Chapter 9
Change, Challenges,
and Priorities
By Marc van Zadelhoff
Pursuing a career in cybersecurity can be difficult and feel uncertain for many—an endless cycle of alerts, countless industry certifications to sift through, staffing shortages, and a lack of career development opportunities.
As a cybersecurity CEO, and a cybersecurity professional for 20+ years, I wanted to share the frameworks I’ve found most helpful throughout my career journey. None I’ve invented, but each sticks in my brain and altered for my usage in life. These frameworks can be helpful regardless of what industry you’re in or role you’re pursuing. I believe it’s a good way to level set and think about your career at a higher level.
Dealing with Change and Challenges
When it comes to cybersecurity, change is constant. You will face no shortage of new and ever-evolving cyberthreats, team and role changes, and organizational shifts. Learning how to adapt and respond is where you can set yourself apart and grow.
Early in my career, I came across this diagram charting ‘The Emotional Cycle of Change’ created by psychologists Don Kelley and Daryl Connor. I made a few changes to it, but the model has proven quite useful.
This framework is great for when you start a new project or job. You will see a pattern and once you notice it you can ride it versus it riding you.
Emotional Cycle of Change
Hover over each phase to learn more
Optimistic
Pessimistic
Uninformed
Informed
Valley of Death
A: My new boss/job is great!
B: First meeting was tough.
This will be hard.
C: Too hard. I can't do this.
D: Ok, first I'll find my way.
E: I think I've got this.
Stage 5
Optimistic, Informed
You did it! You navigated the change. It might have been a tough few weeks or months, but now you have a new skill and perspective.
05 / 05
Stage 4
Less Pessimistic, Informed
Things have gotten easier now. You’re still not great at your new tasks, but you’re learning. You’re creating new processes, talking to new people, and starting to adapt to your new reality. Maybe this is when you start to say, “I think I can handle this.”
04 / 05
Stage 3
Pessimistic, Informed
I call this stage The Valley of Death. The changes are happening in full force, and we haven’t yet developed the skills or knowledge to handle them confidently. You might be drowning in work, doubting your abilities, or regretting your decision to tackle new responsibilities. It feels like things will never get better.
03 / 05
Stage 2
Less Optimistic, More informed
As we settle into our new realities, we may start to realize that expectations are high and the job is more difficult than expected. We’re at the start of the learning curve, slowly grasping the challenges that lay ahead, and feeling uncertain if we can rise to the occasion. Maybe this is when you wonder, “What have I gotten myself into?”
02 / 05
Stage 1
Optimistic, Uninformed
We learn about a change—whether it’s an upcoming promotion, changing jobs, or tackling a new responsibility—and at first, we feel optimistic and excited about what’s to come. It’s energizing to think of how you can learn and grow.
The trouble is that we are fundamentally uninformed about it. We don’t really know what our new realities will look like or what is required of us.
01 / 05
Change is uncomfortable and can be downright terrifying at times. It’s easy to forget that in order to grow as a professional, you have to endure discomfort and uncertainty. As you navigate big changes, especially early in your career, the best piece of advice I can leave you with is that things won’t be tough forever. And, over the course of your career the goal is to both flatten and compress this curve: can you reduce the highs and lows? Can you get through the change cycle faster?
The Incongruence of Your Responsibility vs Ability
By nature, your responsibility (as best represented by your job title) will not always match your skill level. Promotions can take months—or even years—to be awarded, leaving you frustrated and stagnant. Conversely, you might start a job you don’t feel qualified for, leaving you overwhelmed and plagued with impostor syndrome.
I call this conundrum Career Skills vs. Level. Again, I’m sure I read about it years ago and it stuck in my head.
Here’s another diagram to help visualize the concept:
Scenarios
1: I'm bored! I'm ready!
2: Help! I have imposter syndrome!
3: I feel 100% fulfilled with my role.
There are three main dynamics that usually come into play:
01
"I'm ready! I'm Bored!"
In this scenario, you’ve been in the same role for a while. You feel competent in the job and are itching for a new challenge or promotion. This is a precarious place to be for both you and your organization. You might be frustrated with your organization’s recognition (or lack thereof) of your contributions and ability, leading you to seek a role elsewhere.
02
“Help! I have impostor syndrome!”
Whether you got a new job or received a promotion, there are times when you might not feel ready for the responsibilities of your job title. If this lasts forever among one of your team members, then they may have hit the Peter Principle (they were promoted one level above their competence).
03
“I feel 100% fulfilled with my role."
This is a great place to be as you are striking a great balance between confidence, competence, and satisfaction. Although it is a great feeling to be satisfied with your role, the more comfortable you get, the more likely you are to repeat the cycle and start to feel bored again.
Calculating Risk and Prioritizing
Cyberthreats are relentless, and it can be difficult to prioritize tasks when risk is coming from every direction. That’s why risk assessment and management are critical elements of working in cybersecurity.
To help focus on what matters most, I use the following equation:
Impact x Likelihood =
Risk
This framework was first developed by the United States Department of Defense, but I altered it slightly:
Likelihood
Impact
Using this model, you can organize your risks into four main categories:
A) High Likelihood, High Impact: These are the most important risks to mitigate. If something is probably going to happen, and the consequences will be severe, it should be your first priority.
B) Low Likelihood, High Impact: These types of risks should be planned for, but if they’re extremely unlikely, they may not be the best place to focus your energy.
C) High Likelihood, Low Impact: If something is probably going to happen, but the fallout will be minimal, you should put preventative measures in place.
D) Low Likelihood, Low Impact: These are the risks that you can add to the end of your to-do list. As far as risk goes, they’re the lowest priority.
I find I even talk to my kids about this framework when they have worries. I ask them: what’s the chance it happens, really? What’s the real impact? Often it’s a 4! And then we discuss the third dimension not shown: can you even control it? If you cannot control it at all, even if it’s a 1, it may not be something you should be worrying about.
My middle daughter had a field trip to DC and was stressing she may get a terrible roommate in the hotel. We discussed:
A) It’s unlikely, she submitted two choice girlfriends
B) If it’s not a “great” person, will that really ruin much?
C) You have no more control over this now, stop worrying!
I hope these three frameworks are a helpful way to think about your career in cybersecurity—whether you are just starting out, working toward a promotion, or just looking for general career advice.
As many of our SOC Career Guide contributors have attested, cybersecurity is not always sunshine and rainbows. The job is hard. It can be incredibly challenging and stressful, and at times, feel like the weight of the world is on your shoulders. Though, after two decades in this industry, I can confidently tell you this: It’s worth it.
In my experience, the best cybersecurity professionals recognize and love what makes this industry unique. In typical roles, you have two stakeholders in mind: your internal team and your customers. Cybersecurity introduces a third, equally important stakeholder: bad actors.
In simpler terms, your North Star is getting the bad guys. And how cool is that? The reward of successfully fending off bad actors makes everything long night, stressful alert, and threat hunting mission worth it.
By design, everything you do revolves around outsmarting adversaries in order to keep your organization safe.
Despite the perks of this job, historically, our industry hasn’t done enough to adequately prepare people for satisfying, long-term careers in cybersecurity.
That’s why I’m so thrilled this book came to fruition. Thank you to all of our contributors for conveying your passion for cybersecurity, and your eagerness to help aspiring SOC professionals find their footing. I sincerely hope that you find nuggets of wisdom from these pages and take it with you along your career journey.
About the author
Marc van Zadelhoff
Marc van Zadelhoff is a cybersecurity CEO. He has more than 20 years of experience in strategy, venture capital, business development and marketing in the cybersecurity space. A transformative technology leader, Marc thrives on building effective, high-performing cultures and driving continuous improvement in client service excellence. He’s helped oversee record growth, significant fundraising, and several acquisitions. Previously, Marc was COO of LogMeIn, Inc., driving all go-to-market activities leading up to its $4.3B ‘take private’ sale. Before that, he was the co-founder and CEO/GM of IBM Security, a unit he helped to found and grow to more than $2.5B in software and services revenues.
LinkedIn
Previous Chapter
Balancing Your Career and Wellness: A Hopeful Message for the SOC Community
Chapter 9
Change, Challenges,
and Priorities
By Marc van Zadelhoff
Pursuing a career in cybersecurity can be difficult and feel uncertain for many—an endless cycle of alerts, countless industry certifications to sift through, staffing shortages, and a lack of career development opportunities.
As a cybersecurity CEO, and a cybersecurity professional for 20+ years, I wanted to share the frameworks I’ve found most helpful throughout my career journey. None I’ve invented, but each sticks in my brain and altered for my usage in life. These frameworks can be helpful regardless of what industry you’re in or role you’re pursuing. I believe it’s a good way to level set and think about your career at a higher level.
Dealing with Change and Challenges
When it comes to cybersecurity, change is constant. You will face no shortage of new and ever-evolving cyberthreats, team and role changes, and organizational shifts. Learning how to adapt and respond is where you can set yourself apart and grow.
Early in my career, I came across this diagram charting ‘The Emotional Cycle of Change’ created by psychologists Don Kelley and Daryl Connor. I made a few changes to it, but the model has proven quite useful.
This framework is great for when you start a new project or job. You will see a pattern and once you notice it you can ride it versus it riding you.
Emotional Cycle of Change
Optimistic
Pessimistic
Uninformed
Informed
Valley of Death
A
My new boss/job
is great!
B
First meeting was
tough. This will be
hard
C
Too hard. I can't
do this.
D
Ok, first I'll find
my way.
E
I think I've
got this.
Stage 5
Optimistic, Informed
You did it! You navigated the change. It might have been a tough few weeks or months, but now you have a new skill and perspective.
05 / 05
Stage 4
Less Pessimistic, Informed
Things have gotten easier now. You’re still not great at your new tasks, but you’re learning. You’re creating new processes, talking to new people, and starting to adapt to your new reality. Maybe this is when you start to say, “I think I can handle this.”
04 / 05
Stage 3
Pessimistic, Informed
I call this stage The Valley of Death. The changes are happening in full force, and we haven’t yet developed the skills or knowledge to handle them confidently. You might be drowning in work, doubting your abilities, or regretting your decision to tackle new responsibilities. It feels like things will never get better.
03 / 05
Stage 2
Less Optimistic, More informed
As we settle into our new realities, we may start to realize that expectations are high and the job is more difficult than expected. We’re at the start of the learning curve, slowly grasping the challenges that lay ahead, and feeling uncertain if we can rise to the occasion. Maybe this is when you wonder, “What have I gotten myself into?”
02 / 05
Stage 1
Optimistic, Uninformed
We learn about a change—whether it’s an upcoming promotion, changing jobs, or tackling a new responsibility—and at first, we feel optimistic and excited about what’s to come. It’s energizing to think of how you can learn and grow.
The trouble is that we are fundamentally uninformed about it. We don’t really know what our new realities will look like or what is required of us.
01 / 05
Change is uncomfortable and can be downright terrifying at times. It’s easy to forget that in order to grow as a professional, you have to endure discomfort and uncertainty. As you navigate big changes, especially early in your career, the best piece of advice I can leave you with is that things won’t be tough forever. And, over the course of your career the goal is to both flatten and compress this curve: can you reduce the highs and lows? Can you get through the change cycle faster?
Step 2
The Incongruence of Your Responsibility vs Ability
By nature, your responsibility (as best represented by your job title) will not always match your skill level. Promotions can take months—or even years—to be awarded, leaving you frustrated and stagnant. Conversely, you might start a job you don’t feel qualified for, leaving you overwhelmed and plagued with impostor syndrome.
I call this conundrum Career Skills vs. Level. Again, I’m sure I read about it years ago and it stuck in my head.
Here’s another diagram to help visualize the concept:
Scenarios
1: I'm bored! I'm ready!
2: Help! I have imposter syndrome!
3: I feel 100% fulfilled with my role.
There are three main dynamics that usually come into play:
01
"I'm ready! I'm Bored!"
In this scenario, you’ve been in the same role for a while. You feel competent in the job and are itching for a new challenge or promotion. This is a precarious place to be for both you and your organization. You might be frustrated with your organization’s recognition (or lack thereof) of your contributions and ability, leading you to seek a role elsewhere.
02
“Help! I have impostor syndrome!”
Whether you got a new job or received a promotion, there are times when you might not feel ready for the responsibilities of your job title. If this lasts forever among one of your team members, then they may have hit the Peter Principle (they were promoted one level above their competence).
03
“I feel 100% fulfilled with my role."
This is a great place to be as you are striking a great balance between confidence, competence, and satisfaction. Although it is a great feeling to be satisfied with your role, the more comfortable you get, the more likely you are to repeat the cycle and start to feel bored again.
Calculating Risk and Prioritizing
Cyberthreats are relentless, and it can be difficult to prioritize tasks when risk is coming from every direction. That’s why risk assessment and management are critical elements of working in cybersecurity.
To help focus on what matters most, I use the following equation:
Impact x Likelihood =
Risk
This framework was first developed by the United States Department of Defense, but I altered it slightly:
Likelihood
Impact
Using this model, you can organize your risks into four main categories:
A) High Likelihood, High Impact: These are the most important risks to mitigate. If something is probably going to happen, and the consequences will be severe, it should be your first priority.
B) Low Likelihood, High Impact: These types of risks should be planned for, but if they’re extremely unlikely, they may not be the best place to focus your energy.
C) High Likelihood, Low Impact: If something is probably going to happen, but the fallout will be minimal, you should put preventative measures in place.
D) Low Likelihood, Low Impact: These are the risks that you can add to the end of your to-do list. As far as risk goes, they’re the lowest priority.
I find I even talk to my kids about this framework when they have worries. I ask them: what’s the chance it happens, really? What’s the real impact? Often it’s a 4! And then we discuss the third dimension not shown: can you even control it? If you cannot control it at all, even if it’s a 1, it may not be something you should be worrying about.
My middle daughter had a field trip to DC and was stressing she may get a terrible roommate in the hotel. We discussed:
A) It’s unlikely, she submitted two choice girlfriends
B) If it’s not a “great” person, will that really ruin much?
C) You have no more control over this now, stop worrying!
I hope these three frameworks are a helpful way to think about your career in cybersecurity—whether you are just starting out, working toward a promotion, or just looking for general career advice.
As many of our SOC Career Guide contributors have attested, cybersecurity is not always sunshine and rainbows. The job is hard. It can be incredibly challenging and stressful, and at times, feel like the weight of the world is on your shoulders. Though, after two decades in this industry, I can confidently tell you this: It’s worth it.
In my experience, the best cybersecurity professionals recognize and love what makes this industry unique. In typical roles, you have two stakeholders in mind: your internal team and your customers. Cybersecurity introduces a third, equally important stakeholder: bad actors.
By design, everything you do revolves around outsmarting adversaries in order to keep your organization safe.
In simpler terms, your North Star is getting the bad guys. And how cool is that? The reward of successfully fending off bad actors makes everything long night, stressful alert, and threat hunting mission worth it.
Despite the perks of this job, historically, our industry hasn’t done enough to adequately prepare people for satisfying, long-term careers in cybersecurity.
That’s why I’m so thrilled this book came to fruition. Thank you to all of our contributors for conveying your passion for cybersecurity, and your eagerness to help aspiring SOC professionals find their footing. I sincerely hope that you find nuggets of wisdom from these pages and take it with you along your career journey.
About the author
Marc van Zadelhoff
Marc van Zadelhoff is a cybersecurity CEO. He has more than 20 years of experience in strategy, venture capital, business development and marketing in the cybersecurity space. A transformative technology leader, Marc thrives on building effective, high-performing cultures and driving continuous improvement in client service excellence. He’s helped oversee record growth, significant fundraising, and several acquisitions. Previously, Marc was COO of LogMeIn, Inc., driving all go-to-market activities leading up to its $4.3B ‘take private’ sale. Before that, he was the co-founder and CEO/GM of IBM Security, a unit he helped to found and grow to more than $2.5B in software and services revenues.
Cybermindz.org
Twitter
LinkedIn
Previous Chapter
Balancing Your Career and Wellness:
A Hopeful Message for the SOC Community
[ Dealing with Change and Challenges ]
[ The Incongruence of Your Responsibility vs Ability ]
[ Calculating Risk and Prioritizing ]
Chapters
01
So You Want to Be a SOC analyst...
02
The Hard and Soft Skills Needed
to Crush a SOC Role
03
Advancing Cybersecurity and Career-Readiness in Academic Institutions
04
Break into Cybersecurity by Leveraging LinkedIn
05
Navigating Your Cybersecurity Career as a SOC Analyst
06
Becoming a Security Researcher:
5 Questions Answered
07
Positioning Yourself for a SOC Leadership Role
08
Balancing Your Career and Wellness: A Hopeful Message for the SOC Community
09
Change, Challenges, and Priorities
Back to Home
Chapters
01
So You Want to Be a
SOC Analyst
02
The Hard and Soft Skills Needed to Crush a SOC Role
03
Advancing Cybersecurity and Career-Readiness in Academic Institutions
04
Break into Cybersecurity by Leveraging LinkedIn
05
Navigating Your Cybersecurity Career as a SOC Analyst
06
Becoming a Security Researcher: 5 Questions Answered
07
Positioning Yourself for a SOC Leadership Role
08
Balancing Your Career and Wellness: A Hopeful Message for the SOC Community
09
Change, Challenges, and Priorities
Back to Home