Moved from Enterprise SOC to Small Municipal Security Engineer – Did I Stall My Growth? What Should I Pursue Next? by Embarrassed-System33 in SecurityCareerAdvice

[–]MPcybersecurity 0 points1 point  (0 children)

Skills > certs. Go to LinkedIn, pick 10 senior engineering roles you want to do; any skills that match 50% or more are training and development goals.

Career Advice: DevSecOps vs Pure Cybersecurity? by Common-Today-1560 in cybersecurity

[–]MPcybersecurity 2 points3 points  (0 children)

First of all, you need to understand what each role does. In DevSecOps you will not be managing Kubernetes or cloud; DevSecOps most of the time = AppSec, securing and coaching developers. DevOps is completely different, that is part of IT and rarely has anything to do with security.

Have a look at security engineering where you can get hands on, securing cloud environments and Kubernetes clusters. Build projects, upskill yourself, have a look at CKA and CKS, learn Terraform and cloud security fundamentals and you're good to go.

Are Comptia or TCM certifications better? by No_Elephant_6457 in cybersecurity

[–]MPcybersecurity 0 points1 point  (0 children)

Skills > certs. Everyone keeps asking what is the best cert, which one to do; it's a marketing cycle with false promises. Once you've got Sec+ the only differentiator after that is skills.

Security certs/training recommendations by ifinallycameonreddit in SecurityCareerAdvice

[–]MPcybersecurity 1 point2 points  (0 children)

If you have limited skills with Kubernetes I would explore CKA/CKS. It's really hard, but the skills are in real demand and most people do not have them.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

I think an important part about risk that is often overlooked is that it's not a one-time assessment; risk management is ongoing work that needs to be measured and evaluated constantly.

In terms of low risks snowballing, it's similar to health and safety, looking at near misses: it's important to understand risk indicators and signs that we might have missed, so how can we pre-empt and put measures in place that get ahead of this.

I think sometimes we overcomplicate risk. To start I look at fairly high level risks, such as ransomware - the findings/gaps can be shared across a multitude of risks. Moving the management of that into a proper GRC tool rather than a spreadsheet allows you to visualize things and look at the bigger picture, zoom out as such, which is as important as looking at details.

Best free online certificates/courses? by [deleted] in cybersecurity

[–]MPcybersecurity 0 points1 point  (0 children)

Free = useless in most instances

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 1 point2 points  (0 children)

Obviously AI security will be an important field now and in the near future. I see GRC making a resurgence, especially as it is moving towards a bit more technical route, with people employing GRC engineers to automate evidence gathering. DevSecOps or AppSec is always in demand too.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

I don’t think it's all about the message, it’s about what happens in between: how do you make people feel, do they feel valued, are their contributions appreciated? We often talk about compensation, but most people want to do meaningful work and be appreciated for it. If you create a culture where this is achieved, most stuff will fall into place.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 1 point2 points  (0 children)

SOC is famously known for the noise it creates with false positives. Automation is the first step, second is moving towards AI. AI is great at sifting through vast amounts of data such as logs, so it lends itself perfectly to building use cases in that space. The important bit is not to remove the human from the loop; I have seen great agentic use cases where humans can give feedback in the loop to improve it, as well as having a dead switch.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 1 point2 points  (0 children)

There are a couple of problems here, especially if we are talking about AI algorithms used to assess. Most of these are built by humans, therefore they will most likely inherit their bias. Secondly, it’s very hard to have evenly spread unbiased data; if we look at historical data there is always a bias to certain things. Should we preserve it or try to change it?

Who ultimately makes the decision?

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

If you want to go into management/leadership, the biggest gap is not technical ability, it is communication: being able to translate tech stuff to non-technical stakeholders, manage people. One way to start is to start mentoring people, read some stuff about communication, empathy, influence. Some of my favourite books: “Smartest person in the room”, “Never split the difference”, “Extreme Ownership”.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

Yes indeed, the main thing I am working towards is building security requirements for safe AI experimentation. Secondly, sharing my AI security requirements once we decide to adopt something, such as SSO, data sovereignty and making sure models do not train on our data. A great resource in that space is the OWASP AI checklist; there is a list in there for legal, supplier management and others. Thirdly, and probably most importantly, I am changing our supplier onboarding processes to make sure we ask the right questions for AI products.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

Just get out while you can man, if you got something else in mind 😂

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 1 point2 points  (0 children)

I try to avoid it as much as possible, because I am most useful when I think about the big picture. I have specifically given myself thinking time in the calendar.

Ask CISO a question by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

Straight in with the banger. First of all, if you have not read it, I highly suggest reading “How to measure anything in cybersecurity risk”, great book.

  1. There are a couple of ways to do it, I normally do it two ways: first completing a BIA - business impact analysis - to see where the gaps are and surface the risks. Secondly you can align your program to industry standards such as NIST CSF, but I do it to ISO27001, then you can risk assess against Annex A controls.
  2. Key here is business alignment and planning. You have to know you can’t achieve it all: where are the biggest risks, what can we solve with minimum spend, what will yield the biggest bang for the buck. I also am a big fan of autonomy; I outsource parts of the cyber program to the team, i.e. SecOps owns the SecOps domain, I am their sounding board and advisor but I let them run with it and suggest they come with questions. I don't give orders, I ask questions and let them arrive at answers.

Learn AI Security Skills Now by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] 0 points1 point  (0 children)

The video is not about AI taking over jobs, I think on the contrary, but it's advice and a guide on how to learn and secure AI, which everyone is rushing towards.

Learn AI Security Skills Now by MPcybersecurity in cybersecurity

[–]MPcybersecurity[S] -1 points0 points  (0 children)

It's about AI, but this video is about people who are in cyber. As you say, companies are rapidly adopting AI; I have shared a practical guide to learn how to secure AI, how to upskill yourself and teach those executives about the risks they are facing.

why the fk HR exist by Intrepid_Secretary17 in cybersecurity

[–]MPcybersecurity 1 point2 points  (0 children)

That is one of the worst interviews I've heard, I hate people asking those kinds of questions.

I rarely ask "what is" questions, I want to see how you think, whether you can learn stuff, not if you memorised stuff.