This post is a personal reflection. It is feedback on the evolution of a profession that I have practised with passion for many years. It is not meant to be a rant. I simply want to explain why I am now taking a step back from a practice that, in my view, has strayed from its original purpose.
I have been working in the IT sector for several years. In the past, I have been fortunate enough to contribute to concrete projects where security — which was simply called ‘IT security’ without being divided into marketing sub-domains — was built with technical rigour, common sense and practical experience.
I would like to thank the experienced technicians, engineers and specialists who shared their knowledge, tips and feedback with me… and sometimes, when I was just starting out, gave me a well-deserved ‘RTFM’. (And if you’re reading this, thank you again 😉)
We didn’t just comply with standards: we created stable, resilient environments that could withstand incidents and restart quickly. And that was even more crucial when we were dealing with services exposed to financial flows. Security was a set of living, evolving, often inventive practices. It was demanding, but rewarding.
But today, what I experience on a daily basis has little to do with that approach. Security — sorry, cybersecurity — seems to be increasingly reduced to an exercise in compliance. It’s all about proving that you comply with this or that standard. We spend a lot (too much) time producing documents, tracking indicators, validating processes… sometimes to the point of absurdity, just to tick boxes.
And in this model, a system can be perfectly compliant while remaining vulnerable, while a truly robust architecture can be rejected simply because it doesn’t tick the right boxes. This logic can also be found elsewhere, such as in management, where indicators become an end in themselves, rather than a means of measuring real efficiency.
I am not against standards. I understand their role. But when compliance with standards overrides business logic, restricts technology and slows down innovation, then we are missing the point. That is not why I chose computer engineering.
So no, I’m not turning my back on cybersecurity. I remain committed to it. But today, I’m choosing to move away from it in its current form, to refocus on projects where technology still has its place, where security is provided intelligently — not bureaucratically — and where I can still solve real problems, not just satisfy an audit checklist.
I’m choosing security that’s rooted in reality but built with common sense, even if it’s imperfect, rather than compliance that’s shiny on the surface but hollow at its core. For me, engineering remains above all an art of balance and solutions, solving real problems and creating something solid, not just an exercise in submission aimed at satisfying sterile audit grids. That’s what I want to continue doing — outside this regulatory cage where proof is often confused with protection.