Why I Got a Cybersecurity Certification as a PM
When I tell people I have an ISC2 cybersecurity certification, the question is always the same: "Why? You are a PM, not a security engineer."
Exactly. And that is the point.
The Security Blind Spot
Most PMs treat security as someone else's domain. The security team handles it. The architects review it. The penetration testers find the vulnerabilities. The PM's job is to make sure the security sprint happens on time.
That approach fails in two ways. First, when you do not understand security concepts, you cannot evaluate whether security work is appropriately scoped. Is the team spending too much time on low-risk items? Are they missing critical threat vectors? You cannot tell if you do not speak the language.
Second, security decisions have schedule and budget implications. When a security review surfaces a vulnerability that requires rearchitecting a component, you need to understand the severity to prioritize correctly. Is this a "stop everything" finding or a "fix it next sprint" finding? Without security literacy, you are dependent on someone else's judgment for your own planning.
What the Certification Taught Me
The ISC2 CC covers security principles, network security, access controls, incident response, and security operations. It is foundational, not deep. But that foundation changed how I participate in security conversations.
I can now read a threat model and understand the risk ratings. I can evaluate whether a security requirement is proportionate to the actual threat. I can push back when security theater is eating sprint capacity, and I can escalate when real risks are being deprioritized.
The Broader Pattern
This is the same principle behind understanding CI/CD, performance testing, and AI governance. PMs do not need to be experts in these domains. But they need enough knowledge to make informed decisions instead of blindly deferring.
Every certification I pursue fills a gap in my ability to lead effectively. Security was one of the biggest gaps. Now it is not.