Beyond Hackers in Hoodies: A Project Manager’s Move into Cybersecurity
Lessons on transferable skills, team alignment, and process improvement from engineering to security
After spending the first half of my career as a project manager in engineering, I spent a lot of time wondering if the move to security would be right for me. What I knew about the industry was primarily limited to what you see in movies, hacker in a black hoodie included. However, there’s an entire ecosystem involved that was completely different from how I imagined, where the program/project management piece plays a critical role, just like in engineering.
In the product space, my focus was on delivering features and innovation, such as accessibility or performance. With the shift to security, my goal became to align teams on projects around governance, compliance, and risk reduction. This wasn’t as visible to end users, but was critical to the business.
As an engineering project manager, I relied on Scrum or Lean to improve predictability within the teams. Very few shifts in priorities came outside of testing or bug escalations, helping to keep the teams working at a steady pace for reliable planning and forecasting. The move to security highlighted differences almost immediately. My first initiatives involved onboarding new tools with vendor evaluations showing what was wrong with a tool (security flaws, vulnerabilities, and risks) instead of new functionality that it offered. The process felt like more of a Lean way of working with Waterfall checkpoints and shifted how I needed to think about project success. Instead of focusing on uptime and UX, my leadership cared about KPIs around detection and response time (MTTD and MTTR).
Over time, the transferable skills that I brought to the role became increasingly valuable. Risk management and stakeholder alignment benefited from my strong facilitation and organization skills, while my background in product gave me insight into how engineering teams operate day to day. This perspective helped me anticipate roadblocks, adjust processes, and ultimately make it easier to get things done. Without this support, the security team members would be spending more of their time on coordination instead of testing, defending, and risk reduction.
I was also able to bring in tooling expertise from earlier roles. Automations, dashboards, and streamlined intake processes in Jira freed up the teams’ time, as that is often the most expensive resource in any project. While working on a Purple Team engagement, I created intake and notification workflows to ensure that the required information was gathered easily and the right team members were notified via email and Slack. I was able to reduce lead time before an exercise, giving the team members more bandwidth for asking the right questions and validating requirements.
For those aspiring project managers, cybersecurity needs more than pentesters and defenders. It needs planners, communicators, and strategists to make sure that the technical expertise is spent where it matters most. Project management can be a natural entry role for those with leadership and facilitation skills, and still make a measurable impact. Through my career from product into cyber, I’ve learned that even if I’m not the one defending an asset or reverse engineering an exploit, I’m still a critical part of the team. By focusing on improving processes and managing complex initiatives, I have helped security teams to spend less time on coordination and more time on reducing risk and keeping the company secure.