Cybersecurity Wasn’t What I Expected

You probably know the image.

Someone sitting in front of several computer monitors, wearing a sweatshirt with the hood pulled up, typing away while trying to break into a system.

Cybersecurity seemed to be everywhere. News stories about data breaches. Companies dealing with ransomware attacks. Phishing emails showing up in inboxes. Phone scams. Spoofed websites. Every few weeks there seemed to be another story about a company being attacked or customer information being exposed.

I decided to take the Google Cybersecurity Certificate because I wanted to understand what all the discussion was about.

What I found was not what I expected.

What I Expected

I expected to learn mostly about hackers, attacks, malware, and how criminals break into systems.

Those topics were certainly discussed, but they turned out to be only one part of a much larger picture.

Instead, I found myself learning about risk management, security frameworks, incident response, vulnerability management, monitoring, logging, and security policies.

At first, I was surprised.

Why spend so much time talking about processes and planning when the threat seems to be the attacker?

As I continued through the course, I began to understand why.

The Question I Kept Asking

One question stayed in the back of my mind throughout the course.

Why wasn't security built into everything from the beginning?

When the internet started becoming popular, people were excited about connecting computers, sharing information, sending email, and building websites. The focus was on creating what many called the Information Superhighway.

The internet was growing rapidly and creating opportunities that had never existed before.

That doesn't mean nobody cared about security. But the internet was much smaller, and few people imagined how much business, banking, shopping, healthcare, and personal communication would eventually move online.

As more valuable information moved online, the risks increased.

And wherever there is value, there are people looking for ways to exploit it.

Security Is More Than Technology

One of the biggest surprises for me was learning that cybersecurity is not just a technology problem.

It is also a business problem.

Before taking the course, I assumed that if a company found a security problem, they would simply fix it.

The reality is more complicated.

Every fix takes time, money, planning, testing, and resources. Organizations have to decide which risks require immediate attention and which can be addressed later. Engineers have limited time. Systems cannot always be taken offline. Businesses still need to serve customers and keep operations running.

Security often involves trade-offs.

That was something I had never really considered before.

A Different Perspective

Another thing that changed for me was how I view everyday technology.

Software updates, for example, used to feel like an inconvenience. Now I understand that many updates contain security fixes for vulnerabilities that have already been discovered.

I also have a greater appreciation for the work that happens behind the scenes.

The analysts monitoring systems.

The teams responding to incidents.

The engineers applying patches.

The people making decisions about risk and priorities.

Most of that work is invisible when everything is running smoothly.

My Biggest Takeaway

I started the Google Cybersecurity Certificate because cybersecurity seemed to be everywhere and I wanted to understand what all the discussion was about.

What I discovered was that cybersecurity is much broader than the headlines suggest.

It's not just about hackers, malware, or the latest breach in the news.

It's also about risk, planning, priorities, and the ongoing effort to reduce risk in a world that becomes more connected every year.

I finished the course with a better understanding of why cybersecurity matters and why organizations invest so much time and effort into it.

And perhaps my biggest surprise was realizing that some of the most important work in cybersecurity happens long before an attack ever occurs.