The Cybersecurity Habits That Changed My Career Forever
This advice will help you grow in cybersecurity — without wasting years chasing the wrong goals
When I started my cybersecurity career over 20 years ago, I genuinely believed that certifications were the golden ticket.
Everywhere I looked, people said: “Get your CISSP, get your CEH, get your cloud cert — and your career will take off.”
And back then, in the mid-2000s, that was partially true.
I passed my CISSP in 2005 and started getting calls within a week.
But here’s the problem: I assumed that formula would last forever.
So I kept stacking certifications — one after another — believing each one would automatically lead to more opportunities.
It didn’t.
At some point, I realized my certificates were growing, but my skills weren’t.
I could explain encryption algorithms and policy frameworks, but I couldn’t deploy secure systems hands-on. I could talk about risk management but hadn’t actually mapped a control to a cloud workload.
That was my first major lesson:
Certifications open doors — but only skills keep them open.
Now, when I mentor younger professionals, I tell them:
Don’t just collect acronyms. Build things. Break things. Document what you learn.
Knowledge only compounds when you apply it.
These are some of the key lessons I have learnt in my career, which I WISH my younger self had learnt sooner.
The Career Plateau: Waiting for Permission to Grow
Another mistake I made was waiting for permission — from my manager, from my company, even from “timing.”
I used to think:
“Once my manager assigns me a new project, I’ll start learning that technology.”
“Once I’m promoted, I’ll start mentoring others.”
“Once I have a lab budget, I’ll start experimenting.”
You can probably guess how that went.
Nothing happened.
It took me years to realize that nobody was coming to hand me growth opportunities.
The people who advanced faster than me didn’t have more talent — they simply started without permission.
One colleague built a small automation script to help with compliance reporting.
Another started writing internal documentation to make onboarding smoother.
Another volunteered to train interns on phishing simulations.
None of them were “authorized” to do those things — but they did them anyway.
And they got noticed.
That’s when it clicked:
Initiative beats waiting. Every time.
If you’re waiting for someone else to define your growth, you’re already behind.
In cybersecurity — or any fast-moving field — you have to self-assign your next challenge.
The Comfort Trap — Staying Too Long in One Job
There was a point in my career when I stayed at one company for far too long.
I liked the team, the predictability, and the comfort.
But comfort quietly kills growth.
When I finally looked around, I realized the market had moved on — cloud was booming, DevSecOps was emerging, and I was still buried in legacy on-prem systems.
The world had shifted, and I hadn’t.
The next time I applied for jobs, I was no longer “ahead of the curve.”
I was playing catch-up.
It was a painful but necessary wake-up call:
If you don’t evolve, the market evolves without you.
That’s when I doubled down on learning AWS and cloud security — not because someone told me to, but because I realized learning is the only real job security.
So if you’re reading this and you’ve been in the same role for 5–7 years — ask yourself:
Is this still challenging me, or just keeping me comfortable?
The Ego Lesson — From “That’s Insecure” to “Here’s How We Can Fix It”
When I was younger, I thought being a “security expert” meant being the person who said no the loudest.
“No, that’s not secure.”
“No, we can’t deploy this.”
“No, that violates policy.”
I thought that made me principled.
In reality, it made me isolated.
Developers didn’t want to work with me.
Business teams avoided me.
And when decisions were made, I was often left out — because I was seen as a blocker, not a partner.
It took years — and a few humbling conversations with senior engineers — to learn that security isn’t about control, it’s about collaboration.
Now I say:
→ “Here’s the risk this introduces.”
→ “Here’s a safer way to achieve your goal.”
→ “Here’s what this means for the business.”
The moment you shift from critic to translator, your influence grows tenfold.
The best security professionals don’t build walls — they build bridges.
The Invisible Skill — Teaching Others
For a long time, I believed you had to be an expert before you could teach.
So I stayed quiet.
Then, one day, a junior analyst asked me to explain how IAM roles worked in AWS.
I tried breaking it down — simply, conversationally — and realized halfway through that I understood it better by explaining it.
That’s when I discovered one of the biggest accelerators in cybersecurity (and life): teaching.
You don’t need to be an expert to explain — you become one by explaining.
Mentor a junior.
Write about what you’re learning.
Create a small internal guide.
Teaching forces clarity, and clarity forces growth.
Today, my entire YouTube channel, courses, and books are built around that one principle — explain as you learn.
The Perspective Shift — Seeing Systems, Not Symptoms
In the early years, I obsessed over tools.
SIEMs, firewalls, EDRs — I wanted to master them all.
But the more I grew, the more I realized:
Tools change. Systems don’t.
A senior professional doesn’t just fix issues; they understand why those issues exist.
They see workflows, not widgets.
Instead of asking, “How do I configure this?”
I began asking, “How does this reduce risk for the business?”
That one shift transformed my thinking — from security engineer to security architect.
If you want to level up, stop focusing on the next shiny tool.
Start understanding the system — the people, processes, and risks it supports.
Growth Is Not Linear
Here’s another myth that holds people back:
They think career growth is a straight ladder — Analyst → Engineer → Manager → CISO.
But cybersecurity doesn’t work like that.
It’s more like a web — full of pivots, experiments, and reinventions.
Real growth might look like:
→ Moving sideways into Cloud Security to learn architecture.
→ Jumping into GRC from a technical role to understand risk and governance.
→ Shifting into Product Security to see how security fits into design.
→ Switching industries — from banking to healthcare — to learn new risk models.
→ Or building a personal brand that attracts opportunities on its own.
Stop chasing job titles.
Start building skills that compound.
Every sideways move adds context.
Every context deepens your judgment.
And judgment — not tools — is what gets you promoted in the long run.
Focus on Depth, Not Decoration
Here’s the uncomfortable truth about certifications:
Stacking certs ≠ stacking skills.
Every certification has a hidden cost:
→ Time you could spend applying that knowledge.
→ Energy you could use writing, building, or experimenting.
→ Money that could fund labs or cloud credits.
Certifications are great for foundations.
But after a point, depth beats decoration.
The market doesn’t reward who has the longest list of acronyms.
It rewards those who can demonstrate results — automate, improve, or explain security better than others.
Here’s the secret senior professionals know:
Skills compound like interest.
When you learn cloud, it makes your risk management sharper.
When you understand GRC, it makes your architecture more defensible.
When you teach, your communication improves — which makes you a better leader.
Each skill amplifies the others.
That’s why your 10th year in cybersecurity can be your most productive — if you keep learning horizontally.
Growth isn’t about collecting shiny new skills.
It’s about connecting existing ones into a system that works.
The Most Important Lesson — Redefine Success
For years, I thought the ultimate success was becoming a CISO.
I got there — and I hated it.
Meetings, budgets, politics, PowerPoint slides — I felt completely detached from the craft that once inspired me.
That’s when I learned:
Not every promotion is progress.
Sometimes, the best career move is to move sideways into something that reignites your curiosity — whether that’s cloud, GRC, or AI security.
Today, I’m far happier designing systems, teaching others, and building products than I ever was managing dashboards and reports.
Your definition of success doesn’t have to match anyone else’s.
Define it for yourself — and don’t let anyone guilt you for it.
Final Reflection
If I could go back and give my younger self advice, I’d say:
Stop waiting. Start building. Teach what you learn.
The biggest lessons I’ve learned didn’t come from certifications, job titles, or promotions — they came from failure, discomfort, and reflection.
Every mistake taught me something vital:
Certs don’t equal skills.
Comfort kills growth.
Ego blocks trust.
Teaching accelerates mastery.
So if you’re early in your cybersecurity journey, don’t try to be perfect.
Just start — imperfectly, curiously, and consistently.
You’ll fail, you’ll learn, and one day, you’ll look back and realize —
the mistakes were the curriculum.


