Bilal Rana, CISSP, SSCP shares his personal perspective on the quandaries that cybersecurity professionals experience when making decisions about career progression, education and changing direction.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
Every day in cybersecurity, we make decisions under conditions of uncertainty. We evaluate threats, reduce risk, accept what remains and move forward. Yet when it comes to our own careers, we can often freeze. We can find ourselves researching endlessly. We may wait for the “perfect” certification or the “perfect” timing. We can postpone action until ambiguity disappears, even though ambiguity never disappears. The irony is clear: we apply disciplined risk thinking at work while potentially avoiding it in our own career development. This is how I learned how to unfreeze my career.
I recently found myself at a professional crossroads, analysing development paths, weighing options and researching possibilities without ever committing to one. Then something clicked for me, and a term we use constantly in cybersecurity was the key. I realised that every career path carries “residual risk”. The question is not which path removes uncertainty, but which risks you are willing to accept and move forward with anyway. That shift in mindset changed everything for me.
A Framework I Already Knew
In my professional work, the approach is always the same: understand the risk, reduce what is reasonable, accept what remains and execute. Organizations or cybersecurity practitioners that wait for certainty end up stuck. I realised I was doing something similar, delaying commitment while expecting clarity to arrive on its own, so the breakthrough came from applying the same model to myself.
During incident response, investigations move quickly and demand clarity. Even with structure and strong processes, real incidents expose weaknesses immediately, particularly in cloud environments. But over the last few years, I had seen a clear pattern emerge: more breaches were originating from, or pivoting through, cloud services. A significant portion of my casework already involved cloud identity gaps, storage exposure and missing or incomplete logging, so I had built up more hands-on cloud experience than I realised initially.
I wasn’t starting from zero. I had certifications in foundational cloud awareness, while the CISSP gave me governance depth and risk-based thinking. Working alongside the protective monitoring team made the picture sharper: cloud misconfigurations were not hypothetical but were direct pathways to incidents.
Then, at some point, my development stopped being about broadening. It became about deepening. Cloud was the domain where my incident response experience, governance background and long-term direction came together, so specialising there was not just logical, it was inevitable. By the time I found an old journal entry mapping out a path I had sketched years earlier, my journey to CISSP was already complete – it confirmed that the direction I had written down was not accidental but aligned: CISSP → CCSP → AZ-500. A trilogy covering governance, architecture and technical depth.
With the hardest part behind me, the remaining steps moved from aspiration to intention. So, I broke it down:
- What was I trying to achieve? Build end-to-end capability across governance, architecture and technical cloud security.
- What could I control? I could anchor learning to real investigation patterns, build hands-on labs and draw from my operational experience.
- What remained outside my control? Exam difficulty, organisational changes and the timing of opportunities.
It came down to 12-18 months of effort with no guaranteed immediate progression. But… I accepted that residual risk. This wasn’t about certifications; it was about building the capability to lead in cloud security.
It’s not just me; I’ve seen other professionals follow similar paths. One example spent months debating whether to specialise. When he finally accepted the uncertainty – encompassing the possibility of failure, lateral moves or even rejection – he committed, built a small cloud lab and moved forward. Two years later, he was working full-time in cloud security. His progress came not from certainty, but from accepting uncertainty and acting anyway.
What Changed?
Looking back, I realised how often I had mistaken my hesitation for “due diligence”. I told myself I needed more research, more clarity, one more course, one more conversation… In operational terms, I was indulging in control proliferation: adding activity that did not meaningfully reduce risk. Eventually, I had to accept that no amount of extra preparation would remove uncertainty, only action would.
What I came to understand is that inaction carries its own cost: while I was weighing options, the industry kept moving. The threat landscape, the skills in demand and the roles emerging and disappearing were all shifting. The real risk to me was looking back years later and finding myself in the same position, only older and more frustrated. That constituted avoidance, not risk management.
Success for me no longer means finding a perfect path. It means choosing a direction that aligns with where the industry is heading, where my strengths are forming and where I see myself contributing in the long term. Cloud security fits that path strategically, technically, and professionally. The way I plan now for my next move is straightforward: act on what I know, prepare for what I can, and accept whatever uncertainty remains. That shift has removed more hesitation than any amount of research ever did.
The way I see it now, and the advice I would offer my peers, is that the ultimate residual risk is not choosing the wrong certification or pivoting too early, but allowing your indecision to harden into stagnation. This understanding has changed how I move, leaving me far better equipped to manage my career proactively rather than reactively.
Bilal Rana, CISSP, SSCP, has several years of experience across telecommunications, security operations, and threat-led analysis. He has held technical and operational roles with responsibility for incident response, protective monitoring, and strengthening security processes. His cybersecurity work spans cloud security, governance, and the investigation of real-world security incidents.