
The Path To Success: Career Paths In Information Security
I remember during my senior year of college the struggle and confusion surrounding where to start my career. Luckily, I had a very helpful professor who gave me an overview of the different paths a security professional can take. As I started my career, it became apparent that it wasn’t as simple as he explained. Don’t let that terrify you, it’s actually a great part of the cyber security profession because it allows us to change paths and experience a new environment.
I did my best to create a chart that shows the path for each section of the information security profession. Keep in mind, every organization is structured differently and some job titles may be interchangeable (for example, security engineer and information security analyst can refer to the same job). The left side shows the possible path at each level of experience and the right side shows executive-level positions. These positions can generally be filled by a qualified professional from any area of information security, although the job title will specify what area they're dedicated to (Director of Compliance or Vice President – Application Protection).
Compliance/Risk Management
Compliance and risk management are usually grouped together in one team since they are closely related. This team is tasked with developing, implementing, and managing requirements and programs related to compliance, security, and risk/fraud management. They monitor changes in regulations and business practices in their industry, as well as analyze trends and changes in regulatory compliance laws. This path usually leads to a career as an Information Security Officer.
Auditing
Auditing is also closely related to compliance and risk management. This position requires knowledge of information security as well as the related industry. The main purpose of the team is to schedule and facilitate risk-based security audits. An audit is a review of an organization's operations, such as security monitoring, policies and standards, system security, and threat and vulnerability management. Knowledge of regulatory standards is necessary (PCI-DSS, Sarbanes-Oxley, etc.).
Vulnerability Assessment
That big orange block in the chart can be categorized as vulnerability assessment. Although each of the four divisions has unique roles and responsibilities, the career path is relatively similar. A vulnerability assessment includes penetration testing and providing remediation guidance. It is also the team's responsibility to maintain the related organization's standards, as well as keeping up to date on any relevant regulations. Forensics and malware analysis are a bit different. These teams are more focused on research and development, assisting in any investigations or security incident responses. These paths usually lead to a role as a director or a security architect.
Identity/Access Management
These roles involve facilitating the design of solutions that have the potential of affecting company-wide systems in the areas of password management, user provisioning, and system integration for authentication and authorization purposes. More experienced roles have the responsibility of designing and implementing identity and security software. Most importantly, these roles design processes related to managing identities and access privileges. This path often leads to a role as a security architect.
Consulting
Consulting work is a different environment from the corporate world. Consulting firms such as Gotham Digital Science or IT Immunity are hired to send their consultants and ethical hackers to evaluate the security of an organization. The scope of these assessments varies widely, depending on what the organization needs to evaluate, and increases as you become more experienced. One assessment may only require a white-box application vulnerability assessment, while another may be pure black-box testing of an entire corporation. I've had the pleasure of speaking to some very experienced consultants and they absolutely love it. It does require knowledge of a wide array of tools and testing techniques, everything from SQL injection to social engineering. The Certified Ethical Hacker (CEH) certification is an absolute must to advance in the field.
Where To Start
There are a lot of options. Talking to an information security professional about their experience helps a lot. My expertise is in web application security and it took me until my last week of college to decide where I wanted to start, but you always have the option of hopping from path to path because much of the knowledge required for one position can be used in another.
Here are a few other ideas to help you get started in your cyber security career:
- Make a Twitter account dedicated to information security. Follow a bunch of security professionals and participate in any discussions you see. You can find mine at @TheLaytonCipher.
- Start a blog (hence, the blog you're reading right now). Do your own research and make posts about it.
- Study and attempt an entry-level certification. Security+ is a good one, and GIAC has a couple as well.
- Follow cyber security news and see what articles you find interesting. I have a couple of apps on my phone that update me every day.
- Attend your local OWASP meeting; it's a great place to meet security professionals (and eat free food).
- Find an information security related project you could do. My senior project was a working username/password login that used keystroke dynamics as multi-factor authentication.
- Contract work is a good first job. Contracts can be anywhere from 3 months to a year (possibly longer), and they often offer a full-time position at the end of it. This also allows you to try multiple roles without having to commit.
Most importantly, don't worry. Information security is a steadily growing field, and new jobs are being created every day (yay cloud security). It's only a matter of time before the right job comes along.
Thanks for reading and good luck!