The Great Divide: Knowing vs. Doing in Information Security

WARNING: This post is a VERY candid rant. It might trigger you. If it does, think about why it triggered you.

Let’s cut the bullshit.

The information security industry is flooded with frauds—people who look the part, talk the talk, but can’t actually secure a damn thing.

We’ve built a system where knowing something is treated the same as being able to do it. But that’s not how the real world works. When ransomware is ripping through your network, when a breach is hitting the news, when everything is on fire—nobody gives a shit about your certifications, your degrees, or your LinkedIn buzzwords.

What matters is: Can you actually fix the problem?

And for far too many people in this industry, the answer is no.

The Problem: Paper Tigers Everywhere

We’ve created an entire generation of paper tigers—people who look tough on paper but fall apart when the fight starts.

How did we get here? Simple. We built an industry that values:

  • Certifications over competence.
  • Degrees over experience.
  • Compliance over actual security.
  • Buzzwords over real skills.

We’ve got CISOs who have never secured a damn thing in their careers, analysts who can’t analyze, engineers who don’t understand the tools they deploy, and auditors who wouldn’t know real security if it smacked them in the face.

The worst part? These people are making decisions that affect real businesses, real people, and real security. And they’re f*cking it up.

Why This Keeps Happening

Let’s be real—a lot of security hiring is a joke.

Job descriptions are packed with nonsense:

  • “Must have CISSP, CISM, and 10+ years of experience in cloud security.” (For an entry-level job.)
  • “Bachelor’s degree required.” (Because somehow a college course on English Lit makes you a better security pro?)
  • “Must be a team player.” (Translation: We want someone who won’t rock the boat.)

Meanwhile, actual capable, hands-on security people get passed over because they don’t check the right HR boxes. We end up with teams full of policy pushers instead of problem solvers.

Then there’s the compliance bullshit.

Too many security programs are run by people who only know how to check boxes. They’ve never had to stop an attack, recover from an incident, or make a real risk-based decision under pressure. But hey, they can write a great report, so they must be qualified, right?

Security is not compliance. Compliance is not security. And if you can’t tell the difference, you shouldn’t be in charge of anything.

What Needs to Change

Enough is enough. If we actually want to fix security, we need to start demanding real skills, real experience, and real accountability.

1. Stop Hiring Based on Paper Credentials

If your hiring process is based on filtering out resumes that don’t have the “right” letters after a name, you deserve the security failures you get. Start hiring based on what people can actually do.

  • Can they investigate a security incident?
  • Can they analyze logs and detect an attack?
  • Can they harden an environment and explain why they made the choices they did?

Can they do the job that’s required of them? If not, what the hell are they doing on your security team?

2. Stop Training People Like They’re Schoolchildren

Most security training is a joke. PowerPoint slides. Memorization. Multiple-choice exams. What does that teach anyone? Nothing.

Security training should be hands-on, high-pressure, and real-world.

  • Tabletop exercises where things go wrong.
  • Live-fire attack simulations where failure has consequences.
  • Mentorship from people who have actually been in the trenches.

If you want to train security pros, you don’t teach them what to think—you teach them how to think.

3. Kick the Useless People Out of Security

This one’s gonna piss people off, but it needs to be said: Although information security is generally a life skill, not everyone deserves a job in security.

If you can’t think critically, if you crumble under pressure, if you need a checklist to make every decision—get out of the way.

Security is not for people who just want a comfy job and a fancy title. It’s for people who want to solve real problems, stop real threats, and make real impact.

Final Thoughts

At the end of the day, security isn’t about what you know—it’s about what you can do.

I don’t care what certs you have. I don’t care what degree you earned. I don’t care how polished your LinkedIn profile is.

I care if, when everything is on fire, you’re the person who can put it out.

If you’re not that person, stop pretending to be.

And if you are that person, keep fighting the good fight—because the industry needs more of you.

What do you think? Have you run into these problems? Are you sick of the security industry rewarding the wrong people? Drop your thoughts in the comments—I want to hear them.



2 thoughts on “The Great Divide: Knowing vs. Doing in Information Security”

  1. Been there, done that. Was told I was wasting time searching logs when I came across redirects from a phishing site collecting credentials. Saved the company about $5 million in potential loss. Several million more till I was forced out. My tickets didn’t contain Dick & Jane level descriptions. My tickets contain facts and evidence and a to-the-point explanation of events.

  2. This is my big issue with the “fake it until you make it” mentality. Way too many people believe they can fake it. You can, but you should not! Imposter syndrome aside, if you are really “faking” anything in security, you should get a mentor, get training, get busy learning, or get out. It is that simple.
