Unbeknown to many graduates who mostly learn about coding or Information Technology (IT) at university, the cybersecurity field is massive and offers great career opportunities for those willing to invest in it. I have been in this industry for nearly two decades, hired dozens of staff and contractors, spoken at hundreds of events, trained thousands, and run or overseen hundreds of projects. The question I get asked most often is: what should one do to build a career in cybersecurity? I thought I would highlight some important factors that may prove helpful to anyone wanting to develop a career in this exciting domain.
The cybersecurity industry remains a promising growth area. During 2020, while many industries were shedding resources or closing due to the economic volatility caused by a global pandemic, the cybersecurity industry continued to grow. Remote work security risks, increasing cyber-attacks, added compliance, and more contributed to the increased need for cyber professionals.
Why cybersecurity career paths matter
Becoming a well-rounded cybersecurity professional requires taking time to map out your career interests and aspirations. Experience, and the qualifications or certifications to back it up, are critical building blocks for establishing a cybersecurity career. You will become more valuable (and effective) as your career progresses by developing good people and communication skills. I have had many honest conversations with specialists who hold 5+ certifications and years of experience but are very poor communicators. Unless they are content with a role that excludes human interaction, they would be better off spending money on public speaking training or improving their written skills – than investing in a 6th cert. Also, not having a recognised degree or master's qualification will be career-limiting.
Examples of cybersecurity career paths
There are many career paths within cybersecurity. As cybersecurity is a fairly new term (do not forget that information security has been around for ages) and a constantly evolving sector, you may hear different titles or roles used depending on the country or sector you are in. Broadly, however, there are two career paths:
1. Security Management (Governance, Compliance or Risk) → Senior leadership
2. Technical → Specialist roles
1. Security Management (Governance, Compliance or Risk) → Senior Leadership
The security management and governance domain is focused on the oversight and management of cybersecurity within the organisation. Although a basic technology foundation is important, this path is less technical and more about risk management. Instead of configuring systems or analysing bits and bytes, a career in this space entails using business savvy, organisational management, and soft skills to manage security according to international best practices or standards. Sample responsibilities include:
- Cybersecurity governance, compliance or risk
- Policies, standards and processes
- Managing a team or business unit
- Training and awareness
- Audits
- Privacy and third-party risk management
- Project or programme management.
Typical Roles:
- Security Consultant / Auditor
- Cybersecurity Manager
- Information Security Officer (ISO)
- Chief Privacy Officer (data protection focus)
- Chief Information Security Officer or Manager (CISO)
- Executive: Cybersecurity
Valuable Qualifications / Certifications to Obtain:
- Degree → MBA → Doctorate
- ISO 27001 Foundation / Lead Implementer
- CISM / CGEIT / CRISC / COBIT / CISA
- CISSP (Security) or CIPP (Privacy)
2. Technical → Specialist Roles
The technical/specialist domain is all about digging into systems, data, tools, and networks. The primary goal is to prevent, detect, and respond to cyber threats, or to find vulnerabilities in a controlled environment. In an organisation, you would manage security systems and controls such as firewalls, data protection controls, patching, encryption, vulnerability scanning, pen testing, etc. Sample areas of responsibility include:
- Cybersecurity or SOC Analyst
- Cloud Security
- Identity and Access Management
- Security Engineering
- Security Operations
- Vulnerability Management
Typical Roles:
- Security Engineer
- Security Software Developer
- Cryptanalyst / Cryptographer
- Cybercrime / OSINT Investigator
- Ethical Hacker / Penetration Tester
- Malware Analyst
- Security Analyst / Administrator
- Security Architect
- Computer Security Incident Responder
- Computer Forensics
Valuable Qualifications / Certifications to Obtain:
- Degree → Masters → Doctorate
- Security+ or CASP
- CISSP
- Then depending on specialisation:
- CEH / OSCP (Red Team)
- TOGAF / SABSA (Architecture)
- CHFI / GIAC GCFE / ACE / EnCE (Cyber Forensics)
- CIH / GIAC GCIH / IHRP (Incident Response)
Before committing to a career in cybersecurity, try to expose yourself to as many different areas as quickly as possible. This can often be achieved by volunteering in as many areas as possible, joining industry forums and listening to expert talks.
Also, do not be afraid to approach people in the industry for a quick 30-minute coffee chat – you will be amazed at the pearls of wisdom you can glean over a cup of frothy cappuccino.
Craig Rosewarne is the MD of Wolfpack Information Risk - a South African firm established in 2011 that provides information risk and cybersecurity services to governments & organisations. He founded Alert Africa in 2015 to provide free awareness resources and assistance to victims of cybercrime or harassment.