There are stories behind cybersecurity’s most consequential moments that don’t exist anywhere. In protecting organizations from disclosure, the field quietly eliminated something it cannot afford to lose: the transfer of real operational knowledge from one generation of practitioners to the next.
Tomorrow’s security leaders are entering territory that has been charted but never mapped. With 4.8 million cybersecurity positions currently unfilled globally and a workforce gap that grew 19% in a single year, the cost of that missing knowledge is no longer theoretical. It is showing up in breach reports.
The missing link between today’s vulnerabilities and tomorrow’s resilience is the knowledge sitting silent in the people who built this field.
The Industry Trained Its Best People to Stay Quiet
When a significant incident occurs, the people closest to it do not get to debrief first. Legal teams arrive before the postmortem does. What gets documented is the version that survives discovery. What gets shared publicly is the version where the organization was largely in control and the lesson is palatable enough for a press release.
In 2022, former Uber CISO Joe Sullivan was convicted for his role in handling a 2016 data breach. The presiding judge used the sentencing to deliver a direct warning to the profession: future cases would result in prison regardless of character or circumstance.
Bitdefender’s 2025 survey of 1,200 IT and security professionals found 58% had been told to keep a breach confidential when they knew it should be reported, climbing to 69% among CISOs and CIOs specifically. Bryan Marlatt, a former CISO, resigned after his CIO asked him to downplay an incident and misrepresent security capabilities on an SEC filing.
These are not exceptions. They are the logical output of a profession that has spent decades being told that honesty is a liability. Cyber is being directed by legal teams whose jobs center on organizational protection, not institutional learning. The byproduct is that the most operationally valuable knowledge in cybersecurity has never been written down. Hiring more people into a broken knowledge transfer system only widens the gap.
The New Cyber Workforce Has a Preparation Crisis
The workforce shortage gets framed as a pipeline problem. The evidence points to something more precise: the field is not just short on people; it is short on transferable judgment.
Practitioners entering the field today inherit frameworks built from what cleared legal review. But these versions rarely determine outcomes for real CISOs under pressure. What’s missing from the curriculum: The instinct developed at 2 a.m. during an active incident. The pattern recognition built across a decade of near-misses. The understanding of how organizational dynamics shape technical decisions.
Other fields that operate under high stakes and time pressure built deliberate mechanisms for exactly this problem. Medicine developed case study culture and grand rounds to turn individual experience into shared knowledge. Aviation created a confidential reporting system that converted near-misses into doctrine and measurably changed safety outcomes over decades. The military put after-action reviews into standing doctrine because they understood that experience degrades unless it is recorded.
Cybersecurity built none of that. And the compounding effect is now showing up in workforce preparedness and retention data. According to ISC2, nearly half of cybersecurity leaders were expected to change jobs by 2025 due to burnout, with a quarter leaving the field entirely. The people carrying thirty years of undocumented experience are leaving faster than they can pass anything on.
Veteran Practitioners Are Cyber’s Untapped Resource
The same attack patterns resurface across cycles because the lessons from each round rarely outlast the people who learned them. Organizations make the same structural mistakes. Defenders face scenarios their predecessors already navigated, without knowing it. This is not a failure of intelligence. It is a failure of infrastructure.
The fix is less complicated than another framework. Senior practitioners need to describe what really happened. Early-career pathways need to be built around proximity to people who have operated under genuine pressure. And organizations need to stop treating their security leaders’ experience as proprietary and start recognizing it as the one asset that genuinely does not scale if it walks out the door.
The knowledge to build a stronger next generation already exists. It is sitting inside the careers of the people who kept critical systems running before anyone had a playbook for doing so. The only thing missing is the deliberate decision to capture it.
About the Author
Danielle Lewan is CEO and Founder of Red Mirror Studios, a cybersecurity media company documenting the experiences of the industry’s senior practitioners. She spent nearly a decade as a marketing executive for cybersecurity startups after a career in investigative journalism, building relationships with security leaders across the industry before co-founding Red Mirror Studios with Clint Howard II.
Danielle can be reached online at [email protected] and at our company website, www.redmirrorstudios.com.

