By Marcus Coetzee, March 2026.
In the middle of 2025, after the summer holidays, I reached a point of despair in my career. I believed my career was doomed, and all doors were closed to me in the UK. I had anticipated my work to accelerate after the holidays, but unfortunately, it didn’t.
My work as an associate had dried up due to shifting government policies, both in the UK and with regard to development aid in Africa. My extensive networking and efforts to apply for interesting jobs over four years had produced a single interview, in which I was advised to apply for executive positions in future.
I had a strong and persistent impulse to reinvent myself, break free of my identity and brand, and restart my career afresh. I considered deleting my website and LinkedIn profile. I would have been tempted by time travel if this technology existed. Fortunately, I suggested these ideas to an AI which had enough wisdom programmed into it to discourage me from these rash impulses.
I also experienced a recurring fantasy, which still nags me nowadays, about simplifying my life and becoming a barista. I even caught myself sitting in Costa and checking out the barista job ads on their website, calculating my likely annual earnings.
So I decided to improve my digital skills since this field seemed to be growing and was sufficiently in flux that opportunities might emerge. I theorised that technical professions required chatty extroverts like me to interface with senior management and boards on behalf of technical specialists who much preferred to avoid such activities. I started reading about digital governance and digital transformation, and listening to related podcasts.
I concluded that cybersecurity might suit me since I enjoyed military history and the profession used strategic metaphors and terminology that felt familiar, partly because of my background as a strategy consultant.
I decided to test the water and completed the Introduction to Cybersecurity course in August 2025 through FutureLearn and the Open University. I enjoyed sitting at Costa in the late afternoons with my textbook and notes open, studying again and feeling solidarity with the younger students around me. I found this fascinating and passed with flying colours. My studies put into words so much of what I had been observing around me.
Building on this momentum, I then studied towards the Certified in Cybersecurity qualification through the International Information System Security Certification Consortium (ISC2). This was more difficult, but I nevertheless passed in late October 2025, after sitting the exam at a Pearson’s testing centre in Glasgow.
Building further on my momentum, I decided to study the CompTIA Security+ certification, which was even more difficult and technically advanced. I concluded that learning a new profession would keep my brain alive. I bought the textbook and launched into studying during all my spare time. I had almost completed the coursework when a family health crisis derailed my momentum, and I paused my studies. (Fortunately, this has since been resolved and they are on the mend.)
In December 2025, I met with an insightful and experienced career counsellor. The first thing he said was that I should reconsider my aspirations in the cybersecurity field. He explained that companies wanted young technical people with the types of qualifications I was obtaining, and that senior people in the field had come through the ranks over decades and therefore had a level of credibility I would struggle to obtain. (A Chief Information Security Officer, whom I networked with later that week, confirmed this insight.) He suggested that I build upon my existing strengths instead, become much bolder about my brand, and adopt an improved approach to networking. He is still supporting me, and our strategy seems to be coming together.
I also learned that my AI, which had been helping me with my career strategy, had a tendency to agree with my assumptions despite my prompts, and didn’t see what was obvious to a wise human. I’ve learned my lesson.
Subsequently, several people asked me what had happened to my cybersecurity studies, which I had been so enthusiastic about at the time. I answered that it now felt like a waste of time, but several people replied that I must have learned something valuable from the process. Unfortunately, I couldn’t bring any insights to mind at the time.
Now that some time has passed, over three months since I stopped studying cybersecurity, I’ve had time to reflect on whether I learned anything useful. This essay is my way of organising my thoughts and opinions on the subject.
Here are the 10 main lessons about cybersecurity that have stuck with me.
1. Dynamic and evolving battleground
What struck me most was that cybersecurity is an evolving and dynamic battleground, with tactics and tools constantly being developed and deployed. It is not a situation where you can simply set up your computer or network and forget about it. Attackers are actively scouring the internet looking for vulnerabilities to exploit, such as outdated software or passwords leaked on the dark web.
While some attackers do broad sweeps, others are much more targeted and do their homework on your organisation first. They see value in tricking your staff into making payments, encrypting and ransoming your data, or stealing confidential information about your customers and beneficiaries.
Such actions are surprisingly common. The UK government’s Cyber Breaches Survey 2025 estimates that approximately 612,000 businesses and 61,000 charities reported a breach or attack in the past year. That is a significant proportion – 43% of businesses and 30% of charities.
Defenders need to be as proactive as these attackers. Both sides have started using AI, which raises the stakes considerably, since AI has become quite capable of imitating human voices in conversation.
CEOs and governing bodies cannot afford to be negligent or naive. They must ensure several layers of solid defences are in place, and that sensitive or legacy assets are appropriately cordoned off. Cybersecurity should be a regular agenda item for leadership, especially in organisations handling sensitive data. For my part, I am constantly fine-tuning and updating my home network and devices, and drawing on advice from more technically-minded friends. Complacency is not an option.
2. Human failure and social manipulation
I also realised how many cyber vulnerabilities result from human failure rather than a lack of sophisticated knowledge or tools. People who are stressed, overwhelmed, or overly confident tend to do foolish things.
They don’t update their software. I often wonder how many people are running outdated and vulnerable Windows machines on their networks. People can also be tricked into installing software from suspicious sources. This happened recently in the UK with the surge of interest in free, and often malicious, VPNs following the government’s Online Safety Act. People click on untrustworthy links. There is also a persistent tendency to use weak passwords, often the same ones across multiple platforms and websites.
Vulnerabilities extend beyond technical negligence. Some cyberattackers specialise in social engineering, which is the psychological manipulation of people into divulging confidential information or bypassing security controls. These attempts at manipulation are not just targeted at the elderly and vulnerable. They have also succeeded against CEOs and financial managers who mistakenly believed they were beyond reach.
3. Online privacy
Studying cybersecurity made me much more mindful of my online privacy. I learned how attackers use publicly available information to profile their targets and figure out how best to manipulate them.
I also think about this from a career perspective. I want to mitigate the risk that something I said or posted online could be used against me in future. I want to curate what is known about me online, particularly as recruiters increasingly use AI for risk assessments on prospective candidates, or should I ever apply for security clearance. It is notoriously difficult to permanently erase information from the internet.
Here are some things I did to protect my privacy. I deleted my Reddit and Instagram accounts, which were annoying me anyway in a distracted, addicted sort of way. I am letting Facebook suspend my account because I didn’t want it to build a face scan to verify my identity against my photos. I became anonymous on Substack. I’m mindful of what I post in my various WhatsApp groups. I watch YouTube without having my own channel, which YouTube automatically creates whenever you like or comment on something. Finally, I reviewed every comment and post I’ve made on LinkedIn, and I’m careful about what I like on that platform, as I aim to present a neutral political identity online. My online presence is now centred around my website and LinkedIn.
4. Regular backups
Regular, scheduled backups are something I learned to take more seriously. Hard drives crash, though not as often as they used to. Nowadays, people need to worry more about portable devices being lost or stolen, information being encrypted and ransomed, or machines being quietly recruited into a network of bots. I heard too many alarming stories about people and organisations losing everything. We trust big IT companies like Google, Microsoft, Apple, Amazon and Dropbox with our data, and while they have good antivirus, anti-ransomware and backup protocols of their own, the security of your cloud accounts largely depends on your password and multi-factor authentication setup.
My advice is to work in a folder that is mirrored in the cloud. This provides automatic backups and makes data accessible from other devices. On top of that, copy everything onto an external hard drive at regular intervals and store it somewhere safe. I do this approximately once a month, which means there are always three copies of my data in existence. The cloud makes this far easier than a few decades ago, when I used to store a monthly backup at my parents’ house in case my flat caught fire or was burgled.
It is generally safe to store confidential documents in the cloud, provided you use strong passwords, multi-factor authentication, no untrustworthy third-party apps linked to your Google account, and that only people you trust have physical access to your logged-in devices.
5. Password management
Password management is another area where people are lax. Hackers use powerful computers that can run through thousands of password combinations and draw on databases of common passwords, catchy song lyrics and names of fictional characters. There are also databases on the dark web containing stolen usernames and passwords. I certainly don’t want a hacker getting into my accounts and causing havoc with my life.
My strategy is to use long, unique passphrases of 14 or more characters. I add complexity with capitals, numbers and special characters where required. I’ve found it easier to start with a random sentence and then modify it. This is a reasonable baseline for 2026. The only practical way to keep track of so many varied passwords is to use a password manager. I use LastPass, which significantly improved its security architecture following a 2022 security breach, and I’ve stuck with it because I’m accustomed to it and have everything set up the way I want it. That said, you should evaluate providers carefully with proper due diligence. The built-in password manager on your phone is also a reasonable option, since most of us have credentials for hundreds of websites, apps and services.
My cybersecurity friends have always encouraged me to activate multi-factor authentication wherever possible, whether that’s an SMS with a one-time password or an app like Google Authenticator. I know this sounds cumbersome, but it is far less painful than having an account hacked.
Finally, my Windows machines have separate administrator and everyday user accounts, each with their own password. I need to enter the administrator credentials whenever I install software or adjust important system settings. This is another essential security layer.
6. Browsing the internet and VPNs
Much of safe browsing comes down to common sense. Always use an updated browser and avoid dodgy websites. As an added precaution, I use uBlock Origin, a free, open-source content blocker. While often described as an ad blocker, it also blocks trackers, malware sites and the kind of bloat that slows down your browsing.
I use different browsers for work and personal affairs. They have separate bookmarks, and I appreciate the psychological compartmentalisation this provides. For those who don’t want to optimise their browser setup, I’d recommend Brave, which is widely considered one of the safest and most private mainstream browsers available. I remember someone on Reddit describing it as “the browser you put on your granny’s computer.”
You should also be mindful of which apps and services you grant access to your Google or Microsoft account. Too many people click “sign in with Google” without thinking about the permissions they’re granting. I periodically check my Google security settings to review linked accounts, and unlink as many as possible, creating separate credentials for those sites where I can.
It is also wise to set your browser to connect via HTTPS wherever possible. I recently read that Google Chrome is planning to make this the default later this year. I also use a paid VPN whenever I’m on public WiFi in cafes, though this is an optional precaution if HTTPS is already in use.
7. External standards and benchmarks
Something I hadn’t known before was how many external standards exist for securing computers and networks. There are standards covering security governance and others covering highly technical minutiae, many of them international in scope. Competent cybersecurity professionals constantly reference these benchmarks as they fine-tune networks and devices and prescribe behaviours for the rest of us.
Organisations worth considering include ISO 27001, which provides a framework for a secure Information Security Management System, and the UK government’s Cyber Essentials standard. The latter is required for organisations applying for UK government tenders, with self-assessment at lower levels and external audits required for contracts involving more sensitive information. Even if your organisation isn’t pursuing government work, a self-assessment against Cyber Essentials would be a worthwhile exercise.
8. Phishing and email security
Phishing is the most common source of cyberattacks. Attackers send emails or messages claiming to be from a reputable organisation, trying to trick people into sharing confidential information, installing malware or making a payment. They often use spoofing, which involves mimicking the email address, letterhead, URL and website of a trusted organisation.
It is not just elderly or vulnerable people who fall victim, as television dramas might suggest. Phishing equally targets executives and senior managers, who have greater authorisation over an organisation’s financial and information assets. Even cybersecurity experts can be caught out by a well-crafted attack, particularly when it uses social engineering tactics like urgency, apparent risk or authority. I read a story on Reddit about an executive who opted out of anti-phishing training because he considered it beneath him, and subsequently made a substantial payment to a fake supplier.
Before my studies, I was unaware of the different varieties of phishing. Standard mass email phishing includes the familiar lottery winnings, distant relatives leaving money in wills, the Nigerian prince trying to move funds out of the country, and parcels held up by customs. Then there is spear phishing, which is a customised and targeted message using your name and specific details, and whaling, which is spear phishing aimed at high-value targets like senior executives. Smishing is the equivalent carried out via SMS and other messaging platforms.
My approach is straightforward, but not foolproof. Even yesterday, when I received a bill from my energy supplier, I didn’t click the “make payment” link in the email. I logged onto the site separately to review my account and pay. A few months ago, I received a message from my bank about suspicious activity, with a number to call. I Googled the correct number and called that instead. I paste suspicious emails into AI for a second opinion, and I’ve taught my elderly father to do the same. When something looks off, I right-click on email addresses or URLs to check whether the actual address matches what is displayed. I also reconcile payments against proposals and invoices before authorising anything.
9. Network security at home
My studies brought home just how many of our devices are connected to the internet. The technical term is the Internet of Things, or IoT. In addition to the obvious devices like computers, tablets and smartphones, this includes routers, televisions, smart lights, central heating systems, cars, gaming consoles, washing machines, fridges, tumble dryers, door locks, Kindles, printers and doorbell cameras. The same applies in offices and factories. Everything connected to the internet has an operating system that must be kept updated, something manufacturers and users alike often fail to do.
These devices are vulnerable. The Stuxnet worm, for example, set back Iran’s nuclear programme by years after infecting the software controlling the speed of centrifuges, reportedly destroying around a fifth of the country’s enrichment capacity. It was introduced via an infected USB drive, which is also why you should never use USB drives you find lying around. More recently, an acquaintance from my gym who works in a high-security area of the defence industry told me that even hearing aids must be vetted by their cybersecurity team.
I have become selective about which smart devices I connect to the internet, often preferring the traditional version. My old tumble dryer works perfectly well as it is; it dries my laundry. I keep operating systems and firmware updated wherever possible. When my old Windows 10 machine, which was connected to our television, reached its official end of life in October 2025, I installed Linux Mint. I also keep my router updated, having logged in to change the default password, and I check every few months that the firmware is updating automatically.
10. AI and cybersecurity
I use AI every day and find it genuinely valuable, though as I mentioned earlier, it can be dangerously lacking in wisdom, as my own career detour demonstrated. My views on AI and its broader implications haven’t changed much since I wrote an essay on the subject in August 2023. If anything, I’ve seen many of those predictions come true.
AI is increasingly being integrated into the tools used by both attackers and defenders, in a predictable arms race of competing technologies. Email phishing, for example, is becoming easier to automate and personalise. My friends in cybersecurity have told me how heavily they now rely on AI in their work. This is what most of us would expect, as with other white-collar professions.
Two things stand out about how AI is being used by attackers.
The first is AI’s ability to research and profile targets. AI is increasingly capable of drawing together information from databases, platforms and websites to build a comprehensive picture of a person or organisation’s weaknesses and the most effective attack vector. Some of this information is gathered dynamically, by probing systems and observing how defenders respond. This has made me more intentional about what I share online, which is sometimes in tension with my desire to build a brand and write openly about my experiences and insights. Writing this essay is, in that sense, a calculated risk.
The second is the growing ability of AI to imitate the voices and likenesses of real people. An attacker could simulate the voice of a distressed family member asking for money, or a commanding CEO issuing a payment instruction. Combined with the profiling capability described above, this makes AI a formidable tool for attackers.
The implications reach beyond cybersecurity. The same deepfake technology could be deployed in the political sphere to cause conflict and distort public perception. I have already seen fake political speeches, though these were intentionally comedic. The subversive potential is far greater. The 1997 film Wag the Dog, with Dustin Hoffman and Robert De Niro, depicts protagonists fabricating a war to distract the public from a presidential scandal. It illustrates precisely the kind of impulse that will seek to harness this technology.
Conclusion
I have learned that the cybersecurity field is active and constantly evolving. There is far more going on than I had expected, across several distinctive areas of speciality. New devices and technologies are being developed continuously, and the rise of AI raises the stakes further.
I also learned that we all need to stay mindful of our IT setup and practices, covering passwords, backups, updates, privacy and more. I have stepped back from cybersecurity newsletters now that my direction has changed, but I stay broadly informed through computer and technology magazines, which I access for free via the PressReader app linked to our local public library. I also follow a few technology blogs.
I habitually share descriptions of my digital setup with my AI, or raise problems I’m having, to get ideas on how to make things simpler and more secure. Complex setups overwhelm me. Fine-tuning my systems is a never-ending but genuinely engaging process.
I recognise that I only scratched the surface of cybersecurity and picked up the lexicon and some practical basics. These were interesting and helped me make sense of things I had noticed around me but never properly understood. I also enjoyed having something productive to do in the afternoons when there was no paid work.
With my career counsellor’s support, I have regained some of my original confidence, am networking at a higher level than before, and am looking for work again in the strategy and economic development field.
Finally, I have always enjoyed writing, reading and studying in cafes, and I valued the sense of solidarity I felt with other students. And, in case you are wondering, I still contemplate the merits of becoming a barista almost every day. It remains my fallback position.