In the last year alone, 86% of organizations had at least one user try to connect to a phishing site, found a study by Cisco. Since the pandemic and the more widespread adoption of digital technologies, cybersecurity threats have increased. Cryptomining, ransomware, trojans, botnet, adware, exploit kit, man-in-the-middle, DNS tunneling, zero-day exploitation, etc., are but a few kinds of cyber-attacks being carried out today. Even the biggest enterprises aren’t safe from cybersecurity vulnerabilities. As the variety and complexity of cyber attacks grow every day, so does the demand for qualified cybersecurity professionals.
The US Bureau of Labor Statistics projects that the number of jobs for one of the key positions in cybersecurity, the information security analyst, will grow by 33% in the decade from 2020-2030—the average across all job roles is a mere 8%. The average salary is also much higher at $103,590. The cybersecurity industry is expected to have 3.5 million high-paying, unfilled jobs this year, with not enough candidates to fill them.
In this blog post, we explore how you can kickstart your cybersecurity career. We discuss the various roles available across experience/skills and answer some frequently asked questions.
Cyber Security Career Roadmap
“You don’t have to be a graduate of MIT to work in cybersecurity. It just requires someone who has the proper training, proper certification and is certainly committed to the work.”— Tim Herbert, EXVP Research, CompTIA.
Despite its important place in the information technology space, cybersecurity is still an emerging field. Organizations are just beginning to strengthen their cybersecurity workforce, creating new roles and hiring specialists. Therefore, while understanding cybersecurity career paths, it is crucial to keep it broad enough to adapt to the evolving needs of the industry in an agile manner.
In line with that, we’ve organized the cyber security career roadmap into three distinct parts: entry-level, mid-level, and senior-level jobs.
Entry-level jobs in cybersecurity require applicants to have basic educational qualifications like a bachelor’s degree or certification but might not expect work experience. Here, you would typically monitor systems, detect anomalies, escalate potential threats to seniors, etc.
With a few years of experience and some advanced certifications, mid-level analysts, testers, or engineers take on a more strategic role. Here, you will design security systems, review, assess and audit them for problems using methods like ethical hacking, and recommend solutions. You will also address the threats escalated by entry-level cybersecurity analysts and resolve them.
Senior-level positions like Chief Information Security Officer (CISO) or Chief Information Officer (CIO) are leadership roles. Here, you will take responsibility for the security of the organization’s IT landscape. You will create security roadmaps, review and negotiate contracts, engage vendors, and manage security teams.
Let us look at the roles and responsibilities of the various positions at each stage of the cybersecurity career.
Cyber Security Career Paths to Consider
While phishing continues to be among the most common cybersecurity threats today, cybercriminals are getting creative. They are using every vulnerability visible to them to attack and steal information. As a consequence, organizations are also seeking cybersecurity professionals with skills to handle existing and emerging threats. Here are some of the cybersecurity career paths available to you.
Entry-level Cybersecurity Jobs
These are jobs for early-career professionals with little or no experience. Cybersecurity as a field does not demand a master’s or an advanced degree to get started. However, a certification to demonstrate your basics might be necessary. Here are the two most common entry-level cybersecurity positions.
1. Incident Response Analyst
As the name suggests, an incident response analyst is the first responder to a cyber attack. They will investigate, analyze and respond to cyber incidents. Moreover, they will also proactively identify threats, contain and eradicate them as necessary. While these roles don’t expect advanced cybersecurity qualifications, they do demand specific skills in:
- Computer intrusion and incident response procedures
- Security architecture, system administration, and networking (TCP/IP, DNS, HTTP, SMTP, etc.)
- Security assessment across NMAP, Netcat, Nessus, Metasploit, etc.
Some of the certifications needed for this role are:
- GIAC Certified Incident Handler (GCIH)
- GIAC Critical Controls Certification (GCCC)
- EC-Council Certified Incident Handler
- CREST Certified Incident Manager (CCIM)
The average salary of an incident response analyst is $70,892.
2. Risk Analyst
A risk analyst is responsible for performing regular assessments of the cybersecurity landscape and recommending improvements. This could be studying access controls, policies, operational effectiveness, and so on. They might also be required to keep track of the latest threats and analyze enterprise systems for resilience.
The key skills expected of a risk analyst are:
- Identity and access management
- Threat intelligence and vulnerability assessments
- Security architecture and strategy
- Data risk and governance
- Compliance demands around personally identifiable information (PII) and industry-specific laws
Certifications needed are:
- Certified Information Systems Auditor (CISA)
- Certified Information Security Manager (CISM)
- Certified in Risk and Information Systems Control (CRISC)
- Certified Information Systems Security Professional (CISSP)
Risk analysts earn an average salary of $74,840. However, security-minded industries like healthcare or banking might offer much more.
Before starting your cybersecurity career, whether as an incident response analyst or a risk analyst, it is important to gain a strong foundation. Begin with a boot camp or an online course on the fundamentals of cybersecurity. Then, earn a general certification like The CompTIA Security+. From there, you can choose a specific area of interest and gain certification in the field. For instance, if you are interested in digital forensics, you might do well to be certified in reverse engineering malware or as a computer hacking forensic investigator.
Mid-level Cybersecurity Jobs
After 2-5 years as a cybersecurity analyst, most professionals move up to mid-level roles like penetration testers (also known as pen-testers), security engineers, or forensics analysts. These will be more strategic than an incident response analyst or risk analyst but need not necessarily be a leadership position. Mid-level cybersecurity professionals can be both individual contributors or managers.
Here are a few mid-level cybersecurity careers.
1. Penetration Tester
Penetration testers or ethical hackers design, simulate and execute attacks on enterprise networks and systems with an intent to identify vulnerabilities and address them. The skills needed by a penetration tester are:
- Vulnerability assessment and penetration testing (VASP)
- Code review for common vulnerabilities like the OWASP top 10
- Network-related protocols such as HTTPS, TCP/IP, etc.
- Compliance protocols such as PCI, ISO 17799, HIPAA, etc.
Some of the certifications helpful for a penetration tester are:
- CompTIA PenTest+
- Offensive Security Certified Professional (OSCP)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Penetration Tester
- Certified Ethical Hacker (CEH)
The average salary of a penetration tester is $102,405. Unlike the analyst positions we discussed above, penetration testing is a programming-heavy role. So, before anything, become proficient in one of the popular application programming languages. Post that, gain certification in penetration testing or ethical hacking.
2. Security Engineer
A security engineer is much like a senior incident response analyst. While they do not directly respond to every cybersecurity incident, they design and implement security-focused tools and services. They also develop policies and procedures within the organization. As a mid-level role, experience is as important as skills/certifications here.
Key skills and experience expected of a security engineer are:
- Bachelor’s degree in computer science or cybersecurity
- Understanding of application development, service-oriented architecture, threat modeling, risk identification, etc.
- Proficiency in programming languages like Python, Java, C, C++, etc.
- Knowledge of web and network protocols, cloud technologies, VASP, remediation techniques, etc.
The commonly expected certifications are CompTIA Security+, CISSP, CISA, CISM, etc.
The average salary of a security engineer is $102,511. The most common path to becoming a security engineer is to evolve from a software engineer. With some programming and quality assurance experience, you can gain cybersecurity credentials and transition. On the other hand, if you already have cybersecurity skills/experience, you can also gain foundational application development skills to move up the ladder.
3. Forensics Analyst
A forensics analyst is an investigator who follows the digital evidence and solves a crime virtually. They recover data and determine how the security breach happened. They study how the attackers gained access, traversed the network, what they did, etc. Key skills expected of a forensics analyst are:
- Collaborate with incident response and risk management teams to perform a thorough analysis
- Perform forensic functions to identify indicators of compromise
- Examine all sources of data, including firewall, web, database, logs, etc. to determine malicious and compromised activity
- Assess new tools and applications for security vulnerabilities
- Develop digital forensics best practices
The certifications expected of a forensic analyst are:
- Certified Forensic Computer Examiner (CFCE)
- Certified Computer Examiner (CCE)
- GIAC Certified Forensic Analyst (GCFA)
- Computer Hacking Forensic Investigator (CHFI)
The average pay for a forensics analyst is $80,990. While defense, law enforcement, and counterintelligence were among the first to employ forensic analysts, today, several enterprises are hiring them to protect themselves from attack. To get started on a career in forensic analysis, gain foundational skills across computer programming, data analytics, criminal justice, and systems engineering. Then, focus on 1-2 specialized certifications.
Senior-level Cybersecurity Jobs
Leadership positions like the chief information security officer (CISO) and chief information officer (CIO) shape the cybersecurity posture not just of the organization they lead but of the industry as well. They set the standards and define appropriate responses. Therefore, these roles involve technological strengths, business acumen, strategic thinking, and a futuristic approach. The two key cybersecurity leadership positions are as follows.
A chief information security officer is responsible for the protection of the organization’s data. As companies collect more and more consumer data, this role becomes crucial across privacy, security, customer experience, and compliance implications. Therefore, the demands on the skills of a CISO are quite high.
- Bachelor’s degree in information security, information systems, or computer science
- 10-15 years of experience in information security or risk management
- Experience in defining policies and procedures
- Knowledge of security frameworks, standards, and regulations such as ISO 27001, SOC, PCI DSS, HITECH, HIPAA, PSQIA, GDPR, etc.
Some of the certifications expected are:
- Certified Information Systems Security Professional (CISSP)
- Certified Information Security Manager (CISM)
- Certified Information Systems Auditor (CISA)
- GIAC Strategic Planning, Policy & Leadership (GSPPL)
- GIAC Security Leadership (GSLC)
In addition to these technical skills, CISOs are also expected to have leadership experience, strong analytical skills, project management skills, and a high level of personal integrity.
The average salary of a CISO is $1,73,705. The most common career path to becoming a CISO is to gain multi-functional skills and experience. This would typically include experience in application development, data analytics, information security, information systems, project management, and team leadership. Moreover, industry experience is a huge plus in these roles. For instance, for a CISO role in a hospital chain, someone with experience in the healthcare industry will be considered much ahead of anyone else, given their better understanding of the business and compliance landscape.
Chief Information Officers (CIOs) are roles that originated in the information era since the 1990s. As more and more data was collected and used, enterprises hired leaders for their information/data practice. Therefore, while CIOs are not technically part of the cybersecurity career path, in that, one can become a CIO without going through the cybersecurity career roadmap, this role is certainly one of the most respected and high-paying destinations.
The skills and experiences expected of them are:
- Bachelor’s degree in computer science, information systems, technology, etc.
- 15+ years of experience with at least 2-3 years in senior leadership roles
- Business, financial and operational acumen, with a keen eye for emerging data technologies
- Experience in designing and implementing security and privacy protocols
- Experience in cloud technologies
- Ability to collaborate effectively with CDO, CISO, application development leaders, and so on
Unlike specialist cybersecurity roles, CIOs are not expected to have certifications, but Six Sigma and Lean qualifications will certainly help. A qualified CIO gets paid an average salary of $1,58,305. A CIO typically reports to the chief technology officer (CTO) or, in rare cases, the chief executive officer (CIO).
Cybersecurity Career Path FAQs
Do You Need a Degree To Get Into Cybersecurity?
No, you don’t. While most jobs expect a bachelor’s degree in computer science, information systems, or other related fields, you can also gain the same skills through certificate programs and boot camps. Here is a guide on getting into cybersecurity regardless of your background.
Does Cybersecurity Pay Well?
Yes, it does. The median salary of a cybersecurity engineer is $100,000. A CISO’s salary can go up to $400,000 depending on their experience, skills, certifications, organization, and location. Given the increasing demand for cybersecurity professionals, the talent gap, and mounting threats, these salaries are only expected to go up.
For more on salaries of the various cybersecurity roles, read this salary guide.
How Long Will It Take To Learn Cybersecurity Basics?
We believe that it would take six months to master cybersecurity basics if you can spare 15-20 hours a week to study. This is why the Springboard Cyber Security Bootcamp is designed to teach you the fundamentals over six months. However, you might need longer if you have to learn programming languages as well.
How To Start a Cyber Security Career?
All cybersecurity career paths have almost the same set of requirements: IT skills, analytical skills, experience, certifications. Gain each of these, one by one.
- Gain basic qualifications. If you already have a bachelor’s degree in computer science, information systems, etc., take up a specialized course in cybersecurity. Else, get a basic qualification in the field through online courses, boot camps, etc.
- Get certified. CompTIA Security+ or Certified Ethical Hacker will help demonstrate your interest/competence in the field.
- Build experience. As a fresh graduate or a beginner, you might not have real-world work experience. In such cases, do your own projects or join hackathons, etc., to strengthen your portfolio.
- Develop interpersonal skills. Cybersecurity roles are often about collaboration. You need impeccable interpersonal skills to communicate effectively, collaborate with diverse teams and implement procedures.
How To Get a Job in Cyber Security?
Having the skills and experience to do a job is not the same as getting the job itself. To be hired, you need to demonstrate your skills and potential to the hiring team. To do that:
- Create a strong and convincing cyber security resume
- Build a job strategy, identify the jobs you’re interested in and apply to each of them thoughtfully
- Prepare for interviews, practice answers for the most common cybersecurity interview questions
- Be ready to negotiate your remuneration
- Make the most of your first week!
Kickstart Your Career with Springboard’s Cyber Security Career Track
Whether you’re a fresh graduate or an experienced professional, you can begin laying out your cybersecurity career path right away. Springboard’s Cyber Security Career Track offers a strong foundation in cybersecurity powered by 30+ labs, 30+ assignments, and one capstone project, covering the length and breadth of industry challenges. 1:1 mentorship with industry experts will enable your career growth, helping you overcome obstacles and stay accountable along the way. Personalized career coaching will give you everything you need to land a job of your choice in cybersecurity successfully.
Learn more about Springboard’s Cyber Security Career Track here.