August 25, 2017 By Kevin Beaver 3 min read

Open information security jobs are everywhere. For businesses small and large, and across all industries, the need for qualified cybersecurity professionals is widespread. Compensation for the skills required to help run an information security program makes this field one of the most lucrative out there.

It’s unwise to kick off your cybersecurity career without having thought about what you want to specialize in. Information security is not just about keeping attackers away: There’s an entire life cycle associated with the security and risk management process. From managing the core elements of computers and networks to overseeing the day-to-day work, security requires specialized expertise in various areas.

Read the IBM executive report: Addressing the Skills Gap with a New Collar Approach

Find Your Focus

Early on in my career, through both formal education and hands-on experience, I gained a ton of knowledge about computer operating systems, software development and networking. I built up this skill set for the first half of my career and, once I went out on my own as an independent consultant, figured I was going to do all things security-related.

I was sorely mistaken — arguably delusional. I even introduced myself during some of my earlier presentations as someone who performs security assessments for those who take security seriously and incident response for those who don’t. I thought I was the end-all-be-all solution for everyone’s information security needs.

But it became clear to me that I needed to specialize in something, so I did just that. I decided that I wanted to work more on the proactive side of security, evaluating vulnerabilities and risks and then providing guidance to help my clients secure their environments before a breach occurs — without sacrificing productivity.

Carving Out Your Niche in Cybersecurity

Whenever people ask me what area of security they should focus on, my answer is always the same: It depends. I then ask them questions such as:

  • Do you consider yourself a techie or are you more business-oriented?
  • Do you feel like you’re a good communicator?
  • What security work seems more appealing to you: working on a computer in a lab all day or interacting with people?

Beyond that, I tell people to look at what they’ve been good at in the past and what they do well now. For example, some people are great at seeing the big picture and identifying patterns that create challenges to the business or IT function. Conversely, others are better at discovering technical details such breach-related clues and log files or knowing the proper source code syntax to prevent the manipulation of a web application. This can be a difficult process, but it’s really important if you want to get involved with security in the right ways.

Additionally, aspiring cybersecurity professionals should think about what areas interest them and what they want to get better at. In terms of specific areas of specialization, there are countless options, including:

  • Architect and designer;
  • Policy manager;
  • Administrator;
  • Analyst;
  • Security tester, including vulnerability and penetration testing;
  • Trainer;
  • Auditor;
  • Incident responder;
  • Forensics investigator; and
  • Lawyer.

You can do any of the above across practically all industries as an employee, consultant or contractor, including in the military and local, state and federal governments. You can start out at a junior level, end up in mid-management and even work your way up to chief information security officer (CISO). There is such a great need for information security skills in business today that you can literally write your own ticket in this field. If you’re likable, well-spoken and well-written, and understand security as it related to business, the sky is the limit, as long as you specialize.

Chart Your Cybersecurity Career Path

Regardless of your background and goals, the simple truth is that you cannot be an expert at everything. Even a seemingly niche field such as information security is extremely diverse and complex. Think things through: Ask yourself the tough questions now so that you can get on — and stay on — the right path rather than having to re-evaluate and shift your career focus years down the road.

When you find your area of specialty, go all in. Commit to continuous learning and vow to always be a person of value. There are a lot of people working in security who are not of much value — in many cases, because they lack direction and focus. Regardless of your skills, your ultimate success will depend on the quality of your relationships: who you know and, most importantly, who knows you.

Read the IBM executive report: Addressing the Skills Gap with a New Collar Approach

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today