Cybersecurity is a relatively new career field, and it’s constantly evolving. Everyone, from the smallest business to the largest government, needs to be aware of cybersecurity. That means either hiring a staff of experts or contracting security services to a third party. It’s a growing field, with new roles and new specialties appearing every year. To a certain extent, you can learn and train yourself and then forge your own path, but there are defined career paths you can take if you want a more proven route into the field.
This post is largely just a list of different cybersecurity career paths you might take, and the salaries you can expect. Some of these are entry-level, some of them are advanced, and some of them rely on self-motivation to run your own consulting company. Treat this list as a source of inspiration and guidance on what possibilities exist once you complete a program and are ready to enter the field.
Cyber Security Architect
A cybersecurity architect is a mid-level position. It’s usually a step up along a career path from security analyst to security director. Responsibilities for the role vary, but typically involve managing a team of security analysts, auditing a company’s security, and developing both software plans and company procedures to help keep a company safe. Security architects are also often responsible for monitoring and maintaining security systems, analyzing what went wrong if they fail, and reporting intrusions. They often have to deal with disaster recovery as well.
Network Security Engineer
Network security engineers are usually entry-level security specialists. They have an education above and beyond basic IT familiarity but are at the bottom of the chain of command for the security team. They are typically responsible for deploying, maintaining, and monitoring security infrastructure. They may be tasked with reviewing processes and enforcing compliance, as well as tier-1 service desk security administration. Upper-level network security engineers may be asked to develop architecture and research solutions to secure a network, working as part of a team. Upward mobility is typically good, as a stepping stone to a security architect or developer role.
Security Software Developer
Security software developers or security software engineers are specialized software developers. They know the ins and outs of both front-end and back-end development (and may also be considered full-stack developers). Critically, they are focused on the security side of development, rather than the features or UX side. They concern themselves with elements such as security compliance, sanitizing inputs, designing software with security in mind, secure database access, and other security-first development. Security software developers may be tasked with developing any software to make sure it’s secure, or they may work for security firms that develop firewalls, filters, and other security appliances.
Security Systems Administrator
An entry-level job, the systems administrator title is a fancy title for what is essentially the engineer responsible for implementing and managing a system. These are the people who do the work in the security team, reporting to a security architect or manager, or to a generalized head of IT and security. Security systems administrators handle day-to-day monitoring, deployment, and configuration of secure systems, but they are not typically responsible for engineering or designing those systems. The role is a great entry-level stepping stone to more security responsibility.
Information Security Analyst
Another entry-level role, information security analysts tend to be information specialists and data scientists. Rather than actively deploying and managing security solutions, they develop reports, monitor industry best practices, and advise companies on the security precautions they should be taking. Analysts might audit and report on an existing security framework and procedures, or they might assist another security specialist in analyzing the results of their deployment. Security analysts are also often consultants or the entry-level employees of a security consulting company. This is a very common entry-level role with a lot of potential for advancement.
Penetration testers, also known as red teams or penetration engineers, are the security employees tasked with attempting to breach a system, probing for vulnerabilities using known hacking tools. They are some of the most aggressive security specialists, and often have a lot of crossover with ethical hackers. Penetration testers are also considered a subset of quality assurance in some companies. Pen testers can do everything from running common tools to scan for vulnerabilities to engineering custom attacks against specific infrastructures. They can be freelancers, consultants, or employees in equal measure.
Vulnerability researchers are the security employees often perched at the cutting edge of cyber-warfare. They are the engineers, researchers, and developers who focus on the arms race between malicious attackers and defenders. They are data analysts and scientists as well as developers. They set up honeypots to capture new strains of malware, categorize and analyze malicious software, and monitor both the internet at large and the security community to watch for new developments. Some may specialize in defensive security, and others in offensive security. They use their expertise to help develop new protections, find new vulnerabilities, and assist companies with closing security holes.
Exploit developers, also occasionally known as reverse engineers, are the people who take in a security system from the outside and attempt to penetrate it using new, custom software. They’re a red team or penetration tester with a specialty in developing new tools to crack systems. Often, they are employed by high-level security firms and governments, so while their average salary is lower than many other roles in the industry, they often have a competitive benefits package and significant additional benefits beyond simple monetary compensation.
Ethical hackers, also known as white hat hackers, are security professionals who attempt to hack systems and then present their findings to those companies, showing proof of concept for exploits and striving to get those companies to address the problems. Sometimes they may release the exploit publicly, or a report about it, either to shame the company into action or to warn other companies in a similar situation. They are most often freelancers or consultants and may gain additional income from bug bounties and exploit hunting. True ethical hackers may also want to pursue the ethical hacker certification process.
Security Research Engineer
Also known as the security researcher, this role is widely varied. Security researchers may be on the offensive or the defensive side of the spectrum. They analyze systems, security procedures, threats, malware, and other vectors and study them over time. They may develop industry reports, or company reports, and may work to develop counter-agents, antivirus detection, and prevention protocols, or new intrusion tools, depending on where they work. Security research engineers are occasionally freelancers or consultants but are most often employed by major security firms and given direction by security directors and high-level engineers.
Security auditors are usually third-party contractors or employees of security consulting firms. They are responsible for coming in and investigating the security and procedures of a company from an outside perspective. They leverage impartial knowledge and perspective to develop reports on procedures, ratings for security, and potential vulnerabilities. Often, they analyze specific forms of security – a cybersecurity auditor might not look at physical security, for example – but their audits may encompass all of a company’s operational security. Occasionally, security auditors are also tasked with looking for industry and ISO compliance levels and may have mandatory reporting instructions for specific kinds of violations.
IT Forensics Technician
IT forensics technicians, also known as computer forensics technicians, are often the people who come in and analyze what went wrong after a breach. They follow the trail and figure out how a breach happened, what information was accessed or stolen, where that information has gone, and how to prevent future instances of the same breach from happening. Typically, IT forensics specialists work with third-party security and disaster recovery consultants, but they may also work directly as part of law enforcement. They may work closely with law enforcement to investigate and build cases against perpetrators of cyber-crimes.
Security Operations Analyst
Security operations analysts are often the entry-level role in an overall digital security department, usually at mid-sized and larger corporations. They work as part of a team doing everything from analysis and internal red-teaming to deployment, monitoring, and maintenance of security systems. They may also handle simple security issues for employees, ranging from password resets and account lockouts to other computational issues. Operations analysts are a stepping stone to operations engineers and directors, with a clear path for career development, mentorship, training, and certification usually provided by the company hiring the analyst.
Incident responders are the team, either in-house or working with a security consulting firm, who come in and deal with an incident. They may be called as soon as an incident is detected, to deal with it as it happens. They may have overlap with forensics, to analyze and develop a post-mortem when an incident has already occurred. They also have some overlap with disaster recovery, helping a company put the pieces back together after an incident occurs. They can do anything from analyzing which devices were affected to working out how to repair or replace devices or systems that have been breached and how to deploy new security to help prevent it from happening again.
Disaster Recovery Specialist
Disaster recovery is an entire sector of cybersecurity. Specialists are entry-level recovery agents who do the manual labor of interfacing with and attempting to repair or recover data from affected systems. Disaster recovery managers, administrators, and directors are all more highly-paid employees in the same role and may have overlap with incident responders and with forensics. Disaster recovery specialists may also be tasked with developing and implementing a disaster recovery plan for a company before an incident occurs, including implementing digital backups and data handling practices.
Director of (Digital) Security
Directors of cybersecurity are managers and team leaders who are responsible for all things cybersecurity, and often physical and operational security, within an organization. The average salary for a director is low, but the sky is the limit for security directors at large companies. They need experience and knowledge, as well as resources and the ability to manage a team. They are also the people responsible for everything from implementing security to enforcing policies to recovering from incidents. Their roles are many and varied, so the skills they need (and the compensation they receive) are equally varied.
There are three major things to keep in mind about the list above.
The first is that, in the real world, things get messy. The job titles listed above are flexible, the responsibilities vary, and consistency is nothing more than a dream. Your skills and your education are more important than your job title, and finding a role you can settle into is more important than maintaining a specific job title. This is by no means an entirely comprehensive list; it’s merely a list of examples.
The second is that cybersecurity is a quickly-evolving specialty. Some of these roles will come into greater prominence in the coming years, while others might fall out of favor. Entirely new security disciplines can spring up. Think about ransomware; it wasn’t all that long ago that such a thing didn’t exist, and now it’s one of the most common threats.
The third is that salary information varies wildly. What we’ve listed above is an industry average, but the pay rate can be very different for the same role if you’re in Missouri compared to San Francisco. Demand, skill level, and geographic location all play a role. Treat these as averages and baselines, not as hard rules.
What are your thoughts on the career paths and their average salaries? Does anything on the list surprise you?