
Ten tips for aspiring cybersecurity professionals


From time to time, a junior security specialist, or someone looking to break into cybersecurity, asks me for a few professional tips. The technical specifics of my recommendations naturally vary depending on the interests and plans of the individual in question. However, since I keep repeating certain general ideas and recommendations, and since I believe they may be useful to almost any junior security professional, I decided to put together a list of tips that I consider important for a meaningful, effective, and satisfying career in cybersecurity.

Below you will find 10 recommendations (+ one extra, just to please fans of Spinal Tap) that, looking back, I wish someone had shared with me when I was starting out. These points reflect only my personal perspective and opinions. And although I stand behind everything below, if any of it does not align with your own views, I will not hold it against you.

  1. Security always depends on people, processes, and technologies, in that order. Never forget this, even if your career takes you into selling security solutions or into working in security management. Buying tools that no one properly operates or maintains is a great way to tick compliance checkboxes, but the real impact of a tool-centric approach to security will always be limited. Technologies alone will never deliver a meaningful level of security in any environment.
  2. Be cautious of self-proclaimed authorities. Our field includes many people who genuinely deserve to be considered authorities – highly skilled professionals who are widely respected (as well as many equally capable individuals who are unfortunately not known at all outside their immediate circles). At the same time, there are also people perceived as “authorities” mainly because they present themselves that way, or because they have been around for a long time, are very vocal, or highly visible. Their actual expertise, especially in technical terms, is, however, often limited. The issue is not that they are more visible than they deserve, but that they sometimes spread outdated or even harmful ideas.
    Be selective about who you trust. One simple test is to look at the depth of the publicly accessible work of a given authority. If their contributions consist mostly of generic statements like “we need to manage risk”, “we must increase user awareness”, or, worse, “we need to implement zero trust”, with little real substance behind them, that tells you a lot. In short, the loudest voices are not always the most qualified ones.
  3. Do not present yourself as a “cybersecurity expert”. Ever. No matter how knowledgeable you think you are, and regardless of any “expert-level” certifications you may earn along the way.
    We are not good at objectively assessing our own abilities (see the work of Dunning and Kruger), and cybersecurity has grown far too broad for anyone to truly master it all. From firewall configuration and incident response to reverse engineering, quantitative risk analysis, digital forensics, red teaming, OT security, and application security architecture, no one can realistically cover the entire spectrum.
    And don’t worry, if you ever become an expert in a specific area, others will start to label you as such on their own…
  4. Do not limit your professional development and knowledge base strictly to your specialization. Specializing is both natural and often necessary in cybersecurity, but every security professional worthy of that title should maintain at least a basic understanding of the broader field, since it provides essential context for their work.
    For example, a firewall engineer should at least be aware of relevant regulatory requirements, as they may dictate where and how a firewall should/must be implemented. Similarly, a penetration tester should understand how security monitoring and SOCs work, since avoiding detection may become relevant during unannounced testing.
  5. If you specialize in a particular vendor’s technology, do not fall into the trap of thinking it is universally the best. Whether it is a Check Point firewall, Microsoft EDR/XDR platform, or anything else, no solution is objectively “the best” in all scenarios. Claiming otherwise rarely makes sense, even if you are the one selling these solutions.
  6. A high position does not guarantee expertise, and a low position does not mean a lack of it. Do not judge your colleagues solely by their titles or certifications. You will encounter highly capable people without certifications at all levels, and at the same time, people with an impressive list of certifications and titles who lack almost any practical competence.
  7. Do not assume you understand any security domain just because you have seen it in detail in one organization. Even deep experience in a specific area, such as monitoring, risk management, or penetration testing, across multiple similar organizations or within the same region or sector, does not necessarily give you a full picture of how things can or should be done in general.
  8. Your time is valuable, so be deliberate about how you spend it. If your goal is to learn, choose conferences carefully. Most so-called “professional” conferences are primarily marketing-driven rather than educational. Many talks are designed not to teach, but to convince you that a particular product or service is exactly what your organization needs.
  9. If you want to work in cybersecurity and lack even a basic level of technical knowledge, invest in building it. Without it, you will not be able to perform effectively in any security role.
    This is not about gatekeeping, nor does it mean every CTI analyst, security manager, or risk specialist needs to be capable of writing exploits, hunting for zero-days, or analyzing network traffic. But without understanding fundamentals such as the difference between TCP and UDP and how that difference affects the way firewalls work, what Active Directory is and why a domain admin compromise matters, or how EDR/SIEM systems work and what they can realistically detect “out of the box”, none of these specialists can produce really meaningful and useful outputs.
    The idea that “anyone can do cybersecurity”, which is often repeated these days, is only partially true. Anyone can start, but not everyone can build a sustainable, meaningful career in the field.
    A non-technical background is not a barrier, and in some roles, such as CTI, it can even be an advantage. But without quickly building at least a basic technical foundation, it becomes very difficult to deliver real value, even in more process-oriented roles. It is hard to manage risks related to malware, or write meaningful policies about it, if terms like “malware,” “virus,” “trojan,” and “worm” are just vague, interchangeable labels, and “C2” sounds more like a chess coordinate than a command-and-control channel.
  10. Do not believe everything you read. Books, courses, and certification materials, even official ones, often mix solid technical content with marketing claims and personal opinions presented as facts. You will frequently encounter half-truths or outright mistakes alongside accurate information. Being able to distinguish facts from marketing claims and outright fiction can be hard, and you will not always get it right. But at the very least, if something feels off, do not rely on a single source and cross-check it.
  11. Be prepared for the fact that cybersecurity in any organization will have weaknesses you will not like. If you are not the owner or a member of executive management, your role is not to “ensure” security, but to help the organization operate as securely as possible within the constraints set by leadership. Management owns all risks, including security-related ones. Your role is to help them understand and manage those risks.
    If you identify a weakness in a process or a technology, or discover a significant threat exposure, raise these issues with the appropriate stakeholders. If management then decides to accept those risks without implementing the controls you’ve recommended, do not take it personally. It may not be pleasant, but the final decision always belongs to them.
    As security professionals, we advise, guide, and do our best within the scope of our responsibilities. That is the reality of the field, even if it can sometimes be frustrating.
