The more people shop, work, and share data online, the greater the need for cybersecurity professionals to keep their information and identity safe. The global cybersecurity market is expected to grow at a rate of 12% per year from 2022-2030. For job seekers, that growth means long-term job security with the potential for fast career advancement.
The first step to starting a career in cybersecurity is identifying which aspect of the industry you’re best suited for. Some people focus on building security systems, while others maintain and test those systems, or respond to and investigate incidents after they’ve occurred. Comparing your skills and workplace preferences against the typical responsibilities and environment for each of these distinct roles is the best way to identify which cybersecurity career you’ll thrive in.
How to Get Started in the Cybersecurity Industry
When you first look for roles in cybersecurity, it can feel like you’re stuck in a catch-22. Even jobs listed as entry-level often require two or more years of experience. The good news is, that experience often doesn’t need to be directly related to security. Many cybersecurity professionals start off working in information technology, data management, or other roles related to business computer systems and networks.
Once you have a couple of years of experience, you can start to look for positions directly related to cybersecurity. Most people start off in a general security role, such as a junior security analyst. This will normally involve working as part of a team that monitors networks, helps with troubleshooting, and assists in investigating and documenting breaches or issues.
Beyond the entry level is where the career paths diverge. Some choose to go into a specialty like ethical hacking or cryptography. For those with leadership skills, management positions overseeing teams of analysts can potentially lead to c-level and other executive roles. The right certifications and roles to prepare you for career advancement will depend in which specific direction you want to focus your career.
Types of Cybersecurity Careers
One of the benefits of a career in cybersecurity is that there are a wide variety of roles to choose from in this field. Some professionals focus on developing, implementing, and managing security systems, either for a SaaS company that provides third-party security software or within an organization developing proprietary, customized solutions. Others find and fix vulnerabilities where a hacker could gain access to a network, or take charge of incident response after a cybercrime has occurred to identify the perpetrator and prevent future attacks.
Each of these distinct job titles within the cybersecurity industry requires a specific combination of skills and knowledge, and their typical schedule, work environment, and responsibilities vary just as widely. Here are some of the most common cybersecurity career paths, what companies look for when hiring into the role, and what you can expect if you’re hired into the position.
Security Engineer
These are the professionals most think about when they picture information security careers. A cybersecurity engineer identifies potential threats then uses that knowledge to improve the company’s systems and procedures and better protect against hacking and other security breaches. Specific responsibilities often include planning, implementing, and monitoring the organization’s security infrastructure, providing troubleshooting and IT support, and testing the system to pinpoint its cybersecurity vulnerabilities.
Key Skills, Experience, and Credentials
The most crucial hard skill for a security engineer is an in-depth understanding of common computer and network security measures like firewalls, VPN, and data loss prevention. Proficiency in a programming language like Python, Java, or C++ is also often a requirement, as is knowledge of database platforms and experience with advanced threats such as social engineering, phishing, and network access controllers (NAC).
Most companies ask for 3-5 years of experience at minimum in a cybersecurity role, in addition to a Bachelor’s degree. An increasing percentage of companies look for someone with an advanced degree, and may waive the experience requirement for candidates with a Master’s or higher. Additional certificates like Certified Information Systems Security Professional (CISSP) or GIAC certifications can also be a plus.
Salary and Work Environment
Since security engineers generally work directly for organizations, the typical work environment can vary widely, with both remote and in-person roles available. Many engineers work a 9-5 schedule unless a breach happens outside normal business hours, in which case they’ll be called in to respond.
The starting base salary for a typical security engineering position is around $85,000-$90,000 a year. That pay rises quickly once you gain experience, though, to an average of around $120,000 for mid-career professionals. You can also go into more specialized areas like application security, where experienced professionals can make upwards of $200,000 a year.
Security Architect
Security architecture is the collection of technologies, tools, and methods that businesses use to protect their data and networks. An architect could be called in to build these IT security solutions, or to gauge the vulnerability of existing security policy and make improvements in compliance with the needs of the business. Security Architect is also often a leadership position, overseeing the team of information security analysts and specialists who monitor and maintain these structures.
Key Skills, Experience, and Credentials
Since they’re often called upon to create new policies and systems, security architects need to be industry experts with similar skills to a software developer. This includes knowledge of programming languages, coding, and networking best practices. They also need soft skills like communication, leadership, and collaboration to effectively work with colleagues and clients.
Experience with software development can be a big plus for a security architect. Employers usually look for a minimum of 5-10 years in the security industry as well as 3-5 years in a leadership role. A Bachelor’s degree in cybersecurity or computer science is a typical requirement, though a Master’s degree may be preferred. The (ISC)2 also offers certifications specific to architects, such as Information Systems Security Architecture Professional (ISSAP).
Salary and Work Environment
A variety of businesses hire security architects, from corporate offices to government agencies and everything in between. They often work in a high-pressure environment, and while their typical schedule falls during regular business hours, they may be on-call for security emergencies 24/7. The average starting salary is around $120,000-$125,000 a year and there is ample room for advancement, with Senior Security Architects earning an average annual salary of $190,000.
Systems Administrator
Also referred to as a network administrator or network engineer, this is a cybersecurity professional who ensures the computer systems in an organization are protected and functioning the way they should. Typical responsibilities include implementation, upgrades, and configuration of new software and hardware, managing permissions and accounts, testing the system to identify cybersecurity issues, and monitoring the network to ensure it’s performing according to the business standards.
Key Skills, Experience, and Credentials
An in-depth knowledge of operating systems, networks, computer hardware, and cloud computing is one must-have for these job roles. Interpersonal skills are also useful since administrators often provide troubleshooting support, which may mean explaining technical concepts in more accessible language.
Along with a Bachelor’s degree in cybersecurity, computer science, or related fields, systems administrators often hold one of several cybersecurity certifications. The most common include CompTIA Security+, Network+, or A+ certificates, as well as operating system specific training like Red Hat System Administrator or Windows Server Administration Fundamentals certification.
Salary and Work Environment
While system administrators may help in the case of an attack, many organizations have other employees who take responsibility for incidents. As a rule, Network Administrators have a more consistent and lower-stress job than incident responders, often tasked with open-ended work or projects with fairly long deadlines.
Salaries in this role vary widely depending on the type of organization and scope of the role. On the low end, they typically make around $55,000-$60,000 per year. That increases to an average of $76,000 a year for administrators with a few years of experience, while the best-paid 25% of professionals have an average annual salary of $107,000.
IT Auditor
The main responsibility of an IT Auditor is right there in the name: they audit the technologies used by a company, conduct risk assessment, then present their findings to internal and external stakeholders to point out areas for improvement. This could be a one-time audit for a client or an ongoing role that regularly assesses the network, data, and computer security across an organization.
Key Skills, Experience, and Credentials
Risk analysis is a key skill for IT Auditors. They also need to be familiar with software applications and data analysis tools commonly used in their field and have an in-depth knowledge of cybersecurity control frameworks. Along with these abilities, most employers look for candidates with two or more years in related positions, such as experience as a security analyst who assisted with audits.
A Bachelor’s degree in computer science, management information systems, or similar fields is the typical education for this role. Preferred qualifications often include certifications such as Certified Information Systems Auditor (CISA) or Certified Information Security Manager (CISM).
Salary and Work Environment
There is a lot of variety in the typical work environment of IT Auditors. Large organizations may have people in this role full-time, while others will bring in auditors as a cybersecurity specialist consultant to review and refine their security policies, often in the aftermath of data breaches or other issues.
The number of different companies that hire these professionals gives the role an equally wide salary range. On the low end, new auditors may earn a starting pay of $55,000-$65,000 a year, though the average across the US is $72,000 and annual salaries for senior auditors are often in the 6-figure range.
Penetration Tester
Penetration testing involves using the same tricks and tools as hackers but on the behalf of organizations. They take a more proactive approach to mitigating security risks, carrying out benevolent attacks on systems and networks to find gaps a real threat might exploit. Ethical hacker is a similar role that’s sometimes used interchangeably in job titles, though ethical hackers often use a wider variety of methods and may also do things like reverse engineering malware and viruses.
Key Skills, Experience, and Credentials
Performing an effective penetration test requires a mix of hard and soft skills. Up-to-date knowledge of network security protocols, remote access technologies, and the common coding languages and operating systems is a must. You also need strong creative problem solving abilities and technical writing skills to document and report on tests.
Not all penetration tester jobs require a degree, though a Bachelor’s in a field like computer science or IT can be an advantage. Hiring managers also look for certifications like Certified Ethical Hacker (CEH), Certified Penetration Tester (CPT), CompTIA PenTest+, or GIAC Penetration Tester (GPEN).
Salary and Work Environment
Larger corporations may have in-house penetration testers, but it’s also common for them to work for security consultant firms or as freelance consultants, so there are lots of workplace and culture options for professionals in this line of work. They also tend to have more agency over their schedule than people who respond to threats, good news for those mindful of their work-life balance. Salaries typically start around $60,000-$65,000 per year at the entry level, and the average penetration tester salary across the United States is $119,000 per year.
Digital Forensics
While many of the above roles aim to prevent cyber crimes, digital forensics comes into play after an attack or breach. Also called cyber forensics or computer forensics, these are the people who collect evidence to identify, track, locate, and prosecute cybercriminals. They often work closely with law enforcement, or may even be employed by police forces and detective agencies. Along with investigating cyber attacks, they may undertake other investigative work involving computers, like recovering deleted data or gathering clues from encrypted drives or devices.
Key Skills, Experience, and Credentials
While some digital forensics professionals have a background in tech, it’s just as common to have a Bachelor’s degree in criminal justice or a similar law enforcement field. Skills from both the law enforcement and technology worlds are needed for this role, including an in-depth understanding of hardware, software, and networks, as well as things like evidence integrity and digital privacy laws. Both of these areas are covered in certifications like Global Information Assurance Certification (GIAC) and Certified Forensic Computer Examiner (CFCE).
Salary and Work Environment
There are digital forensics roles in both the private and public sectors. They may work for police forces, law firms, corporations, or as a private forensic investigator, just to name a few options. Regardless of the setting, their work is often fairly independent and data-focused, and while time may be of the essence they aren’t expected to be on-call 24/7 like incident responders.
The median salary for a computer forensics examiner in the United States is $89,000 a year. On the low end, you can expect to make around $60,000-$65,000 a year when you’re first starting out. There is a very high salary potential once you’re established, though, especially for those who specialize in private sector industries like law or finance.
Choosing Your Ideal Career Path
These are certainly not all of the options available in the cybersecurity industry, nor are they mutually exclusive. Many of the roles above share similar skill sets and work environments, and professionals in the field may work in a variety of areas over the course of their career. Now that you have an overview of the most common career paths, it’s up to you to decide which one is best aligned to your life and goals.