
How to land your first job in cybersecurity
Experienced cybersecurity professionals share their advice to help you get your first job in the cybersecurity industry.
“The adversary doesn’t say, you can be a hacker if you go to university, have a lab in your room, get this certification, etc. That’s not how the adversary works. That’s not how the dark web works.”
Dr. Alissa J. Abdullah (Deputy CISO at Mastercard) said these words at Black Hat MEA. She was talking about the moonwalking bear – but we’ll get to that in a moment.
In cybersecurity, there’s an expectation that roles should be filled with the candidates who have the degrees, and the graduate degrees, and the certifications; the pieces of paper that promise they know what they’re doing. And this extends to employees in non-cyber departments, too – who should have more opportunities to contribute to cyber resilience.
Abdullah argued that this attitude is doing security a disservice. If threat actors don’t need degrees and certifications in order to hack a network, “why are we putting that amount of pressure on our employees?”
“To be a successful hacker, all it takes is drive. And I’ll say in order to be successful in cybersecurity, all you need is drive.”
But how do you take that raw ambition and channel it into long-term success? The journeys of some of the industry's most accomplished practitioners offer lessons worth listening to.
For many cybersecurity leaders, ambition alone wasn’t enough – they needed passion to sustain the journey. Black Hat MEA speaker Mukhammad Khalilov (Head of Offensive Security at Help AG) started his career with Cisco Networking, but it took a twist when he stumbled upon a problem that required him to “hack and crack the type 7 password and get back into the shell.”
That pivotal experience sparked his love for hacking and research.
“The passion did not earn me money,” he admitted, “but this also has allowed me to pursue my computer science studies and masters in computer security.”
His story is a reminder that passion is what keeps the momentum going when progress feels slow. “This field requires non-stop learning,” he said – and his current focus on zero-day hunting reflects his commitment to securing the broader community. “Identifying those vulnerabilities and reporting them to the right owners, and in doing so securing the community, is a great feeling.”
If you’re just starting out, let your interests and curiosities fuel your drive and direction.
Imran Parray (Founder and CEO at Snapsec) didn’t just want to fix vulnerabilities; he wanted to reimagine how cybersecurity tools worked together. “There wasn't a single company offering centralised cybersecurity solutions that integrated all the essential tools...all under one dashboard,” he told us.
His ambition wasn’t just technical – it was visionary. And it came with a steep learning curve.
“As a founder, I had to explore other fields in the industry, such as marketing and sales...this brought a lot of chaos to my life,” Parray said. But he also discovered that stepping out of his comfort zone helped him grow. “Even if you have the best product, if you don't have the ability to market it effectively...no one will use it.”
His advice for those aiming to build something meaningful? Balance your technical ambitions with business acumen. A fulfilling career often lies at the intersection of what you're good at, what you care about, and what the world needs.
Not all career paths in cybersecurity begin in cyber. Actually, lots of the practitioners we speak to at Black Hat MEA started out in a completely different industry, and brought that varied experience into the field of cyber. That’s absolutely a good thing – because diverse knowledge strengthens defences.
Stuart Seymour (CISO at Virgin Media) made the leap from physical security to cyber through deliberate upskilling and planning. “I started to proactively think, what next?” he said. With support from his CEO, he took a pen testing course, followed by a suite of SANS certifications, and embedded himself in SOC operations to understand how attackers think.
Seymour’s move didn’t happen overnight. But by being strategic – focusing on learning and seeking mentorship – he laid a solid foundation. “Mentorship played a very important role in my career,” he noted. “It helped me gain different perspectives and also helped me benefit from others’ experiences.”
Your ambition might push you to move fast, but don’t be afraid to take the time to map your growth. Ask: What do I need to learn? Who can help me get there? Where can I gain hands-on experience?
It’s easy to let fear of failure keep you from making bold moves. But for Seymour, if he could go back and give his younger self some advice, it would be: “Take intelligent risks and go for it.”
And Awwab Arif (CISO at Bank of Hope) echoed this. He took on a leadership role despite initial self-doubt, because “with proper backing from management and team collaboration, any goal is achievable,” he said.
Ambition means little if you don’t back yourself. Don’t wait to feel 100% ready. Look for opportunities that scare you just a bit – and take the leap. Cybersecurity rewards those who are willing to learn by doing.
When we spoke to Jason Lau (CISO at crypto.com), he reminded us that ambition isn’t just about climbing the ladder – it’s about lifting others up and shaping the future of the industry.
“One of the main reasons I joined the ISACA Board was to give back to the community that has supported me throughout my career,” he said. His work on the board helps set standards, develop frameworks, and foster learning for thousands of professionals.
But he also stressed the importance of understanding human behaviour. “I would advise my younger self to take more courses on psychology...understanding human behaviour is crucial for anticipating and mitigating cybersecurity threats.”
A fulfilling career isn’t only about what you know. It’s also about how well you understand the ecosystem you work in.
We asked Allan Alford (CEO at Alford & Adams, Podcast Host at The Cyber Ranch) what he gets out of hosting a successful cybersecurity podcast, and he said: “I learn. So much. My guests are brilliant...I must do a lot of research to ensure that my questions are not stupid.”
That humility, even after years as a CISO, is key. In cybersecurity, no one ever really ‘arrives.’ There’s always more to know, more to build, more to improve. Whether you're in the trenches doing pen testing or leading global defence strategy, curiosity is your most valuable asset.
You’re right; we did mention a moonwalking bear.
At BHMEA22, Dr. Alissa J. Abdullah opened her keynote with a video of two teams of basketball players, practising passes. The video asked us, the viewers, to count how many passes the white team made.
“The answer is 13,” said the narrator; “but did you see the moonwalking bear?”
We did not see the moonwalking bear.
“It’s easy to miss something you’re not looking for,” Abdullah explained. “And that is what the adversary hopes that we do. That we’re so busy with all of our tasks, with trying to do the right thing, that we click on a phishing link — and that link is the moonwalking bear.”
Even the most experienced cybersecurity practitioner misses things all the time. So don’t worry if you don’t have the technical background to back you up; focus on the skills you do have, your capacity to learn, and the experiences that allow you to spot things other people might not.