August 25, 2017 By Kevin Beaver 3 min read

Open information security jobs are everywhere. For businesses small and large, and across all industries, the need for qualified cybersecurity professionals is widespread. Compensation for the skills required to help run an information security program makes this field one of the most lucrative out there.

It’s unwise to kick off your cybersecurity career without having thought about what you want to specialize in. Information security is not just about keeping attackers away: There’s an entire life cycle associated with the security and risk management process. From managing the core elements of computers and networks to overseeing the day-to-day work, security requires specialized expertise in various areas.

Read the IBM executive report: Addressing the Skills Gap with a New Collar Approach

Find Your Focus

Early on in my career, through both formal education and hands-on experience, I gained a ton of knowledge about computer operating systems, software development and networking. I built up this skill set for the first half of my career and, once I went out on my own as an independent consultant, figured I was going to do all things security-related.

I was sorely mistaken — arguably delusional. I even introduced myself during some of my earlier presentations as someone who performs security assessments for those who take security seriously and incident response for those who don’t. I thought I was the end-all-be-all solution for everyone’s information security needs.

But it became clear to me that I needed to specialize in something, so I did just that. I decided that I wanted to work more on the proactive side of security, evaluating vulnerabilities and risks and then providing guidance to help my clients secure their environments before a breach occurs — without sacrificing productivity.

Carving Out Your Niche in Cybersecurity

Whenever people ask me what area of security they should focus on, my answer is always the same: It depends. I then ask them questions such as:

  • Do you consider yourself a techie or are you more business-oriented?
  • Do you feel like you’re a good communicator?
  • What security work seems more appealing to you: working on a computer in a lab all day or interacting with people?

Beyond that, I tell people to look at what they’ve been good at in the past and what they do well now. For example, some people are great at seeing the big picture and identifying patterns that create challenges to the business or IT function. Conversely, others are better at discovering technical details such breach-related clues and log files or knowing the proper source code syntax to prevent the manipulation of a web application. This can be a difficult process, but it’s really important if you want to get involved with security in the right ways.

Additionally, aspiring cybersecurity professionals should think about what areas interest them and what they want to get better at. In terms of specific areas of specialization, there are countless options, including:

  • Architect and designer;
  • Policy manager;
  • Administrator;
  • Analyst;
  • Security tester, including vulnerability and penetration testing;
  • Trainer;
  • Auditor;
  • Incident responder;
  • Forensics investigator; and
  • Lawyer.

You can do any of the above across practically all industries as an employee, consultant or contractor, including in the military and local, state and federal governments. You can start out at a junior level, end up in mid-management and even work your way up to chief information security officer (CISO). There is such a great need for information security skills in business today that you can literally write your own ticket in this field. If you’re likable, well-spoken and well-written, and understand security as it related to business, the sky is the limit, as long as you specialize.

Chart Your Cybersecurity Career Path

Regardless of your background and goals, the simple truth is that you cannot be an expert at everything. Even a seemingly niche field such as information security is extremely diverse and complex. Think things through: Ask yourself the tough questions now so that you can get on — and stay on — the right path rather than having to re-evaluate and shift your career focus years down the road.

When you find your area of specialty, go all in. Commit to continuous learning and vow to always be a person of value. There are a lot of people working in security who are not of much value — in many cases, because they lack direction and focus. Regardless of your skills, your ultimate success will depend on the quality of your relationships: who you know and, most importantly, who knows you.

Read the IBM executive report: Addressing the Skills Gap with a New Collar Approach

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today