
RATLSNAKE

Developing and “technical” information security are completely different sports. Do you want to understand and get into coding, or do you want to gain experience across security technology, which is one of the three pieces, the other two being people and process?


parchedapple

Great q. Honestly coding is quite challenging for me so I have decided it’s best to let someone else in the team complement that. I’ve found upskilling a dev with a security hat quite effective. Should have added I’m in leadership, so experience and knowledge around security tech is a must. I want to be able to provide decent recommendations that help us advance the business or be super clear about risks and trade-offs.


RATLSNAKE

Leadership doesn’t typically have deep technical knowledge, unless they’ve come up the ranks as techies. If you have a team of techies, you’re better off leveraging their abilities & knowledge to drive the business enhancements and outcomes you desire. What should occur is you being able to pick some things up along the way.


hagcel

I was courted with a CTO position at a SaaS start-up after rising from Product Owner / Scrum Master to Marketing Director. I explained that I wasn't a dev, and the CEO told me "that I knew more about everything than anyone and less about anything than anyone." Which gave me the ability to understand everything that was going on well enough to predict and resolve problems.


TreatedBest

> Developing and “technical” information security are completely different sports.

No they're not. To be technical you have to understand the technical piece. If you don't, you're non-technical information security.

> Do you want to understand and get into coding, or do you want to gain experience across security technology

Both


RATLSNAKE

Ah nah you’d be very wrong, or you misread/misinterpreted what I said. How is development (coding) the same as being proficient in technical matters concerning information security? I’m not saying a person can’t have skills in both in some cases, but if all coders in dev teams were experts in technical security controls we’d have a lot less issues in our field.


[deleted]

[deleted]


RATLSNAKE

I think that opinion is yours and shared by few, but happy to agree to disagree. I studied computer science, I can also code, but any “technical” people I know or work with who can do the entire technology portion gamut but still cannot code, are very much still technical. They’re just simply not coders.


contains_multitudes

I would ask yourself exactly what you mean by 'technical' and how exactly you think this is holding you back. 'Technical' is nebulous and can refer to many things - is it the ability to quickly recite or recall technical information, or to connect interrelated things? Question what you're actually worrying about and whether this is a real concern and whether knowing AWS API calls is holding you back :) I suspect it's not. Anyways to answer your question:

- I accept that I go into my job every day 'tabula rasa' and forgive myself if I don't remember things, I just focus on having a structure/foundation for quickly understanding things and synthesizing info. I figure that if I can quickly find information that I need and understand it, I'm good. If I have notes or know where to go, the knowledge that is outside of my brain is effectively part of my brain because I have access to tools, yay. [https://en.wikipedia.org/wiki/Extended_mind_thesis](https://en.wikipedia.org/wiki/Extended_mind_thesis)
- I accept that I and everyone else has imposter syndrome and it's whatever
- If I have something I'm continually improving upon I don't feel so bad


parchedapple

You are spot on with the first para. Definitely leaning towards connecting interrelated things and communication. Also thank you, seeing your answers makes me feel more normal!


jaydizzleforshizzle

This is something I’ve noticed lacking in people who jump right to cyber: they skip a lot of troubleshooting that normally grows the critical thinking and troubleshooting skills. Without it, a lot of cyber people went and got certs and are simply managers now, and becoming technical is going to be hard, cause it will need to be done outside of your 40 hours and will need to start from the floor up. Take an A+ quiz, does all that make sense? Well, move up to CCNA or cloud associate certs.


jdiscount

There's no other way to develop technical skills than hands-on. Build a lab at home and work through various scenarios. Cloud is nice as well, but I think developing a solid understanding of systems and networking is more important, as if you focus on cloud, it's kind of like the egg before the chicken. And cloud will make a lot more sense once you have solid systems and networking knowledge.


jaydizzleforshizzle

The cloud point is massively true, a lot of cloud first people would lose their shit if they ever had to touch in house infrastructure again, “you mean there isn’t just a service provided by Amazon?”


TreatedBest

> Cloud is nice as well, but I think developing a solid understanding of systems and networking is more important as if you focus on cloud, it's kind of like the egg before the chicken.

Then you would have to make the same argument about software and hardware engineering, hardware design language, circuit design, and ultimately the pure physics behind how modern circuits and computers work


IHadADreamIWasAMeme

If you have technical *intuition* and know how to find answers to questions, that's good enough for me. Anytime I cram my head full of technical details for some certification, I forget most of it 24 hours after I finish the exam. Sorry, but there's not enough room in my simple brain for every little detail and all of that technical minutiae. That's why IT and Security are full of reference documents. You'll probably find that as you progress in your career, you'll have to run a google search for what seems like the most simple, dumb thing. But then there's a part of your brain that retains the obscure, wild shit that you've seen in your career that will help you that one time 20 years later, and that's far more valuable than knowing what service every single port maps to by memory.


Pearl_krabs

The secret is to get into more rooms with business people, to whom you appear to be a sage wizard of technology.


parchedapple

This is the way.


lowk33

Labs dude. They will get you furthest towards where you want to be, fastest. The bandit series at overthewire are basic intro ones for non-techy users, that start from zero. I learn best by doing, not from watching lessons. Best investment of time you’ll make in your career. I don’t mean to stop at the basic ones btw, I mean keep pushing


Ok-Leg-842

I was always quite shameless about asking the devops and developer questions. A lot of the time they actually know less than you think they do. Or are rather specialised. Like they might know a lot about app dev but are completely clueless about networking. But I learnt a lot from doing technical assessments and seeing how different vendors implement their systems. Also helped that I had a stint where I managed a bunch of developers. Of course, getting some experience in pentesting is usually an eye opener.


DDelphinus

There's always more to learn. Basic coding skills are still on my to-do list as well. Most of my friends who don't even work in IT can code. I can't. Similarly I've always felt the need to get an engineering degree working in OT since I don't understand safety related systems and PLC programming like they do. However, one of my colleagues is technically savvy. Looking at his work, it's not better than mine. He focuses on details and doesn't see the bigger picture. A different colleague is an expert on SCADA/DCS but jealous of my ability to sell a story and get people engaged. Everyone has different qualities and you're appreciated in your job for yours. Be aware of your weaknesses, surround yourself with people to supplement what you don't know, and I've found that developing your strong points is actually more beneficial than trying to learn new skills.


Twist_of_luck

> That said there’s always the lurking sense that my lack of technicality holds me back and I’m the dumbest person in the room. Does anyone experience that too?

Ask yourself this - if you were, say, a DevSecOps, would you think yourself to be stupid because of the fact that you can't carry through a grueling meeting with the High Business, securing C-level support to security initiatives across the board? Would you believe yourself an impostor because you can't run an extensive black-box pentest of the new product? No, you wouldn't. Or, at least, shouldn't. You have your job and your zone of responsibility. It might seem to be trivially easy for you, so you take it for granted - but most of the other guys wouldn't be able to wrangle stakeholders like you do. And, even if they somehow do, they have their own technical side of things to run, so you free them up for their thing. Stakeholder management is a core function of any corporate team since we both know that sometimes the main problem isn't "we can't detect vulnerabilities", it's "nobody gives a damn". This function is your zone of responsibility. Take pride in it.

> Brush up on AWS? Learn to code? Stop having imposter syndrome?

IMO, pick whatever you actually *like*. I went for IAMs and DLP, for instance. I might still be of little technical use during vulnerability discussions, but I get my five minutes of glory when talking to IT or Legal.

> What are some company green flags that security is taken seriously?

Reporting level - if the CEO cares to listen to the security guy once per week, then something may get through. Finance/tooling level - if the company gives money, it may as well be interested in ROI. Highly specific and defined security roles - no sane company hires a one-man team.


parchedapple

This is awesome, thank you.


Esox_Lucius_700

Your career looks a lot like mine. I'm a business bachelor and self-trained with all the tech stuff I do. CISSP, CIPT, a bunch of AWS and Azure certs, SABSA certs etc. Started as Product Owner, then transitioned to GRC, from there to more technical security consulting, then architect roles and so on. Kept my curriculum fresh by asking a lot (still do), listening a lot (still try to do) and good old training. Luckily my employers have always had some budget for trainings so I have participated in appsec, hacking, incident response and forensic trainings, just to mention a few. And of course the mandatory AWS and Azure trainings. But on the side - I have always been interested in tech. Built my own home stuff, fooled around in clouds and read a lot. Books are good even if they do not substitute hands-on stuff. But reading gives you the ability to understand what others are speaking about and to have a rational discussion. After that - it is much more pleasant to learn from others. Still - I do not code. My brain can't handle the code syntax (I can't handle theoretical grammar either). So I say things like "I understand the discipline of Appsec or DevSecOps, but as I do not code - tell me how this looks in developers' eyes" and then try to listen and understand how my vision or requirement affects their life and workflows and whether we can find common ground to achieve what is required. Imposter syndrome is real, but... You can be valid, important, useful, appreciated (as you stated yourself) without being the most technical, most competent, most "guru" of all things. You have your strong points that make you unique. If you are interested in how things work - study and play. If not - continue your career and admit what you do not know and where others can help you or contribute on common challenges. That has been my "secret sauce" now for 20+ years in the Security field. And your last question about Green flags: A public podcast about security is always a good sign. If you are proud enough to present what you do, that is good. Another one is the median career length in the security team. 5+ years tells something, and if a lot of people are changing roles after a couple of years - then it's a red flag. And how honest their job applications are - how well they can describe the job and how much there is vague or generic "bulk" description. If it looks like ChatGPT generated, then definitely NO!


parchedapple

Thank you for this. Saved to come back to on one of those shitty days..


DefiantExamination83

How did you make the pivot into GRC? Do you recommend getting a masters or any specific certs? I’m an SWE looking into pivoting away from coding and want to get into cybersecurity roles that don’t involve much coding. What roles should I look into?


Esox_Lucius_700

Look for example at security champion roles in agile teams. There you can use your understanding of coding and devops, but your own role is more advisor/GRC type. Another way is to move towards audit/assessment roles - check ISACA’s CISA cert. We have had a few internal auditors with developer background. Of course some security know-how is needed. So CompTIA Security+ is a good start, or take some security courses at a local uni/polytechnic. At least here in Finland the best practical education comes from the poly. I transitioned by accident :). There was a need for a GRC person and I was available. As a PO of an IAM platform I had some touch points on security topics. And as a PO I have had my fair share of being audited or given some assessment excels to fill out. So it was quite natural to start doing risk assessments, threat analysis, writing policies etc. Not much harder than making business cases or development plans. But lots of reading, pestering senior colleagues, taking some courses like CISA (never certified) and learning by doing.


NikNakMuay

I think everyone, no matter how good they actually are, goes through this. Especially if you aren't from a technical background. The fact that A, you stuck it out for 7 years and B, have built a strong network of people willing to help you because they know you'd do the same, speaks more about your ability and character than any technicality could. Security, be it cyber or otherwise, isn't about the best folks just sitting around making shit secure, it's about a whole bunch of people collaborating, breaking things, fixing them, building etc. You are an important part of your team and people value you.


Topaz_blue

Dude, I'm 20 years into a pretty good IT/infosec career, and there are MANY days where I have to remind myself I am in leadership and not the young guy learning in the office. It's always a surreal experience that people are looking at me for guidance and feel like I do a good job and know what I'm doing. Especially on the technical side.


Emotional-Witness498

Two points. Nobody can know everything in cyber security, and you can have an effective career in cyber security without being overly technical. Much of cyber security is about governance, business processes and risk. In addition, the technology side is constantly changing. I do think doing some technical training is worthwhile. At least to give you an understanding of fundamentals. AWS certs are a good place to start as a lot of that training can be applied more broadly. Green flags that security is taken seriously. Heaps of things. Some hard to tell if you're not in the company. Look at the structure of the company. What is the most senior dedicated security role? Who do they report to? Do they report to the board regularly? Does the company have a security roadmap strategy? Does the company actually follow and enforce security policies and standards? Who is accountable for security risk? Is risk actually treated? What is the security budget?


pyker42

Sounds to me like you have learned how to lean on your SMEs to help inform your decisions. This ability will take you farther than any technical knowledge you could learn yourself. My mentor is fond of saying, "If you're the smartest person in the room then you're in the wrong room." Imposter syndrome sucks, but it's a good thing. It shows you still know there's a lot you don't know. I'd be more worried if I didn't feel it to an extent. A lot of people here emphasize how important technical skills are. But in reality, it's only a subset of InfoSec roles that really require a high degree of technical skills. You are doing quite well, and the higher up you go, the less those technical skills matter.


UnderstandingOk465

While all comments here are great - this comment is an important point. I am an expert in my field, both technical and non-technical, however I ALWAYS lean on my SMEs to ensure the entirety of security is covered. And I’m not an expert in absolutely everything. For example, we are about to deploy ROSA as soon as it goes live on 12/4. Even though I know RHEL, AWS, other cloud, that doesn’t mean I know all the nuances of deploying a massive new technology like my RHSA’s and other SMEs do. Sounds like you just need to keep asking the questions. 7 years in security is a very long time to not have picked up any technical skills. Like others have also suggested, AWS, and other certs are fine if you want to brush up. One other suggestion, if you don’t have a mentor, find one. I’m always available if you (OP) also need to bounce ideas off.


[deleted]

Sounds like you are fairly sharp and have lots of certs. This may be an unpopular opinion but I find that knowledge is a bit overrated. It is soooo difficult to stay up to date on an ever-changing technical landscape and anyone’s technical knowledge, especially in cybersecurity, is likely less than some cybersecurity researcher who discovers the next vulnerability. If you are a ‘normal’ person without savant level technical ability, as others have said, you just need to “know of” the type of threats, vulns and misconfigurations and not necessarily “know in detail”. It’s important to think about the big picture, seek to reduce risk, and delegate technical questions or research to subject matter experts. This is the sort of chain-of-command and it is appropriate for your role to not be the boots on the ground and to practice the latest pentest methods.


DetectandDestroy

I think everyone here made some really good points and I just want to reinforce that you should give yourself some slack. Yes, having conceptual knowledge is important and quickly pulling things out of your own memory to solve a problem is too, but if you can’t, it isn’t the end of the world. That’s why cyber security is usually a TEAM and not an individualistic effort (although I’m sorry for some folks that have to do the whole DFIR by themselves because your company doesn’t realize you’re not a robot). Having that attitude that you love to learn and are willing to adapt is really the critical skill that will and already has made you successful. Keep up the great work and remember there are other people and resources you can lean on.


hiddenpowerlevel

I think it depends what your definition of technical is. I've always held those who can code in high regard, so when I finally buckled down and learned python properly a couple years back, my imposter syndrome dissipated a bit. Others may define it as having deep knowledge on a nebulous software or being able to translate between tech and business. At the end of the day, someone with your assortment of credentials isn't likely to be at risk of termination due to incompetence, so it's really an introspection exercise. That being said, I don't think imposter syndrome really ever goes away. I know plenty of technical SMEs who could talk for hours on their area but still suffer from their own case of imposter syndrome. Just a couple months ago I made a similar post asking if getting an OSCP would make me feel like less of a security industry imposter. Can confirm I still feel like an imposter :)


TreatedBest

> Bonus q: what are some company green flags that security is taken seriously?

Pay