How to find your niche in cybersecurity
“There is no right path for a career in security. Even in companies large enough to have defined role-based career ladders, a security professional can move up, down, down and up in remarkable ways,” wrote Helen Patton in her book, Navigating the Cybersecurity Career Path.
However, the lack of structure can make it difficult for professionals to find their place on the ladder.
“I’m advocating for an extend and expand model,” Patton told SearchSecurity. This approach, she explained, involves finding a path into cybersecurity — even if the role isn’t what you want to be in forever. Then, once in the industry, it will be easier to find a job that matches your interests.
In her book, Patton discussed this approach and guided readers through the three main stages of a cybersecurity career: Arrive in Security, Thrive in Security, and Lead in Security.
Here, Patton, an advisory CISO at Cisco and senior faculty member of the Digital Directors Network, offers advice on how to find your niche in cybersecurity. Patton also discusses the benefits and challenges of a specialized versus generalized career path, and offers advice on choosing the best certifications to pursue based on your career goals.
Editor’s note: This transcript has been edited for length and clarity.
What are the most common career paths in cybersecurity?
Helen Patton: The first path is through formal education. Community colleges in the United States often offer cybersecurity programs, not just computer science programs. Four-year colleges are starting to do this, although they haven’t been as quick to adopt cybersecurity programs as community colleges.
High school students lucky enough to attend a school with a computer science program — only half of U.S. high schools offer a computer science course, according to Code.org — will have a more formal development from high school to community college or a four-year college.
Students can also do internships so they come out with a degree and work experience. This tends to prepare people well for an entry-level cybersecurity career.
The second path is for people like me who grew up in a time when there were no formal cybersecurity programs. Or they didn’t take advantage of them if they were available. Now they are in a career and want to explore something in cybersecurity. Either they make the choice to go back to school, or they find a way to move laterally into cybersecurity, but they might have to take a pay cut to do so.
There are plenty of complementary jobs whose skills transfer well into cybersecurity: roles such as program management, business analysis, software engineering, help desk and administrator roles.
Do you recommend a specialized or generalized career path?
Patton: There are two parts to that question. The first is, what does the individual prefer? And the other is, what does the business need?
As an individual, I was much more interested in having lots of experiences in different areas, because that’s how my brain works. I have worked with people, however, who have played a specific role for 30 years.
For business purposes, large companies tend to encourage employees to specialize, as they are too large for one person to manage security across the entire organization. Small businesses, on the other hand, may only have two or three people on their security team who need to get everything done.
It’s really about what the company needs, what the employee wants to do, and then finding a good fit.
What are the pros and cons of becoming a cybersecurity professional?
Patton: One positive is that you can spend time learning your specialization. It can help set boundaries around what you want to do, which is mentally helpful. One of the challenges of being a generalist is that there is so much to learn – setting boundaries in terms of learning can be difficult.
A challenge of being a specialist is choosing a specialization that will exist in the future. Many technologies have come and gone; you may need to pivot in the future. We also tend to see people specializing in junior and mid-level positions. As you get older, you will need to broaden your vision.
What tips do you have for finding your niche in cybersecurity?
Patton: Think about your strengths and what brings you energy, then find a security role that works for you. This might be where you want to go deep, but you might get there and be like, “You know what? Now that I’m there, it’s less appealing.”
Take a leap of faith and find a way into the industry. Once you’re there, it’s relatively easy to network or develop a training plan that will help you in your career. For example, if you start out as a help desk technician, you can get a security role in endpoint security engineering. That’s all well and good, but then you might decide to become an ethical hacker. It is easier to go from an endpoint engineer to an ethical hacker than from an IT help desk administrator to an ethical hacker.
Once you do a job that interests you, decide if you want to specialize in the field or if you want to stay more generalist.
What advice do you have for entry-level cybersecurity professionals looking to take their career to the next level?
Patton: The security community is a welcoming and helpful group of people — so take advantage of that. I am a big advocate of networking. If you’ve been in a security role for two or three years — or even if you’ve been in a non-security role for several years and are looking to grow your career in security — your first step should be to find people who work in security. This can be online, following people who are in security positions you want, or attending local meetups or security conferences.
We still hire a lot based on referrals, so getting to know people is key to differentiating yourself as a candidate for the next role. Networks can also be a support group when things get tough in your job. A network is a learning resource. It’s a mental health resource. It is a support resource.
Do you suggest pursuing a generalized or specialized certification?
Patton: Certifications are better if you’re new to the industry in terms of opening doors. However, to get certified, you usually need some experience. From an entry-level perspective, I suggest people pursue a generalist certification. There’s a reason CISSP is one of the industry’s leading certifications. It’s a generalist certification that opens a lot of doors for people.
There comes a point in a career, however, when having a certification means less. I dropped some of my certifications. I can still put on my resume that I had the certification, just that it’s now expired.
Cybersecurity certifications can be helpful if you’re trying to learn a new skill. Say you want to be an ethical hacker. By pursuing a hacking certification, you will learn more about being a hacker. It can be a useful self-directed learning approach, but I’m not sure how useful these specific certifications are for getting you a job in these fields – the jury is still out.
Certifications have become a signal that there is an area of security that you care enough about to get certified. But they don’t signal that you are qualified to work in that space.
About the Author
Helen Patton is a CISO Advisor at Cisco, where she shares security policies with the security community. Previously, she spent eight years as a CISO at Ohio State University, where she received the ISE North American Academic/Public Sector Executive of the Year 2018 award. Prior to joining Ohio State, she spent 10 years in the area of risk and resilience at JPMorgan Chase. She serves on the CyberOhio State of Ohio Advisory Council, the U.S. Manufacturing and Digital Cybersecurity Advisory Council, and the Electrical and Computer Engineering Industry Advisory Council at Ohio State University. Patton is also a faculty member of the Digital Directors Network and the Educause Leadership Institute.