Learning to See the Whole Board

When did cybersecurity finally start to make sense to you?

I presented at SANS Secure Your Fortress 2026, and that question is the entire premise of what I covered. Not the tools or the certifications, but the moment — or the absence of one — when the field stopped feeling like a list and started feeling like a system. Whether you’re new to the field, years into it, or responsible for developing the people around you, the model below will change how you think about your own growth and theirs.

The Wall Nobody Talks About

Every person who enters this field encounters a wall that is not built on purpose. It is made of vocabulary: SIEM, EDR, IAM, Zero Trust, CVE, MITRE ATT&CK, threat intelligence, vulnerability management. These are all real concepts that real practitioners have built real careers around, but the problem is what happens when someone uses three of them in a single sentence and simply expects you to follow. That wall sends a message nobody intends but almost everyone receives: you don't belong here.

That message is wrong, and the cost of leaving people in front of it is bigger than this industry admits.

As a result, there are four costs: The first is anxiety — the scale stops feeling like a fact about the field and starts feeling like a fact about the person standing in front of it. When somebody tells me they want to get into cybersecurity, the honest answer is "doing what, exactly?" There are 150 real specializations inside this field. When you don't know that yet, the size feels more like a verdict than an opportunity.

The second cost is a reactive posture. You can only respond to what has already happened, because someone else is deciding what matters. You are waiting for the alert, the email, or the meeting, and you are not ahead of anything.

The third cost is learned helplessness: a mindset of "security is for the SOC," or "that's the team upstairs." This posture guarantees losses before the work even starts.

The fourth cost is the one that should haunt every hiring manager and team lead in this field, and I am going to say it directly: We do not have a shortage of talent. We have a shortage of willingness to give that talent a chance. We post jobs requiring twenty years of experience across every technology known to mankind, with no appetite for potential and no investment in growth, then act surprised when the pipeline runs dry. We decided that the only people we want are the ones who already made it through the wall, and then we act confused when the community does not grow. There are people with the right instincts and curiosity who would have been exceptional at this work if anyone on the inside had been willing to take a chance on them. We decided not to let them in. That is on us, not on them.

What “The Board” Actually Means

The board we need to learn to pay attention to is the living relationships between technology, operations, people, and the business.

Test that definition against the last genuinely hard problem you worked on. Not a clean one, but the messy one. The stakeholder who wouldn't reply, the timeline that made no sense, or the problem that wasn't technically a security issue on paper but ended up on your plate anyway. Was that problem really about the technology, or was the technology the smallest piece of it?

The mistake the field keeps making is treating security like a collection of facts. Facts are easy. Facts are everywhere. What makes someone genuinely valuable in a security role is not more facts, but more connections. The following five stages of security thinking describe what those connections look like as they develop.

Five Stages of Security Thinking

These stages appear in every student and every new hire. Figure out which one you are actually in — not the one on your resume, but the real one.

Stage 1: I know the words

You have the vocabulary. You can use the right terms in a sentence, follow most conversations, and pass entry-level certifications, which are largely vocabulary tests. This is also the stage where almost everyone pretends to be further along than they are, because the social cost of admitting you don't understand something in a room of peers feels too high.

Think about the last meeting where somebody said something and you nodded along, yeah, yeah, yeah, and you had no idea what they actually meant. You weren't going to ask, because asking would have given you away. Maybe you jotted it down. Maybe you told yourself you'd Google it later. You never Googled it. Be honest about how often that happens. Not to the new person on your team, but to you.

Stage 2: I see the same shapes

After enough time in the field, something shifts that you cannot quite articulate yet. Events start to rhyme. I borrow that from Mark Twain: history doesn't repeat itself, but it often rhymes. Two events are not identical, but they share an underlying shape. They follow the same pattern even when the details are completely different.

Phishing rhymes. The lure changes, the brand changes, the urgency hook changes, but the shape never does. Misconfigurations rhyme. Breaches rhyme. The same handful of mistakes appear over and over, framed in different technology.

The test for stage two is whether you had a gut feeling about the last incident before you had any evidence. Did some part of you say, "this looks like the thing from last quarter," before you could explain why? That is not a hunch. It is your brain building a model, and it is telling you something real. Do not let anyone shame you for not having a citation yet. Pattern recognition is proof that the connections are forming. Most people at this stage never name what is happening, which means they never give themselves credit for it.

Stage 3: This affects that

This is the unlock, the one everything else builds toward.

Think about the first time you traced a thread all the way through. A configuration touched an identity. That identity touched a customer. That customer touched a contract. That contract touched a meeting you were not in two months ago. And that meeting was the actual reason you got a call at 3 AM.

If you have had that moment, you remember it clearly. You do not have to dig; the room is right there. If you have not had it yet, know what to look for: It feels like a physical click. Something that was loose in your head snaps into place, and the field is never quite the same after.

Stage three is where security stops being a job and starts being a system. Once you can see the system, you cannot unsee it. That is the gift and also the burden, because from that point forward you will see things others in your organization cannot see yet, and part of the job becomes figuring out how to show them.

Stage 4: The org is alive

This stage takes longer to reach, and it is where a lot of highly technical practitioners get stuck.

The realization at stage four is that the organization is not a stack. It is humans with incentives, budgets, deadlines, fear, ambition, trust, grudges, and the meeting that went sideways three years ago that nobody mentions anymore but everybody still remembers. Security stops being a tool problem and becomes a people problem dressed in technology.

Think about the last security ask that did not go your way. The one that should have been a yes and somehow was not. The one you walked out of frustrated, thinking, “how do they not get it?” Now ask the harder question: what were they actually protecting? Because they were protecting something. It might not have been what you wanted protected, but they had a reason, and the reason made sense to them.

When you can answer that question — even when you disagree with the answer — you stop being mad at the organization and start being curious about it. Curiosity is the difference between someone who can do the work and someone who can lead it. It is also, practically speaking, how you start winning the conversations that used to go against you.

Stage 5: I can advise, anticipate, and teach

This is the whole board, the seat at the table.

At stage five, you can read the threat landscape and read your organization at the same time, and the two readings inform each other. You can what is coming, and who in the building will need what kind of help to be ready for it. You are shaping what happens next instead of reacting to what already happened.

Rather than striving to be the smartest person in the room, the job is to point at the board for the next person so they do not have to take the long way around. That is what makes a stage five practitioner genuinely valuable. Not the knowledge they hold, but the clarity they create for everyone around them.

Three Things That Change at Stage Five

The questions you ask. A fragmented practitioner asks, "are we using the right tools?" That is a stage one question, and it treats security like a shopping list. A connected practitioner asks, "what is the tool actually protecting, and who depends on it being right?" Same problem, different altitude. The way to measure whether a team is maturing is whether the questions are improving.

In SEC301, my goal by the end of five days is to give people the ability to ask questions that lead and add value — questions that let someone who is not yet a practitioner engage meaningfully with those who are.

Who you can talk to. At stage one, you can mostly communicate with other security people, and even that can be uneven. At stage five, you can talk to anyone in the building, because you understand what they actually care about. Engineering lives in trade-offs, so show up in their language and they will move mountains. Legal breathes risk and obligation, so lead with that, not headlines. The CFO thinks in dollars, downtime, and trust, not CVE scores.

Think about the person in your organization you find hardest to reach, the one who never seems to get it. Then ask honestly: are you showing up in their language, or are you waiting for them to learn yours? The answer is uncomfortable for most of us, but it is the right question.

How you feel about the work. When the field is fragmented, work is reactive. Someone else lights the fire, and you bring the bucket. That dynamic is a significant contributor to the burnout numbers this industry carries. When the field is connected, work becomes proactive. You are shaping what happens next, choosing which problems to get ahead of, and closing doors before the adversary finds them.

The same field that was crushing you at stage one is the field you are using to do good work at stage five. Nothing about the field changed; you changed. And if you are tired right now, the way out is not less work; the way out is more connection.

Your Assignment

Think about who pulled you up. Someone pointed at something for you, even once, even briefly, even if they do not know they did it. That person is why something clicked for you when it did.

Now consider who you are doing that for right now.

You are somebody's stage five, and that is not optional. Look at your organization. Find the new hire staring at the wall, the colleague one conversation away from the stage three moment, the person you said you would mentor and then got too busy to actually mentor.

A rising tide lifts all ships, and this industry needs practitioners who are willing to turn around and be the tide for someone else.

Here is where to start:

• Audit the last three questions you asked in a meeting. Were they stage one questions — tools, checklists, coverage gaps — or connected ones that mapped a control to a business outcome? Most practitioners overestimate where their questions actually land.
• Identify the person in your organization who is most difficult to reach. Figure out their actual currency and show up in it next time.
• Find one person looking at the wall and have a real conversation with them. Point at something they cannot see yet.
• Get outside your usual environment. Look at BSides, OWASP chapters, and local events. Meeting practitioners across a table changes the dynamic in ways that LinkedIn, Reddit, and Discord simply cannot replicate.

Go Deeper

If you want to build this kind of connected thinking in a structured way, this framework is at the core of what I teach in SEC301: Introduction to Cyber Security.

Watch the full talk: https://youtu.be/SsALoBJtsto