Working in Cybersecurity, Steps to consider for Developing your Cyber Career Plan (Part 4 of 4)
Gary Hayslip
CISO @ SoftBank Investment Advisers | Board Director | Investor | Author | Hacker | Veteran | Servant Leader | Father
I originally envisioned writing a series of pieces detailing some of the steps people would take if they were interested in a cybersecurity career. My goal was to develop a resource that would not only be used by people seeking entry-level positions but could also be used by seasoned professionals who needed to update their resume, search for a new job, or prepare for an interview. For those of you who may have missed the previous articles, they are as follows:
1. Writing a Cybersecurity Resume
2. Conducting a Cybersecurity Job Search
3. Preparing for Your Cybersecurity Job Interview
The final chapter in this series is focused not on getting a job but building a career. It is my hope as you read these paragraphs, you have been selected for the job you interviewed for, and it's time for you to develop your career roadmap. I have spoken on numerous occasions about how I stumbled into my career in cybersecurity. Every time I am asked to describe my process, I want to laugh; it's not like I just took a class on how to have a career in cybersecurity. It has been a lot of hard work, with many mistakes, and the path I have followed has had several turns. This leads to the purpose of our discussion: each person and the career course they follow will be different, and hopefully, through this article, I can provide some insight to assist you in making your path less eventful.
1. Evaluate yourself – Developing a career plan is, in some ways, trying to forecast the future because it is planning where you want to go and the steps you think you need to take to get there. Before you start this process, I would recommend you spend some time with yourself and with people who know you to collect information. Now, this information may not be positive and what I mean by that is you may come to the realization you are impatient, or you don't like to be around large groups of people. I bring this up because you should know your limitations; you should know those things you enjoy and those that drive you to distraction. Having this knowledge of self will help you in selecting which roles to apply for, projects to lead, or skills you need to improve in to grow both personally and professionally.
2. Conduct a skills assessment – Now that you have completed a self-assessment and you understand both the limitations and advantages you bring to building a career, it's time to look at your skills. There are two types of skillsets that you should review, and these are soft-skills and technical (hard) skills. The technical skills you have will be based on your current education and experience. It is good to document your hard skills and current level of knowledge because this will again help you identify areas for improvement – hopefully, you are sensing a trend. Now for soft-skills, I am sure you are asking yourself why I recommend you audit those as well. The reason is for many job interviews after you get past the first meeting with the hiring manager, you will have multiple meetings with team members and stakeholders, and honestly, the discussions will come down to whether you are a "fit" for the team. Being a "fit" for a role relies heavily on your soft-skills, such as: are you a good communicator, do you work well in groups, or do you collaborate well with stakeholders? There are numerous soft-skills, and the more senior you get in your career, the more critical they become. So I recommend you audit both your hard and soft-skills to establish your career baseline and as you progress, manage both of them. Having this established portfolio will help you answer questions such as what soft-skills do I lack for that new role? What technical skills do my mentors or industry recommend I develop if I want to work for this company? Don't forget, once you start this process, it is continuous, and you should periodically review it to make sure you have the skills needed for your current career plan and be working on what you think you may need for future goals.
3. Understand the career roles available to you – The cybersecurity career field is broad and continuously changing. When I speak with people looking at entering the cybersecurity field, I state that the job they start with will probably change and be something different five years from now, and this instability is typical in cybersecurity. So to account for this uncertainty, it pays to understand the different types of jobs available in cyber. One resource I would highly recommend is The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (NICE Framework). This framework groups cybersecurity into high-level functions and documents a large number of specialty areas within cybersecurity. Finally, this framework makes an effort to provide a detailed description of work roles by describing the knowledge, skills, and abilities required to perform tasks within that specific role. I recommend this resource because it helps you see there are so many exciting areas you can start your career in cybersecurity. It provides you insight into the skills and experience required for specific roles. Another resource available to help you build your career plan is Cyber Seek. Cyber Seek provides an interactive map that you can use to see how jobs in cybersecurity are interconnected and can provide a list of job titles, certifications, and skills required for a specific role. Both resources can be used together to help you build a detailed career map of where you want to go professionally and help you develop a list of skills, experience, education, and certifications you need to acquire.
4. Understand the dark side of this career field – Now it's time to focus on the reality of working in cybersecurity. Working in this field is not how Hollywood portrays it, as glamorous and with all hackers wearing hoodies. This field is a lot of hard work and stress. Working in cybersecurity is not like regular jobs because you will be on call and must be available at all hours, day or night, if needed. You will find that, working in cybersecurity, there is never an end to the projects, issues, or incidents you are working on because cybersecurity is continuous and doesn't stop. Also, you may have heard there is a massive labor shortage in this field, which means you will typically be working in short-handed teams. Many factors cause this shortage. Some of them are the dynamic push-pull of emerging technologies and evolving new threats. Couple that innovation-threat cycle with continuous attacks by criminal syndicates on businesses and corporations, driving the need for new technologies and services to compete, and you have an environment ripe for cybersecurity and the stress it brings to all in the community. If you plan to stay long-term in the cybersecurity field, you should plan early on how you will manage this stress; you should develop a self-care strategy. What I mean by self-care is you should start early in your career planning and find things outside of cybersecurity to give you balance and purpose. This career field will take all of your time and energy if you let it. It would be best if you put processes in place to manage your stress, so you are here with us for the long term. Please take this seriously; I have seen stress destroy friends and cut careers short, so if you need help, ask for it.
5. Get involved in the community – Part of your career plan should also involve how you will give back to the cybersecurity community. If you are in this field for the long term, then let's make it enjoyable by getting you involved. In doing this, you will be able to expand and build a network of peers and friends. You will find this community is continuously changing, and many of us are pushing for more diversity as it makes us stronger. So I recommend you include in your plan joining some professional organizations like ISSA or ISACA, maybe volunteer to help at events like BSides or DefCon. What is crucial here is for you to develop a lasting and fulfilling career in cybersecurity; you need to participate in the community, and to be honest, we need you.
6. Continuous education – As mentioned previously, the constant changes in technology and threats drive the cybersecurity industry. This drive also will impact you and your career because cybersecurity is not a field where you will know everything. In fact, it is a field that requires you to be vigilant, and if you want to be successful, you will need to educate yourself continuously. This education may take the form of reading and writing articles, researching emerging threats or new technologies, or more formal education such as completing courses or new professional certifications. I bring this up so you can add it to your career plan. Over my long career in Information Technology and Cybersecurity, I added a continuous education component in my career plan about every 18-24 months. So between doing courses or certifications at these career marks, I would factor in the daily reading of tech articles, blogs, podcasts, and the occasional book. Doing this will help you not only stay educated on your chosen career field but will also help you build trust with your organization's managers and leadership team. You will find the more you know, the more you don't know <smile>, and that is normal. What is critical to remember is don't be afraid of that, reach out to your network to ask for assistance, do research, and be willing to accept help from peers and team members. You will always be learning something new working in cybersecurity, so incorporate it into your career plan, and please share what you experience so others may grow as well.
7. Seek a Mentor – As you begin your career, you may not have any mentors, which isn't a bad thing. However, it will be something you will want to incorporate in your career plan as you grow professionally. Over my long career, I have had both technical (Cyber & IT) and non-technical mentors. Having mentors who were senior in my career field helped me dodge some of the potholes that would have stunted my career path. Also, having mentors outside of cybersecurity helped provide professional clarity on issues such as how businesses are run, how to work with non-technical teams and soft-skills that I needed to focus on if I wanted to be successful. The important lesson I want you to take away from this is having both types of mentors will provide you balance. Of course, the fun part is where do you find them? To answer this question, it's all about getting involved in the community because mentors will not come to you. So, look for them at work, look for them at church or school, look for them in professional organizations, and one last note, talk with your peers who are being mentored and learn how they did it. Don't forget, as you find mentors throughout your career, give back and mentor those coming behind you – it's essential to leave our community better than when you joined it.
8. Map your career growth – Mindmaps, post-it notes, index cards, or spreadsheets: whatever tool you want to use doesn't matter. What is important is that you document your plan so you have a visual cue that you can continuously refer to for your professional growth. My career plan is a mindmap with many child boxes where I annotate research and ideas of subjects I may want to learn or technologies I find of interest. What's important is you use the tools mentioned above (NICE Framework or Cyber Seek) to help create your career timeline and document your current role and any future jobs you may want to target. With this filled out, you then add existing skillsets and new ones you will need and any certifications that may be required. Once this initial career plan is completed, it may look like a tree with different branches for you to follow, depending on the opportunities or challenges you face. Just remember, this plan is designed to be flexible because even with all of your hard work, there will be times you make mistakes. This uncertainty is why I recommend you periodically assess where you are on your career path and continually educate yourself, so if you need to pivot and change direction, you are prepared.
9. Understand business sector challenges – Different business sectors have regulations, laws, compliance requirements, and technology challenges. The longer you are in cybersecurity, you may have the opportunity to work in several of these sectors and will find there are similarities and stark differences. I bring this topic up for you to think about the opportunities and challenges of specific industries and add these insights into your long term career plan. Some industries have heavy regulatory burdens, so quick changes may not happen in those industries. In one of those industries, if you are working in cybersecurity, you can expect initiatives will take longer to resource and complete, and there may be limited career growth. Other industries may be fast-moving, with changes coming daily, and you feel like you are continuously fighting fires. However, these fast-moving industries provide resources, you think your career is moving forward, and you also have the stress to go with your success. You can learn about the challenges and opportunities associated with these different business sectors by getting involved in the cyber community and speaking with your peers. You will find many of us are facing challenges unique to our companies. Through speaking with peers, you can collect information on the business sectors that are right for your long-term career goals and identify those that you may wish to avoid.
10. Collaborate, Be Flexible – Finally, as we finish discussing steps to take in building your career plan, I want to stress a significant point: you will, over time, make mistakes and need help. Sometimes these mistakes are your fault; sometimes, you are a bystander in the process and just become part of the fallout as the business decides it needs to make a change. Whatever the case, you are ok because you have your career plan and a network to assist you in searching for your next job. What I want you to understand with this final point is your career plan should be flexible; you should have several types of roles and industries to target for your next job. It would help if you also were willing to speak with peers and mentors for ideas on what you could improve. Each time in my career, when I looked for a new job, I have always approached the process as a collaborative effort. I would highly recommend you do the same, make it a community effort and be willing to not only accept help but give it to those in need as well.
Each of us walks our own road during our professional careers, sometimes this road is smooth and straight, but many times it's full of accidents and traffic jams. What is vital to remember for all of us is we are members of a community, and even with the best career plan, it helps to have friends and peers to speak to and mentors to hold us accountable. I hope this final article provides some value and will assist you in building a long and prosperous career in cybersecurity.
I look forward to hearing community feedback and if there are any extra steps I should have included. In closing, blessings to all of you and your families, and may you all be healthy and safe.
***In addition to having the privilege of serving as a Chief Information Security Officer, I am a co-author with my partners Bill Bonney and Matt Stamper on the CISO Desk Reference Guide Volumes 1 & 2 and the author of a new book, The Essential Guide to Cybersecurity for SMBs. For those of you that have asked, all three are available in print and e-book on Amazon. To see more of what books are next in our series, please visit the CISO Desk Reference website.
Great roadmap for newbies as well as mid-level pros who intend to make #cybersecurity their lifelong career.