Starting and Growing a Cybersecurity Career


*All content on this post was human-generated from 20 years of experience.

Cybersecurity is a large field of study and practice. It can be daunting to start and grow a cybersecurity career. However, cybersecurity spans from extremely technical work to legal, policy, governance, and project management, providing opportunities for almost everyone’s unique skills and talents. Two areas of particular interest are the connected fields of digital forensics and threat intelligence.

After over 20 years practicing in the field and mentoring and hiring hundreds in the field, I’ll share some insights for those who want to grow in this area.  Maybe most importantly, I’ll share some “hidden” knowledge that is not widely discussed.

Training and Education

Here is what you need to know: training and education are not very important to managers – they’re nothing but proxies for experience. Experience matters far more to hiring managers. In fact, after 3-4 years in your cybersecurity career and with a well-written resume, you could remove the education section from your resume and you’d be fine (I don’t recommend that, but use it as an illustrative point).

Cybersecurity Certifications

Cybersecurity certifications can be important for two reasons: (1) you are trying to break into a specialty or are new to cybersecurity, or (2) your job requires it. Certifications can be a path to experience. Otherwise, certification chasing is not going to dramatically improve your career over time. In fact, you’ll find many professionals start removing certifications from their resumes after 7-8 years. Instead, take courses that develop the specific knowledge, skills, or areas you need to improve.

Traditional Education/Higher Education

Unlike many other fields, traditional education matters less in a cybersecurity career. Degrees in cybersecurity are still not universal and alone don’t provide much context to your skills and abilities. HOWEVER, many jobs will require a 2 or 4 year degree (which I completely disagree with on ethical grounds), and therefore a degree may be a necessary ticket to getting some positions.

What I, as a hiring manager, actually do love are those with non-technical higher education degrees – philosophy, journalism, literature, history, psychology, politics, etc. Partnered with some technical knowledge, these individuals are usually the most capable individuals I’ve ever hired.

Remember: it takes longer to learn how to communicate and think critically than it does to dissect a packet or a binary.

Military Training

Many cybersecurity experts came from the military. This is very valuable experience. It is not, however, a golden ticket to cybersecurity. For many it comes down to their communication skill in explaining, verbally and via their resume, how their experience translates into a position. Still, it does provide a benefit to a cybersecurity career generally.

Non Cyber/Technical Training

Don’t forget about all of the other skills and abilities you need to rely on!  Writing, public speaking, critical thinking and analysis, PowerPoint slide development (I’m not even joking), business dinner etiquette.  Think more broadly about your skillset and you’ll find yourself even more marketable.

Starting a Cybersecurity Career

There is an old adage that your first job will determine your career more than any other decision. There is SOME truth to that – but most of that truth comes from the decisions we make rather than those which are made for us.

Cybersecurity is a relatively new profession.  Therefore, many of the “old adages” need not apply and you have more power and opportunity than you think you do.  Your first position in cybersecurity is only a small stepping stone. It isn’t insignificant but it isn’t the determining factor many think.  Therefore, at this point in your career focus on just getting a position that follows these general guidelines:

First Cybersecurity Jobs: Where to Start?

  • Government cybersecurity positions. Governments, ahead of most other employers, will provide and pay for training early in your career. This is a great place to start.
  • Look for “operational” experience such as in incident response or security operations.  Even if your interests lie beyond that area, this experience will make you better in all areas of cybersecurity.
  • Look for positions in bigger organizations rather than smaller as they usually spend more money on training and employee development.
  • Ignore your first job title – focus instead on the job’s role and the experience you’re going to gain.
  • Get a position within a security division of an organization. Not only will this help guarantee you’re getting the kind of position you’re looking for, but it will look better on your resume as you progress.
  • Paid internships are AMAZING. Unpaid internships are exploitation.

Applying for Positions

Applying for positions is a terrible thing. It’s impersonal, imperfect, and highly biased.  Here are some things I’ve noticed that can help you.

  • Write a cover letter for positions you really want.  As a hiring manager this is my only chance to get to know you and you can tell me any story you want.
  • Focus on the EXPERIENCE and RESULTS on your resume.  Don’t tell me what you did but what happened because of it.  If you can’t do that on a resume I can’t trust you can explain the impact of your actions in your daily job.
  • Apply directly on a company site instead of a job board site. In many cases these systems are not connected; many managers and HR people don’t look at the job boards often enough, but those who apply directly get attention.
  • Positively interacting with people from your potential employer and hiring manager on social media can be very helpful – especially if you establish some sort of informal relationship well before you apply.
  • Use your social network – tell people you’re looking, have people ask others on your behalf.
  • Ask directly if they have an internship program which isn’t advertised (many companies do).

Growing Your Cybersecurity Career

A dirty secret in the cybersecurity community: where you work or have worked has more weight than what you did.  There are many reasons for this (none of them good or ethical) but it is important for those choosing a career path to understand the reality of the situation.  Therefore, choose your employer more critically than you choose your job.

Cybersecurity is ALWAYS changing – therefore, while many like to have a career path mapped out, many find the map expires before long as the field changes. Therefore, be flexible and creative in your career path. There is no “one path” or “right path.” That same note applies to general progression – in many cases you’ll need to explore a ‘lateral’ position change to get tangential experience before you can move ‘vertically.’

Changing jobs (and employers) is critical to your cybersecurity career path. The quickest and most effective way to improve your career is to quit.  While this message is unfortunate I can’t help but give you the truth.  You should probably change employers every 3-5 years.  Leaving a position after less than a year is a ‘red flag’ without an explanation, but in this industry anything more than a year is generally reasonable.

Another important element is communication and community.  It is important to write or contribute to blog posts.  Consider writing for an academic journal at some point.  Write and distribute blog posts about things you learn.  Attend and present at conferences.  These are all important elements to growing your career and sharing knowledge with others.

Career Progression

There is no formula or common consensus as to a standard career progression. As a long-time manager, here is what I’ve seen for individual roles across the industry.

  • An internship should last 3-9 months possibly up to a year.  Internships are not guaranteed to turn into full-time employment nor should you expect that.  In fact, at the end of your internship I recommend you start applying to many positions so as to gauge your market worth before accepting the first position offered.  Never accept an unpaid internship. That is just exploiting you.  The cybersecurity domain has enough money to pay everyone working a reasonable salary.
  • You can expect to spend 1-2 years in an entry or associate position before either being promoted or (more likely) changing jobs into a full individual contributor role.
  • You can expect to spend another 2-3 years as an individual contributor before being promoted or (more likely) changing jobs into a senior role.
  • A senior individual contributor in cybersecurity can expect to have spent 4-5 years in the field before being promoted to this level. Expect to be at the senior level for anywhere between 2-6 years depending on your specialty – a more unique and in-demand specialty will usually be promoted quicker.
  • It is usually at this level and time that professionals begin to consider whether they want to stay individual contributors or move into management. Being a great individual contributor is not an indicator as to how good of a manager you will be – these are radically different skill sets. Therefore, find manager mentors, talk to them, and have them evaluate both your management skills and your desires before selecting management. Note: managers should not necessarily be compensated more than their employees. Managers don’t carry any more responsibility or risk than any individual contributor – the skills and objectives are just different. Furthermore, it is individual contributors rather than managers that are usually terminated for performance and therefore carry higher risk overall.
  • A principal individual contributor in cybersecurity should have about 10 years or more in the field to reach this level.
  • Above principal are individual contributor titles like: lead, technical director, distinguished, expert, etc. These levels are usually reached after 13-17 years in cybersecurity.

For management roles, timelines are radically different because the skill sets necessary to be an effective manager are far different than those that make you successful in cybersecurity in general.

Selecting a Cybersecurity Specialty

At some point in your early cybersecurity career you should consider selecting a specialty.  I would recommend this about 3-5 years into your professional career.

Being in cybersecurity is like being an engineer or doctor in many ways. There are some generalists, but that isn’t how people succeed in these fields. Instead, you start your career in the general field and then you specialize. In cybersecurity you can specialize in lots of topics. Plus, many topics are tangential, which means these areas give you latitude to float across them more easily.

Most importantly, you’re not stuck in a specialty!!  All you need to do is follow the advice below to start a new specialty when you want.  Like medicine and engineering, many fundamentals transfer across specialties which will make transitioning easier.

Some cybersecurity specialties include: compliance, governance, security operations, incident response, threat intelligence, digital forensics, architecture design, security product development or management, secure coding and development, malware analysis, law and policy, etc.

You ‘select’ a specialty in three ways:

  • Gain experience, knowledge, or education in that specific area
  • Get a mentor that also specializes in that area
  • Contribute to communities of that specialty
  • ‘Advertise’ your specialty: rewrite your resume focusing on your experiences in that area, modify your social media presence around that area, create content like blogging around that area
  • Lastly, get a job focused on that specialty (using your mentor and communities you’ve built in previous steps)

Mental Health

I’ve been very open with my burnout, stress, and anxiety challenges.

Remember, you are not your job.  Your value is not determined by your work or your employer.

Try not to carry the world. Yes, you want a job that makes a difference. Cybersecurity is important, worthy, and an honorable field. But don’t give more than is reasonable. You are your best advocate; fight for yourself. It’s okay for a job to be a job and not a “passion” or “what you love.”

Some Things That Helped Me

A common question I get regularly is: what helped you achieve success in your career? Let me answer that here.

  • Communication. More than any other skill, my time spent learning how to write and present to a variety of audiences is the most important skill I have.  It doesn’t matter how good your ideas are, if you cannot communicate them they don’t matter much.
  • Friendship, Honesty, and Community.  I only leave friends behind wherever I go.  I reach out to learn from others.  I’m an introvert, this isn’t easy, so when I feel myself wanting to shrink back is when I give myself the push to be more outgoing.
  • Analysis. The ability to collect, research, and explore data and ask the right questions to efficiently get to actionable results. One of my greatest teachers was my studies in theology, which taught me effective textual and literary analysis techniques – how to find clues and contextual information in obscure and ancient writings.
  • Give Help and Ask for Help.  Nobody lives in a vacuum and it is only together that we thrive. When someone asks for help you should try to give it.  And in turn, you should not be ashamed to ask for help.
