August 25, 2017 By Kevin Beaver 3 min read

Open information security jobs are everywhere. For businesses small and large, and across all industries, the need for qualified cybersecurity professionals is widespread. Compensation for the skills required to help run an information security program makes this field one of the most lucrative out there.

It’s unwise to kick off your cybersecurity career without having thought about what you want to specialize in. Information security is not just about keeping attackers away: There’s an entire life cycle associated with the security and risk management process. From managing the core elements of computers and networks to overseeing the day-to-day work, security requires specialized expertise in various areas.

Read the IBM executive report: Addressing the Skills Gap with a New Collar Approach

Find Your Focus

Early on in my career, through both formal education and hands-on experience, I gained a ton of knowledge about computer operating systems, software development and networking. I built up this skill set for the first half of my career and, once I went out on my own as an independent consultant, figured I was going to do all things security-related.

I was sorely mistaken — arguably delusional. I even introduced myself during some of my earlier presentations as someone who performs security assessments for those who take security seriously and incident response for those who don’t. I thought I was the end-all-be-all solution for everyone’s information security needs.

But it became clear to me that I needed to specialize in something, so I did just that. I decided that I wanted to work more on the proactive side of security, evaluating vulnerabilities and risks and then providing guidance to help my clients secure their environments before a breach occurs — without sacrificing productivity.

Carving Out Your Niche in Cybersecurity

Whenever people ask me what area of security they should focus on, my answer is always the same: It depends. I then ask them questions such as:

  • Do you consider yourself a techie or are you more business-oriented?
  • Do you feel like you’re a good communicator?
  • What security work seems more appealing to you: working on a computer in a lab all day or interacting with people?

Beyond that, I tell people to look at what they’ve been good at in the past and what they do well now. For example, some people are great at seeing the big picture and identifying patterns that create challenges to the business or IT function. Conversely, others are better at discovering technical details such as breach-related clues and log files or knowing the proper source code syntax to prevent the manipulation of a web application. This can be a difficult process, but it’s really important if you want to get involved with security in the right ways.

Additionally, aspiring cybersecurity professionals should think about what areas interest them and what they want to get better at. In terms of specific areas of specialization, there are countless options, including:

  • Architect and designer;
  • Policy manager;
  • Administrator;
  • Analyst;
  • Security tester, including vulnerability and penetration testing;
  • Trainer;
  • Auditor;
  • Incident responder;
  • Forensics investigator; and
  • Lawyer.

You can do any of the above across practically all industries as an employee, consultant or contractor, including in the military and local, state and federal governments. You can start out at a junior level, end up in mid-management and even work your way up to chief information security officer (CISO). There is such a great need for information security skills in business today that you can literally write your own ticket in this field. If you’re likable, well-spoken and well-written, and understand security as it relates to business, the sky is the limit, as long as you specialize.

Chart Your Cybersecurity Career Path

Regardless of your background and goals, the simple truth is that you cannot be an expert at everything. Even a seemingly niche field such as information security is extremely diverse and complex. Think things through: Ask yourself the tough questions now so that you can get on — and stay on — the right path rather than having to re-evaluate and shift your career focus years down the road.

When you find your area of specialty, go all in. Commit to continuous learning and vow to always be a person of value. There are a lot of people working in security who are not of much value — in many cases, because they lack direction and focus. Regardless of your skills, your ultimate success will depend on the quality of your relationships: who you know and, most importantly, who knows you.
