Too many people are unsure how to enter or grow in the cybersecurity industry. It's a relatively young field, and we haven’t done a good job of defining what it means to have a career in it. Hiring managers who are worried about finding candidates because of the much-discussed cybersecurity skills gap should consider the underlying issue, which I'd like to call the cybersecurity careers gap.
The cybersecurity careers gap is the idea that it’s hard for security professionals to enter and progress in the field of cybersecurity. The shortage of qualified security professionals probably isn’t due to insufficient training options–many free and commercial learning opportunities exist. Instead, what people find difficult is finding a first job in which to apply and expand their skills over the years. It’s also hard to determine how to turn a series of successive jobs into a career.
To address the cybersecurity careers gap, established practitioners should:
Those just entering the field should put effort into understanding their interests and how they map to various career options. Becoming a chief information security officer (CISO) might not make sense for everyone in the field, and that’s okay. Depending on individual interests and goals, someone might not want to manage a team, and instead, might want to spend their career on the hands-on technical side.
We need all types of people in cybersecurity because of the variety of challenges we’re solving. For those who are deeply analytical or uncommonly creative, we can use your help. Whether people excel in human or computer communications, we can use the help. For example, at my former job, we loved hiring former bartenders who had an interest in security and tinkered with IT gadgets as a hobby–they were strong at multitasking and interacting with people.
By allowing non-traditional practitioners to fill entry-level cybersecurity roles, organizations can increase the number of people entering the career funnel. Many of them will develop advanced expertise with the right mentorship and training. This requires adjusting job requirements for entry-level roles, reaching out to people outside the traditional talent pool, and making them feel welcome. Organizations should also build programs that guide new hires through cybersecurity career pathways.
How should people progress in their cybersecurity careers? There are so many different roles, titles, and responsibilities. They differ across companies, geographies, and industries, and confusion regarding the best approaches to climbing the career ladder probably discourages many individuals from attempting to enter the profession in the first place. Moreover, such uncertainty leads to current cybersecurity personnel failing to progress in their professional journey.
Today, resources are starting to appear that can guide new and existing professionals. For example, SANS Institute, which offers cybersecurity training, published a skills roadmap that outlines several possible career paths and associated skills. Various government organizations also offer detailed guidance, including:
Those new to the industry, or those wondering whether cybersecurity would work for them, will also benefit from the book by Alyssa Miller, Cybersecurity Career Guide.
These resources can help new and experienced professionals navigate cybersecurity career paths. They can also help hiring managers and HR professionals recruit and retain talent.
Even more experienced professionals can get lost in their career journey without the right support and guidance, given the many types of positions under the cybersecurity umbrella. It’s even more likely for those who are new. How might a person with a network security background get into incident response? What awaits those who get tired of working in a security operations center (SOC)? What paths exist for technical people who don’t want to become managers? These questions are hard to answer alone.
People need to understand their capabilities and strengths to progress in their careers. They also need people around them to whom they can turn for advice. Those seeking guidance can turn to professional security organizations that offer educational and networking opportunities. There are also mentorship initiatives, such as Women in Cybersecurity (WiCyS) and Cyversity, which pair mentors with mentees and facilitate fruitful interactions.
By being open to newcomers, exploring different career paths, and supporting each other, we can grow the number of cybersecurity professionals and chart professional development paths for each other to cover the cybersecurity careers gap.