<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Cybersecurity Notes: Situational Awareness]]></title><description><![CDATA[This section covers the most important changes in Cybersecurity and AI.]]></description><link>https://notes.techimpossible.com/s/situational-awareness</link><image><url>https://substackcdn.com/image/fetch/$s_!Vt0i!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F764ddc30-2787-4432-9853-4962e1b70c16_1280x1280.png</url><title>Cybersecurity Notes: Situational Awareness</title><link>https://notes.techimpossible.com/s/situational-awareness</link></image><generator>Substack</generator><lastBuildDate>Sun, 05 Apr 2026 14:39:13 GMT</lastBuildDate><atom:link href="https://notes.techimpossible.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Peter Skaronis]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cybersecuritynotes@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cybersecuritynotes@substack.com]]></itunes:email><itunes:name><![CDATA[Peter Skaronis]]></itunes:name></itunes:owner><itunes:author><![CDATA[Peter Skaronis]]></itunes:author><googleplay:owner><![CDATA[cybersecuritynotes@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cybersecuritynotes@substack.com]]></googleplay:email><googleplay:author><![CDATA[Peter Skaronis]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[The Cybersecurity Career Playbook Broke in 2025]]></title><description><![CDATA[Work arrangements, market mechanics, and what comes 
next]]></description><link>https://notes.techimpossible.com/p/cybersecurity-now-and-after-agi</link><guid isPermaLink="false">https://notes.techimpossible.com/p/cybersecurity-now-and-after-agi</guid><dc:creator><![CDATA[Peter Skaronis]]></dc:creator><pubDate>Tue, 06 Jan 2026 15:17:16 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!cRIh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!cRIh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!cRIh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!cRIh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!cRIh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!cRIh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 1456w" sizes="100vw"><img 
src="https://substackcdn.com/image/fetch/$s_!cRIh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png" width="1456" height="971" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:971,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:2315635,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://notes.techimpossible.com/i/146379243?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!cRIh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 424w, https://substackcdn.com/image/fetch/$s_!cRIh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 848w, https://substackcdn.com/image/fetch/$s_!cRIh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!cRIh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F930e6a70-081d-4d1b-bfc4-3f02669f9928_1536x1024.png 
1456w" sizes="100vw" fetchpriority="high"></picture></div></a></figure></div><p>After a decade as a permanent full time employee in cybersecurity, I was in debt. Then I got made redundant along with 24 other people.</p><p>That redundancy was the best thing that happened to my career.</p><p>Within months of crossing over to contract work, I was earning 3 to 5 times what I made as a permanent employee. I was doing the exact same tasks. The difference wasn&#8217;t my skills. 
It was understanding how companies actually spend money on security.</p><h2>The Diagram</h2><p>Over 20 years working in IT and cybersecurity across Greece, the UK and Canada, I&#8217;ve worked every arrangement on this spectrum.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p1Mf!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p1Mf!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 424w, https://substackcdn.com/image/fetch/$s_!p1Mf!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 848w, https://substackcdn.com/image/fetch/$s_!p1Mf!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 1272w, https://substackcdn.com/image/fetch/$s_!p1Mf!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p1Mf!,w_2400,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png" width="1200" height="773.0769230769231" 
data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:false,&quot;imageSize&quot;:&quot;large&quot;,&quot;height&quot;:938,&quot;width&quot;:1456,&quot;resizeWidth&quot;:1200,&quot;bytes&quot;:412990,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://notes.techimpossible.com/i/146379243?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:&quot;center&quot;,&quot;offset&quot;:false}" class="sizing-large" alt="" srcset="https://substackcdn.com/image/fetch/$s_!p1Mf!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 424w, https://substackcdn.com/image/fetch/$s_!p1Mf!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 848w, https://substackcdn.com/image/fetch/$s_!p1Mf!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 1272w, https://substackcdn.com/image/fetch/$s_!p1Mf!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F057156ad-0910-49b8-91b1-cbb9dc3aa324_2452x1580.png 1456w" sizes="100vw"></picture></div></a></figure></div>
<p>On the left you have the Employee arrangements. Stable, predictable, not tax efficient. On the right you have Business Owner arrangements. Variable, flexible, and where the real money is.</p><p>The center is the pivot point. Most cybersecurity professionals never cross it.</p><h2>The Permanent Employee Years</h2><p>I started on the left side of that diagram. Junior Security Analyst, part of an InfoSec team, doing vulnerability scans, phishing tests, endpoint deployments, policy updates.</p><p>The pay was entry level. Raises depended on annual objectives. I got a bonus a few times when I was working in the UK. Nobody told me it was taxable.</p><p>The pace was slow. The ceiling was low. 
After a decade of this, including on call rotations, I was still in debt.</p><p>Then came the redundancy notice.</p><h2>Crossing Over to Contract Work</h2><p>When I started applying for permanent roles again, recruiters were suddenly helpful. Redundancy makes you a sympathetic candidate. But after two rounds of interviews with no offers, I took my first contract role.</p><p>That&#8217;s when I learned what contractors had known all along.</p><p>Every company has buckets of money called OPEX and CAPEX. These stand for Operating and Capital Expenses. Some departments have allocated project budgets they must spend each year or they lose it. That&#8217;s where external consultants come in.</p><p>When I worked in UK government, every January we had to find contractors to use up the remaining budget. If we didn&#8217;t spend it, next year&#8217;s allocation would drop.</p><p>Now, companies don&#8217;t find contractors randomly. They partner with recruitment agencies. Smaller companies work with multiple agencies but larger companies have only 2 or 3 agencies that they work with exclusively. Sometimes there&#8217;s a Managed Service Provider in between who has the contract with the end client but needs bodies to deliver it.</p><p>Here&#8217;s where you come in. To work as a contractor, you need a few things:</p><ul><li><p>A business incorporated</p></li><li><p>A business bank account</p></li><li><p>Liability insurance</p></li></ul><p>From the company&#8217;s perspective, engaging a business with its own liability insurance is a risk mitigation strategy. It&#8217;s often easier for them than hiring you as an employee.</p><p>Once you have these set up, you can start applying for contract roles. An example workflow goes like this. You find a contract role on LinkedIn. The job posting will be titled something like &#8220;Cybersecurity Analyst 6 Month Contract&#8221;, fully remote or hybrid.</p><p>The decision cycle is way faster than permanent job applications. 
I have been offered contract roles after a single 20 minute phone interview. Sometimes after two rounds, but never the drawn out permanent hire process.</p><p>The money goes into the business and you have flexibility on how to pay yourself. Usually this is through a combination of minimum salary and dividends. It&#8217;s tax efficient in ways that permanent employment never is.</p><p>The upside of this arrangement is that you might be doing the exact same task that you were doing as a permanent employee but being paid 3 to 5 times more.</p><h2>UK Business Tax Reform</h2><p>After 4 years of working on contract roles through my UK limited company, the government introduced IR35 legislation. This put the onus on the clients hiring small business owners like myself and made them liable for additional tax if they were audited and my engagement was deemed to be that of an employee rather than a contractor.</p><p>My contracts were written correctly. I could provide replacement resources if needed. That didn&#8217;t make a difference. Most companies hired the Big 4 (KPMG, PWC, Deloitte, E&amp;Y) to assess their contractor arrangements, and overnight nobody wanted to hire anyone with a limited company.</p><p>If you wanted to keep working as a contractor, you had to register as an employee of an umbrella company that could subcontract you to the client. The daily rate was still better than being a permanent employee but all the income was now taxable. I didn&#8217;t have paid holiday or sick days. Over the coming months the daily rates dropped even further.</p><p>The timing of the global pandemic made remote working mandatory and this made the situation more bearable. But the UK contractor market was permanently changed. I started looking at North American markets instead.</p><h2>Direct Clients and Partnerships</h2><p>Since I still had a business I started working directly with clients. This is the best arrangement. 
It is not easier as you have to be the marketing, sales, project and delivery person.</p><p>At the same time as remote work became the norm, it became possible to work with people globally. While working on moving and starting another company in Canada, I found consulting companies that had an overflow of clients they couldn&#8217;t serve. Instead of going through recruitment agencies, they partnered with other small business owners like myself and worked on SOW (Statement of Work) projects. These would be one off 40 hour engagements or longer term projects.</p><p>This arrangement provides a stream of leads and you can focus on delivery.</p><h2>The Cycle</h2><p>Here&#8217;s what nobody tells you. Until you have your own clients, you&#8217;re caught between a wheel of contract roles and permanent roles. Sometimes the contract market is slow and you have to take a permanent role. Sometimes it&#8217;s the opposite.</p><p>In January 2024 I went back into permanent employment. In March 2025 I was laid off for no reason. There just wasn&#8217;t enough work. In VC funded startups, higher paid roles go first. This was the second time in my career I was laid off in 22 years. Not bad.</p><p>But 2025 was different. Neither market worked. The AI hype, tariffs, economic uncertainty. Everything combined to freeze hiring. Contract roles that used to need 1 or 2 interviews now wanted to take you through 3 or 4 rounds. And they still couldn&#8217;t decide.</p><p>It was unreasonably hard to land even another contract role. That&#8217;s when I focused on getting my own clients.</p><h2>What This Means For You</h2><p>I don&#8217;t have a playbook anymore.</p><p>Everything I described above worked for 20 years. The permanent to contractor jump. 
The wheel between contract and permanent roles when one market went cold.</p><p>In 2025, all of it stopped working at the same time.</p><p>If you&#8217;re a permanent employee in cybersecurity wondering why contractors doing the same work earn multiples of your salary, now you know the mechanics. But knowing the mechanics doesn&#8217;t help when the machine is broken.</p><p>One thing still works: partnerships with larger consultancies. Building real relationships has been more beneficial in the long run than getting a higher contract rate or higher billable hours.</p><p>Another thing that&#8217;s worked at every level: don&#8217;t give textbook answers. When you&#8217;re interviewing for a contract role or pitching a client, understand the problem they&#8217;re trying to solve. Explain how you&#8217;d approach it as if you&#8217;re already part of the team. Take something you did elsewhere and apply it to their environment in real time, using whatever detail they&#8217;ve shared. Make them see you already solving their pain points.</p><p>Throughout all this I learned what amazing consultants look like. Naval Ravikant talks about these traits in an interview: talent, curiosity, good nature, low ego, high drive, and vision. Earned respect, not networked connections. He says the best way to match with people is through work, not just networking. Deeply understand and admire their work. Offer help. Ask good questions. Contribute.</p><p>That&#8217;s been my north star for a long time. Find people you deeply respect. Do good work with them. Build trust over time.</p><p>This isn&#8217;t a playbook. It&#8217;s a map of where the roads used to go, and a compass for what might come next.</p>]]></content:encoded></item><item><title><![CDATA[Cybersecurity Talent Landscape and LLMs]]></title><description><![CDATA[Insights for Aspiring Consultants]]></description><link>https://notes.techimpossible.com/p/cybersecurity-talent-landscape</link><guid isPermaLink="false">https://notes.techimpossible.com/p/cybersecurity-talent-landscape</guid><dc:creator><![CDATA[Peter Skaronis]]></dc:creator><pubDate>Sat, 06 Jul 2024 21:15:22 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!IWrb!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!IWrb!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!IWrb!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 424w, https://substackcdn.com/image/fetch/$s_!IWrb!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 848w, https://substackcdn.com/image/fetch/$s_!IWrb!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!IWrb!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!IWrb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg" width="1152" height="640" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:&quot;normal&quot;,&quot;height&quot;:640,&quot;width&quot;:1152,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:null,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:null,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:null,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!IWrb!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 424w, https://substackcdn.com/image/fetch/$s_!IWrb!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 848w, https://substackcdn.com/image/fetch/$s_!IWrb!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 1272w, 
https://substackcdn.com/image/fetch/$s_!IWrb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F41db7237-899e-4125-8f4b-0e655be3d5bc_1152x640.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture></div></a><figcaption class="image-caption">Cybersecurity Talent Landscape and LLMs</figcaption></figure></div><p>Interviews have always been a necessary evil of the recruitment process. It is a performance. Nobody is their real self and can easily pretend to be whatever you want them to be for those 30&#8211;45 minutes. 
With the addition of Zoom interviews, it has become even more difficult to draw meaningful conclusions after the interaction.</p><p>You always get a gut feeling within the first 5 minutes, and that is important, but assessing the level of understanding a candidate possesses is both an art and a science. I have interviewed candidates throughout my career for various roles, but it has always been face-to-face interviews.</p><p>The pandemic made virtual interactions the new standard. In October 2022, the advent of ChatGPT, a publicly available large language model, changed the world. On the flip side, this elevated the meaning of the phrase &#8220;fake it till you make it&#8221; to a new stratospheric level.</p><p>In the context of interviews, the issue is not entirely with candidates but with the outdated hiring workflow. For years, your chances of being screened through to an interview have relied on keywords within your resume. So, making sure your resume matches the job title of the role you are applying for helps recruiters who do not have a technical understanding to match you with the job description.</p><p>I&#8217;ve had to do this too until I realized how this game works and learned to deal with recruiters.</p><p>Over the past year, every industry has been affected by the use of LLMs, and hiring and interviewing are no exception. Every few months, the iteration of large language models approaches the capabilities of human intellect. The latest models from OpenAI, ChatGPT-4.0, and Claude 3.5 have the reasoning skills of a teenager, and at some point, AGI will be smarter than 8 billion brains combined.</p><p>These are useful and amazing tools that can simplify tasks and amplify our capacity. The one thing they can&#8217;t do, for the time being at least, is sound human. The output is mechanical, and if you read it out verbatim, pretending that these are your thoughts, you sound like a smart assistant reading a Wikipedia article. 
In the past year, companies have been using AI to triage resumes, and candidates have been leveraging AI to pass through that triage.</p><p>There is nothing wrong with utilizing LLMs where it makes sense, but if you are trying to build a whole other persona through LLMs that manufacture a resume for you based on a job description with no basis in reality, then this is misrepresentation. It is actually a felony in 11 states in the US, in the UK, and other countries.</p><p>Over the past 2 months, I&#8217;ve had the experience of interviewing candidates for various levels of cybersecurity roles, all the way from the C-suite to analyst level.</p><p>I was shocked to discover that 70% of the candidates were following the same playbook. Specifically, there were 2 playbooks.</p><p>The first strategy appeared to be using an LLM to tailor the resume based on the job description and using words like senior, experienced for a work history of 3 years in total.</p><p>The second strategy was using a really impressive resume that had a work experience of 15 years and company names like Deloitte, PWC, Accenture. 
The strategy was to read through the made-up resume and then repeat each question with a pause and then start every response with, &#8220;Let me answer that for you.&#8221;</p><p>In either case, when I looked up a LinkedIn profile, the work experience matched the resume, but the roles on LinkedIn were in a completely different department than what was listed on the resume. For example, someone working as an Assistant Store Manager in a retail company had replaced that with Cybersecurity Analyst but had nothing to do with that.</p><p>Some candidates had a resume listing senior roles with the Big 4 but no online presence whatsoever.</p><p>Having LinkedIn is not a prerequisite, but I find it odd for someone to have spent 15 years with the Big 4 and not have any voice online.</p><p>During the interview, the candidates would blatantly read from the screen and in most cases repeat variations of the same answers regardless of the question.</p><p>There was no understanding of any of the domains in cybersecurity for the obviously fake resumes, but even the ones that did work in existing cybersecurity roles did not have any understanding outside of their day-to-day tasks.</p><p>The next striking observation was the correlation between certifications and actual knowledge. As with most industries, most people are split 50/50 on whether it makes sense to pursue certifications or not. I have obtained various certifications over the years, but I don&#8217;t do that anymore. I haven&#8217;t stopped developing my knowledge and understanding, just approach it differently.</p><p>Some of the candidates I interviewed had a list of certifications as long as my arm but couldn&#8217;t explain anything.</p><p>One candidate had just passed his CISSP exam. 
I congratulated him and proceeded to ask what some common domains across frameworks are in which we would look to implement policies, processes, and controls in a small business.</p><p>The answer was, &#8220;I know I just passed the exam, but I don&#8217;t remember any domains.&#8221;</p><p>This relates to a concept called &#8220;The Map is not the territory.&#8221; This phrase was coined by Polish-American scientist and philosopher Alfred Korzybski in 1931. It means that looking at a map of a city is not the same as walking in it and experiencing it yourself.</p><p>The first 3 years of my career in cybersecurity, I was limiting myself to the tasks and activities of my job. As soon as I started getting exposed to other functions and started connecting the dots, I began creating a map in my head after walking through all the domains in cybersecurity. I put in my 10,000 hours and keep going.</p><p>Most candidates have a narrow field of vision and a limited understanding of the big picture, and in some cases have no desire to broaden it, so they turn to ChatGPT as a shortcut.</p><p>The instant gratification promised by internet gurus gives people the false hope of going from 5 figures to 6 figures in 30 days, just because they went through a bootcamp or completed a certification.</p><p>Now, the current advice is to not even do that. The TikTok influencers are showing people that by using LLMs, you can pass technical interviews even in industries like aerospace without prior knowledge. I watched someone interviewing for Boeing as an engineer, answering questions on material strength, and passing the interview.</p><p>This is criminally dangerous. Imagine getting a job at Boeing and being the reason that planes start falling out of the sky.</p><p>If you haven&#8217;t heard it already, LLMs lie.</p><p>Specifically, they hallucinate. This is all to do with their original programming. The goal in most cases is to provide an answer.
It is not to provide a truthful or factual answer but a complete answer, even if the LLM has to manufacture details that are untrue.</p><p>As these models evolve and become more capable, we will always look for people to build relationships based on honesty, integrity, and character. You cannot build these things by repeating words spit out from code. Have more honest conversations. It&#8217;s okay to say, "I don&#8217;t know this." Be honest. Be human. People appreciate that.</p><p>Put in the hours. Ask ChatGPT questions but then go and actually work on a hands-on project. Write a policy document. Use VMs to create a lab. Build a domain, configure group policies, and harden the OS following CIS guides.</p><p>ChatGPT can help with brainstorming project ideas, but you have to actually work on the project. Create something you can talk about and write about. Figure out what interests you and then apply for jobs in that field.</p><p>Don&#8217;t waste other people&#8217;s time. Do something you are proud to talk about to others.</p>]]></content:encoded></item></channel></rss>