"It's a Dangerous Business, Going Out Your Door" - Why the Cybersecurity Community Needs a Fellowship

On June 11th, I'll be delivering the keynote at WISCON 2026, the inaugural Wisconsin Information Security Conference in Madison. It's a brand-new conference, and that matters. New conferences don't come with an established crowd or twenty years of institutional memory. They come with a room full of people deciding whether this community is worth investing in. That's exactly the kind of room where this conversation belongs.

I am presenting "It's a Dangerous Business, Going Out Your Door": A Fellowship Approach to Growing the Cybersecurity Community. The title is borrowed from Tolkien, because the metaphor is too good not to use and because I have an obsession with building talks around cultural references. It just makes me laugh inside when presenting it. But this one isn't just a framing device. The Lord of the Rings is, at its core, a story about unlikely people doing extraordinary things because someone believed in them and walked beside them. That's the conversation our industry needs to have.

The Front Door Problem

The cybersecurity workforce gap is not a new statistic, but the numbers keep getting worse. The ISC2 2024 Cybersecurity Workforce Study estimated 4.8 million unfilled cybersecurity positions globally, a 19 percent year-on-year increase. Two out of three organizations report moderate-to-critical skills gaps, and organizations with critical gaps are nearly twice as likely to suffer a material breach. The 2025 study shifted the framing even further: 95 percent of respondents reported at least one critical skill need, and for the first time, ISC2 declined to publish a single workforce gap number because the problem had evolved from "not enough people" to "not enough of the right skills."

Here's where it gets interesting. Budget cuts have now overtaken a lack of qualified talent as the primary reason positions stay empty. We're not just failing to train people. We're cutting the investments that would make training possible while simultaneously wondering why nobody's walking through the door.

But the door itself is the problem I want to talk about. Not the budget line or the headcount number. The actual experience of trying to enter this industry for the first time.

Think about what that door looks like to someone on the outside. Entry-level job postings that require five years of experience and three certifications. Conference schedules packed with jargon that reads like an encrypted message. Online communities where asking a basic question earns you a condescending "just Google it." The people who could do this work, who would be great at it, are standing outside looking in. And too often, nobody's knocking on their door to say "you're welcome here."

That's where Tolkien comes in.

The Fellowship Model

Frodo Baggins didn't volunteer for the quest. He didn't have a certification in ring-bearing. He didn't have five years of Middle-earth threat intelligence experience. He had curiosity, a willingness to step outside his comfortable round green door, and, critically, someone who showed up uninvited and said, "you're part of this now."

The entire foundation of The Lord of the Rings is built on this premise. Nobody goes on the quest alone. The hobbits didn't start as heroes. They were curious, underestimated, and completely out of their depth. But they had Gandalf showing up at the right moment, Aragorn walking beside them when the road got dark, and a fellowship that brought together wildly different skill sets for a shared mission.

At WISCON, I'm going to walk through what I think the fellowship model looks like when applied to how we build cybersecurity community. Not networking. Community. There's a difference, and it matters.

Gandalf Didn't Do It for Them

The mentorship section of this talk is the one I keep coming back to, because I think we get mentorship wrong more often than we get it right.

Gandalf is the mentor everyone thinks they want. He's wise, powerful, shows up with fireworks, and has all the answers. But look at what he actually did. He identified potential. He created opportunity. He gave Frodo the information he needed. And then he got out of the way. He didn't carry the ring. He didn't walk into Mordor. He trusted the hobbits to walk the road themselves.

That's what real mentorship looks like. Not hand-holding. Not gatekeeping. Lighting the path and trusting people to walk it.

I see three anti-patterns in cybersecurity mentorship that I want to challenge directly. The Gatekeeper, who decides who deserves access to knowledge based on arbitrary thresholds: "You're not ready for that yet." The Savior, who does everything for the mentee and never lets them struggle, so they learn dependency instead of skill. And the Ghost, who agrees to mentor someone and then disappears. All signal, no follow-through.

What we need more of is the Gandalf model. We should be pointing people in the right direction and helping open doors they didn't know existed. And occasionally, when it truly matters, drop fire on a Balrog. Then step back and let them walk.

Organizations like OWASP have been building this kind of mentorship infrastructure for years, from their Meet the Mentor programs at Global AppSec to their chapter-level community events where newcomers can connect with practitioners. The BSides conference network does this at a grassroots level, creating accessible, community-driven spaces where you don't need a DEFCON badge or a five-figure conference budget to start learning. And programs like WiCyS (Women in CyberSecurity) are doing critical work connecting students and career-changers with mentors and professional development resources.

The infrastructure exists. The question is whether we're using it, and whether we're actively bringing people to the door instead of waiting for them to find it on their own.

The Fellowship Was Not a Team of Equals

This is the part of the talk that I think carries the most practical weight.

The Council of Elrond didn't assemble a team of nine Aragorns. They sent a wizard, a ranger, an elf, a dwarf, two men, and three hobbits who had never held a sword in any meaningful way. Every single one of them was essential. Remove Sam and the quest fails at the last possible moment on Mount Doom. Remove Merry and Pippin and Rohan never rides. The "least qualified" members of the fellowship turned out to be the ones the mission couldn't survive without.

This maps directly to how cybersecurity teams and communities should work. The twenty-year veteran sees patterns a newcomer can't. But the newcomer asks the question the veteran stopped asking ten years ago, and sometimes that question cracks something open. The career-switcher from a non-technical background brings perspective that the purely technical team is blind to.

I've spent over 30 years in this industry. I've built incident response teams, architected security solutions for large enterprises, and pentested everything from government agencies to Fortune 100 companies. And I can tell you without hesitation that some of the most valuable contributions I've seen came from people who didn't have the "right" resume. They had curiosity, commitment, and a willingness to ask the questions everyone else had stopped asking.

When we hire for "culture fit" in cybersecurity, we often mean "people who look and sound like the people we already have." The fellowship model says something different. Bring everyone who's willing to walk the road. The differences are the strength.

Community, Not Networking

The most powerful moments in The Lord of the Rings aren't the battles. They're the quiet ones. Frodo on the slopes of Mount Doom, barely able to stand, and Sam saying "I can't carry it for you, but I can carry you." That's not networking. That's community.

Networking is transactional. I meet you because you might be useful to me. Community is relational. I invest in you because we're on the same road. The distinction matters because the cybersecurity industry has gotten very good at networking and not nearly good enough at community.

Community looks like answering the "dumb" question in a Slack channel without making someone feel small. It looks like sitting with someone at a conference who's clearly alone and clearly nervous. It looks like telling someone "you belong here" when imposter syndrome is screaming the opposite. It's not a LinkedIn connection. It's a commitment to show up.

WISCON itself is an example of this. A brand new conference, community-driven, creating a space for people in Wisconsin and beyond to come together around shared purpose. That's how community starts. Someone decides to build a table and then makes sure there are enough chairs.

Even Boromir Had Something to Teach

I'm including a section in the keynote about failure, because I think it's important and because I think we don't talk about it enough. Boromir was brave, skilled, and committed to the mission. He also broke. He tried to take the ring. He fractured the fellowship. And then he died defending Merry and Pippin, and his last words were an oath of loyalty.

The cybersecurity community is not a utopia. Mentors burn out. Communities that start open become cliques. Conferences talk about inclusion while the hallway conversations tell a different story. Some of us have been Boromir. We've let ego, exhaustion, or fear make us the worst version of our professional selves. That doesn't disqualify us from the fellowship. It means we have to own it, repair it, and do better.

The fellowship fractured at Amon Hen. It reformed as something different, smaller groups with different configurations, but still bound by the same mission. That's how real communities work. They break, they change shape, and they keep going. Perfection is not the standard. Persistence is.

The Road Goes Ever On

The close of this keynote speaks to both audiences in the room.

To the newcomers: the door is terrifying, the road doesn't come with a map, and you're going to feel out of your depth for longer than you'd like. But you are not alone on this road. Find the people who will walk with you. Ask the question you think is dumb. Sit in the front row. Introduce yourself to the person next to you. You don't have to know where the road leads to take the first step. Frodo didn't.

To the veterans: you are someone's Gandalf, whether you know it or not. Someone in your orbit is looking at you and wondering if they belong here. Every piece of knowledge you wish someone had shared with you earlier is a map you can draw for someone else. The fellowship was never about the strongest. It was about the willing.

If you're going to be in Madison on June 11th, I'd love to see you at WISCON. It's a new conference, which means we have the chance to build the kind of community this industry needs from the ground up. Wizards and gardeners. Rangers and ring-bearers. Veterans and newcomers who've never left the Shire.

The fellowship was not a team of equals. Let's build ours.