Choosing Your Cybersecurity Path

Alex Holden
Author: ISACA Now
Date Published: 2 October 2024
Read Time: 6 minutes

Staying ahead in the cybersecurity industry requires more than just technical skills. But how do you know where to start? ISACA member and cybersecurity expert Alex Holden recently delved into areas aspiring cybersecurity practitioners should consider when choosing a career in cybersecurity. Below we’ve compiled some of the key takeaways shared by Holden in a recent webinar.

Plenty of Pathways

Historically, the most common jobs in cybersecurity were firewall manager or antivirus manager roles. Today there are so many different components of cybersecurity, leading to many avenues individuals can take for a cybersecurity career, including professions in Governance Risk and Compliance (GRC), application security, provisioning, monitoring, blue team, red team and threat intelligence.

“Cybersecurity is a huge discipline, so finding what you are good at, and being the best at what you do, is critical,” says Holden.

There are several potential paths, as Holden explained. GRC roles are like an overseeing eye over systems and the direction of the company, ensuring compliance with regulations and laws, measurement of risk, and more. Application security professionals focus on building more secure, robust applications. Provisioning roles build secure setups, including desktop, account access, decommissioning, and more. Monitoring can involve reporting breaches or finding opportunities to improve through threat hunting. Blue team individuals focus on improving cybersecurity defenses, usually experienced cyber professionals. On the other hand, red team individuals have a good understanding of how things work and are often a former blue team member who will test the company’s cybersecurity. Threat intelligence professionals have the goal of preventing breaches before they occur and being prepared to defend against attacks.

Find an Organization that Values Cybersecurity Culture

In addition to choosing their best path, practitioners also need to be mindful of how their organization will set them up for success. Holden discussed the value of an organization’s cybersecurity culture.

“Cybersecurity careers can be made or broken by the corporate culture,” says Holden. “The culture you may be in can give you a lot of flexibility and opportunity, or it may not be giving you enough satisfaction and your growth is being stifled.”

One of the keys to improving an organization’s culture around cybersecurity is to identify a cybersecurity champion. In Holden’s opinion, this should not be someone on the ground level or a middle manager, but should instead be someone in the boardroom, whether it’s the CEO or a C-level executive. The cybersecurity champion will be critical in building a healthy culture of cybersecurity awareness.

Holden also recommends bug bounty programs as an important way to build cybersecurity awareness and have a culture of continuous improvement.

“Internal bug bounty programs should be present in every company,” said Holden. “Within the corporate environment, there must be an easy, blame-free opportunity to improve your own cybersecurity culture. Finding areas of improvement, whether critical or minor, should be rewarded rather than punished.”

Be an Eager Learner

Cybersecurity is an ever-evolving industry, so staying on top of trends is vital. “I consider myself a lifelong student. I’m constantly learning new things,” said Holden. “Even if you’re further in your career, you still want to improve your knowledge, and you need to have curiosity.”

Holden recommends finding others with more experience who can become a mentor to you. “In my career, I have a number of people I can thank for putting me on the right path and who gave me the opportunity to learn from their wisdom. I also try to be a mentor to others to encourage them not to make the mistakes I made, and to bypass speedbumps in their career to help jumpstart them.”

Learning from others across the industry and understanding how people succeed in positions like yours is helpful. Are they facing the same challenges? A great place to start is by attending conferences, webinars, or networking events.

“When I was starting my career, I always found myself waiting for the speaker after a presentation and asking them additional questions,” said Holden. “Conferences give me an opportunity to find fellow cybersecurity professionals. I want to be immersed in the world.”

Steer Clear of Monotony

The cybersecurity profession can come with a lot of pressure, and it’s easy to get overwhelmed. It’s important to take steps to prevent burnout.

One thing that might help is intentionally creating a daily routine that you enjoy. A daily routine that is boring can lead to making errors. “Building a daily routine is critical in balancing tasks,” says Holden. “Don’t spend too many hours on the same task, because the more time you spend on it, the more likely you’ll make a mistake. Alternate your tasks, and balance the things you enjoy doing with the things you must do.”

Additionally, competition in cybersecurity careers can be challenging. When we see someone doing a better job than us, it’s easy to feel as though they are more successful and to get competitive. “I always remind people we are on the same team and have the same goals,” said Holden. “You have to look at it from the perspective of what you’re trying to achieve. Build a team, rather than staying apart.”

Your job satisfaction will improve and you will build strong bonds in your team if you can find ways to excel and improve, rather than focusing on competing with others. “Your contribution matters, and you are adding a benefit to the overall security,” said Holden. “Find things you can contribute and measure them. For example, I found that I am great under pressure, but that’s not for everyone.”

Learn from Failure

Dealing with a big breach can be tough and make you feel that your hard work has been worthless, but it’s important to remember that cybersecurity professionals can be the best at their jobs, and threat actors will still find a way. According to ISACA’s State of Cybersecurity 2024 report, 38% of respondents are experiencing increased cybersecurity attacks, compared to 31% in 2023. “Cybersecurity is always fighting a nemesis who is improving quickly and powerfully on their offenses as we are building our defenses,” said Holden. “Cybersecurity professionals fix hundreds of issues, but threat actors only need to find one issue that you missed.” Preparing for a breach, through table-top exercises for example, is vital for making sure you’re prepared.

Keeping calm under pressure is easier said than done but focus on finding the best solution. This can involve making what Holden refers to as “good-bad decisions.” There is no magic model for recovering from a breach, and you’ll have to make tough calls on what the best possible decision is in a bad situation.

Learning how to not repeat past mistakes is critical. “You are becoming the most valuable asset for your company because you have experience,” said Holden. “Those who have survived a breach become stronger from it and end up being more desirable assets as they learn from their mistakes.”

A Recipe for Cyber Success

The path to a successful career in cybersecurity is apparent: find the area of cybersecurity you like and are good at, work on continuously improving, and promote healthy cybersecurity culture. “Getting satisfaction from your job may not always be possible, but getting satisfaction from your career is so important since you’ll be in it for a very long time,” said Holden. “And lastly, give back to society and anyone who helped you along the way. Helping others get to the top is the biggest job satisfaction.”

Additional resources