Building the cybersecurity career path

Career paths

Breaking into cyber

Change management

Leadership

Share:

Text Link

Вывод URL текущей страницы

Текущий URL страницы:

Building the cybersecurity career path

Sometimes, a thing can be common sense- and nearly everyone agrees. But when you look at it and see how prevalent it is in reality, it’s almost never there.

Career path models in security are one of those things. Nearly any security leader would tell you that offering a structured, competitive career path is a great way to attract and retain talent. Employees certainly want to feel that they are part of an organization that recognizes their contributions and affords them opportunities to continue to grow and advance.

But how many companies actually have strong career models in place for their security team? Very few.

There are many reasons for this. When you are in firefighting mode, it can be hard to do ‘infrastructure’ projects like this. Job descriptions tend to be dusted off when somebody leaves and you need to backfill, not as part of a strategic effort. And it can be hard to make big changes to career models with incumbent teams, because you start to make significant organizational changes, and that comes at the cost of a lot of emotional energy, angst, and inevitably some amount of disappointment.

While difficult, it’s a worthwhile endeavor. Benefits of a strong career model include:

Staff retention- people that move up through an organization are much more likely to remain loyal to the company. They feel rewarded, are regularly challenged, and build friendships that provide a fulfilling work experience.
Staff engagement- people that have a clear and achievable career path are more motivated and committed to their work. They have a sense of direction and purpose, and they see how their work contributes to the bigger picture.
Staff development- people that have opportunities to learn and grow are more productive and bring different perspectives. They acquire new skills and knowledge, and they apply them to improve their performance and solve problems.

So it’s hard to do. But it’s worthwhile. This is our guide to how to pull it off.

Components of a good career path model

There is no one size fits all career model for cyber. It depends immensely on the size, maturity, objectives of the cybersecurity program. It’s going to look very different for a Fortune 100 bank than it will for a mid-sized manufacturer, or a hospital that leans heavily on their MSSP.

But there are some basic components. There should be:

As much commonality of titles and levels as possible across the org (e.g. associate, analyst, etc)
Well documented gradation of expectations ‘up and down’ in a given area. Think about not just describing what the work is, but what good looks like for each step
Consideration of movement- career paths these days are rarely just straight up. There should be thought given to lateral movement and how that ties into skill development.
Consideration of common entry points from the outside. Where do you generally need to find external hires because there won’t be people internally that ‘build’ the requisite skill sets, and there’s not enough work to construct a talent pipeline into the senior roles?
For every role, you should be able to identify at least one strong potential next step. This could be a vertical or a lateral move, depending on the individual's preferences and goals.
Compensation ranges that are in line with market
Titles that are in line with market

You can read more about how to construct a strong job description (and pitfalls to avoid) here.

Examples of career path structures across security domains

The career path structure for your security organization will depend on many factors, such as the size, scope, and nature of your business, the maturity and complexity of your security function, and the availability and diversity of your talent pool. There is no one-size-fits-all solution, and you should design your model based on the unique characteristics and needs of your organization.

Dropbox has a well-known and world-class career framework for their engineering roles (these are mostly software engineering, but do include security engineer roles). It’s available here and worth browsing for inspiration: https://dropbox.github.io/dbx-career-framework/

You can also check out Cyberseek, which provides an interactive map of career pathways. It’s based on the NICE framework from NIST. I have to say, I applaud the initiative for both NICE and Cyberseek, but they seem to be somewhat disconnected from reality (featuring roles that don’t often exist IRL), and with excruciating level of detail in the knowledge, skills and abilities in the NICE framework, which total up to ~1,000)

Here are examples of potential path structures across security domains. This will be different for every company and should be designed based on unique characteristics and needs of the business.

Within enterprises, the two areas that will tend to lend themselves best to ladders within a function are security operations and security engineering (which can include sub-domains such as application security, cloud security, IAM, etc).

I spoke with Mannie Romero, VP of Product Security at Early Warning (Zelle) about their career path model. They have a fairly mature structure as far as cybersecurity departments go. One of the interesting things that Mannie noted is that at Zelle the career paths of security engineers and architects are parallel. While it may be common in some organizations for engineering to feed into architecture, Zelle’s security leadership found that since the nature of the jobs are substantially different (engineering, often more ‘hands on keyboard’ direct project work- architecture often more collaborative, varied work), they created flexibility for engineers to hop between the two paths based on the person’s own job satisfaction and career aspirations.

More broadly, give thought to the structure of parallel movement. It’s a great way to provide staff the opportunity to build new skills and explore different areas that may fit their interests and underlying skills.

Clearly, the career models for smaller companies (with small teams) are going to look very different than at larger companies, where you have entire teams that are specialized around one area. This doesn’t mean that you can’t have career pathways, though. The jobs just have a wider range of responsibilities and skills required.

As you design your career path model, you should also consider the tradeoffs between productivity and cost. Balance the benefits of having more skilled and experienced staff with the costs of hiring and retaining them. Also consider the opportunities and challenges of having more junior or entry-level roles that can serve as a talent pipeline and a source of cost savings.

Good practices

As you design your career path model, here are some good practices that you can follow:

Try to avoid baking hard ‘years of experience’ into the requirements. This can be, but isn’t always, a proxy for skill level. You can pass by people that would do a great job, and simultaneously set people that aren’t ready for handle the higher expectations up for failure. Try to define the requirements based on specific technical skills and performance expectations you would have for the role.
Allow for development along technical career paths that don’t require somebody to be a people leader to advance. Oftentimes very strong and high-end technical talent aren’t as skilled at people leadership, or that’s not of interest to them.
Make sure your career model is closely tied in with your performance management process. Use the career model as a framework to discuss aspirations, potential future steps, and the mutual expectations for both parties to get there.
In your role descriptions, don’t just think about ‘what’ the work is… think about expectations for ‘how’ the work gets done. Many companies use some version of a matrix with the ‘what’ on one axis (what you delivered, whether you met your goals, etc), and the ‘how’ on another axis (which includes behaviors, cultural alignment indicators, etc). So consider in your job descriptions not just including detail on work expectations, but also specification of what increasing seniority looks like in terms of contributions to the organization, interface with other teams, and leadership.

There’s a lot about career pathing that is cultural, not programmatic. Building a culture that rewards and encourages mentorship, taking risks on placing people with great potential but limited experience into new roles, and being OK with some amount of strong talent that you’ve developed heading out the door all show an emphasis on people, their skills, and their growth. And that will attract good talent. Recently on the CISO series podcast, David Spark, Andy Ellis (YL Ventures), and Joshua Brown (CISO, H&R Block) discussed our piece on talent retention and Andy noted that having an ‘open exit door’ philosophy (where people you’ve helped develop feel free and supported to move beyond the company) is such a testament to caring that it in fact works the opposite way- people look around and realize they have it really good, and choose to stay.

Making this happen

It can be a daunting exercise to build a career model for an organization- particularly if there is likely to be significant organizational change associated with it. The good news is that staff is overwhelmingly likely to welcome and appreciate anything that will give them more clarity on their future career development. This is a sign of investment in your people.

I recommend being honest and transparent from the outset on the effort. You will want engage a number of people in the design, so it makes sense to be upfront with people about the effort and the desired benefits. From the outset, communicate:

Your objectives (the scope and expectations)
The timeline and process
How people can provide input to the process and share ideas
What types of changes to expect once the design work is complete

It’s important to note that a career path refresh is not necessary an organizational re-design. The career model is independent of organizational structure, number of roles, etc. You may choose to tackle some amount of organizational realignment in parallel, but there’s very much a distinction from the model (which should be relatively constant) and the regular flow of organizational decisions on hiring, firing, backfilling, promoting, etc.

In the design process, you’ll want to:

Setup a common framework for roles and responsibilities, and make sure that’s aligned with overall company constructs.
Take stock of the work to be done, and how that aligns against roles. There are many decisions to be made here about specialization and breath of expectations/ work by role.
Incorporate employee feedback into the design. Seek input and opinions from your staff on what they value, what they aspire to, and what they need to succeed. Ask them what works well today and what should be changed.
Benchmark compensation by role. There are many services you can use to support this effort. Our quarterly market reports can give you a starting point.

Once design is complete, decide how much change you want to implement right away. Will you move gradually, only making updates when new roles or opened? Or will you snap the existing organization into the new model? I generally recommend the ‘rip off the band-aid’ approach, since generally this is an employee-friendly exercise to begin with. If you are not changing people’s compensation, usually they are pretty accommodating to title changes and adjustments to their roles and responsibilities.