\u201cIt\u2019s to show that you\u2019re not disconnected from the business, you\u2019re not sitting in some ivory tower. The idea of leading is not being at the top \u2014 it\u2019s being out in front,\u201d he says.<\/p>\n<p>James also emphasizes the importance of succession planning to ensure team members can take time off without worrying about continuity.<\/p>\n<p>IDIQ\u2019s Glennon shares a similar approach. 
He explains that cross-training through shadowing and knowledge-sharing helps build redundancy across roles, reducing risk when key personnel step away.<\/p>\n<p>\u201cOne of our main guys just took a couple of weeks to go to Europe. I think he checked in once or twice. And we can do that because we have two guys covering,\u201d he says.<\/p>\n<p>James acknowledges that while new technologies can aid in defending against bad actors, maintaining work-life harmony remains just as essential.<\/p>\n<p>\u201cWe have a lot of AI that protects our environments, but at the end of the day, I lead people. I manage services. And so it\u2019s my duty to make sure that I\u2019m also protecting the people that are protecting us,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity is an exceptionally promising career path. Demand for cyber talent is high, as is compensation, with average base salaries for leading functional roles topping $150,000, according to a 2025 benchmark report from IANS and Artico Search. But working in cybersecurity comes with challenges that are often glossed over in job postings, media coverage, and even at industry events. 
And those challenges can wear down&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14563\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14563","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14563","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14563"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14563\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}