“Control your destiny…or someone else will.” — Jack Welch
In every organization, there’s an invisible current that pulls us toward complacency. It’s the current of stability, comfort, and routine. But in cybersecurity—especially cloud security—that current moves fast, and those who don’t swim against it risk being left behind.
The Law of the Lid
Leadership expert John Maxwell calls it The Law of the Lid: your effectiveness is limited by the effectiveness of your leader. This doesn’t just apply to leadership; it applies to professional growth as well.
If your manager doesn’t value certifications or ongoing education, that mindset can become your lid. Many corporate managers don’t intentionally discourage professional development, but their priorities often dictate who gets access to training. If they’ve never pursued certifications themselves, they may undervalue them for their team. It’s not ill will—it’s human nature—but it can quietly cap your growth if you let it.
The Hidden Economics of Training
Inside most organizations, training budgets are limited. Managers must decide whom to send for training, balancing the need to develop talent with the need to maintain team stability.
Here’s the insider truth: during performance reviews, many companies require managers to stack rank their employees. A few are labeled “highly promotable,” while most are classified as “steady performers.” Ironically, too many “high potentials” can cause churn—these employees expect promotions or new challenges. That dynamic can make some managers reluctant to send their top performers to expensive training like SANS, fearing they’ll outgrow their current roles.
Yet the best managers know that investing in their people pays off. And for cybersecurity professionals, few investments yield a higher return than SANS training.
Why SANS Training Is Different
SANS training isn’t just another class—it’s the Cadillac of cybersecurity education. I tell my students to think of it not as a week of training, but as the equivalent of a semester-long graduate course. That’s literally true at the SANS Technology Institute, where the certification exam serves as the final exam.
This is where The SANS Promise comes in: everyone who completes SANS training can apply the skills and knowledge they’ve learned the day they return to work.
As an instructor, one of the most rewarding experiences for me is when a student leaves class during a break, calls their supervisor, and says, “You won’t believe what I just learned—I can’t wait to show you this when I get back!” That kind of excitement validates everything we do. It proves that the content is practical, relevant, and immediately useful.
The certification itself demonstrates that you’ve met the course’s learning objectives and mastered the material. The GIAC exams are rigorous but fair. If you put in the work, you will pass. I recommend dedicating 40 to 60 hours of study after the week of instruction to ensure mastery.
Certifications as Career Leverage and Brand Building
Certifications are more than credentials—they’re part of your personal brand. They tell your peers, clients, and leadership that you take your profession seriously. If management perceives you as attractive to other hiring managers, they may value you more internally as well. Just be careful not to be seen as a flight risk—confidence and ambition are valuable traits, but they must be balanced with loyalty and contribution.
I also find it interesting that some companies don’t emphasize certifications internally but demand them when hiring externally. That inconsistency reveals something important: even if certifications don’t always help you advance in your current role, they will absolutely help you secure your next one.
The exception to this rule is consulting. In consulting roles, certifications directly translate into billable credibility. The more certifications you hold, the stronger your value proposition becomes. I am now in consulting when not teaching for SANS.
Negotiating for Growth
Here’s a tip I’ve used successfully when negotiating new roles: after finalizing salary discussions, bring up training and certification. These funds often come from a different budget than salaries, which makes the conversation easier. I would ask for one SANS training course (with certification attempt) per year, and I’d request it in writing—because managers change, and priorities shift. Having it documented ensures your professional development remains protected.
Investing in Yourself
I also practice what I preach. When I pursued my Master’s in Information Security Engineering at SANS Technology Institute, I personally paid for over half of the courses myself. Why? Because I believe the greatest return on investment (ROI) comes from investing in yourself. That investment has paid off many times over—in knowledge, credibility, and in my total compensation.
Controlling Your Own Current
Ultimately, the most successful cybersecurity professionals take charge of their own learning. They don’t wait for permission or for someone else’s priorities to align with their ambitions—they swim upstream.
If you’re ready to do the same, join me this December at SANS CDI in Washington, D.C. for SEC502: Cloud Security Tactical Defense. You’ll gain tactical skills for defending cloud environments, learn to apply them immediately when you return to work, and prepare for a GIAC certification that proves your mastery.
Join me at CDI → www.sans.org/u/1DgN
DISCLAIMER: These views are wholly my own. They do not reflect the views of SANS or any other organization.