Too many people are unsure how to enter or grow in the cybersecurity industry. It's a relatively young field, and we haven’t done a good job of defining what it means to have a career in it. Hiring managers who are worried about finding candidates because of the much-discussed cybersecurity skills gap should consider the underlying issue, which I'd like to call the cybersecurity careers gap.

The cybersecurity careers gap is the idea that it’s hard for security professionals to enter and progress in the field of cybersecurity. The shortage of qualified security professionals probably isn’t due to insufficient training options–many free and commercial learning opportunities exist. Instead, it’s finding a first job to apply and expand skills over the years people find difficult. It’s also hard to determine how to turn a series of successive jobs into a career.

Addressing the Careers Gap

To address the cybersecurity careers gap, established practitioners should:

• Think outside the box. Develop an approach that allows organizations to hire people with non-technical backgrounds for entry-level roles–musicians, hospitality workers, teachers, and so on.
• Explain what a cybersecurity career entails. Define and communicate pathways for progressing in the field, helping individuals get started and progress in their career journeys.
• Offer career counseling to people already in the field. Help practitioners map their strengths and aspirations to career pathways to help ensure their professional journey is fulfilling.

Those just entering the field should put effort into understanding their interests and how they map to various career options. Becoming a Chief Information Security Officer (CISO) might not make sense for everyone in the field, and that’s okay. Depending on individual interests and goals, someone might not want to manage a team, and, instead, might want to spend their career on the hands-on technical side.

Non-Traditional Practitioners Welcome

We need all types of people in cybersecurity because of the variety of challenges we’re solving. If you are deeply analytical or uncommonly creative, we can use your help. If you excel in human or computer communications, we can use the help. For example, at my former job, we loved hiring former bartenders who had an interest in security and tinkered with IT gadgets as a hobby–they were strong at multitasking and interacting with people.

By allowing non-traditional practitioners to fill entry-level cybersecurity roles, organizations can increase the number of people entering the career funnel. Many of them will develop advanced expertise with the right mentorship and training. This requires adjusting job requirements for entry-level roles, reaching out to people outside the traditional talent pool, and making them feel welcome.

Organizations should also build programs that guide new hires through cybersecurity career pathways.

Cybersecurity Career Pathways

How should people progress in their cybersecurity careers? There are so many different roles, titles, and responsibilities. They differ across companies, geographies, and industries, and confusion regarding the best approaches to climbing the career ladder probably discourages many individuals from attempting to enter the profession in the first place. Moreover, such uncertainty leads to current cybersecurity personnel failing to progress in their professional journey.

Today, resources are starting to appear that can guide new and existing professionals. For example, SANS Institute, which offers cybersecurity training, published a skills roadmap that outlines several possible career paths and associated skills. Various government organizations also offer detailed guidance, including:

• The National Initiative for Cybersecurity Education (NICE) Framework, created by the National Institute of Standards and Technology (NIST), defines the lexicon for discussing cybersecurity roles. Candidates and HR managers can explore the framework’s content to understand security roles on the Cybersecurity and Infrastructure Security Agency (CISA) website.
• Cyber Seek Security Career Pathway has an interactive website that lets candidates get details about each role and see how it fits into the appropriate career path. For each role, it shows salary information, related certifications, and associated NICE Framework skills.
• The European Cybersecurity Skills Framework (ECSF) document, published by the European Union Agency for Cybersecurity, details common cybersecurity roles. It’s not as comprehensive as NICE, but it offers more information about each role, including titles, mission, responsibilities, deliverables, skills, etc. 

Those new to the industry, or those wondering whether cybersecurity would work for them, will also benefit from the book by Alyssa Miller, Cybersecurity Career Guide.

These resources can help new and experienced professionals navigate cybersecurity career paths. They can also help with hiring managers and HR professionals recruit and retain talent.

Career Guidance and Mentorship

Even more experienced professionals can get lost in their career journey without the right support and guidance, given the many types of positions under the cybersecurity umbrella. It’s even more likely for those who are new. Consider:

• How might a person with a network security background get into incident response?
• What awaits those who get tired of working in a security operations center (SOC)?
• What paths exist for technical people who don’t want to become managers?

These questions are hard to answer alone.

People need to understand their capabilities and strengths to progress in their careers. They also need people around them to whom they can turn for advice. Those seeking guidance can turn to professional security organizations that offer educational and networking opportunities. There are also mentorship initiatives, such as Women in Cybersecurity (WiCyS) and Cyversity, which pair mentors with mentees and facilitate fruitful interactions.

By being open to newcomers, exploring different career paths, and supporting each other, we can grow the number of cybersecurity professionals and chart professional development paths for each other to cover the cybersecurity careers gap.