
The Exam Teaches the System as Designed. The Enemy Attacks It as Deployed

We have a generation problem in cybersecurity, and it isn’t a skills shortage; it’s a skills mismatch. When I train my staff, I train them for the real world: to think like a criminal. We’ve spent two decades training defenders to pass exams. CISSP, CISM, CISA, the entire ISACA canon: they teach control families, risk matrices, audit trails, and the comforting fiction that a properly documented framework keeps you safe. It certainly does not.


These credentials produce people who can map a NIST control to a policy line and close a finding before the auditor leaves. What they do not produce is people who think like an attacker, someone who refuses to play by the rulebook. I tell staff all the time: get the cert to get past HR, because HR has no idea what we do but has googled that these certs are good to have. Honestly, I don’t think much of an IT or audit manager with five certs after their name and ten years at the same firm. You need to get out there and see multiple environments, and understand multiple attack vectors, systems, and applications.


That’s the heart of asymmetric warfare, and it’s where we are dangerously exposed. The math is brutal. A Shahed-136 drone costs roughly $20,000–$50,000; the Patriot interceptor that kills it costs millions. In June 2025, Ukraine’s “Spider’s Web” operation used over 100 FPV drones, built for a few thousand dollars each, to strike five Russian air bases and disable more than 40 aircraft, including strategic bombers. The attacker spends pennies; the defender spends fortunes. 


Cyber is the same asymmetry with no airspace to monitor. A single phishing email, one unpatched edge device, one bored insider, and the multimillion-dollar security program built to satisfy auditors is irrelevant. Our adversaries, state and non-state alike, don’t sit for certifications. They improvise, they scale, they exploit the gap between what’s documented and what’s actually defended. Meanwhile we keep rewarding compliance over creativity, checklists over curiosity, and “best practices” that were best a decade ago. The exam teaches you the system as designed. The enemy attacks the system as deployed. Those are never the same thing. Real readiness means red-teamers who break things, threat hunters who assume breach, and leaders who fund resilience instead of paperwork. It means hiring the curious over the credentialed and treating frameworks as a floor, never a ceiling. 


Until we stop confusing certification with capability, we’re training an army to win a war nobody is fighting, while the actual war is already underway, cheap, fast, and asymmetric. The attackers have already adapted. The question is whether we will, before the lights go out.


Timcke Risk Management, LLC

660 Massachusetts Ave

6th Floor, Boston, MA 02118

 

© 2025 by Timcke Risk Management, LLC
