Security, Perspective, and Trust: A Day-One Conversation

What should every new security hire hear on day one? Not tools or policies, but judgment, ethics, escalation, and perspective. This post shares the talk I give to set those expectations from the start.

What I Tell Every New Security Team Member on Day One

When someone joins a cybersecurity team, they usually expect a tour of tools, processes, and maybe a quick run-through of policies.

That’s not where I start.

My first conversation with every new security team member is about how we operate as humans in security, not just what we do. Because security isn’t just technical work. It’s judgment work.

Security Is a Position of Trust

From day one, I make it clear: if you work in security, you will have access to information that most people never see. Some of it is uncomfortable. Some of it is sensitive. Occasionally, some of it may even feel legally or ethically unclear. When that happens, the expectation is simple:

Don't guess. Escalate. Ask.

Asking early is a sign of professionalism, not weakness. If something feels off, it probably is, but that doesn’t mean you should go with your gut every time. You’re never expected to carry that alone.

High Impact Comes With Responsibility

Security teams operate closer to high-impact decisions than most roles in the company. Our actions and our inaction can affect customers, employees, and the business in real ways. That means:

  • Our judgment matters
  • Our ethics matter
  • Our professionalism is visible

I tell new team members this explicitly: act responsibly and ethically, and I will stand behind you, even if a decision looks wrong in hindsight.

Security isn’t about never being wrong. It’s about making defensible decisions with the information you have at the time.

Integrity Over Ego, Always

One of the fastest ways to lose trust in security is to blur facts, hide mistakes, or defend bad calls out of pride. So we don’t do that.

  • We deal in facts, not opinions.
  • We don’t cover things up.
  • And it’s completely okay to say, “I was wrong. This is what I learned.”

What matters is accuracy, honesty, and learning, not looking perfect.

Security Exists to Support the Business

Another thing I’m explicit about early: security does not exist in a vacuum. Our job is to support the business, not block it by default. That means trade-offs are real. Perfect security isn’t a goal; appropriate security is.

If you’re unsure how to balance risk and business needs, you’re not expected to solve that alone. We make those calls together. We absolutely will make decisions that don't reflect hard-core cybersecurity controls to support the business, people, or processes. If something is not secure enough temporarily, we'll add it to our risk register as an exception.

Perspective Prevents Burnout

Security can feel intense. Incidents, alerts, deadlines, pressure. It adds up! So I remind people of something that’s easy to forget in the moment:

This is important work, but it is not life support. (Context caveat: unless you work in that type of environment!)

God bless our nurses and doctors around the world, but we are not trading off CPR on a human in an ER. Most situations, even if critical, are not life-or-death. Keeping perspective helps us make better decisions and avoid unnecessary stress. It also brings a different mindset to a room when the security professional isn't visibly stressed.

Take Care of Yourself

Burned-out security pros don’t make good judgment calls. I encourage people to take care of their mental and emotional health, stay curious, and actually enjoy the work. This field moves fast, and even faster now with AI. Learning is part of the job. So is taking a moment for a good laugh.

If you can’t find joy or curiosity in the work anymore, that’s a signal worth paying attention to.

Why I Start Here

Tools change. Architectures change. Threats change weekly, daily, hourly even. But judgment, integrity, perspective, and trust? Those are foundations.

If we get those right, the rest is teachable.

That’s why this is the first conversation I have with every new security team member and why I believe culture is one of the most important security controls we have.

Agree? Disagree? Think something’s missing? Send your thoughts to hello@cso.pro and I’ll fold the best additions into a future version of this shared list.

My Original Day-One List

  • Confidentiality
    You will have access to highly sensitive information. Some of it could cause serious harm to the company or individuals if mishandled. Treat everything with the utmost care.
  • Exposure to Sensitive Content
    You may encounter data or situations that are uncomfortable or even potentially illegal. Always escalate those to me right away if you have questions. It’s better to ask than guess. You can also yield to someone else, like me. And even I may yield to the proper authorities.
  • Exposure & Responsibility
    In Security, we operate closer to high-impact decisions than most employees. This means our actions, judgment, and ethics are more visible and carry greater weight. I expect you to act professionally, ethically, and responsibly at all times, and if you do, I will stand behind you, even if a decision turns out to be the wrong one in hindsight.
  • Integrity
    Never cover up mistakes or misrepresent facts. Our work is built on accuracy and honesty, and we deal in facts, not opinions. It is OK to be wrong: admit it, learn from it, and move on.
  • Business Alignment
    Our job is to support the business. That sometimes means trade-offs. If you’re unsure how to balance security with business needs, ask and we’ll help make the call together.
  • Well-being
    Security can be stressful. Take care of your mental and emotional health. It’s important to enjoy the work and that enjoyment is often what keeps you curious and excited about what we do.
  • Perspective
    We handle critical issues, but remember this is not life support and we are absolutely not doing CPR on a human in the ER. Most situations, while important and sometimes critical, are not life or death. Keep perspective to avoid unnecessary stress and irrational decisions.
    • A note on context
      There are cybersecurity roles where lives may genuinely be at stake: in healthcare, critical infrastructure, aviation, defense, or industrial control systems. In most SaaS environments, that is not usually the case. This distinction matters. It helps us keep perspective, make better decisions under pressure, and avoid manufacturing urgency where it doesn’t exist.
  • Enjoy the work we do
    Have fun, stay curious, and remember that learning is part of the job. Everything changes very quickly in what we do. Laugh.