How to build a security career roadmap

6 steps to land your dream job

👋 Good morning!

Each week I provide an in-depth response to your questions about careers, building security teams, AI security, cloud security, and anything else you need support with. Send me your questions and I’ll do my best to provide actionable advice.

Let’s dive in!

The goal of this post is to empower you to create your own roadmap. I want to share with you a method that you can use time and time again, to carve out a path from wherever you are, to wherever you dream of going.

No matter how bleak your circumstances may seem or how under-qualified you believe you are, there is a path, and I’m going to help you see it.

Here are four core beliefs I hold that I want you to truly take in:

  1. It’s never too late to start, or pivot

  2. You’re never stuck, you just need to recalibrate

  3. Most of our pressure and stress comes from self-imposed time constraints and expectations

  4. Nowhere worth going is easy to get to

Your roadmap can be as simple or as detailed as you need it to be. It somewhat depends on where it is taking you. For example, defining a path for you to break into your first security role is easier than defining a path all the way to CISO from level zero.

So, start small and prove to yourself that the system works before defining a greater path.

Step 1: Where do you want to go?

For a roadmap to be of any use, it needs a destination. This can include a title, a company, a salary, a location, whatever.

We want to be fairly confident this is the direction we want to go in, because the trap most people fall into is rowing in one direction until they get bored, tired or distracted. Then they start rowing in another direction. This cycle repeats itself, leading them back to exactly where they started.

I encourage you to remove any limitations that you have placed on yourself, or others have placed upon you. Set that audacious target destination and chart a course to get there. If you haven’t already, check out my previous post which may help with this - Cyber Security Annual Planning Guide.

Action - Choose a destination.

Step 2: What skills and experience are required to land this role?

At every stage in your career, your ability to land a role and advance on your journey is limited by the skills and experiences you have.

Every role you see advertised has requirements. The more requirements you meet, the greater the likelihood that the door of opportunity opens and you get your shot. The fewer requirements you meet, the harder it will be to break down that door and convince anyone you are worthy of the role. This is the nature of the game.

You can break this step down into two categories:

1/ Knowledge and skills: for your dream role, you need to determine what knowledge, certifications and skills are expected. Expectations vary massively as you progress from a beginner in the field to intermediate and advanced.

For example:

  • If you’re looking to land your first security role, CompTIA Security+ will likely feature early on your roadmap.

  • If you’re seeking managerial responsibilities, you may seek ISC2 CISM.

  • If you want to specialise in Cloud Security, you may include ISC2 CCSP and vendor specific certifications like AZ-500.

2/ Experience: for your dream role, you need to determine what experiences you need to have and what you need exposure to, in order to qualify as a suitable candidate.

For example:

  • If you want a job at a FinTech startup, you’ll need exposure to fast-paced start-up environments and experience with security requirements in the context of complex financial regulations.

  • If you want to be an Enterprise Security Architect, you’ll need exposure to frameworks such as SABSA and TOGAF.

Action - Reverse engineer what is required to get to your destination based on job specifications and begin to build out the requirements of your roadmap.

Step 3: What courses and training are available to gain these skills?

Knowledge and skills are either gained from working on the job, bought through formal courses and training, or created by yourself for free. On-the-job work and personal projects will give you experience, whereas professional courses and training will primarily give you knowledge and skills.

Certifications are a great way to gain knowledge and signal to prospective employers that you know what you’re talking about. Hands-on experience is sometimes included as part of certification paths, including lab environments to simulate real-world experience. This is vital to include in your roadmap and something you should consider when selecting courses and certifications.

Depending on the destination of your roadmap and your current capabilities, the development of certain ‘soft skills’ may actually be of greater importance for you than technical skills development.

In cyber security, the best operators are those with an ability to communicate effectively, lead and manage others to drive an outcome, and convince senior stakeholders on an approach with killer presentation skills.

Action - Based on your target destination, you need to create a list of hard and soft skills required to be successful in that role. Then align certifications, roles and projects to these skills to be added to your roadmap.

Step 4: How can I get these experiences for free?

If you can’t get the experience you need to advance or pivot, you need to create your own experiences. The term ‘Permissionless Apprentice’ was coined by Jack Butcher. It’s a useful concept you can apply to your cyber security journey.

It is the idea of delivering value to esteemed people in exchange for proof of talent and exposure to their network. You don’t need permission from anyone to create value on the internet. There are no barriers to entry for creating your own experiences, which you can later boast about to prospective employers!

For example:

  • You could select a company and audit their business from the outside. Generate hypotheses for cyber threats or challenges relevant to their industry. Identify solutions and document it all in a blog post, video, or podcast. Share this publicly and establish your credibility!

  • You could select a domain within the industry, such as endpoint protection, and perform an evaluation of the best available tools and solutions in the market. Create your own scoring mechanism. Interview vendors. You can produce a best practice report for endpoint protection and present your evaluation of solutions to meet business requirements. Again, share this publicly via a blog post, video or podcast.

  • Monitor security news headlines or the latest innovations in the industry. Then complete write ups and analysis with your thoughts. Generally writing and producing content in the security domain will improve your soft skills and will prove to be valuable in the future.

Action - Make a list of some permissionless apprentice projects you could do to stand out compared to other candidates. Then add them to your roadmap.

Step 5: Where do you need to go first?

Let’s say you decide you want to become an Enterprise Security Architect. The reality of this role is that employers typically look for candidates with 10+ years’ experience. Therefore, the best question you can ask yourself is: what are the optimal roles, skills and experiences I need to put me in the best position to land this role in future?

Action - Figure out how to fill in the blanks in your roadmap.

You can do this by:

  • Reading blog posts from people in the role you want

  • Watching ‘day in the life’ videos on YouTube

  • Connecting and networking with people on LinkedIn

  • Speaking to people about their experiences and incorporating their recommendations into your roadmap (this is an organic way to build a mentoring relationship)

Pro tip: there is no right or wrong way. Choose stepping stones that sound interesting and enjoyable to you. You will likely question your path and make mistakes. It’s all part of the journey.

Step 6: Update your roadmap

Your roadmap is not a static document - it’s meant to be dynamic. You should keep reviewing and updating it as you learn and grow. As your motivations, ambitions and priorities change, so will your path.

New technologies will develop, new courses will be built, and the demands of your role will influence what you need to know next. Throughout this, remember your North Star.

Below is a high level template you can use as inspiration. Your milestones can be roles, locations, salaries, organisations, whatever. And the idea is that you detail the steps you need to take to reach each milestone.

You can add more detail and milestones over time. It’s perfectly normal to have extremely detailed milestones early in your roadmap, and vague, high level milestones in later stages as you won’t have a complete picture yet.

Repeat

Repeat this process time and time again. Roadmaps can be big or small. You can create hyper-granular roadmaps for learning, or you can create a grand, high level vision roadmap for your career.

Use this loose flow to give yourself some direction, or to get yourself back on track. Try to stay on course and keep moving forward. Don’t be that boat rowing in circles, constantly changing direction. And most importantly, enjoy the journey.

That’s a wrap!