In this episode, Morey Haber, Chief Security Advisor at BeyondTrust and author of seven cybersecurity books, joins Empiric’s Cybersecurity and Identity & Access Management Account Manager for the Nordics, Findlay Livingstone, to discuss staying relevant through continuous learning, overcoming imposter syndrome and building resilient IAM teams.
With more than 21 years at BeyondTrust and experience spanning vulnerability management, cloud attack vectors, identity and privilege security and the history of cybersecurity tooling, Morey brings a long-view perspective on how the profession has evolved.
TLDR: Key Takeaways from the IAM Conversation
- Attackers increasingly “log in” rather than “hack in”, making identity the primary attack surface.
- Staying effective in cybersecurity demands the same commitment to continuous learning that medicine requires of its practitioners – the threat environment does not stand still.
- Certifications signal commitment to the field, but knowing where to apply knowledge under real conditions tends to determine whether a professional actually delivers.
- Imposter syndrome persists throughout cybersecurity careers because complete mastery is impossible in a discipline that keeps redefining its own boundaries.
- Communication, cultural fit and the ability to absorb new information without friction matter as much as technical depth when evaluating cybersecurity candidates.
- Internal mobility builds business knowledge, prevents burnout and retains institutional expertise more reliably than replacing staff with external hires.
- Teams built on long tenure, cross-functional experience and continuous development consistently outperform those assembled through rapid hiring cycles and high turnover.
How Do You Stay Relevant in a Shifting Cybersecurity Threat Landscape?
Staying effective in cybersecurity requires the same ongoing commitment to learning that medicine demands of its practitioners.
Over two decades, Morey has seen the threat model change materially.
“Most recently in terms of attack vectors, we've seen that change from weaponising vulnerabilities and exploits to having threat actors find ways to log in versus hacking. It's actually easier. Why break in when you can log in.”
For Morey, staying effective in this environment mirrors other professional disciplines, “A lot of my family is in the medical community and they have to do CMEs [continuing medical education qualifications] every year and in many ways cybersecurity is the same, even though I've been with the same organisation for 20 plus years. You constantly have to read; you constantly have to learn. You have to constantly find the new techniques, the new attack vectors, the new techniques that threat actors are using to compromise environments. And that's the key piece that allows you to stay relevant.”
Is Imposter Syndrome a Real Challenge in Cybersecurity?
Imposter syndrome persists in cybersecurity because complete mastery is impossible in a field that keeps redefining its own boundaries.
Morey is direct about imposter syndrome and why it persists in cybersecurity, “Imposter syndrome is real for starters, it’s really a self-doubt. It’s am I good enough to be on this stage or write or be the expert in this material?”
He links it to the limits of expertise, “You can never learn anything fully. You can never be the expert that has every piece of information on every topic. You become like that doctor specialised whether it’s heart surgery, brain surgery, ear nose throat, whatever it may be, and cybersecurity is the same.”
Even within a discipline like identity and privileged access, the ceiling keeps moving, “You can study you can read you can do it but you’re always going to learn one more piece and that piece of self-doubt that there’s someone else that knows more or would contradict you really can burn on the inside.”
Despite authoring seven books on cybersecurity, Morey reflects, “Someone may consider me an expert because I’ve written those books, but I can tell you personally I learn new stuff every day.”
His advice is practical, “Learn as much as you can but have confidence. Don’t get complacent. Don’t let that imposter syndrome get under your skin. It is very real.”
What Should Hiring Managers Prioritise Beyond Technical Skills?
Communication and the ability to absorb new information without friction matter as much as technical depth when evaluating cybersecurity candidates.
When evaluating candidates, Morey stresses that looking good on paper isn't enough, "If you cannot articulate your knowledge to anybody else, if you cannot absorb new information without being abrasive, you only look good on paper."
The most successful hires can absorb information and continue their work without disruption, “The most successful people have taken imposter syndrome and going, you know what? I might have it. I might have it in the extreme, but I still can articulate with confidence what I know and have room for improvement and do my job well and fit into the culture of business.”
Culture matters immensely. Morey describes businesses with good intent, minimal politics and positive rewards where technical people “will love it, feel it. Maybe it's why I'm with my company for so long.” Conversely, environments with “constant backstabbing and ‘why did you leave two minutes before five’, it doesn't matter how good you are on paper or how good you articulate that social culture of the business will basically force that employee to leave over time.”
Do Certifications Matter More Than Practical Experience in IAM?
Certifications signal commitment, but knowing where to apply knowledge under real conditions tends to determine whether a professional actually delivers.
Morey shares a story about a ship’s engine that would not start despite repeated attempts to fix it, “They brought in a specialist. He walked in, looked at the engine, took out a hammer, hit it in one specific spot and it started immediately. He sent an invoice for an obscene amount.”
The explanation was simple, “He wasn’t charging for hitting it with a hammer. He was charging because he knew where to hit the hammer.”
Experience, in that sense, is not theoretical. “Someone who's done things a thousand times and knows what they're doing from experience and practical work may just have a licence but can do phenomenal work.”
He differentiates by role. For professional services roles, he believes certifications are “incredibly important”, but for running daily business operations, "Personally as a CISO, I never looked for those certifications. I looked for people that could demonstrate knowing how to do things and getting the job done well versus, yeah, I got a piece of paper with X, Y, and Z on the end of it."
Where Should Junior IAM Professionals Focus Their Development?
Junior cybersecurity professionals will develop faster by prioritising self-improvement and communication than by specialising in a single technical discipline.
Morey acknowledges the range of emerging disciplines across identity, AI and connected devices, but resists narrowing development to a single technical path, “You could pick any one of these disciplines and become that expert in it. But if I was to recommend to anybody in cyber or technology what they should focus on, I would actually say don't focus on that specific discipline. I would focus on yourself.”
For him, progression begins with mindset and behaviour, “Focus on your own ability to literally shut up and listen when other people are talking, not believe that you’ve always got the right answer. Be open to criticism.”
Improvement is deliberate and continuous, “Learn how to embrace self-improvement, learn how to take constructive feedback, learn how to communicate, written, podcasts, whatever it may be, because whatever knowledge you consume is that discipline that you choose. Somehow, you're going to have to teach somebody else or communicate the design out.”
He illustrates this through specialisation, “I'm the expert in oceanic communications to satellites. Do I know everything? I have to be able to communicate why my design and my expertise is better than anything else out there.”
For Morey, the differentiator is clear, “Think about your own self-improvement. That's where you're going to succeed the best.”
Why Is Internal Mobility Often More Effective Than External Hiring?
Internal mobility builds business knowledge, prevents burnout and retains institutional expertise more reliably than external replacement.
Morey is direct about turnover, "The amount of time that it takes to ramp someone out for culture, technology, implementation, strategy is six months plus."
When someone is unhappy without HR or performance issues, he prefers moving them internally, "I'd rather move them, and actually I find moving them to be quite beneficial. So they don't become stale, they don't burn out. They're learning something new, they're being challenged with something different, and then they slowly become business experts because they've touched multiple disciplines within the company."
He shares two case studies. One started on the help desk, got burnt out from angry client calls, expressed interest in another department and was moved. "They started setting systems up and hardening them because they understood hardening from their days of being on the help desk. Now they're actually running teams to verify threat hunting exercises, phenomenal resource."
Another started in finance, excelling with spreadsheets, then taught herself to code. "Now she works in development helping build very complex reporting, knowledge that's industrial to the company and helping them succeed and grow is better than saying, you know what? We don't need that finance person anymore because of AI."
His question for hiring managers: "Is there a mover that's better than a new hire? And would that fit better than just basically terminating and hiring new?"
What Does It Take to Build a Resilient Cybersecurity Team?
Teams built on long tenure, cross-functional experience and continuous development consistently outperform those assembled through rapid hiring and high turnover.
Morey recommends professionals make cybersecurity more of a career than short stints, "I was at this company for six months, went to the next company a year, another company, a year and a half. Yes, you may have experience across everything, but you really don't understand the fundamentals of how a business operates because you've never been there long enough, the gears work all the way through a cycle."
His closing advice encourages both hiring managers to consider internal movement and specialists to commit to understanding business operations deeply, building experience beyond just technical capability.
Connecting Cybersecurity Professionals with Career Opportunities
Identity has moved to the centre of modern security strategy. As Morey makes clear, tools and certifications matter, but continuous learning, communication and internal development matter just as much.
Our dedicated Cybersecurity and Identity & Access Management recruitment team connects organisations with professionals who bring proven technical expertise, clear communication and genuine commitment to continuous development.
If you're building out your cybersecurity or IAM teams, hiring senior security leaders or are a cybersecurity professional exploring your next role, get in touch with our specialist team today.
Johnny Beverton