About half of all jobs that require cybersecurity skills don’t include the word cybersecurity in the title, which can make planning or advancing in a cybersecurity career tough. The discipline is evolving quickly and lacks the rigorously defined advancement pathways typical of established disciplines. However, don’t equate the lack of common career trajectories with a lack of opportunity.
Increasing cybercrime rates, rapidly growing computer networks and the widespread adoption of digitally controlled physical infrastructure are prompting increased interest in computer and network security across industries and in the public sector. Organizations are investing more in cybersecurity strategy and infrastructure. And employers are creating thousands of jobs for qualified cybersecurity professionals each year.
Navigating this evolving landscape can be a challenge for those looking to join the ranks of cybersecurity professionals. Several interconnected career pathways have emerged in the discipline, and it is not always clear which skills align with which avenues of specialization. Complicating matters further, the educational barriers for entry into the profession have changed considerably.
This guide identifies four primary cybersecurity specialty areas – engineering, testing/auditing, incident response and oversight – and explores each. It also looks at the education necessary to excel in cybersecurity, whether professionals need to specialize to succeed and the benefits of earning a Master of Science in Cybersecurity in a program such as The University of Tulsa’s online master’s in cyber security.
Why focus on four primary cybersecurity career paths?
Finding a niche in cybersecurity is challenging because there are so many points of vulnerability in modern technological systems. Cisco predicts that the number of devices connected to IP networks will be more than three times the global population by 2023. Each represents scores of vulnerabilities cyberattackers can exploit. Consequently, there are dozens of specialization areas in cybersecurity, and the National Initiative for Cybersecurity Careers & Studies has identified more than 50 specific career roles in the field.
Researching your career options can be less overwhelming when you group them into simpler categories. Sources describe the high-level branches of cybersecurity in different ways. Some divide cybersecurity into application security, network security and endpoint protection, while others focus on the difference between system or device security and information security.
Cybersecurity jobs can be similarly categorized. Most roles in cybersecurity fall into one of four high-level categories: engineering, testing/auditing, incident response and oversight. Be aware as you dig deeper into each of these categories (explored in more detail below) that titles alone will seldom tell you much about the responsibilities associated with specific roles. Looking into high-level cybersecurity career pathways is just the first step in a larger professional journey that can involve researching cybersecurity specialties, cybersecurity salaries, certifications and more.
How high-level cybersecurity career pathways differ
Cybersecurity engineers build and maintain security systems and design policies, and they are typically responsible for requirements planning, compliance, risk management, systems development and security software engineering. These professionals often come from IT, network engineering or computer science backgrounds but have additional training in cybersecurity. Many start with bachelor’s degrees in cybersecurity or related fields but go on to pursue master’s degrees in cybersecurity to learn skills related to programming, cloud computing, penetration testing, risk prevention and more.
These cybersecurity specialists have a variety of job titles, including network security engineer, information systems security architect, information security analyst, security software developer and security systems administrator. Cyberseek estimates that there are about 61,503 openings for cybersecurity engineers, with an average salary of about $105,000. Engineers with the title cybersecurity architect can earn an additional $40,000 per year, but keep in mind that titles are used differently in every organization. Different roles may require similar skill sets, while two cybersecurity engineers with the same title might do very different work.
Security testers and auditors
Security testers and auditors evaluate security systems and policies for performance characteristics and specification requirements. Testers and auditors typically have the same technical cybersecurity skills as engineers, but that is not all. These cybersecurity professionals have to pay attention to what Auditboard calls “the human element.” Soft skills are essential in this cybersecurity career pathway because testers and auditors must be creative enough to anticipate how a hacker might act. Testers and auditors in the highest levels of the discipline often have advanced degrees in addition to multiple certifications related to penetration testing.
Testers are usually part of internal quality assurance departments and may work closely with cybersecurity engineers. Auditors typically assess security systems, controls and policies for organizations on a contract basis. Both may be responsible for breaching systems and simulating attacks (or “ethical hacking”), reviewing code and troubleshooting security issues. Common job titles for testers and auditors include ethical hacker, penetration tester, security analyst, security auditor and systems testing specialist. There are currently about 21,000 open positions for penetration and vulnerability testers, and these cybersecurity specialists earn about $101,000 on average.
Incident responders investigate, analyze and design responses to cyberattacks. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of core competencies for incident responders, including computer forensics, infrastructure design and threat analysis skills. CISA also notes these professionals should have a firm grasp of malware analysis concepts and an understanding of cloud service models and how those models can limit incident response – all of which are covered in the cybersecurity master’s coursework at TU. Additionally, incident responders need to be comfortable working with system monitoring tools, forensics software and e-discovery tools. Those who work for government agencies may need sufficient security clearance to be eligible for employment.
These cybersecurity specialists step in after hacks and intrusions to search for clues as to who launched attacks, what systems were affected and how to mitigate the impact of attacks. Their responsibilities include collecting evidence, deploying incident response protocols, locking down networks, performing incident triage and reporting to stakeholders. Titles in this career pathway include disaster recovery specialist and threat detection analyst. Some digital forensics jobs fall into this category, although most professionals who specialize in digital forensics do not deal with cybersecurity threats directly. Salaries range from $87,000 for intrusion analysts to $111,000 for cyber incident responders.
Cybersecurity managers are team leaders who oversee cybersecurity protection, detection, response and recovery for their organizations. Managers need a blend of technical expertise, communication skills and business administration acumen because justifying cybersecurity investments is part of the job. Cybersecurity managers often have many of the same core technical skills as engineers and computer network professionals, but are more likely to be decision-makers who choose new technologies and design security policies than technicians working on implementation. They also manage network security staff, maintain cybersecurity tools and report to leadership on the ROI of cybersecurity initiatives.
Common titles in this career path include chief information security officer, cybersecurity director, cybersecurity manager and IT security manager. Senior-level cybersecurity managers are more likely to have master’s degrees than other professionals in the field, but they also earn more. The average cybersecurity manager salary is about $167,000, making the ROI of a cybersecurity master’s impressive.
Professionals on all four paths need the same foundational skills
Professionals across all the branches of cybersecurity must know how to identify and combat security threats, how to protect computer systems and networks against cyberattacks and how to resolve data breaches and mitigate the impact of successful attacks. However, technical skills alone are no longer enough. According to the (ISC)² Cybersecurity Workforce Study, cybersecurity professionals now need “a broader mix of skills, both technical and non-technical,” which “underscores the reality that today’s cybersecurity roles are multi-dimensional and increasingly varied across specializations, organizations and industries.”
Successful cybersecurity specialists also have credentials that showcase their skills. Higher education is replacing general education and industry certifications as the gold standard in the information technology industry as a whole, but especially when it comes to cybersecurity. TU’s 100% online cybersecurity master’s program is for professionals who want to become technical, analytical and managerial leaders in the world of cybersecurity without taking time out of the workforce. The master’s in cybersecurity curriculum supports a variety of careers because it touches on a broad range of advanced cybersecurity concepts applicable in all branches. Graduates have advanced skills related to:
- Auditing and testing methodologies
- Defensive cybersecurity and related technologies
- Economic and ethical issues in cybersecurity
- High-assurance information system design
- Human factors in computer security
- Information and network security
- Intrusion detection, handling, response and recovery
- Legal, policy and logical dimensions of cybersecurity
- Network security design and operation
- Penetration testing methodologies
Is specializing crucial to success in cybersecurity?
The frustrating answer is maybe. There’s no blueprint for building a career in cybersecurity because there are so many subfields. Even mapping out a post-master’s advancement trajectory can be difficult. According to the National Initiative for Cybersecurity Careers and Studies (NICCS), “the path to follow for a cyber career is different for every individual, and job role. The dynamic nature of the cybersecurity field and the ever-changing landscape make it difficult to design a one-size-fits-all plan that will have a long shelf life. Organizations also have different needs and priorities.”
You might hold very different titles and follow a very different professional development path depending on whether you want to become, for example, a cybersecurity consultant, a senior cybersecurity engineer or an ethical hacker. On the other hand, employers in the real world may not know enough about cybersecurity to build meaningful roles around their needs. That’s why job seekers encounter vague titles such as cybersecurity specialist and systems security engineer. Many cybersecurity-focused roles don’t come with cybersecurity titles. Burning Glass Technologies calls them cyber-enabled jobs and reports that most “cybersecurity is a task built into other IT jobs, such as network administrator.”
A cybersecurity degree can unlock your potential in many fields
In the past, IT professionals learned cybersecurity on the job and took certification exams along the way. Today, there isn’t a standardized framework for advancement in the field, and cybersecurity professionals have to forge their own career paths, reskilling on an as-needed basis. That is part of what makes this discipline so interesting for many IT professionals. Competent and credentialed cybersecurity professionals work in nearly every field, have a wide variety of skills and often get to use emerging technologies first. Some cybersecurity professionals play crucial roles in defending the U.S. against attacks from foreign powers – the National Security Administration even has a tool you can use to sort through available positions in cyber operations.
Ultimately, cybersecurity professionals should specialize – especially when it comes to high-level specialty areas such as those outlined above – but they probably should not become so specialized they can’t slip into the kinds of roles that don’t fit neatly into the above categories. Employers across industries look for cybersecurity professionals with broad expertise and specialty skills. Earning a cybersecurity degree online in The University of Tulsa’s part-time online M.S. in Cyber Security program is one of the best ways to prepare to enter and advance in an employment landscape that is still evolving. The university works hard to make online learning more like studying on campus in an advanced cybersecurity degree program for busy professionals.
TU was one of the first to be designated a Center of Academic Excellence in Information Assurance and Cyber Defense Education by the federal government, and its online programs reflect the university’s dedication to cybersecurity education. The 30-credit hour cybersecurity master’s curriculum covers everything you must know to specialize in various areas of cybersecurity, including application security, automation, cloud computing security, cryptography, digital forensics and penetration testing. From there, the sky’s the limit as long as you are willing to keep learning. As the NICCS puts it, “the cybersecurity field is so diverse, opportunities for moving upward in rank, gaining more experience, or transferring positions horizontally, are achievable. The key is identifying the skills and strengths, those that bring out the most for an individual, and move from there.”
Scholarships and financial aid are available. Apply today to start your cybersecurity journey or attend an enrollment event to learn more about admissions requirements, tuition rates, the online student experience and TU’s student resources.