All articles in the "Introduction to Cyber Security" series
- Cyber Security. Not What I thought
- Basics of Cyber Security Requirements
- The CIA Triad
- Introducing the ASD
- Introducing the Essential 8
- Mapping Strategies to controls
- Threats, Vulnerabilities, and Risks
- Introduction to Risk and Risk Management
- ICT Assets and Asset Registers
- Cyber Threat Awareness
- Introduction to Cyber Incident Response Plan
- Risk Management and Cyber Controls
- Risk Mitigation Plans
- Implement Security Controls
- Measuring Security
- Exploring Implementation Discrepancy
- CIRP as a Mitigation Strategy
Cyber Security. Not What I Thought!
But I Like It… It's Strangely Familiar
When I first approached cyber security, I expected something closer to what most people see in films: hooded figures typing furiously, digital spycraft, and last-minute counter hacks and tracers pinging around the globe. What I discovered instead was very different and much more familiar.
Cyber security is not about Hollywood drama. It is about process. It is about structure, documentation, and discipline. It is about planning ahead, following standards, and testing until systems prove they can stand up under pressure.
To be honest, I understand why many steer away from the subject when it is introduced: it is dry, bound up with process and procedure, and very unsexy compared to movies or the extreme end of red team / blue team war games ("hacker games" as a spectator sport).
To my surprise, much of this felt familiar because it reminded me of my background in refinery and processing plant commissioning and testing.
Commissioning and testing vs. Cyber Security
In industries like oil, gas, and mining, testing means validating that systems are safe, reliable, and compliant before going live. This involves:
- Defining scope and producing detailed procedures and work packs.
- Constant stakeholder engagement and coordination across multiple teams and disciplines.
- Creating detailed test plans and defining what gets tested and how.
- Performing functional tests to expose weaknesses.
- Verifying integration across complex systems.
- Producing documentation and sign-offs to prove readiness.
Cyber security follows strikingly similar steps:
- Security plans define controls and acceptance criteria.
- Vulnerability scans and penetration tests expose weaknesses.
- System-wide checks validate alignment across networks, identity systems, and backups.
- Audits, logging, and governance provide traceability and assurance.
The mindset of “test first, validate, and document” ties the two worlds together.
Why Industrial Skills Transfer Well
Having worked in commissioning and industrial testing, many of the practices directly apply to cyber security:
- Discipline and process: Working through structured phases is familiar and well practised.
- Threat and risk assessment: In refineries, offshore platforms, or processing plants, risk assessments determine hazards and potential consequences. In cybersecurity, the same discipline identifies threats to data and systems, weighing likelihood and impact to guide mitigations.
- Mitigation controls: Just as a hierarchy of controls reduces physical risks in industrial projects, cybersecurity employs preventative, detective, and corrective controls to contain digital risks.
- Test planning: Knowing how to define, run, and record tests is invaluable.
- Understanding Integration: One weak link can compromise an entire system in both fields.
- Change management: Documentation, versioning, and updates are critical in both domains.
- Validation: The principle is the same: stress-test before failure happens. Prove the controls, procedures and response plans work adequately.
Rethinking What Cyber Security Means
This experience changed my perspective. Cyber security isn’t about waiting for hackers to strike. It’s about embedding resilience by design. Success in cyber security comes not from reacting to incidents but from proactively identifying and addressing vulnerabilities before threats impact operations. This is similar to how a commissioning engineer ensures a system is safe and fully operational before handover.
Lessons from Industrial testing and the Transition into Cyber Security
Coming from my industrial background, I’ve found that many of the skills and disciplines I developed translate directly into cyber security. My experience in procedure writing and systematic test planning applies to designing and implementing security controls, treating cyber security test matrices much like commissioning test sheets.
I find a strong comparison between the acceptance criteria and sign-off processes of commissioning and evaluating control effectiveness in networked information environments, using familiar benchmarks to assess security posture. Processes around documentation, incident response planning, change management, and audit trails contribute to traceability and compliance in cybersecurity mitigation and incident response plans.
I can bring a culture of specification-driven verification, moving beyond ad hoc configurations to evidence-based validation of security controls. My understanding of risk, governance, and operational assurance allows me to contribute quickly and to lead in establishing structured verification and compliance practices.
Cyber security turned out to be less about hacking and more about structured “assurance”. For me, that made it not only approachable but engaging. Commissioning and testing taught me the value of procedure, verification and documentation, and in cyber security that understanding and mindset are not only helpful, they’re essential.