What happens when cybersecurity knowledge walks out the door

In this Help Net Security interview, Andrew Northern, Principal Security Researcher at Censys, explains why mentorship matters and what organizations risk losing when senior staff disengage. He argues that institutional memory and judgment under pressure are difficult to rebuild once they disappear.

Northern also pushes back on the idea that mentoring makes someone replaceable, saying it can strengthen both the mentor and the team. He discusses how mentorship can tie directly to measurable security outcomes, including faster incident response. He also outlines where organizations are lowering technical expectations through tool-first training and over-reliance on automation. Finally, he explains which foundational skills early-career defenders still need, even as security environments become more automated.

When senior defenders disengage from mentoring, what knowledge is most at risk of being lost: tacit skills, institutional memory, or judgment under pressure? Which of those is hardest to replace?

When senior defenders disengage from mentoring, all three are at risk, but institutional memory and judgment under pressure are the most difficult to replace. Defenders are often responsible for protecting environments shaped by regulatory constraints, accumulated technical debt and budget limitations, which leave many organizations with long legacy tails. The knowledge required to secure these systems and understand their baseline behavior often lives with the original operators and architects.

Once they retire or leave the organization, institutional memory erodes quickly. Tacit skills can sometimes be rebuilt through repetition, but judgment under pressure is developed over years of operating in imperfect environments, responding to incidents with incomplete information and understanding how small decisions cascade through interconnected systems. In legacy-heavy environments, the combination of context and judgment is rarely written down, and once lost, it is exceptionally hard to recover.

How do you persuade experienced engineers and researchers that mentoring is not a career risk but a form of professional leverage?

Early in my career, some of the best advice I received was to always mentor yourself out of a job. The idea is not to make yourself replaceable in a negative sense, but to recognize that capability scales through people, not through individual effort alone. It is almost guaranteed that if there were two people with the same level of context and competence, there would still be higher-value work that needed attention. The constraint is rarely a lack of problems to solve. It is a lack of time, focus, and durable expertise.

Passing knowledge on to others reinforces your own understanding of a topic and forces you to articulate assumptions that may have gone unexamined for years. Teaching exposes gaps in reasoning, clarifies mental models and often reveals where experience has turned into habit rather than deliberate judgment. In the process, a mentee develops into a peer who can independently assess problems, share operational load and challenge conclusions with informed skepticism rather than deference.

It is also important to recognize that mentoring relationships are not one-directional. While mentees gain context, confidence and technical grounding, mentors benefit from sustained engagement rather than isolation. Burnout is a real and persistent risk in demanding technical roles, particularly in security, where ambiguity and pressure are constant. Longevity in this work is often supported by the relationships and trust built through collaboration and shared problem-solving.

Mentors are also routinely exposed to new technologies, tooling, or analytical approaches that mentees bring with them. Curiosity often enters an organization through its least tenured members. When mentorship is treated as a two-way exchange rather than an obligation, it becomes a mechanism for renewal, adaptation, and collective resilience rather than a drain on productivity.

I had the opportunity to mentor dozens of middle school and high school students through the CyberPatriot program, and I am proud to have helped many of them take their first steps toward careers in information security. Several went on to pursue formal education and early professional roles in the field, and a number ultimately secured positions at organizations where I previously worked. Seeing progression in real time reinforces the long-term value of mentorship, not as an abstract ideal, but as a durable community investment that continues to pay forward over time. Though this was not on-the-job mentorship in the traditional sense, it underscores the importance of community alongside formal professional development. Communities create early access to guidance, encouragement and technical exposure long before an individual enters the workforce.

If you had to justify mentorship investment to a skeptical board or CFO, which security outcomes would you tie it to?

It depends on the function, but many capabilities can be measured to justify mentorship investment. For example, a seasoned SOC technical lead sharing experience and operational knowledge with analysts who are just beginning their watch can lead to reduced mean time to response.

You have warned against downplaying technical rigor. Where do you see organizations unintentionally lowering the bar, whether through tool abstraction, over-reliance on AI, SOC workflow design, or training expectations?

Much of the persistent disconnect in how information security (infosec) is framed starts with how academic programs, for-profit certifications and bootcamps market the field. Infosec is often presented as an entry point, rather than a specialization built on prior operational experience; this framing quietly lowers expectations around technical rigor.

Tool-first curricula and credential-as-competence narratives prioritize familiarity with platforms over a real understanding of Windows and Linux internals, networking and system behavior. The result is defenders who can operate abstractions but struggle to reason independently when automation, AI or prescribed workflows break down. Effective defense still relies on the defender’s understanding of how systems are designed, how they are actually used and how they interconnect, because that is what enables defenders to recognize abuse, identify anomalies and assess architectural risk with confidence.

What foundational skills do you believe early-career defenders cannot skip, regardless of how automated security environments become?

Even as security environments become more automated, there are foundational skills that defenders cannot bypass. A firm understanding of Windows and Linux administration, networking fundamentals, and how systems are architected and interconnected is table stakes. Without this baseline, it is not possible to reliably understand normal behavior, reason about anomalies, or evaluate whether an alert, response or assessment is technically sound. Automation can surface signals at scale, but it cannot substitute for an operator’s ability to contextualize those signals within real system behavior.

Alongside operating systems and networking, adjacent technical disciplines play a critical role in effective security work. Foundational knowledge of software development provides insight into how vulnerabilities arise and how they are exploited in practice, not just how they are labeled. Understanding concepts such as memory management, control flow and error handling allows defenders to reason about issues like stack overflows or logic flaws beyond surface-level indicators.

Similarly, experience with database design and administration creates an intuitive understanding of how malicious SQL queries differ from legitimate application behavior during incidents involving SQL injection. Web development expertise contributes the ability to quickly recognize abnormal patterns in client-side and server-side code, including malicious stagers injected into compromised websites or abuse of common frameworks and libraries.

These skills are not interchangeable, but they are complementary. Each provides a different lens for interpreting the same incident, reducing reliance on signatures or vendor classifications and increasing confidence in analytical judgments. Over time, this breadth allows defenders to distinguish between theoretical risk and operationally meaningful threat activity.

This foundation also enables progression into more specialized roles such as penetration testing or cyber threat intelligence. Penetration testing requires an understanding of how secure systems and networks are designed and operated before attempting to identify weaknesses. Cyber threat intelligence requires technical depth and analytical discipline, not just the ability to communicate clearly or summarize reports. These are not entry-level positions because they depend on accumulated context and judgment built through hands-on technical exposure.

These skills compound over time and form the substrate that automation builds on, rather than replaces.