
Why wouldn't you become a better professional by taking another course?

  • Apr 1
  • 6 min read

On the gap between knowledge and ability, honestly



Udemy keeps dropping prices, LinkedIn Learning reminds you that you haven't opened it in three months, and your inbox is filled with "Certified in 5 days" offers. You buy three courses and feel good.

Then three years later you'll see that you haven't opened any of them.

Sounds familiar? In the first episode of the CyberCamp podcast, we talked about this – why learning doesn't convert into value in the GRC and information security profession, and what's really missing from the development of most professionals.

This article picks up the thread at the end of the conversation.


The toolbox is full. Now...?

No one in the GRC profession suffers from a lack of knowledge. The attic is full of standards, frameworks, and methodologies – ISO 27001, NIST, COBIT, NIS2, DORA, and the list goes on. Anyone who has been in the profession for a few years has seen, read, and perhaps even implemented more than one of them.

The problem isn't that there aren't enough tools in the toolbox. The problem is when to take out which ones.

In other words: knowledge of standards is a tool. But what you do first in a specific situation – where management is uncooperative, IT is resistant, the budget is tight, and the audit is coming in three months – is a completely different competence.

This is the ability to make decisions. And no "course" teaches this.


The Paper Mill Illusion

There's a convenient narrative in the industry: if there's enough documentation, there's security. Sixty-eight pages of regulations, produced eighteen times, and then everything's fine.

No.

A document by itself is worthless if there is no working process behind it. Anyone who has done this in a production environment knows this. Those who haven't are usually convinced that writing a policy is the same as solving a problem.

In the podcast, we put it this way: the goal is to get the paper mill off the ground as soon as possible so that it is valid, and then start the substantive professional work. Which means: where is the value of the company, what actually needs to be protected, and do those who have the money understand that a ransomware attack can cost the organization sixty million forints?


Why do good professionals get "stuck"?

There are plenty of smart, educated people in the GRC profession who are not trusted with decisions. This is neither a coincidence nor an injustice – there is a pattern behind it.

Many professionals get stuck in the knowledge acquisition phase. Another certification, another standard, another methodology. It's safe, it's measurable, and it looks good on your LinkedIn profile. But it's not the same as creating value in an organization.

Value creation starts where you put knowledge into context. Where you don't say "you need to do an asset inventory according to ISO 27001 A.8.1," but "in your environment, reviewing admin privileges is the most critical right now, because if ransomware comes tomorrow, that's your biggest exposure, and we can do it in two days."

The first sentence is knowledge. The second sentence is ability. Between the two is a gap that most professionals cannot cross.


Making mistakes is the only way to learn.

This is a harsh statement, but we both agreed on it in the podcast: making mistakes is not one of the best ways to learn. It's the only one.

The problem is that in most work environments, the conditions for making mistakes are not in place. Either the environment is so harsh that people freeze up and do not dare to make mistakes because they are afraid of the consequences. Or the opposite: they are not entrusted with tasks from which they could learn because they "do not have enough experience". They copy Excel, Control-C, Control-V, and never learn anything from it.

There was an anecdote in the conversation: a new manager at a large company screwed something up, and the lesson learned afterwards was worth more than any MBA program. That kind of visceral experience, when you face the consequences of your own decision, burns in. It doesn't get forgotten like a slide deck.


The "training will fix it" trap

Many people view a training course as a key: I complete it, and then something opens up. A better position, higher salary, more responsibility.

It rarely works that way.

Not because training is bad. But because most training provides knowledge – and knowledge is a necessary but not sufficient condition for your career to move forward.

What we said in the podcast: if you're looking for a quick fix, this isn't for you. Because there are no quick fixes in this profession. What does exist is conscious, systematic development based on your own experience, which requires a set of tools - but also self-awareness, context awareness, and the ability to make decisions in uncertain situations.

Think about it: how many of your last three professional decisions were made based on a standard? And how many were made based on a sense of direction but no methodological framework?

If the latter is more common, that's okay. It means you have professional intuition. But it also means that it needs to be developed – and not with new slide decks.


The podcast also discussed a zombie game project. Someone who had nothing to do with game development took a chance on a Kickstarter campaign, spent their money on it, struggled with it for a year and a half, and nothing came of it.

But he learned how to build a team, assess competence, and put together a pitch. And his teammates – who did it with the same passion – got jobs at Siemens and other large companies because of that passion. It wasn't the success of the project that mattered, but the fact that they showed interest in what they were doing and were able to put themselves into it.

This is not an interview technique. This is an attitude. And this is exactly how it works in the GRC profession.

If you go to a job interview and it comes across that compliance documentation really bores you to death, but the pay is good – that shows. But if it comes across that you have your own project, a research area, something you do because you're really interested in – that shows too. And they buy the latter.

"Someone" also told the counterexample in the podcast: an experienced professional goes to an interview for a compliance manager position and accidentally blurts out that he is already fed up with documentation. For a compliance position. This can ruin even a good interview in ninety percent of cases.


What does this mean for your career?

If you are currently working in GRC or are planning to do so, the following questions are worth asking yourself – not because there are good answers to them, but because thinking about them is valuable in itself:

What decision do you not dare to make right now, and why? If you don't have an answer to this, no amount of training will be enough - that's how we put it literally in the podcast.

In the last professional situation where you were uncertain, what did you base your decision on? Standards, intuition, advice from a colleague, or procrastination?

What of the things you learned in the past year have you actually applied? If two out of ten, that's a good rate. But if zero out of ten, then you don't have a learning problem, but an application problem.

Is there an area of the profession that really interests you – not just because it pays well or looks good on your CV?


A GRC career is not like a skill tree in a video game where you unlock levels one after another. It is not linear. There are dead ends, setbacks, unexpected breakthroughs, and long plateaus where you feel like you are not making progress.

This is normal. Professional development is never what LinkedIn posts suggest. The reality is that everyone struggles, everyone makes mistakes, and everyone finds their own way to function.

We said this in the podcast: everyone has to figure this out for themselves. I can explain how to do a risk analysis and what to write in a policy. That won't get you any further.

What will get you further is experience – preferably in an environment where you can make mistakes, where you can solve real problems, and where there is someone who will not hold your hand but who will ask the right questions.


This article is a follow-up to the CyberCamp podcast episode. The podcast is available on YouTube and other major podcast platforms.


