Cybersecurity Career Path: How to Start and Grow

There’s continuing good news for tech professionals and recent college graduates: demand for skilled cybersecurity workers remains robust. A recent report from CyberSeek estimates there are nearly 770,000 open cyber positions as of September 2022, and job postings in the industry remain robust even as some other sectors of the U.S. economy have started to cool.

The problem, however, is that many tech pros and recent graduates have trouble starting their path toward a cybersecurity career. Having the right tech or cybersecurity experience is a specific concern for potential candidates, according to the 2022 (ISC)2 Cybersecurity Workforce Study report released this month. In a survey of more than 11,000 global security professionals, researchers found that, from 2021 to 2022, “practical skills and experience have grown into being more important qualifications for those considering employment in the cybersecurity profession.”

For example, the (ISC)2 survey found greater emphasis is now placed on relevant IT work experience, strong problem-solving abilities, and relevant cybersecurity work experience.

The report (and others like it) demonstrate that the cybersecurity industry needs to do more to help train tech pros and recent graduates to ensure that hiring can keep up with the current demand. “We need to accelerate the need for skilled workers in cybersecurity and fast track them into the industry as the skills shortage is only getting larger,” Joseph Carson, chief security scientist and advisory CISO at security firm Delinea, recently told Dice. “Cybersecurity is not simply an industry issue, it can impact all of society. Cybersecurity is no longer just a career path. It is an essential skill in today’s digital society.”

Gaining enough relevant experience and developing the right skill set to enter the cybersecurity industry may appear daunting, but experts noted numerous resources can help prepare candidates for a cybersecurity career and lay the groundwork for later promotions and advancements.

Cybersecurity: Where Can Tech Pros Start?

For tech pros and graduates interested in a cybersecurity career, industry watchers stressed that a pure technical background is not necessarily needed. The field has numerous positions that can draw on experience from other fields.

“There is no specific route to becoming a cybersecurity expert. An innate curiosity and passion for problem-solving are the most critical skills, by far,” Timothy Morris, chief security advisor at Tanium told Dice. “Some of my most qualified team members have had backgrounds from non-tech walks of life—including teachers, retailers, mechanics—and have been phenomenal hires.”

For those taking the more traditional route of studying cybersecurity in college or working in another part of the technology space before making the jump, Morris added that a solid cross-section of experience in IT, including work on the help desk, development and operations, can help candidates better market themselves for a cybersecurity career.

John Bambenek, principal threat hunter at security firm Netenrich, noted that while it’s possible to take skills developed as a system, network or cloud administrator and apply them toward a cybersecurity career, many companies and recruiters want job candidates to have a cybersecurity degree. 

There are ways, however, to overcome this obstacle. “Once you have a foothold, growth is mostly based on what you have shown you can do,” Bambenek told Dice. “Capture-the-flag and related competitions help, as do certifications. It seems that in cybersecurity, more than other fields, there is a need to stay fresh and constantly learn.”

Cybersecurity Courses and Certifications: Which Ones Matter?

Security experts remain split on whether cybersecurity candidates need specific certifications to optimize their careers. What counts is the ability to learn, a knack for solving problems, and thinking creatively about solutions, said John Hellickson, field CISO at consulting firm Coalfire.

“Due to the various paths one could take, the main focus should be to find your passion and interests to explore different areas of cybersecurity to see what excites you, engage in the local community to talk with others, and be eager to learn the various ways you’d like to leverage your skills,” Hellickson told Dice. “Based on these various specialties within cybersecurity, you can find roles that need more technical skills such as system administration, network or application development, to roles that need business soft skills where you may be guiding an organization on managing risk or educating them on cybersecurity.”

For those starting or looking to gain a foothold, Hellickson would recommend the Security Advisor Alliance resource page as well as the SANS Institute’s New to Cyber Field Manual as two reliable methods for building up various cybersecurity skill-sets.

While the necessity of certifications is debatable, most experts recommend candidates invest in one or more recognizable certifications to help them stand out. These include, but are not limited to:

“For entry-level positions, the CompTIA Security+ or GSEC certifications can help, but what is also invaluable is participating in cyber-range activities or capture-the-flags focused on blue team skills. For instance, for college students, the National Cyber League is very helpful, which also doubles as a corporate recruitment effort,” Bambenek said.

For experts such as Bambenek, this path can still take too long in an industry that needs hundreds of thousands of skilled workers. “The typical career path for new cybersecurity specialists is to earn a BS in computer science, get an MS in cybersecurity, and then get professional certifications. This is simply too onerous considering it isn’t even providing the expertise we need,” Bambenek added. “Moving forward, we need a strong push to get entry-level cybersecurity education at the associate’s level and for employers to accept that as sufficient.”

Cybersecurity Careers: What Is the Next Step for Tech Pros?

While gaining the right skills and building up a network of contacts takes time, there are numerous entry-level positions for the right candidates. Currently, many tech pros start as cyber analysts before moving to other positions. In addition, organizations and some government agencies need entry-level workers to join so-called blue teams to help shore up defenses and test infrastructure for vulnerabilities. 

The instant reward for this is a median starting salary of about $130,000 in the U.S., with those holding a master’s degree or doctoral degree earning more, according to the (ISC)2 study.

For those looking to move up and explore more advanced or management positions, it’s important to gain more business skills to understand how an organization works. “The path to management often is taking someone with technical expertise, but often experts don’t have the discrete skills management or leadership needs. Growth into these ranks also depends on the ability to speak ‘in business language’ and have strong written and verbal communication skills,” Bambenek suggested.

It also means finding mentors both inside and outside an organization to help guide a career path. “Look for a mentor. Find people in cybersecurity analyst roles you aspire to be in; reach out and connect with them. Ask if they would be willing to share their journey and help guide your journey. Consider the value prop you’re bringing to the table—why should they help you and what are they getting out of it?” noted George Tang, principal solutions architect at JupiterOne.