Cyber Security Career Ladders

Everything you need to know

👋 Good morning!

Each week I provide an in-depth response to your questions about careers, building security teams, AI security, cloud security, and anything else you need support with. Send me your questions and I’ll do my best to provide actionable advice.

Let’s dive in!

Q: I want to understand what my career progression could look like in cyber security. What career paths are available?

This week I’m delving into the world of cyber security career ladders, aiming to demystify what progression looks like and shed light on how understanding the game can be instrumental in shaping your professional journey. Whether you're a seasoned professional or just embarking on your cyber security journey, comprehending how the game works is essential to unlocking your full potential.

Firstly, there is no single ladder. The game can be played in countless different ways. To help you understand what your career could look like, I’ve come up with 5 ways you can frame your journey and the roles available to you:

  1. Areas of work in security

  2. Industry vs consulting vs service provider

  3. Permanent vs contracting

  4. Technical vs managerial

  5. Big firm vs startup

Let’s dive in!

1/ Areas of work

No security team is built the same. They vary massively based on budgets, team size and organisation priorities. This means that the sub-teams and roles available in each organisation will differ. For example, one organisation may have 100+ people spread across the following distinct teams: Risk & Compliance, Security Operations, Threat Intelligence, Security Engineering, Security Architecture, Training & Awareness, Third Party Security, Vulnerability Management, and Security Testing. Another organisation may have a team of 10 people, consisting primarily of security engineers and some risk personnel.

Regardless, it’s important that you choose a field within security to focus on in the short term and earn your security stripes. Later, you can charge up the ladder or pivot to another area of security until you find a good fit.

2/ Consulting vs Industry vs Security Service Provider

You can climb ladders specific to organisation types, or you can move around. There are successful people that have worked in a consultancy their whole professional career, and there are successful people that have moved regularly across all three:

  • Consulting: A consultancy listens to a client problem and looks to sell you as the solution. The most valuable consultants are versatile ones, capable of upskilling and adapting to changing client needs. Working in this field can be unpredictable and no two days are the same. A downside of this area is that if work dries up in your particular specialism, you’d best be ready to roll up your sleeves and get stuck into another area of security to support the team.

  • Industry: Experience will vary if you work for a big or small organisation. You’re likely being hired for a specific line of work. The client remains the same, and your role evolves if the capability evolves. You’ll likely sit within a specific team (such as engineering, or vulnerability management) and perform your operational duties.

  • Security Service Provider: Working for a service provider, like Microsoft or Wiz, means you’re specialised in their service offerings. Your role will be entirely in the context of this service provider's solutions and applying them to clients’ environments.

3/ Permanent vs Contracting

When seeking to advance in your career, there are different opportunities available for different role types.

Permanent Roles

  • Permanent roles offer greater job security, with long-term employment contracts and benefits such as health insurance, retirement plans, and paid leave.

  • Employees in permanent roles generally experience more stability in terms of consistent work assignments and a predictable income.

  • Permanent positions often provide more structured career development opportunities, including training programs, promotions, and a defined career path within the organisation.

Contracting Roles

  • Contracting roles offer greater flexibility in terms of work arrangements, allowing professionals to take on diverse projects and work with multiple clients.

  • Contractors often have the potential for higher earnings, as they may negotiate higher hourly rates or project fees. However, this is balanced by the lack of certain benefits, such as structured career progression.

  • Contractors have the opportunity to gain a variety of experiences by working on different projects and with various clients, enhancing their skill set.

It's important to note that both permanent and contracting roles have their advantages and disadvantages, and the choice between them often depends on an individual's career goals, lifestyle preferences, and risk tolerance. Some professionals may prefer the stability and benefits of permanent roles, while others may value the flexibility and variety that contracting roles offer.

4/ Technical vs Managerial

Technical and managerial roles in cyber security differ in terms of their primary responsibilities, skill sets, and focus. You can ‘climb the ladder’ in both areas of work. Here's a breakdown of the key distinctions:

Technical Roles in Security

Technical roles are hands-on and involve the actual implementation of security measures. People in these roles are deeply involved in the use and management of security technologies, tools, and systems.

These roles require a strong technical skill set, such as knowledge of programming languages, network protocols, system administration, and proficiency with security tools. Technical roles are primarily concerned with preventing and defending against cyber threats.

Examples of Technical Roles:

  • Security Engineer

  • Incident Responder

  • Penetration Tester

  • Cloud Security Engineer

  • Security Architect

Managerial Roles in Security

Managers are responsible for developing and implementing the overall cyber security strategy for an organisation. This involves assessing risks, creating policies, and ensuring compliance.

Managers lead and coordinate security teams, ensuring that each member is contributing effectively to the security capability. Managers need strong leadership skills, as well as the ability to communicate effectively with both technical and non-technical stakeholders.

Examples of Managerial Roles:

  • Chief Information Security Officer (CISO)

  • Security Manager

  • Compliance Officer

  • Team Lead

In many organisations, a successful security program requires a balance between technical and managerial roles. Technical professionals implement and maintain security measures, while managers provide strategic direction, policy development, and ensure that security efforts align with overall business objectives. Career paths in security often allow professionals to transition between technical and managerial roles based on their skills, interests, and career goals.

5/ Big firms vs Start-ups

The bigger the organisation, the more well-defined the career ladder becomes. It's a paradigm of big machine / small cog, versus small machine / big cog. Large organisations often boast structured and well-defined career paths, offering clear milestones and growth opportunities. These organisations function as big machines, where each role is a specialised cog contributing to the overall security capability. Understanding these structures can empower you to set strategic goals, align your skill development, and navigate the ladder with purpose.

On the flip side, smaller organisations may require cyber security professionals to wear multiple hats, transforming them into the big cog in a smaller machine. While the ladder may not be as clearly delineated, the versatility gained from this experience can be invaluable. Small teams demand a broader skill set, allowing individuals to become not just specialists, but well-rounded cyber security experts. Working for the right start-up could rocket your career compared to the standard progression timings of a large corporation.

Titles vs Responsibility

Every company has its own hierarchy lingo: VPs, Directors, Team Leads, Managers, Technicians, Specialists, Operators etc. The title isn’t what matters - it’s the responsibility.

As you climb the hierarchy, responsibilities gradually shift away from 100% operational work to accommodate more strategic and managerial tasks. Even if you don’t want to be a CISO, if you want to lead your functional area such as Security Engineering, there is an element of managerial responsibility.

There is no single ladder, but every step up brings an increase in responsibility and accountability for business outcomes.

Example ladders:

  • Consultancy example: Analyst > Assistant Manager > Manager > Senior Manager > Director > Partner

  • Role specific example: Security Engineer > Senior Security Engineer > Lead Security Engineer > Principal Security Engineer

  • Unorthodox example: SecOps Analyst > Security Engineer > Security Manager > Security Architect > Head of Security Operations > CISO

How to climb

You climb any ladder by gaining experience to unlock new rungs on the ladder. Collect attributes, competencies and skills required for the next level to become available. By having a sense of direction, you can take control of your career trajectory and work on things that align with your ideal direction / role.

My advice:

  • Don’t sit in a role that isn’t serving you. You can evaluate the value of a role based on 3 factors: pay, experience and promotion opportunity.

  • Working across different areas of security will make you a more well-rounded security professional. You understand the complexities and challenges of each area and how they piece together. This positions you best to lead and manage teams / capabilities.

  • Let imposter syndrome guide you and be fearless in pursuit of your goals. Seek to address areas that make you feel uncomfortable and don’t shy away from a step up in responsibility. Rise to the occasion.

  • Build a network. Opportunities will come to you if you possess the right skills and experience, and decision makers know about you. Unconventional roles may even be created for you.

There is no ladder…

At the beginning I referenced ‘the game’. The game is yours to define, but the one the majority sign up for is one of corporate ladders. The pursuit of greater titles, pay and responsibility. The reality is, there is no intrinsic value in hitting these milestones - you will experience fleeting joy, the applause of some family and friends, the resentment of some others.

What I hope you discover is that your career is not really a ladder. It’s a jungle gym. It’s whatever you want it to be. You don’t need to stay the course if there is no fulfilment. You don’t need that bump in pay which demands greater sacrifice. You can pivot. You can build what doesn’t exist.

To each their own, but be aware of the game you’re playing. Hopefully you’ll learn what ‘enough’ is. And don’t lose yourself in pursuit of titles and bags of money.

That’s a wrap!