Cyber Security Career Pathways
As you might know, I’m working on my next side-project, The CloudSec Engineer, a book on entering, establishing yourself, and thriving in the cloud security industry as an individual contributor.
As part of the book’s introduction, I’ve been researching common career pathways within the security industry to contextualise where Cloud Security fits into the big picture.
I naively assumed that I would find some sort of codified guidance in this regard. I was wrong.
This post is part of the “The CloudSec Engineer - Previews” series.
Ours is a confused industry
I then turned (obviously 😆) to social media:
What frameworks do people currently use to showcase/list the multitude of specializations one can take in the infosec industry? For example, is there a resource that collates all "possible" (i.e., primary) specializations?
— Marco Lancini (@lancinimarco) September 28, 2022
The silence was telling.
The more I try to map it all together, the more I realise we need to standardise our profession a bit more 🤔 https://t.co/KA1PBn78ZR
— Marco Lancini (@lancinimarco) October 1, 2022
As an industry, we still don’t have a formal standardisation of paths people could follow to start and then progress in their careers. “Careers” in InfoSec usually happen because people get exposed to some sub-domains of security and think that’s all they can aspire to. But there’s much more!
If you do a quick Google search, you’ll see each website/company uses a different categorisation. And most of them are just trying to sell their certifications.
A first attempt
I started collating different resources, like companies sharing their security org structure (like GitLab) or governments trying to help fill vacancies in the industry (like the UK Cyber Security Council).
The mindmap below is a first attempt at grouping roles into macro-functions commonly found in tech companies.

I realise this could even be considered an over-simplification, given the nearly infinite number of declinations (and overlaps!) jobs in these functions could take. But we should start somewhere, no?
A call for feedback
I’m keen to get feedback on it! If you find the information in the mindmap to be incorrect, if something is missing, or if you have ideas on improving it, please let me know on 🐣 Twitter or at 📢 feedback.marcolancini.it!
Once finalised, I’ll expand on each of these pathways as part of the introduction of The CloudSec Engineer.
Thank you! 🙇‍♂️