The First Principle of Resilience: Be Brave Enough to Fail

A few years ago, I had a picture on my LinkedIn profile with a simple mantra: “Be brave enough to suck at something new.” It came from a humbling moment. After many years in the industry, I walked into a training course thinking I was a pretty good cyber guy. And when I walked out later that morning, I realized I was less than stellar — I might go so far as to say “terrible.” It was a stark reminder that in cybersecurity, complacency is the most dangerous vulnerability of all.

That experience taught me a foundational lesson: The path to getting better begins with the courage to be bad at something. I believe this principle applies to both individual careers and the essence of organizational cyber resilience. We invest heavily in tools and processes to prevent attacks, but incidents will happen. True resilience, like any honed craft, is built only through practice. No one steps onto a tennis court for the first time and beats a champion. 

Resilience requires the same dedication. It requires a commitment to continuously test our defenses, find our weaknesses, and learn from them.

The Foundation of Resilience: A Clear-Eyed View of Risk

This resilient mindset must be grounded in a practical reality: Risk must drive everything we do in security. Before we can build effective defenses, we must first have a comprehensive, honest understanding of our unique risk profile. This means asking a series of fundamental questions.

First, do you understand your threat landscape? The threats facing a financial services firm are vastly different from those facing a defense contractor or a manufacturing business. 

Second, do you understand your people? Are your users highly skilled and potentially capable of finding clever workarounds to security controls, or do you have a culture of shadow IT where unvetted SaaS applications are common?

Third, do you know your assets and data? If you don’t have a clear asset inventory, you cannot secure your environment. Where is your most sensitive data, how is it classified, and who has access to it? Are your controls effective? Are they mitigating the specific risks you’ve identified, and are they doing so with the least possible friction for the business?

The Hidden Risk: Our Dependence on the Software Supply Chain

Even with a strong handle on internal risk, many organizations are overlooking a massive external threat — the software supply chain. I think we might all be horrified to see how many critical enterprise products are underpinned by an open-source project maintained by a handful of contributors in their spare time.

This is one of the biggest issues that I believe people aren’t talking loudly enough about. We place an enormous amount of faith in our technology providers, but we often lack visibility into their dependencies. As an industry, we need to get more rigorous about vetting the open-source components our developers use and demanding transparency from our vendors. I believe this will continue to be a major source of breaches until we collectively address it.
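As an added illustration of what "vetting the open-source components our developers use" and "visibility into their dependencies" can look like in practice, here is example code written for this page; it is not the author's tooling or any vendor's product. It assumes a pip-style requirements file and a CycloneDX 1.5 JSON SBOM, and every package name, version, hash and SBOM entry below is a constructed sample. The first check flags dependencies whose resolved artifact is left undetermined (no exact pin, or a pin without a hash); the second walks the SBOM dependency graph to list the components nobody on the team chose directly, which is where the spare-time-maintained projects the text warns about tend to hide.

```python
"""Example: surface supply-chain visibility gaps in a requirements file and
an SBOM. Written for this page; sample inputs below are constructed."""
import json
import re
from collections import deque

# Constructed sample: a pip requirements file as a developer might commit it.
# The hash value is a placeholder, not a real package digest.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=5.0
cryptography
flask==3.0.0
"""

# Constructed sample SBOM in CycloneDX 1.5 JSON shape (abbreviated).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"bom-ref": "pkg:pypi/flask@3.0.0", "name": "flask", "version": "3.0.0"},
        {"bom-ref": "pkg:pypi/werkzeug@3.0.1", "name": "werkzeug", "version": "3.0.1"},
        {"bom-ref": "pkg:pypi/markupsafe@2.1.3", "name": "markupsafe", "version": "2.1.3"},
        {"bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests", "version": "2.31.0"},
        {"bom-ref": "pkg:pypi/urllib3@2.1.0", "name": "urllib3", "version": "2.1.0"},
    ],
    "dependencies": [
        {"ref": "pkg:pypi/app@1.0",
         "dependsOn": ["pkg:pypi/flask@3.0.0", "pkg:pypi/requests@2.31.0"]},
        {"ref": "pkg:pypi/flask@3.0.0", "dependsOn": ["pkg:pypi/werkzeug@3.0.1"]},
        {"ref": "pkg:pypi/werkzeug@3.0.1", "dependsOn": ["pkg:pypi/markupsafe@2.1.3"]},
        {"ref": "pkg:pypi/requests@2.31.0", "dependsOn": ["pkg:pypi/urllib3@2.1.0"]},
    ],
})

# name, optional comparison operator, version (enough for plain requirement lines)
REQ_LINE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s]*)")


def audit_requirements(text):
    """Return {package: [findings]} for lines that leave the resolved artifact
    undetermined: no exact pin, or an exact pin without a --hash."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            continue
        name, op, _version = m.groups()
        issues = []
        if op != "==":
            issues.append("not pinned to an exact version")
        elif "--hash=" not in line:
            issues.append("pinned but no --hash (artifact can still be swapped)")
        if issues:
            findings[name.lower()] = issues
    return findings


def transitive_depth(sbom_json, root):
    """Breadth-first walk of the CycloneDX dependency graph from `root`.
    Returns {bom-ref: depth}; depth 1 is a direct dependency, >= 2 is transitive."""
    bom = json.loads(sbom_json)
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:  # first visit is the shortest path
                depth[child] = depth[node] + 1
                queue.append(child)
    return depth


def transitive_only(sbom_json, root):
    """Components reachable only indirectly (depth >= 2): the part of the
    supply chain the team never explicitly chose and rarely reviews."""
    return sorted(ref for ref, d in transitive_depth(sbom_json, root).items() if d >= 2)


if __name__ == "__main__":
    for pkg, issues in audit_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {'; '.join(issues)}")
    for ref in transitive_only(SAMPLE_SBOM, "pkg:pypi/app@1.0"):
        print("transitive dependency:", ref)
```

On the sample input, `requests` passes (exact pin plus hash), `flask` is pinned but unhashed, and `pyyaml` and `cryptography` float, so a fresh install can silently pull a different artifact than the one reviewed. The SBOM walk reports `werkzeug`, `urllib3` and `markupsafe` as transitive; those are the names to feed into whatever maintainer-count or project-health review your vendor questionnaire asks for.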

Applying the Mindset: A New Model for Security Training

Nowhere is this need for a risk-based mindset more apparent than in employee security training. I see our training programs as no different from the personal protective equipment (PPE) we’d give a worker in a manufacturing plant. Yet we often deliver it as a one-size-fits-all “sheep dip” exercise, and that model is fundamentally broken.

A resilient organization understands that risk is not uniform. The risk profile of a CEO is, of course, different from that of an accounts payable clerk. Our training must reflect this reality. It should be dynamic and personalized, using risk signals from across the business — an employee’s role, their tenure or their IT literacy — to deliver the right training, to the right person, at the right time.

The Ultimate Test: Learning from Failure

This philosophy culminates in how we handle an incident. The technical steps of an effective response (identification, containment, eradication, and recovery) are critical. But for me, the single most important phase is what comes after — the lessons learned.

Every incident, every test, every exercise must be followed by a “lessons learned” session where people can be open, honest, and truthful, without fear of blame. This is a business-wide responsibility. When we run tabletop exercises, we bring everyone into the room who would be involved in a real crisis — from legal to communications to executive leadership. It is their business and their incident.

This collaborative, blameless process of learning from failure is where true resilience is forged. It’s the feedback loop that enables us to find the gaps in our playbook, refine our policies and ensure that next time, we will be stronger, faster, and more effective.

Resilience Is a Feedback Loop

In our industry, the threats will never stop evolving, which means we can never stop learning. The ability to “suck at something new” is about being open to the feedback that the world is giving you. The lessons-learned process after an incident is the organizational version of that mindset.

Preparedness is everything, but it is not a static state achieved by writing a policy. Instead, it is a dynamic process of training, testing and, most importantly, learning from every failure. This feedback loop forms the core of cyber resilience. It requires courage, humility, and a shared commitment to getting better, together.

Want to hear more on this topic? Listen to the full, unedited conversation with Sam on the Threat Vector podcast.