I recently stumbled on a little extract, “The paradox of skill”, from a book by Michael J. Mauboussin, and it got me thinking. Long story short, the paradox says that as everyone gets better at something, the gap between the best and the rest shrinks, and, oddly enough, luck starts playing a bigger role in who comes out on top. In the investing world, one implication is that even star stock-pickers struggle to beat the market because everyone else is so well trained and well informed. But what about cybersecurity? Let’s take a little trip down memory lane…
Back in the day
Think back to the early 2000s. Security was almost an afterthought in many organizations. A lot of companies didn’t even have dedicated security teams; often it was just “the IT guy” cleaning up viruses between password resets. Hacking incidents were frequent but usually low on sophistication. Many attackers were hobbyists or teenagers in their basements, defacing websites for bragging rights or unleashing goofy worms (ILOVEYOU, anyone?). Sure, there were serious threats even then, but the overall skill level and the tools available were a far cry from today’s standards.
Back then, the balance of skill was heavily skewed. Only a small group of tech-savvy wizards knew how to pull off complex hacks. If you could write a buffer overflow exploit or craft a decent phishing email, you were practically a cyber ninja. Meanwhile, most people and businesses were pretty naïve about security: using weak passwords, ignoring software updates, and falling for obvious scams. It was the era of script kiddies and “spray-and-pray” attacks. And honestly, a lot of those attacks succeeded simply because the bar was low.
Fast forward to today
Now jump to today, and wow, have things leveled up. Cybersecurity is front-page news and a dinner-table topic. Global ransomware waves are knocking out pipelines and hospitals, and massive data breaches are exposing millions of people’s information. In response, companies large and small have gotten serious about security. It’s not just about installing an antivirus anymore: we’ve got chief information security officers in the boardroom and entire security operations centers on patrol. Governments are involved, regulations are in place, and “zero trust architecture” isn’t just a buzzword but the new mantra. In short, the whole ecosystem grew up.
Attackers have seriously upped their game too, and multiplied. Cyber crime went from mostly lone wolves and pranksters to a sprawling underground economy. Today’s hackers include state-sponsored espionage units, organized crime rings, and yes, still the occasional teenager (now armed with far more powerful tools). Perhaps most striking: hacking has been democratized. You don’t have to be a genius to launch a cyberattack anymore. There are black-market kits for sale and plug-and-play malware services. “It’s more widespread, horizontally, where your common criminal element can pick up hacking tools and start targeting organizations,” observed California CISO Vitaliy Panych. In other words, the field of bad actors has widened a lot.
And it’s not just the attackers; defenders are more skilled than ever too. Cybersecurity education and training have exploded. Back in the day, you might have learned on the job or been self-taught. Now there are university degrees, certifications out the wazoo, and a whole industry of training programs. The result? A huge influx of freshly minted cybersecurity professionals. In fact, so many people jumped into the field that landing even an entry-level security job has become a slog. Ten years ago, a two-year degree and a Security+ cert could land you a security gig. Today, the “minimum” for a junior analyst role often looks like a bachelor’s degree, several certs, and a couple years’ experience… an absurd jump in requirements. Both sides of the cyber battlefield have gotten really skilled across the board.
When everyone got good
So, given all this leveling up, where does the paradox of skill come in? The paradox, as Michael Mauboussin explained, is that once everyone gets highly skilled, the difference between the top performers and the average becomes slim, and chance events start to loom larger in determining outcomes.
In cybersecurity, that means the gap between a competently secured organization and a very secure one is often razor-thin, and which of the two ends up in the headlines can turn on events neither controlled. A single unpatched server or one distracted click on a phishing link can be the difference between a clean audit and a front-page breach. You could have a world-class security team, but maybe an attacker happens to find a novel zero-day before anyone else… that’s bad luck. Consider supply chain attacks: even if you’re doing everything right, you could install a signed, trusted software update that’s been secretly poisoned (hello, SolarWinds 2020). In these cases skill reduces risk but can’t erase it entirely; randomness still gets a vote.
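The mechanism behind the paradox can be shown with a toy model rather than just asserted. The simulation below is an added illustration written for this post; it is not from Mauboussin’s book or from the original text, and the numbers in it are made up. It assumes that an organization’s outcome (say, breached or not this year, scored on a continuous scale) is the sum of a latent “skill” term and an independent “luck” term, both drawn from normal distributions. The luck spread stays fixed while the skill spread shrinks, which is exactly the “everyone got good” story above. As skill converges, the correlation between how good a team is and how it actually fares drops, and the fraction of top-decile outcomes that belong to top-decile teams drops with it.

```python
import math
import random


def luck_share_of_variance(skill_sd: float, luck_sd: float) -> float:
    """Share of outcome variance that comes from luck when
    outcome = skill + luck with independent components:
    Var(outcome) = Var(skill) + Var(luck), so the luck share is
    Var(luck) / (Var(skill) + Var(luck))."""
    return luck_sd ** 2 / (skill_sd ** 2 + luck_sd ** 2)


def skill_outcome_correlation(skill_sd: float, luck_sd: float) -> float:
    """Analytic correlation between skill and outcome under the same model.
    It tends to 1 when skill dominates and to 0 when luck dominates."""
    return skill_sd / math.sqrt(skill_sd ** 2 + luck_sd ** 2)


def _pearson(xs, ys):
    """Plain Pearson correlation (stdlib only, so this runs anywhere)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / math.sqrt(vx * vy)


def simulate(skill_sd: float, luck_sd: float, n: int = 5000, seed: int = 7) -> dict:
    """Simulate n organizations. Each gets a latent security skill level and
    an independent luck draw (the unpatched box an attacker happens to find
    first, the poisoned update, the zero-day nobody saw coming). Returns the
    observed skill/outcome correlation and how many of the top 10% by outcome
    were also top 10% by skill. Population sizes and spreads are assumptions."""
    rng = random.Random(seed)
    skill = [rng.gauss(0.0, skill_sd) for _ in range(n)]
    luck = [rng.gauss(0.0, luck_sd) for _ in range(n)]
    outcome = [s + l for s, l in zip(skill, luck)]

    k = n // 10
    top_by_skill = set(sorted(range(n), key=lambda i: skill[i], reverse=True)[:k])
    top_by_outcome = set(sorted(range(n), key=lambda i: outcome[i], reverse=True)[:k])

    return {
        "corr": _pearson(skill, outcome),
        "top_decile_overlap": len(top_by_skill & top_by_outcome) / k,
        "luck_share": luck_share_of_variance(skill_sd, luck_sd),
    }


if __name__ == "__main__":
    # Hypothetical eras: wide skill spread "back in the day", narrow spread today.
    # Luck spread is held at 1.0 in both; the skill spreads are illustrative only.
    for label, skill_sd in (("wide skill spread", 3.0), ("narrow skill spread", 0.5)):
        r = simulate(skill_sd, luck_sd=1.0)
        print(f"{label:20s} corr(skill, outcome)={r['corr']:.2f} "
              f"top-decile overlap={r['top_decile_overlap']:.2f} "
              f"luck share of variance={r['luck_share']:.2f}")
```

The point of the top-decile figure is the one the post makes about both breaches and careers: when skill is spread wide, the best outcomes mostly go to the most skilled; when everyone is clustered near the same level, a large share of the “winners” are simply the ones the dice favored, even though nothing about the luck term changed.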
Luck, careers, and the cyber ladder
And hey, while we’re on the topic of luck… what about career paths in cybersecurity? These days, kinda everyone’s grinding: certs, degrees, bootcamps, side projects, capture-the-flag competitions, you name it. The field is full of smart, motivated folks who’ve done all the right things. And yet, some people rocket forward while others stay stuck in entry-level purgatory. Maybe it’s networking, timing, or just being in the right Slack channel when a job opens up. Or maybe (just maybe) there’s a dash of luck there too. That doesn’t mean skill and strategy aren’t essential (they are), but it’s worth asking: in a field where everyone’s good, how much of success comes from preparation… and how much from being in the right place at the right time?
So, now what?
All this leads to an unsettling question: What do we do in a world where everyone is a cyber ninja, yet breaches keep occurring? If both attackers and defenders have skyrocketed in competence, how do you get an edge? Perhaps this is where creativity and strategy step in: thinking differently, not just deploying the same tools and checklists everyone else has. Or maybe it’s about doubling down on fundamentals like user awareness, patch management, and resilient architectures.
Because here’s the thing: luck might tilt the scales in a single battle, but over the long haul, methodical, disciplined approaches still win more often than not. Skill shapes the odds; luck decides the coin flips. The trick is to make sure your odds are as good as they can be before that coin goes in the air.
We love neat stories: see an effect, pin the cause, roll credits. But in a field where everyone’s skilled and systems are messy, some “causes” are just coin flips wearing a lab coat. When you back-solve from breach to blame, or promotion to “merit”, make room for luck as an additional variable, not an afterthought. Build process, train hard, design for failure… and still budget for the dice roll. If you actually planned as if luck will show up, what would you do differently tomorrow?