From Policy to Pipeline: My Journey into DevSecOps

The most effective security controls aren’t just technically sound; they’re also contextually aware.

I used to live in the world of GRC, where I audited controls, managed frameworks, and ensured we passed compliance checks. I spoke the language of risk, but I was distant from the engineering reality. I realized that for security to be truly effective, it couldn’t just be a checklist; it had to be a built-in feature. That insight, along with a relocation to a new world in the Netherlands, drove my transition into the hands-on world of DevSecOps, where I now work to translate policy into practice within the very tools and workflows developers use every day.

The Missing Piece

Traditional GRC excels at identifying gaps and building frameworks. However, there’s a critical distance between knowing security matters and understanding how to integrate them into fast-moving development environments. I could map risks and audit controls, but I couldn’t sit with a developer and secure their pipeline. That gap became increasingly uncomfortable.

The shifts in the AI world and the new country move offered me a chance to recalibrate. That’s when I enrolled with Cyberella – to gain expertise in integrating robust security measures directly into enterprise development lifecycles, moving beyond theory to practical implementation.

Where Theory Meets Practice

The past six months have been transformative. Revisiting the OWASP Top 10 wasn’t about memorizing vulnerabilities; it was about understanding how security integrates throughout CI/CD pipelines. Implementing SAST/SCA tooling revealed how early detection reshapes team dynamics. Managing secrets exposed the delicate balance between security and developer experience.

The rigor is substantial: 40+ hours weekly of full-stack development, cloud operations, and DevSecOps tooling. However, Cyberella’s approach recognizes that technical depth must be paired with cross-functional communication. The program aimed to support female professionals who can both configure security scanning tools and explain their value to product teams.

Bridging the Communication Gap

In cybersecurity, I see a profound empathy gap. Security teams hear “make it secure” as a technical command, while software development teams often hear it as a checkbox. This assumption, that security happens automatically or is someone else’s problem, is the biggest blocker to building truly resilient systems.

Now, by building my hands-on DevSecOps skills, I am closing the loop. I’m learning to implement the very controls I once advocated for, designing them to work with developer workflows, not against them. My goal is to replace the assumption of “automatic security” with the practical reality of embedded security.

The Path Forward

This time has been devoted to building a bridge, bringing years of context from audit, compliance, and product ownership into DevSecOps roles. The threat landscape has expanded beyond traditional perimeters into software supply chains, shadow AI, and complex dependencies. Organizations need professionals who understand both governance frameworks and the realities of implementation.

In a world where security can’t be an afterthought and compliance must be embedded rather than bolted on, we need people who can bridge both sides. Who can design security controls that developers will actually use? Who can communicate risk in language that resonates with business stakeholders?

That’s the intersection where I’m building my next chapter, where GRC experience meets hands-on security engineering, and where diverse perspectives strengthen the entire security ecosystem. My focus is on building trusted systems that fully integrate security and compliance.
