October 10, 2018 By Christophe Veltsos 4 min read

Now is an exciting time to work in cybersecurity. Not only is the demand for security professionals still very strong, but young workers seeking an entry-level cybersecurity job have more information at their disposal than ever before. This information can help them show potential employers the value they can bring to an organization.

The field is still fresh and rapidly evolving, so a career started today could go anywhere in the years to come. Given this volatility, how can aspiring security professionals identify the right career path for them and get started today?

Use the Workforce Framework

One key source of information for those on the security job market can be found at the National Initiative for Cybersecurity Education (NICE), an effort led by the National Institute of Standards and Technology (NIST) to address the cybersecurity talent shortage. The program offers an invaluable tool called the NICE Cybersecurity Workforce Framework (NCWF).

The NCWF, also known as NIST Special Publication 800-181, describes all the various fields under the broader cybersecurity umbrella and groups all security activities into seven categories:

  1. Securely Provision (SP)
  2. Operate and Maintain (OM)
  3. Oversee and Govern (OV)
  4. Protect and Defend (PR)
  5. Analyze (AN)
  6. Collect and Operate (CO)
  7. Investigate (IN)

Within each category are specialty areas — 33 in total — such as risk management, knowledge management and executive cyber leadership, to name a few. The NCWF also specifies what knowledge, skills and abilities (KSAs) are required for each task and supports keyword searches across all of its attributes, including categories, work roles and, of course, KSAs. This can help you contextualize your experience and interests within potential pathways in a security career.

Explore Career Paths and Market Conditions

CyberSeek was launched in late 2016 to provide “detailed, actionable data about supply and demand in the cybersecurity job market.” The site features an interactive heat map of cybersecurity job supply and demand nationwide, as well as by state.

Another useful feature of CyberSeek is the Cybersecurity Career Pathway tool, which allows applicants to explore how five “feeder roles” can lead them to various entry-level cybersecurity jobs from which they can escalate to midlevel jobs and, eventually, advanced cybersecurity work. The feeder roles can be thought of as five domains of expertise:

  1. Networking
  2. Software development
  3. Systems engineering
  4. Financial and risk analysis
  5. Security intelligence

Review Common Entry-Level Cybersecurity Jobs

As with many fields, there is no official set of titles that clearly indicates an entry-level cybersecurity position. One reason for this gap is that the U.S. Bureau of Labor Statistics (BLS) only recently started to track cybersecurity roles separately from networking roles. However, by reviewing the NCWF, we can get some idea of common entry-level positions within its defined “specialty areas.”

Information Security Analyst

Because it is tracked by the BLS, this title is one of the most widely used to describe entry-level jobs in cybersecurity. However, the same title can also be found to describe midlevel positions, which can lead to confusion, so it’s important to review the specific qualifications and responsibilities detailed in each listing.

According to the BLS, information security analysts “plan, implement, upgrade, or monitor security measures for the protection of computer networks and information.” They are usually employed by the security function and can be internally facing (working for other security personnel) or externally facing (working for business units).

Junior Penetration Tester

A penetration tester is someone who is hired by a client to bypass or defeat security controls. From the client’s perspective, the pen tester will evaluate the organization’s defenses and report actual or potential weaknesses found along the way, thus giving the client a chance to fix those before a real attacker finds their way in.

The pen tester must have strong knowledge of the types of systems they’re going after, not only to grasp the many ways to compromise those systems, but also to avoid impacting or damaging them since many will be actual production systems. Pen testers usually specialize in specific system types, such as networks, web applications and mobile applications.

Network and Computer Systems Administrators

Historically, this has been a common career from which to transition into cybersecurity. The role primarily focuses on keeping networks functional and often includes security-related activities, such as monitoring access logs, implementing and verifying network-based backups, and tending to security measures to protect the network and detect or investigate activity.

Demonstrate Your Worth — Before You Apply

While there are many openings for qualified candidates, job seekers still need to demonstrate that they are not only qualified, but ultimately the best person for the role. Demonstrating value starts years before filling out a job application.

That means planning your next moves while still taking courses. I’ve heard many chief information security officers (CISOs) tell job seekers to highlight what they’ve done outside of the classroom, how they pushed themselves to learn new techniques, how they developed a home lab to explore various tools and scenarios, etc.

However, budding professionals should be careful not to spend all their time staring at a screen to learn a new tool. Most cybersecurity professions today include a heavy dose of interactions with multiple facets of an organization, including with people whose focus isn’t technology. Job seekers should practice their soft skills, such as thinking critically and communicating effectively to various target audiences.

Overall, cybersecurity career pathways are still so new and diverse that they are bound to continue shifting over time. It’s impossible to know exactly how you might grow into each role that you will take on in your lifetime, but setting goals now can help you get started blazing your own trail.
