I see a lot of people who want to work in cybersecurity. I said the same when I got started, but now I think this is the wrong way to frame things, especially because of AI.
My thinking now is that working in an “industry” is too vague and unfocused to give you any stability in a world where AI can do most jobs.
❝
Clarity of direction is the becoming the ultimate superpower.
I think the only way to get stability in this future—or at least as much as possible—is to be very talented at working on really hard problems.
Crucially, that requires that you can clearly articulate those problems, and describe how your approach and results are superior to alternatives.
The past version of myself would’ve said I wanted to be a security expert and have a long, fruitful career in security.
OK, but what do you want to work on?
I would’ve said something like:
Well I don’t really know, but I really like Recon, Web Testing, Risk Assessment, Testing Methodology Optimization, OSINT, and stuff like that.
And then my career would sort of accidentally fall into that direction, and I would hopefully become known for those things.
That path worked for me over the last couple of decades, but I don’t think it would work for me again. Which is why I don’t recommend it.
I think what people should say today, is that I am fascinated by all sorts of security problems, but my favorites include the Many Eyes problem within open source, the time delay in Attack Surface Management, and the problem of not knowing who is doing what in a world of nonhuman identities, or the problem of establishing trust in a world where anything could be deepfaked, i.e., how do you know if you’re actually interacting with a person you think you are interacting with?
❝
Nothing is more attractive to a hiring manager than someone who’s both competent and self-directed.
These are still security. They’re still cyber. And in some ways it’s no different than where I started with my legacy narrative. But there is a crucial difference in that this doesn’t lead with “wanting to be in security”, and then rattling off some potential, ambiguous interests.
Instead, this narrative says I like security problems, and here are some examples of ones I want to work on.
I think this approach is going to be far more robust in competition with other job-seekers, and with AI. And perhaps even more importantly, it’s a way to clarify direction for those entering the field.
Get fascinated by problems.
That fascination leads to curiosity
That curiosity leads to work
That work leads to skill
And that skill over time leads to competence
Here are some examples.
OLD: I’d like to get into security. Maybe something with pentesting.
NEW: I’m fascinated by problems in the security space, especially around the difficulty of automating manual pentesting.
OLD: I’d like to get into security. Maybe something in identity or something. I have a Github.
NEW: I’m fascinated by problems in the security space, especially around how we’re going to tell the difference between AI agents and humans. I’ve posted some small projects that start to address the issues on my Github.
The difference between these two is small but massive.
To a hiring manager, the OLD version sounds like someone who needs guidance and handholding, which virtually no company has time to give anymore.
❝
Self-directed employees are worth 10x someone who needs to be constantly managed.
The NEW versions capture someone who is self-motivated by purpose, and who is using their skills in a tangible way to solve real problems.
That’s someone to hire. And it’s also someone to replace last with AI.
This is an extraordinarily bad time to not know what you want to do with your career. AI is coming for those people first.
This is why I’m so obsessed with questions and problems. They provide clarity, and they focus curiosity and talent to an edge that produces results.
So that’s my advice. Don’t think about entering an industry.
Think about problems that you want to solve because they fascinate you, and articulate/pursue the different ways that you intend to address them.