We Can’t Train Everyone. That’s the Truth.
You were told there were millions of six-figure cybersecurity jobs waiting. The industry lied, and now you’re angry. Here’s the perspective of a hiring manager and trainer.

Every few weeks, I come across another frustrated post from someone trying to "break into cybersecurity". The story is familiar: they’ve done the bootcamp, passed a certification, maybe even applied to a dozen roles. They’re not getting traction. So they vent. About how unfair the system is. About how companies are greedy. About how the industry talks a big game about the talent shortage but refuses to give newcomers a chance.
I understand where the frustration comes from. But the reality is more complicated than they realize.
Because the truth is this: we can’t scale training the way they think we can. Not because we don’t want to. Not because we’re gatekeeping. But because this work is deep, complex, and requires time, trust, and repetition to learn properly. On-the-job security and GRC training isn’t something you can just do in front of an auditorium of people taking notes. No matter how motivated the person is, we can't just "toss them to the wolves" like that: they need to be relevant to our stakeholders.
I’m a Trainer. And I’m at Capacity.
I’ve been training people in cybersecurity for years. Yet, I can count on my two hands the number of people that I took from "making coffee at Starbucks" to "autonomous security analyst". I care deeply about helping others grow into this field. I wouldn't be a part-time teacher if I didn't (most of the pay goes to taxes). And now, as a manager and coach, I have even more responsibility—not just for outcomes, but for developing others.
But here's the honest truth: I can only properly train 1 to 2 people at a time. That’s it.
Not because I lack the will. But because real coaching isn’t about quick tips or dropping a few links in a Slack channel. It’s about building judgment, not just knowledge. It’s about having regular feedback loops, guiding someone through complex ambiguity, and letting them fail safely so they can learn from it. You can’t rush that. And you definitely can’t scale it beyond a handful of people at once, especially when you're still delivering on business objectives.
I say this because people often assume that trainers like me are holding back. That we could be doing more. That if we really wanted to help, we’d open the floodgates.
But what they don’t see is how much time and effort goes into mentoring even one person well. I feel I’m doing my part. And I know many others who are too.
GRC Isn’t a Soft Landing Spot
One of the reasons expectations get skewed is the way GRC is presented to newcomers. It’s often sold as the “easy” on-ramp into cybersecurity: “Don’t like command-line? Not into pentesting? No problem, try GRC: no coding necessary!”
This does real damage.
Because GRC isn’t beginner work. It’s advisory. It's "business oriented". It requires a strong grasp of technical systems and the ability to interface with legal, engineering, procurement, and executives, often in the same meeting. It’s not enough to know a framework or memorize controls. You have to interpret risk in context, communicate clearly under pressure, and manage tradeoffs that don’t have a right answer.
I see a lot of people show up with enthusiasm but little understanding of the depth involved. They believe that because they’re willing to learn, someone should be ready to train them. But GRC doesn’t work that way. It takes time. It takes repetition. It takes coaching.
And again: coaching doesn’t scale.
We’re Not Hoarding Knowledge
I think there’s a quiet resentment building in some corners of cybersecurity toward people already in the field. As if we owe knowledge to anyone who asks for it. As if we should just “give back” more.
But here’s the thing: you can’t transfer mastery in a few coffee chats.
You don’t learn how to think like a GRC advisor from a thread or a training video. You learn it by drawing diagrams, failing reviews, getting grilled in engineering meetings, and by making judgment calls (and living with the results).
That’s why GRC isn’t a “just teach me” field. It’s a “teach me how to think” field. And that kind of mentorship is precious, slow, and intimate.
So no, we’re not hoarding knowledge to keep the supply of security specialists low in order to maintain high wages. The skill level you have to reach is just much, much higher than it looks from the outside.
The good news about cybersecurity jobs is that anyone can get in without credentials or apprenticeships. The bad news is, anyone can get in without credentials or apprenticeships.
The Millions of Open Jobs Are a Myth
Let’s address the other elephant in the room: the idea that there are “millions” of cybersecurity jobs and that all you need is a good attitude to land one.
There are jobs, yes, but the entry-level ones are few and the ones that include structured training are even rarer. Pete Strouse, a cybersecurity talent advisor, regularly shares stories on LinkedIn of communities and bootcamps 20,000 strong fighting for 500 open jobs. Here's an uncomfortable truth: are you in the top 2.5%?
Most security programs are underwater, just trying to keep up with audits, assessments, vendor reviews, architecture changes, and incident response. They don’t have the time to build apprenticeships from scratch. Not because they’re evil. Because they’re barely staffed to meet current demands.
This is especially true in GRC, where training someone requires a deep understanding of the relationships between technology and business, and building relationships where compliance adds value. That kind of growth can’t be offloaded or outsourced. Picture this: if I tell a trainee to make sure a new product complies with the frameworks they've studied, how can this person do their work without just handing the piece of paper to the lead engineer to fill out for them? I've seen seniors do this...
What I Tell People Who Still Want In
If you’re serious about building a career in GRC, you need to understand the terrain.
Here’s what I usually tell people who come to me for advice:
- Start with understanding modern systems: IAM, cloud, SaaS, vendor ecosystems. GRC sits on top of real tech. Get hands-on.
- Build mental models: Learn to diagram how systems work and where risks emerge. If you can’t draw it, you don’t know it.
- Learn to translate: GRC is about turning tech talk into risk narratives, turning policies into real controls, and somehow wrapping this up in dollars.
- Stop expecting it to be easy: It’s not. This is a tough field. And that’s okay. Hard things are worth doing.
Now layer on top of that the "people skills": exceptional communication, high emotional intelligence and strong negotiation skills. The bad news here is that both of these are extremely hard to train. Be honest with yourself: is that what you really want? Selling people on doing things that add no business value and that often degrade user experience? Security is not cool, remember. Your job is to be the buzzkill when HR and marketing want to bring AI bots to do phone calls and when engineering uses Cursor with a personal license.
The Path Is Long, But It’s Real
To the people venting online, I say this with compassion:
You’re not wrong that it’s hard to break in. You’re not wrong that the market is tough. But don’t confuse that with a moral failure on the part of the people already here.
The failure is on the media and certification bodies selling you a pipe dream, that there's a whole industry waiting for you with open arms, ready to shower you with money.
Many of us are doing our best. Building teams, coaching juniors, practicing fair hiring. But we also know the limits of what real development takes.
Building a career in cybersecurity isn’t about shortcuts or quick wins. The industry doesn’t owe you a job or an easy path. What it takes is deep, sustained effort, and the willingness to learn from failure.
So before blaming the system, recognize that real growth doesn’t happen overnight. It’s about developing real skills, judgment, and resilience, and those things take time.