Now is an exciting time to work in cybersecurity. Not only is the demand for security professionals still very strong, but young workers seeking an entry-level cybersecurity job have more information at their disposal than ever before. This information can help them show potential employers the value they can bring to an organization.
The field is still fresh and rapidly evolving, so a career started today could go anywhere in the years to come. Given this volatility, how can aspiring security professionals identify the right career path for them and get started today?
Use the Workforce Framework
One key source of information for those on the security job market can be found at the National Initiative for Cybersecurity Education (NICE), an effort led by the National Institute of Standards and Technology (NIST) to address the cybersecurity talent shortage. The program offers an invaluable tool called the NICE Cybersecurity Workforce Framework (NCWF).
The NCWF, also known as NIST Special Publication 800-181, describes all the various fields under the broader cybersecurity umbrella and groups all security activities into seven categories:
- Securely Provision (SP)
- Operate and Maintain (OM)
- Oversee and Govern (OV)
- Protect and Defend (PR)
- Analyze (AN)
- Collect and Operate (CO)
- Investigate (IN)
Within each category are specialty areas — 33 in total — such as risk management, knowledge management and executive cyber leadership, to name a few. The NCWF also specifies what knowledge, skills and abilities (KSAs) are required for each task and supports keyword searches across all of its attributes, including categories, work roles and, of course, KSAs. This can help you contextualize your experience and interests within potential pathways in a security career.
Explore Career Paths and Market Conditions
CyberSeek was launched in late 2016 to provide “detailed, actionable data about supply and demand in the cybersecurity job market.” The site features an interactive heat map of cybersecurity job supply and demand nationwide, as well as by state.
Another useful feature of CyberSeek is the Cybersecurity Career Pathway tool, which allows applicants to explore how five “feeder roles” can lead them to various entry-level cybersecurity jobs from which they can escalate to midlevel jobs and, eventually, advanced cybersecurity work. The feeder roles can be thought of as five domains of expertise:
- Software development
- Systems engineering
- Financial and risk analysis
- Security intelligence
Review Common Entry-Level Cybersecurity Jobs
As with many fields, there is no official set of titles that clearly indicates an entry-level cybersecurity position. One reason for this gap is that the U.S. Bureau of Labor Statistics (BLS) only recently started to track cybersecurity roles separately from networking roles. However, by reviewing the NCWF, we can get some idea of common entry-level positions within its defined “specialty areas.”
Information Security Analyst
Because it is tracked by the BLS, this title is one of the most widely used to describe entry-level jobs in cybersecurity. However, the same title can also be found to describe midlevel positions, which can lead to confusion, so it’s important to review the specific qualifications and responsibilities detailed in each listing.
According to the BLS, information security analysts “plan, implement, upgrade, or monitor security measures for the protection of computer networks and information.” They are usually employed by the security function and can be internally facing (working for other security personnel) or externally facing (working for business units).
Junior Penetration Tester
A penetration tester is someone who is hired by a client to bypass or defeat security controls. From the client’s perspective, the pen tester will evaluate the organization’s defenses and report actual or potential weaknesses found along the way, thus giving the client a chance to fix those before a real attacker finds their way in.
The pen tester must have strong knowledge of the types of systems they’re going after, not only to grasp the many ways to compromise those systems, but also to avoid impacting or damaging them since many will be actual production systems. Pen testers usually specialize in specific system types, such as networks, web applications and mobile applications.
Network and Computer Systems Administrators
Historically, this is has been a common career from which to transition into cybersecurity. The role primarily focuses on keeping networks functional and often includes security-related activities, such as monitoring access logs, implementing and verifying network-based backups, and tending to security measures to protect the network and detect or investigate activity.
Demonstrate Your Worth — Before You Apply
While there are many openings for qualified candidates, job seekers still need to demonstrate that they are not only qualified, but ultimately the best person for the role. Demonstrating value starts years before filling out a job application.
That means planning your next moves while still taking courses. I’ve heard many chief information security officers (CISOs) tell job seekers to highlight what they’ve done outside of the classroom, how they pushed themselves to learn new techniques, how they developed a home lab to explore various tools and scenarios, etc.
However, budding professionals should be careful not to spend all their time staring at a screen to learn a new tool. Most cybersecurity professions today include a heavy dose of interactions with multiple facets of an organization, including with people whose focus isn’t technology. Job seekers should practice their soft skills, such as thinking critically and communicating effectively to various target audiences.
Overall, cybersecurity career pathways are still so new and diverse that they are bound to continue shifting over time. It’s impossible to know exactly how you might grow into each role that you will take on in your lifetime, but setting goals now can help you get started blazing your own trail.