"There is no right path for a security career. Even in companies large enough to have defined role-based career ladders, a security practitioner can move up, over, down and up again in remarkable ways," wrote Helen Patton, in her book Navigating the Cybersecurity Career Path.
The lack of structure, however, can make it difficult for professionals to find their place on the ladder.
"I advocate for a land-and-expand model," Patton told SearchSecurity. This approach, she explained, involves finding a way into cybersecurity -- even if the role isn't what you want to do forever. Then, once in the industry, it will be easier to find a job that matches your interests.
In her book, Patton discussed this approach and guided readers through the three main stages of a cybersecurity career: arriving in security, thriving in security and leading security.
Here, Patton, an advisory CISO at Cisco and a senior faculty member at Digital Directors Network, offers advice on how to find your niche in cybersecurity. Patton also discusses the benefits and challenges of a specialized versus generalized career path, and gives guidance on picking the best certifications to pursue based on your career goals.
Editor's note: This transcript has been edited for length and clarity.
What are the most common career paths in cybersecurity?
Helen Patton: The first path is through formal education. Community colleges in the U.S. often offer cybersecurity programs, not just computer science programs. Four-year colleges are starting to do this, although they haven't been as fast to adopt cybersecurity programs as community colleges.
High schoolers lucky enough to attend a school with a computer science program -- just half of U.S. high schools offer a computer science class, according to Code.org -- will have a more formal development from high school to community or four-year college.
Students can also do internships so they come out with a degree and work experience. That tends to set people up nicely for an entry-level cybersecurity career.
The second path is for people like me who grew up at a time when there weren't any formal cybersecurity programs. Or they didn't take advantage of them if they were available. Now, they're into a career and want to explore something in cybersecurity. Either they make the choice to go back to school or find a way to laterally move into cybersecurity -- but they might have to take a pay cut to do it.
There are a lot of complementary jobs whose skills transfer nicely into cybersecurity, such as program management, business analysis, software engineering, help desk and administrator roles.
Do you recommend a specialized or generalized career path?
Patton: There are two elements to this question. One is, what does the individual prefer? And the other is, what does the company need?
As an individual, I was much more interested in having a lot of experiences in different areas, because that's how my brain works. I've worked with people, however, who have done a specific role for 30 years.
For company needs, bigger companies tend to lead employees to specialize because they're too big for one person to manage security across the entire organization. Smaller companies, on the other hand, may only have two or three people on their security team who are needed to do everything.
It's really about what the company needs, what the employee wants to do and then finding a good match.
Learn how to write a cybersecurity job posting in this excerpt from Chapter 18 of Navigating the Cybersecurity Career Path by Helen Patton, published by Wiley.
What are the pros and cons of becoming a specialized cybersecurity professional?
Patton: A positive is that you can spend time learning about your specialization. This can help set boundaries around what you want to do, which is mentally helpful. One of the challenges of being a generalist is there is so much to learn about -- setting boundaries in terms of learning can be tough.
A challenge about being a specialist is picking a specialization that's going to exist in the future. Many technologies have come and gone; you may have to pivot in the future. We also tend to see people specialize in junior and midlevel positions. As you become more senior, you'll need to expand your view.
What advice do you have for finding your niche in cybersecurity?
Patton: Think about what your strengths are and what brings you energy, and then find a security role to align with that. It may be the place you want to go deep with, but you might get there and go, 'You know what? Now that I'm in it, it's less appealing.'
Take a leap of faith and find a way into the industry. Once you're in, it's relatively easy to build a network or build a training plan that's going to help your career. For example, if you start as a help desk technician, you might get a security role doing endpoint security engineering. That's all well and good, but you might then decide you want to become an ethical hacker. It's easier to jump from endpoint engineer to ethical hacker than from IT help desk admin to ethical hacker.
Once you're doing a job that interests you, decide if you want to specialize in the area or if you want to remain more generalized.
What advice do you have for entry-level cybersecurity professionals looking to take their career to the next level?
Patton: The security community is a welcoming, helpful group of people -- so use that. I'm a big advocate for networking. If you're two or three years into a security role -- or even if you're several years into a non-security role and you're looking to grow your career in security -- your first thing should be to find people who work in security. That could be online, following people who are in security roles that you want, or attending local meetups or security conferences.
We still do a lot of hiring based on referrals, so getting to know people is a key part of differentiating yourself as a candidate for the next role. Networks can also be a support group as things get more difficult in your job. A network is a learning resource. It's a mental health resource. It's a support resource.
Do you suggest pursuing a generalized or specialized certification?
Patton: Certifications are better if you're new to the industry in terms of opening doors. To get a certification, however, you usually need a certain amount of experience. From an entry-level perspective, I suggest people pursue a generalist certification. There's a reason CISSP is one of the industry's leading certifications. It's a generalist certification that opens a lot of doors for people.
There comes a point in a career, however, when having a certification means less. I've let some of my certifications lapse. I can still put on my resume that I had the certification, just that it's now expired.
Cybersecurity certifications can be useful if you're trying to learn a new skill. Say you want to be an ethical hacker. In pursuing a hacking certification you learn more about being a hacker. It can be a useful self-paced learning approach, but I don't know how useful those specific certifications are in terms of getting you a job in those areas -- the jury's still out.
Certifications have become a signal that there is an area of security that you've cared enough about to complete a certification. But they don't signal that you're qualified to work in that space.
About the author
Helen Patton is an advisory CISO at Cisco, where she shares security strategies with the security community. Previously, she spent eight years as CISO at The Ohio State University, where she was awarded the 2018 ISE North American Academic/Public Sector Executive of the Year. Before joining Ohio State, she spent 10 years in risk and resiliency at JPMorgan Chase. She serves on the State of Ohio CyberOhio Advisory Board, the Manufacturing and Digital USA Cybersecurity Advisory Board and the Ohio State University College of Electrical and Computer Engineering Industry Advisory Board. Patton is also a faculty member for the Digital Directors Network and for the Educause Leadership Institute.