When it comes to information security career paths there are so many directions you can go it can make your head spin. This is a good thing though because that also means there are so many options to find your dream job. Did you know that the Information Security field is both one of the fastest growing industries and also the highest paid? Not to mention one of the most fun if I must say so myself!
Most of what you read when you start searching for various paths you can take in information security will not be a path but will simply be a random list of the many different jobs you can go after and give a description of those. Instead here we will take a different look at it based real world experience rather than something written by someone not in the industry.
So, to start we should first think about this by looking at the industry as a pie that is cut in half. On one side of the pie you have those people who aren’t very technical or are technical but prefer the more Governance and Management side of Information Security. This is the first half.
On the second half of the pie you likely have those people who are very technical, are more hands on with the day to day tasks and deal less with the Managerial and Governance duties like say creating and maintaining policies.
This isn’t to say that there aren’t people that end up on both sides at the same time or that you have to choose but this is to simply say this is probably the easiest way to grasp the roles.
In each of these two categories we could keep breaking this out into the various roles and that list would be endless because there are so many different types of positions within the Information Security world. We thought it important to point out these two main paths at the very top because it is important to understand when mapping out your career and where you are trying to go so you know what steps you need to take to get there.
If you are a very big people person you might want to consider going the Governance route as you are guaranteed to be around people and there is a huge need to use your communication skills to help further the security of your organization. If you are someone who can’t stand talking for long periods of time and hate going to meetings then the technical path may be better for you.
Again, all this is not to say that you won’t have to communicate if you go the technical route because you absolutely will as you will need those skills in almost any job. It is just that the amount could be very different depending on the path.
So now that we have the two main paths out of the way let’s take a look at two scenarios within each area to get an idea on what type of positions we might be able to look forward to.
Scenario 1 (Red Team Manager):
Again, the lists are endless but let’s say your ultimate goal is to take the more technical path to becoming a red team manager 10 years from now where you are leading a team of penetration testers to test various organizations for fun. Well, to get there you may want to start by getting an entry level Network Security Engineer position where you are maintaining the network and security infrastructure on a daily basis. This might help you get those basic skills so that when you get your first interview as a novice pentester you actually know those basic technical questions you are guaranteed to be asked. From there you can spend several years honing your skills to get you into the position where you are now managing a team of pentesters rather than just conducting one at a time yourself.
Scenario 2 (Bank Executive):
This is a very different path than the first scenario where maybe your ultimate goal is to be an executive at a bank. These are totally different skills than what is needed in scenario #1. For this, communication skills are huge as you will be managing many people but you still need to know information security concepts. For this path you might want to start off as an entry level auditor where you gain both information security skills but also have a ton of interactions with those you are auditing and gain soft skills that allow you to better navigate an organizations politics and be able to get there. From there you can spend several years in a Risk Management role or something similar where you work your way up managing more and more people where you ultimately end up managing a small organization within a large bank.
Scenario 3 (Unsure Path):
You may be completely unsure on what path to take and sometimes until you figure out what path you want to take the best thing is to take all paths. It is better if you already know what path you would prefer to take because going this route may be longer as you don’t know exactly where you are going. In this case you try to gain as many technical and governance type skills as possible. You may take a position as a network engineer for a while and then in the next position you may decide you want to help write an organization’s policies. Again, this route isn’t the most ideal because when you go into an interview there may be questions around why you were writing policies for a while when you wanted to be a pentester or why you were helping to maintain a network as an engineer but are applying to be an Operations Risk Manager. Also, have you heard that saying a jack of all trades and master of none?
When trying to decided your information security career path it is always best to try to look out in the future and see the target you are likely to want to hit and then work backwards to see the path you need to take to get there. This is guaranteed to give you the best results.