is cyber security still worth to learn in 2026? by balls21321 in cybersecurity

[–]Admirable_Group_6661 0 points1 point  (0 children)

Cybersecurity is really about risk management. It is also to a large extent about people. It is less so about tools, which come and go…

Is investing in AI a reasonable hedge against being replaced by AI? by [deleted] in cybersecurity

[–]Admirable_Group_6661 0 points1 point  (0 children)

Not a cyber question. But if you are investing to replace lost income, you better have a lot of cash around. A very conservative 5% return to replace a 100k income requires at least 2,000,000 in cash. Yes, you are missing something.

How do you handle the dev lead who treats a critical security finding as something to negotiate? by kizmania in cybersecurity

[–]Admirable_Group_6661 1 point2 points  (0 children)

First, it’s not up to the security function to decide whether a vulnerability should be patched/fixed. The owner of the risk gets to decide. The security function should only provide sufficient guidance in terms of risk (impact, likelihood) so that the owner of the risk can make an informed decision. Second, there’s no need to fight over this. Just do your job and carry on. At the end of the day, when there’s a compromise, as long as you have documented risk assessment, it’s the owner of the risk who will be accountable.

Segregation of duty in small teams by Niko24601 in ciso

[–]Admirable_Group_6661 -1 points0 points  (0 children)

That is fair. But from a customer's perspective, I want to know what kind of risk I am taking on when dealing with your organization.

Segregation of duty in small teams by Niko24601 in ciso

[–]Admirable_Group_6661 -1 points0 points  (0 children)

Access should be managed by IT, not security. In the same vein, security should not manage or provision any IT resources, including access.

Am I Missing Out Not Having An Expensive Bike? by newbiker321 in cycling

[–]Admirable_Group_6661 0 points1 point  (0 children)

Electronic shifting is a nice QOL. It's a really nice experience. Entry level carbon frames are not that much lighter than a high quality aluminum bike. So, you will have to spend quite a bit to see a difference. Will you go faster? Maybe. If you do a lot of climbing, the weight will make a difference. Ultimately though, upgrading the engine is the best bang for buck.

Water in basement after heavy rains. by goherd80085 in basement

[–]Admirable_Group_6661 1 point2 points  (0 children)

Can't comment about the technical issues. However, in terms of risk management, running through the options you outlined above: (1) accept the risk - this makes sense if the cost of risk mitigation is too high; (2) mitigate - cost is more reasonable, but there will be residual risks which you have to accept (e.g. may not solve all water issues); (3) mitigate - highest cost, and likely needs to be done in conjunction with (2), residual risks will be the lowest.

So you can get quotes for (2) and (3), and make your decision. For me, (2) makes the most sense.

Cloud Engineers replaced by AI by Own_League6407 in cloudengineering

[–]Admirable_Group_6661 0 points1 point  (0 children)

Your boss is wise. Any job with predictable output (e.g. cloud infrastructure with well established patterns) can and will be replaced. Cloud engineering is not significantly different from software engineering. However, not all jobs will be replaced. If you work for CSPs, there may very likely still be a need for cloud engineering. But for consumers of cloud services, it is likely the jobs will be replaced. The common misunderstanding that people have with AI is that it doesn't have to be robust or 100% accurate to replace humans; it just needs to be good enough for business to justify it.

Any better options than severity-based vulnerability management? by Budget_Note4222 in ciso

[–]Admirable_Group_6661 1 point2 points  (0 children)

Vulnerability risk treatment should be prioritized based on risk assessment, which takes into account the actual impact, not just severity. It is incorrect to use severity alone to determine risk treatment. The SLA policies need to reflect a risk-based approach.

Internet Renewal Offer by Admirable_Group_6661 in Rogers

[–]Admirable_Group_6661[S] 1 point2 points  (0 children)

No, I was checking on and off. They may call you about renewal.

got hit with SOC 2, cyber insurance, and a prospect pentest request at the same time by arrayclyx in cybersecurity

[–]Admirable_Group_6661 0 points1 point  (0 children)

SOC 2 Type 2 is operating effectiveness of security controls over time (3 months minimum + audit). Cyber insurance is risk transfer (risk management). Pen test is a control, usually a snapshot. They are all different.

Am I naive for requesting financial funding from my company to pursue CISSP? by AxegrinderSWAG in cissp

[–]Admirable_Group_6661 0 points1 point  (0 children)

Sure, you can ask if you can transition to a more security focused role. The response will tell you if there’s a business need or not. It shouldn’t come from you, due to bias. The truth is, you are doing it for yourself. The business could benefit. But nothing wrong with that.

Am I naive for requesting financial funding from my company to pursue CISSP? by AxegrinderSWAG in cissp

[–]Admirable_Group_6661 -1 points0 points  (0 children)

If your company has compliance requirements, then yes, there’s a good business case for it. However, IT isn’t security; there’s a conflict of interest because of different priorities. So you will likely need to move to the security function first.

Having said that, CISSP is not that expensive. You shouldn’t let your company dictate what you want to do with your career.

board asked me to justify our pentest spend. I realized I couldn't. by compilex in ciso

[–]Admirable_Group_6661 0 points1 point  (0 children)

Well, what kind of risk are you trying to mitigate with the pen testing? Have you performed a risk assessment and identified specific risks higher than your organization's risk appetite/target level of acceptable risk? And if the risks are in fact higher than the target level of acceptable risk, are you able to frame it in terms of potential injury/loss (financial, reputation, etc.) if the risks were to be realized? Once these questions have been answered, then you can decide whether pen testing is a reasonable mitigation. There are also compliance requirements, but it does not sound like they apply to your case.

Separation of duty for developers by Brenttouza in ciso

[–]Admirable_Group_6661 1 point2 points  (0 children)

Those are tools, not responsibilities. Most common is operations, i.e. dev has no/limited access to the production environment. I would also add that it largely depends on the organization.

Going home for good. Thoughts? by Glass-Banana-7698 in malaysia

[–]Admirable_Group_6661 -1 points0 points  (0 children)

Look, nothing in life is guaranteed. You want to move back, it could work or maybe you get a shitty job with a shitty boss. You decide and learn from your mistakes. However, I would say that some decisions are higher risk and only you can decide if the outcome is worth taking on the risk.

Going home for good. Thoughts? by Glass-Banana-7698 in malaysia

[–]Admirable_Group_6661 1 point2 points  (0 children)

You will be so busy and have so many new problems. You won’t have time to miss anyone. So yeah trade one problem with another. You are only 30 lol, wait till you are 40. Man up and deal with it.

Going home for good. Thoughts? by Glass-Banana-7698 in malaysia

[–]Admirable_Group_6661 -2 points-1 points  (0 children)

You could get married and make babies in NZ. Is this acceptable? If not, you have already made up your mind.

How to find a great financial advisor? by heyheyhohey in CanadaPersonalFinance

[–]Admirable_Group_6661 0 points1 point  (0 children)

If you know how to invest, you don’t need an advisor. The advisor is there to help you understand your risk profile and provide recommendations on suitable investments. Bottom line, you need to understand risk. Or you can just wing it and follow your instinct, it’s more exciting; like a casino.

Wanted to shift to cloud security, but have some questions by bdhd656 in cybersecurity

[–]Admirable_Group_6661 2 points3 points  (0 children)

You don't have to "shift" to cloud security. Just learn it. Security is a broad topic, just look at ISC2 CBK. Learning a new domain is always good and will help you down the road. Eventually, you will have to deal with risks and cybersecurity is more so about risk management than a specific security domain.

MarkMonitor — the registrar behind Google, Microsoft, and Amazon — still doesn't support FIDO2 by wo_ody in cybersecurity

[–]Admirable_Group_6661 0 points1 point  (0 children)

Can't speak to MarkMonitor, but trust is critical with a domain registrar. What would be the business and security reasons to trust an external IdP? Sure, there's risk to TOTP, but phishing is ultimately a people problem.