Now is an exciting time to work in cybersecurity. Not only is the demand for security professionals still very strong, but young workers seeking an entry-level cybersecurity job have more information at their disposal than ever before. This information can help them show potential employers the value they can bring to an organization.

The field is still fresh and rapidly evolving, so a career started today could go anywhere in the years to come. Given this volatility, how can aspiring security professionals identify the right career path for them and get started today?

Use the Workforce Framework

One key source of information for those on the security job market can be found at the National Initiative for Cybersecurity Education (NICE), an effort led by the National Institute of Standards and Technology (NIST) to address the cybersecurity talent shortage. The program offers an invaluable tool called the NICE Cybersecurity Workforce Framework (NCWF).

The NCWF, also known as NIST Special Publication 800-181, describes all the various fields under the broader cybersecurity umbrella and groups all security activities into seven categories:

  1. Securely Provision (SP)
  2. Operate and Maintain (OM)
  3. Oversee and Govern (OV)
  4. Protect and Defend (PR)
  5. Analyze (AN)
  6. Collect and Operate (CO)
  7. Investigate (IN)

Within each category are specialty areas — 33 in total — such as risk management, knowledge management and executive cyber leadership, to name a few. The NCWF also specifies what knowledge, skills and abilities (KSAs) are required for each task and supports keyword searches across all of its attributes, including categories, work roles and, of course, KSAs. This can help you contextualize your experience and interests within potential pathways in a security career.

Explore Career Paths and Market Conditions

CyberSeek was launched in late 2016 to provide “detailed, actionable data about supply and demand in the cybersecurity job market.” The site features an interactive heat map of cybersecurity job supply and demand nationwide, as well as by state.

Another useful feature of CyberSeek is the Cybersecurity Career Pathway tool, which allows applicants to explore how five “feeder roles” can lead them to various entry-level cybersecurity jobs, from which they can advance to midlevel jobs and, eventually, advanced cybersecurity work. The feeder roles can be thought of as five domains of expertise:

  1. Networking
  2. Software development
  3. Systems engineering
  4. Financial and risk analysis
  5. Security intelligence

Review Common Entry-Level Cybersecurity Jobs

As with many fields, there is no official set of titles that clearly indicates an entry-level cybersecurity position. One reason for this gap is that the U.S. Bureau of Labor Statistics (BLS) only recently started to track cybersecurity roles separately from networking roles. However, by reviewing the NCWF, we can get some idea of common entry-level positions within its defined “specialty areas.”

Information Security Analyst

Because it is tracked by the BLS, this title is one of the most widely used to describe entry-level jobs in cybersecurity. However, the same title can also be found to describe midlevel positions, which can lead to confusion, so it’s important to review the specific qualifications and responsibilities detailed in each listing.

According to the BLS, information security analysts “plan, implement, upgrade, or monitor security measures for the protection of computer networks and information.” They are usually employed by the security function and can be internally facing (working for other security personnel) or externally facing (working for business units).

Junior Penetration Tester

A penetration tester is someone who is hired by a client to bypass or defeat security controls. From the client’s perspective, the pen tester will evaluate the organization’s defenses and report actual or potential weaknesses found along the way, thus giving the client a chance to fix those before a real attacker finds their way in.

The pen tester must have strong knowledge of the types of systems they’re going after, not only to grasp the many ways to compromise those systems, but also to avoid impacting or damaging them since many will be actual production systems. Pen testers usually specialize in specific system types, such as networks, web applications and mobile applications.

Network and Computer Systems Administrators

Historically, this has been a common career from which to transition into cybersecurity. The role primarily focuses on keeping networks functional and often includes security-related activities, such as monitoring access logs, implementing and verifying network-based backups, and tending to security measures to protect the network and detect or investigate activity.

Demonstrate Your Worth — Before You Apply

While there are many openings for qualified candidates, job seekers still need to demonstrate that they are not only qualified, but ultimately the best person for the role. Demonstrating value starts years before filling out a job application.

That means planning your next moves while still taking courses. I’ve heard many chief information security officers (CISOs) tell job seekers to highlight what they’ve done outside of the classroom, how they pushed themselves to learn new techniques, how they developed a home lab to explore various tools and scenarios, etc.

However, budding professionals should be careful not to spend all their time staring at a screen to learn a new tool. Most cybersecurity professions today include a heavy dose of interactions with multiple facets of an organization, including with people whose focus isn’t technology. Job seekers should practice their soft skills, such as thinking critically and communicating effectively to various target audiences.

Overall, cybersecurity career pathways are still so new and diverse that they are bound to continue shifting over time. It’s impossible to know exactly how you might grow into each role that you will take on in your lifetime, but setting goals now can help you get started blazing your own trail.
