Creating a Roadmap for Your Dream Cybersecurity Career
Many of us build our cybersecurity careers based on whatever opportunities pop up or based on the first job we can find. While there is nothing wrong with this approach, it may not result in the perfect role for you. I want to spend some time reviewing how we can both approach opportunities with a long-term view and create the right opportunities for where we want to end up. I’ll start with a focus on getting into the ‘right’ cybersecurity field and then cover how to build the skills you need to advance. Finally, I’ll explain how to map out a path so that you end up in your dream job.
If you are thinking about starting a career in the cybersecurity field, I would advise you to consider what kind of role would be a good fit for you. I group cybersecurity industry roles into three categories: engineering/operations, analyst and policy/compliance.
Engineering/Operations (Ops)
This specialty focuses on building and managing security controls and tools. This could include being a systems engineer who is part of an ops team or part of the architecture team; in an organization using DevSecOps methodology, you would also need coding skills. If you like to make things work, this could be a good fit.
Analyst
If you like to solve puzzles, then consider incident response/security operations center (SOC) analyst roles (these involve real-time detection of intrusions), penetration tester roles (which involve validating the infrastructure by acting like an attacker) or forensics (determining what happened and presenting the evidence in court). It is worth noting that the analytics group tends to work extended hours during incidents.
Policy/Compliance
In these roles, you develop policies and ensure they are followed, including complying with relevant regulations and legislation. This team protects the company from external audits and lawsuits. Compliance is a good place to start if you don’t have a technical background and want to branch out into the auditor field.
These roles are only a brief subset of the options across the cybersecurity industry, but I think they represent a good baseline. Think about what skills and temperament you would need for each of these. Review job descriptions, talk to folks who work in the industry and read stories and books from experts in the field you’re interested in. This will help you understand the true nature of the role. Then, decide which one is the best fit for you. If none of them fit, keep searching! There are so many cybersecurity opportunities; eventually, you will find the right role for you.
Advancing Your Career
Once you are working in the cybersecurity field, you quickly realize it is constantly changing. You will need a program to both maintain your expertise and develop the skills necessary for career advancement. Additionally, in this field, you should be comfortable with the idea of retooling your base skill set as technology and industry practices evolve. To develop professionally, I categorize my skills into three legs of a stool that need to be equally strong to support my career.
- Technical expertise: You need to be both current and an expert in your area regardless of which career category you work in. That baseline of expertise changes as you progress through the ranks and as technology changes.
- Leadership and management: You need to be able to lead a team or manage a project. These soft skills are built around interacting with stakeholders, partners and peers to ensure you are successful. Being a subject matter expert alone is not enough if you don’t deliver projects on time, to standard and within budget.
- Risk/Business partner: You need to understand how your role contributes to reducing risk or protecting the company’s revenue. That means you should understand how the company generates revenue. This will allow you to accurately determine risk and recommend appropriate mitigations.
Every year, you need to ask yourself which leg is the weakest and develop a plan to strengthen it. One technique is formal education. This can be a paid course, or there are a number of free resources you can use. The key is to include a way to hold yourself accountable! Another method I find useful is teaming with a mentor. Seek out experts in areas in which you wish to excel and set specific goals with your mentor or coach. Also, you need to determine your preferred learning style and then build the plan around it – reading, lecture, hands-on workshops or a combination of all of these. Teaching others about a topic can be a great way to validate your knowledge.
Finally, I want to talk about managing your career. While there is nothing wrong with taking advantage of opportunities as they present themselves, it is not a guarantee you will end up in the best job for you. So, I recommend you take some time and decide where you want to end up. Consider adopting a technique I call the “North Star.” Imagine the perfect last job to have before you retire. To get you started, I will provide three jobs to select from, but these are just examples; you can come up with the right one for yourself.
- CISO of a Fortune 500 company – this role would focus on leadership skills.
- CTO of a cybersecurity company – this would require a focus on technical skills.
- CEO of a cybersecurity company – this would mean you focus on business skills.
All of these would require a mix of skills, but each would require you to spend more time on one skill set to be successful. I recommend you dedicate some time to looking at job descriptions for the role you want and then read up on what people who have actually done this work recommend to be successful. Additionally, we all change as we grow, so our North Star can change. That said, once you pick your North Star, opportunities should be weighted on how strongly they move you toward your long-term goal. You should be building relationships, developing skills and creating opportunities to get you there now.
One skills-related question I often get is about certifications. I think of these as employability insurance rather than something that will get you promoted. If you decide to get one, then analyze job boards to determine which certifications are most in demand for your desired role. HR departments and auditors love when you can quantify skills, but as a hiring manager, I take certs with a grain of salt. If someone crammed for a course to pass a test, they might not really know how to apply the principles on the job. That’s not always the case, but I have found it to be true in my experience. Note, however, that if you want to work in a heavily regulated industry, certifications are often required. So my answer to ‘Should I get a certification?’ is that I think they add value, but if possible, a person should focus on developing skills rather than collecting certifications.
What next? Hopefully, I have given you something to think about. Depending on where you are in your career, sit down and brainstorm, build a mind map, talk with trusted advisors and loved ones or do some research to find out your answers to the exercises I have suggested above. Think about how you learn, find a mentor, network toward your North Star and find your dream job. Don’t forget to be a mentor, support a local conference or cybersecurity organization and share your lessons learned with others along the way.