This year marks 10 years for me working in IT Security at a university.
When I started, I thought security was mostly about tools. Firewalls. SIEMs. Alerts. Logs. Configuration.
A decade later, I’ve learned it’s mostly about people.
Here are ten lessons that stand out.
1. Security Is About Trust
If people don’t trust you, they won’t tell you when something goes wrong. And when they don’t tell you, small problems turn into big ones.
2. Tools Don’t Fix Culture
You can buy the best security stack in the world. It won’t matter if your organization treats security as someone else’s problem.
3. Incidents Are Inevitable
Perfection isn’t the goal. Preparedness is. The difference between chaos and control is usually planning.
4. Communication Beats Technical Brilliance
Explaining risk clearly to leadership is often more valuable than writing the perfect query.
5. Higher Ed Is Unique
Universities are open by design. That openness is a strength academically, but it creates interesting security challenges.
6. Security Should Enable, Not Block
If your answer is always “no,” people will find ways around you. The better answer is often, “Here’s how we can do this safely.”
7. Awareness Training Matters
Not because it makes everyone an expert, but because it creates shared responsibility.
8. Logging Is Gold
You don’t appreciate logs until you don’t have them.
9. Relationships Matter More Than Policies
Policies sit in documents. Relationships get things done.
10. You Never Stop Learning
The threat landscape changes. Technology evolves. Attackers adapt. If you’re not learning, you’re falling behind.
Ten years in, the tools have changed. The threat landscape has changed. The acronyms have multiplied.
What hasn’t changed is the need for clear thinking, good logging, solid processes, and strong relationships.
That part of the job still feels just as important as it did on day one.