Reading time ~2 minutes

Cyber Security Career Pathways

Ours is a confused industry
A first attempt
A call for feedback

As you might know, I’m working on my next side-project, The CloudSec Engineer, a book on entering, establishing yourself, and thriving in the cloud security industry as an individual contributor.

As part of the book’s introduction, I’ve been researching common career pathways within the security industry to contextualise where Cloud Security fits into the big picture.

I naively assumed that I could’ve found some sort of codified guidance in this regard. I was wrong.

This post is part of the “The CloudSec Engineer - Previews” series.

Ours is a confused industry

I then turned (obviously 😆) to social media:

What frameworks do people currently use to showcase/list the multitude of specializations one can take in the infosec industry? For example, is there a resource that collates all "possible" (i.e., primary) specializations?
— Marco Lancini (@lancinimarco) September 28, 2022

The silence was telling.

The more I try to map it all together, the more I realise we need to standardise our profession a bit more 🤔 https://t.co/KA1PBn78ZR
— Marco Lancini (@lancinimarco) October 1, 2022

As an industry, we still don’t have a formal standardisation of paths people could follow to start and then progress in their careers. “Careers” in InfoSec usually happen cause people get exposed to some sub-domains of security and think that’s all they can aspire to. But there’s much more!

If you do a quick Google search, you’ll see each website/company uses a different categorisation. And most of them are just trying to sell their certifications.

A first attempt

I started collating different resources, like companies sharing their security org structure (like GitLab) or governments trying to help fill vacancies in the industry (like the UK Cyber Security Council).

The mindmap below is a first attempt at grouping roles into macro-functions commonly found in tech companies.

I realise this could even be considered an over-simplification, given the nearly infinite number of declinations (and overlaps!) jobs in these functions could take. But we should start somewhere, no?

A call for feedback

I’m keen to get feedback on it! If you find the information in the mindmap to be incorrect, if something is missing, or if you have ideas on improving it, please let me know on 🐣 Twitter or at 📢 feedback.marcolancini.it!

Once finalised, I’ll expand on each of these pathways as part of the introduction of The CloudSec Engineer.

Thank you! 🙇‍♂️

About

Cyber Security Career Pathways

Ours is a confused industry

A first attempt

A call for feedback

Subscribe to CloudSecList

Marco Lancini

Serverless Emails with Cloudflare Email Routing

Serverless Ad Blocking with Cloudflare Gateway

About

CloudSec* Projects

Collections

Continuous Visibility into Ephemeral Cloud Environments

Cloud Security Strategies

The CloudSec Engineer - Previews

Kubernetes Primer for Security Professionals

Must Read

What to look for when reviewing a company's infrastructure

On Establishing a Cloud Security Program

Security Logging in Cloud Environments - GCP

Security Logging in Cloud Environments - AWS

Tracking Moving Clouds: How to continuously track cloud assets with Cartography

The Current State of Kubernetes Threat Modelling

Mapping Moving Clouds: How to stay on top of your ephemeral environments with Cartography

So I Heard You Want to Learn Kubernetes

Recent Articles

Migrating Terraform state from Terraform Cloud to S3

Zero Trust Access to Private Webapps on AWS ECS with Cloudflare Tunnel

Serverless Emails with Cloudflare Email Routing

Cyber Security Career Pathways

Serverless Ad Blocking with Cloudflare Gateway

Tags