Choosing your Cybersecurity Career Path

November 15, 2018
  • Strategic vs. tactical (Technical) career paths
  • What’s best for your cybersecurity career – a certification or a degree?
  • Landing and keeping a job in cybersecurity

I’m often asked by folks entering the cybersecurity career field, “How do I land (or keep) a job in cybersecurity? Should I get a degree in cybersecurity or focus on certifications?” The bottom line is that there is no one answer; as with most things in life, it depends.

In this post, I’ll cover various cybersecurity career field options to help you understand the benefits of each, and how you can grow your career as a professional. This is part two of my series on Breaking into Cybersecurity.

From a career perspective, information security (including cybersecurity) is a stable and growing profession. Information security jobs are expected to increase by 28 percent through 2026 according to the Bureau of Labor Statistics. Even with such vast opportunities, landing a cybersecurity job can still be tricky when you’re trying to meet a laundry list of role requirements.

Below are some steps for you to determine the certifications and/or degrees you need to help build a cyber career:

First, Pick a Path.

There are two main categories of cybersecurity careers: Strategic and Tactical.

    1. Strategic includes Governance, Risk, and Compliance (GRC), policy, IT audit, security frameworks and management.
    2. Tactical includes everything technical: security systems administration, networking, application security, security operations, incident response, vulnerability management, and penetration testing.

If you love playing with technology, take the tactical route. If you’re more inclined to management and process, consider strategic. Picking one over the other does not mean you don’t need to know how the other side works. Both sides of the business need to understand technology and business risk. The Cyber Seek website contains a list of careers for each path.

Second, Determine Your Education Path.

Cybersecurity degrees and certifications each have benefits and costs. Both can be used to open doors to cybersecurity careers.

    1. Degree – With a degree you learn how to learn. This is crucial in the ever-changing cyber world. You’ll also gain additional professional skills like communications, leadership and management. Of course, it comes at a cost: time and money. One inexpensive education option in the United States is a two-year community college. The National Security Agency designates two- and four-year schools as Centers of Academic Excellence in Cyber Defense.
    2. Certification – Establish your credibility. Certifications demonstrate that you have knowledge in a specific area or indicate that you have subject-matter expertise. The benefit is that you can often take a 1-week boot camp or watch a video series and complete the certification exam shortly after. This can be a low-cost option, but most certifications require continuous learning over time.

Third, Develop Practical Experience/Practice. 

Certifications and degrees don’t guarantee you a job. You must continually practice what you’ve learned and build on that knowledge. This should come from both practical experience and personal practice.

  1. Experience – For many cybersecurity jobs, this matters more than formal education. Those who are new to the cybersecurity career field might start in a help/service desk or security operations center. These are great ways to gain professional experience, learning how cybersecurity operates within an organization. You can also obtain experience by volunteering to fix computers or offering security advice in a community group (e.g., senior center, religious organization, etc.). In return, ask for a reference. Remember, you don’t have to start in cybersecurity. All careers have transferable skills that can provide a fresh perspective.
  2. Practice and do your homework – Cybersecurity is a career that requires continuous learning to stay relevant and keep skills sharp. I often tell my students, “Homework begins after you graduate” and “The real test is in the real world – not the classroom.” If you flunk a test in school, you can still graduate. If you flunk a test in real life, you may not get the job. Keep learning by taking advantage of sites like Cybrary that provide free education on many aspects of cybersecurity.


No matter the path, you need to:

  1. Be aware of the other side. If you’re tactical/technical, you still need to understand strategic/business, and vice versa.
  2. Network – the human kind. Join security groups in your community like ISSA, ISACA, ISC2, OWASP, InfraGard, etc. This is a great way to meet other passionate cybersecurity professionals. These groups may also provide mentors to help you choose your path and keep your skills sharp.

Author Bio

Ron Woerner, CISSP, CISM has over 25 years of IT and Security experience and is a noted consultant, speaker and writer in the security industry. As President and Chief Trusted Advisor at RWX Security Solutions, he works as an IT security consultant performing security audit and risk assessments for small, medium and large organizations. Ron has established security practices for multiple Nebraska and international organizations. He has been a featured speaker at the (ISC)2, ISACA and RSA conferences. Ron loves to talk to others who are passionate about security and privacy.