9 Achieving success

This chapter covers

• Recognizing and overcoming challenges to career success in cybersecurity
• Setting long-term goals and building a progressive strategy to achieve them
• Pivoting from one area of cybersecurity to another
• Taking everything you’ve learned and putting it into motion

In chapter 8, we transitioned from discussing how to land your first role in cybersecurity to addressing long-term success. We focused on one of the key challenges that cybersecurity professionals face from the earliest stages of their career journey throughout their development and beyond: impostor syndrome. However, that is only one challenge that threatens the success of your career. Because I want this guide to help enable your career for long-term success, it is important to discuss those other challenges in detail and identify ways of overcoming them.

Launching a career, whether as your first path directly out of school or as a change in your journey, is a risky undertaking. Having a strategy for building that career gives you steps to follow and clear intermediary objectives that you can focus on and measure to maintain your focus. The strategy you set forth at the start of your journey will no doubt change over time. Chapter 2 covered the various disciplines that make up cybersecurity. The specialty you choose today will probably not be your focus for the rest of your career. Still, the planning you do now will serve as your guide for years to come.

That propensity for your path to be dynamic and shift over time makes cybersecurity a particularly attractive career choice. As a result of the many varying but related disciplines, cybersecurity offers a particularly easy path for pivoting from one area of specialization to another. Still, it can be daunting to make such a change.

To help equip you with the tools necessary to make this switch effective, this chapter discusses pivoting. You have come this far in this guide; now it is time to put all the knowledge you have gained into motion.

9.1 Overcoming challenges in cybersecurity careers

Impostor syndrome was discussed at length in chapter 8 because it is such a universally encountered difficulty and one you will likely do battle with at various stages in your professional journey. However, it is not the only difficulty you may face that threatens to derail your plans for a long and successful career in cybersecurity.

Positioning yourself for that long-term vision requires anticipating and navigating those problem areas that could arise. While they are not unique to cybersecurity, the areas discussed here do exhibit themselves in unique ways in this domain. They are common topics in cybersecurity media, in various conference sessions, and of course on social media. The good news is that as the awareness of these trouble areas has grown, strategies have arisen for dealing with them.

9.1.1 Burnout

Talk to any career coach or human resources specialist about challenges they are worried about, and burnout is likely to be near or at the top of their list. Burnout is a state of exhaustion in one’s role. It is usually brought on by prolonged emotional and/or physical stress. A person experiencing burnout will typically feel drained emotionally and may exhibit high levels of anxiety or feel overwhelmed with the demands of their job. Burnout is in no way unique to cybersecurity. It transcends all industries and is always a key business risk for any employer.

In recent years, however, burnout has become an increasingly dominant topic of discussion in cybersecurity circles. Recall at the opening of this book in chapter 1, I talked about the skills shortage that organizations have reported. This was revisited in chapter 3, where I shared statistics showing that much of the shortage is self-inflicted by hiring practices. Regardless of the cause, however, the struggles that organizations have in locating cybersecurity staff put tremendous demand on existing practitioners. These increasing demands have generated higher stress levels across the cybersecurity community.

However, the inability to find skilled resources isn’t the only thing putting additional demands on existing staff. In many organizations, cybersecurity is not their core line of business. Therefore, security staff are looked at as an expense or cost-center. They are regarded as a necessary cost of doing business that does not directly generate revenue for the organization. As such, when leadership looks to improve profitability by reducing or eliminating expenses, cybersecurity is often one of the areas of the organization that feels the strain. Despite the growth in awareness and prioritization of cybersecurity in general, overall budgets for security staff and tooling have not grown at a commensurate rate. Staff and capability growth do not ultimately match up to the overall growth of the business. This creates additional strain, but it doesn’t stop there.

Much of that business growth is the result of new technologies and innovations. The role of cybersecurity in the face of swiftly developing technologies was discussed way back in chapter 1. As new technologies are launched, cybersecurity professionals are tasked with ensuring the security of those technologies. Within cybersecurity, we are faced with an ever-expanding landscape of systems to defend. We have to constantly be aware of the latest trends and innovations. We must work tirelessly to continue learning and expanding our areas of expertise to ensure we can defend this digital way of life. Add this to the stressors of the staffing and budget situations, and it starts to form what seems like an inescapable loop of trying to do more with less.

Finally, there is the perceived criticality of our role as cybersecurity professionals. After all, it is our job to defend the organization—and if we fail, the whole company could falter. Our customers could have their data exposed, money stolen from them, or other terrible outcomes. The business could lose profits, be fined by regulatory bodies, or lose shareholder confidence. Depending on the industry, whole markets or even worldwide economies could be impacted, as we have seen in recent years with various data breaches and ransomware attacks. This only adds to the level of pressure and stress that cybersecurity professionals experience on a daily basis.

As you enter your cybersecurity career, you will likely experience a honeymoon phase. This is that time after taking on a new role when every experience is filled with excitement over the new challenges. You feel energetic as your days are filled with opportunities to learn and grow. Your satisfaction with your job is likely to be its highest at this point.

Unfortunately, that phase does not last forever. As you settle into your role, you will slowly start to experience the stresses that go with it. Day-to-day experiences will become more mundane and repeated. Frustrations will develop over certain tasks or organizational difficulties. This is not unusual and is not unexpected in any career path. Nonetheless, if you do not begin taking steps at this stage to avoid it, stressors will begin to pile up, and burnout will set in.

A key facet in preparing for and preventing burnout is to make self-care a priority and a regular part of your routine. What this self-care looks like can be different for different people. Ultimately, the core needs to be rooted in giving yourself regular and intentional breaks from the stresses of your job. This means avoiding overwork. As a result of the criticality around cybersecurity in the context of the organization and possibly even worldwide markets, overwork is common. You might find yourself feeling a certain level of responsibility for every outcome that drives you to work long hours beyond what is expected of you.

Part of practicing self-care is planning specific times when you will not do work. Turn off the computer, leave the office, and so forth. To help ensure that you prioritize these times, planning other activities can be helpful. Hobbies, physical fitness, family time, or other non-work-related activities can help ensure that you break away.

Using vacation time is another critical element here. It sadly is not uncommon for people to neglect to take the time off that they so diligently negotiated for in their job hunt. In many companies, if you don’t use that time off, you lose it. This is time that your employer factors into the expense of employing you, so you should never feel guilty about using it.

When you take time off, be equally intentional about it. If necessary, go to places where you simply cannot be reached, or at minimum, set the boundary before you leave on your vacation that you will not be reachable. Resist that temptation to “just take this one call,” no matter how important it seems.

Failing to properly manage burnout by setting boundaries early will not only impact your current job, but can derail your entire career. Professionals often indicate that they almost left or did leave the cybersecurity community simply because they burned out in their jobs. As you sit today, you have a passion and a desire that will be your assets. But you need to maintain that energy to progress along your journey.

9.1.2 Gatekeeping

Inevitably, at some point in your career journey (likely multiple points), you will experience gatekeeping. This is the attempt or practice of establishing irrelevant or erroneous requirements for a role or function. For instance, in conversations with other cybersecurity professionals, you may hear that a person must spend time working on a help desk in order to be effective in a security role. But while this role will arm you with certain helpful skills, it is by no means a requirement.

Gatekeeping like this is an unfortunate reality in cybersecurity. Within our community, it seems to be more pronounced than in other industries. It seems to stem, at least in part, from the lack of a clearly defined career progression path. Many opinions exist about what the path should be, and some will take it upon themselves to declare their opinions as facts. Additionally, as discussed in chapter 8, the cybersecurity community is susceptible to toxic levels of competitiveness. This perceived competition leads some to want to invent obstacles that hold others back.

Gatekeeping not only adds to the challenges of impostor syndrome, but also can make people feel like the community is less than friendly overall. It is hard to say how many potential security professionals are turned away because they hear experienced voices saying that they must have some degree of nonsecurity experience before they can enter this field. Anecdotally, these stories are brought to light from time to time, and it can be painful to hear just how unjustified some of these artificial barriers are.

Overcoming gatekeeping is usually not too difficult with just a certain level of awareness. Knowing that this is an activity that some engage in can be enough to tell when their directives are indeed factual versus just their biased opinions. In those cases, simply ignoring their edicts and proceeding on, knowing that many paths could be followed, is often enough.

However, the challenge intensifies when the gatekeeper is in a position to impact your career progression. A person who has a level of influence or authority over you achieving your next goal can be harder to ignore. When you encounter a gatekeeper who is limiting your advancement in some way, the first and most important rule is to keep calm and not attack them. Because of their position of influence or authority, chances are, right or wrong, that they will be believed more readily than you should a confrontation arise.

Keeping your cool does not mean you need to be submissive, however. In fact, it is important to maintain your confidence and show that confidence in a friendly manner through your interactions with that person and others. Be straightforward about your opinions and knowledge and resist the temptation to offer concessions you do not believe in.

Sometimes the easiest way to overcome a gatekeeper is to simply work on making them an ally. Instead of trying to convince them that they are mistaken, simply begin showing them how you can work with them. Assuage some of their insecurities (which are likely at the root of their gatekeeping behaviors) by showing them that you are not a threat. Each gatekeeper you encounter will need to be handled in their own way, but understanding when you are being held back by gatekeeping and having a plan to overcome will help accelerate your career growth.

9.1.3 Stagnation

Believe it or not, despite the demand for constant learning and growth that comes with a career in cybersecurity, many professionals find themselves stagnating after a while. Stagnation refers to the idea of falling into a rut, being in a role where you are no longer growing and leveling up your skills or knowledge.

In some cases, stagnation is a result of other personal factors that lead a person to lose motivation for advancing themselves. Some cybersecurity professionals become complacent or comfortable in a given role and stop challenging themselves to do and learn new things. This can be a by-product of burnout, as the loss of passion and love for the job leads to just going through the motions. However, it can also be a result of impostor syndrome or just plain fear of taking a risk. Pursuing a new challenge can be daunting. For some, that risk of trying and failing is just too much to overcome, so they do not even try.

Stagnation can also be a result of the job you are in. Organizations can also become comfortable and complacent with their resources. Poor leadership in particular can lead to a lack of employee development. Additionally, in companies where cybersecurity is not a revenue-generating part of the business, there may be little desire to expand the capabilities and knowledge of that team beyond its current state. The status quo is perceived as enough to keep the business running, and no further investments are made. Finally, depending on the organization, a path to advancement may simply not exist from where you sit currently. Whether it is because vacancies are not opening above you or you have gone as high as you can in that organization, this can be a tough challenge as well.

How you choose to address or avoid stagnation will require you first to identify the cause. Managing your burnout proactively and cultivating your passion and risk taking can help you avoid self-imposed stagnation. Look for projects either within your organization or independently that you can engage in to continue building and expanding your skill set. Look for professional challenges that excite you and shoot your shot. Take the risk knowing that you have plenty of cushion to fall back on if it doesn’t work out. After all, this is a high-demand field, and it is not like you are going to end your career by taking a leap of faith.

If you are noticing stagnation because of the limitations of your job, that can be a bit more challenging. Still, look for ways that you can expand your influence across the organization. Can you lead the charge on implementing a new process, a new tool, or something similar that would show you are innovative and forward thinking? You’d get to learn new skills and potentially explore exciting new technology. Perhaps look for ways to engage with higher-level leaders as well. You can talk to your current manager to explore ways to get more visibility within the organization. Finally, consider laying out a personal career development road map. Describe training or other learning opportunities that you’d like to pursue and explore having your employer help fund them.

If these steps fail or your current organization provides no room to advance, you may have to face the reality of a job change. That is OK and is, of course, part of progressing in your career as well. The important facet is to recognize the stagnation early and begin looking for that next opportunity before the stagnation becomes a complicating factor in a job search.

I have maintained the rule that if someone approaches me about a job that seems like it would be a good opportunity for me, I always at least hear them out and explore it. Even if you’re not actively looking for a job, that could be one of those serendipitous moments that could lead to your next big thing. There is nothing wrong with exploring new opportunities as they present themselves. Make sure you have a path to keep growing, one way or the other. Figure 9.1 summarizes the three challenges presented in this section as well as tips for overcoming them or avoiding them altogether.

Figure 9.1 Common challenges to career success and tips for conquering or avoiding them

9.2 Building your career strategy

Building out a career path strategy is an invaluable step that allows you to clearly identify, understand, and achieve the successes you hope for in your professional life. It is not uncommon for people to launch a new career journey without taking the time to truly consider where they are headed. Unfortunately, this can lead to many changes in direction that can slow progression toward an ultimate success goal.

That is not to say that exploring various paths has no value, nor do I mean to suggest that you should shy away from taking advantage of unanticipated opportunities as they present themselves. However, it is good in those moments to have a clear overall understanding of your vision for your career. This will allow you to objectively consider how those opportunities fit into your overall plan. You can then recognize whether you want to adjust your plan or write off these options as simply a distraction that you want to avoid.

The process begins by setting the long-term goals that you would like to achieve, or as I’ll reference it, your vision. That, as you would expect, is the starting place for any career strategy. However, it is only the starting point. Once you know where you are headed, you need to look at where you are today and identify any existing gaps that will require you to develop new skills or knowledge to achieve that vision. Setting out this list of personal growth needs will help you chart a path to your ultimate goal.

Finally, you need to lay out the path by which you hope to accomplish that vision. Set short-term, achievable, and progressive milestones that will be achievements you can celebrate along the way. This will build your confidence and affirm for you that your career is progressing and not becoming stagnant. That, as discussed in chapter 8, will also help you avoid the damaging effects of impostor syndrome.

9.2.1 Describe your long-term vision

Having a long-term vision of your objective is crucial as you embark on your new career journey. A vision serves as a guide for decision-making all along your career journey. The vision can change over time, but it will be that view of the horizon that you are constantly walking toward. You might even use the cliché of referring to it as your north star. The key is knowing how to set an appropriate vision that is achievable and realistic but also not so narrowly focused that it has to constantly be shifted.

Think about it like navigating a road trip. Before you set out, you likely have an ultimate destination in mind. Before you can decide which highways to take, which scenic routes you may want to explore, you typically first pick out that ultimate destination. Your vision serves as that ultimate destination. It does not mean that once you get there, you are done. Certainly, you may decide to travel farther and visit another destination, but the ultimate destination guides each navigation decision you make along the way until you reach it. Each detour you take needs to be measured with the eventual return to your chosen path. You can explore those unanticipated scenic passes, but ultimately your destination remains unchanged.

Laying out a career vision should be achievable, but not so simple that it can be accomplished too quickly. I generally recommend that people think about where they want to be 7 to 10 years from now. This length of time enables us to generally envision some aspects of the future while at the same time recognizing that the landscape or our goal may change. A longer time frame makes the risk of change both personally and in the industry a near certainty. As a result, maintaining a consistent direction can become problematic. A shorter vision does not allow us to plan a course that results in a high-level achievement and leads to a tactical level of decision-making that lacks an overall clear direction.

Take a look at the self-reflection exercises you did in chapter 4. Consider the areas of cybersecurity that you find most interesting and have identified as your desired career path. Now here comes the hard part. Assuming you start down that path today, where do you see that taking you in 7 or even 10 years? Where do you want to be in 10 years? These sound like nebulous questions, especially since cybersecurity does not always have a good career progression map for us to follow. So, let’s talk about how you can figure out a realistic 10-year goal.

The best place to begin is to identify what is most important to you or what indicates success to you. Is a job title something that you feel strongly about and perhaps could serve as that point on the horizon for you? Perhaps salary growth is the thing you are most concerned with. Do you want to progress within a certain industry or perhaps even have goals of working for a particular company or type of organization?

For each person, these factors can be different and carry a different amount of weight. To figure out which factors are most important to you, start by grabbing a piece of paper, and let’s do a short exercise:

1. List the various factors that could be measures of success for you. These could include salary, job title, organizational industry, leadership, activism, or community involvement, for example. Be creative.

2. For each factor, go back and try to set a goal for what you would want 10 years from now. Try to be realistic, but if you are unsure of your answers, that is OK at this point. The accuracy or achievability is not as important at this step.

3. Go through each of these factors and goals and rate each individually in order, indicating which ones are most indicative of success to you and which ones you could do without. If you have 10 of them, number them 1 to 10 in order, from most important to least.

4. Beginning with the highest number (the least important), for each one, ask yourself whether you could still feel successful if you did not achieve the goal for that factor but did achieve all the ones above it. If the answer is yes, you would still feel successful, then cross it out. Continue moving up the list in this way until you answer no.

5. The factors that remain in your list are the most important aspects to you for the next 10 years and represent your areas of focus. Now you can use these to craft your vision statement.

Without a clear career progression guide to follow, your network and your mentors can serve as invaluable resources when it comes to finding an achievable objective. If your network includes people in the same discipline that you want to get into, begin reaching out to find out how their careers progressed. Perhaps they can connect you with someone who is at that point in their journey if they cannot help you themselves. Talk to your mentors if you have identified any. Even if they are in a different security field, ask them for ideas or to serve as a sounding board for yours. They should be able to help you validate that your vision is appropriate and achievable in the next decade.

9.2.2 Identify your personal growth needs

Now that you have a personal vision statement describing where you want your cybersecurity career to take you, it is time to figure out what you need to get there. The best place to begin is by identifying the knowledge and skills you need to develop as well as the experiences you expect will help you get there. These can be hard questions to answer for someone just getting started in the industry.

So once again, think about how you can leverage your personal and professional networks to gather information. Explore the topic with your mentor and determine whether they can help provide you with guidance or connect you with someone who can. If your goal is to achieve a particular job role, look at job descriptions for that role that you can find online.

Be sure that as you explore what your goal entails that you do not fixate on only technical skills. Think bigger in terms of the leadership, business, and interpersonal skills expected for someone who has successfully achieved that same vision. Think in absolute terms. What are all the facets of that vision that need to be accounted for, whether they are something you currently possess or something you will need to develop?

Once you feel confident that you have a clear understanding of what your vision is going to require, now you can go back to that capabilities inventory that you created in chapter 4. It is time to start looking at the gaps between where you are today and where you want to be in 10 years. The most important part of this exercise is being honest with yourself. Be as objective as you can in terms of where you stand today and how big that gap is. Begin a list that highlights the key areas you need to address in order to be ready for that vision that you have set for yourself.

9.2.3 Build a 1, 3, 5 plan

A 1, 3, 5 plan is commonly used in the corporate world to manage employee performance and development. However, there is no reason you need to wait until your employer requires it to create one. Now that you have a vision and you know the gaps that need to be addressed in order to achieve that vision, a 1, 3, 5, plan will help you lay out the path for getting there, by setting goals for those 1-, 3-, and 5-year time frames.

You may be wondering why this plan extends for only 5 years, when the vision you crafted is for 10 years from now. There are a couple of reasons. First, keeping this detailed plan to 5 years makes it more manageable from a scope perspective. Trying to plan out 10 years’ worth of career development can be difficult all at once. The objective here is to make things easier, not to send you down the path of complex planning and futuristic predictions.

Second, limiting your plan to the next 5 years gives you the opportunity to take stock of where you are when you reach the halfway point of your vision. While each of the intervals (1, 3, and 5 years) has its own measurable objectives, as you reach that 5-year objective, you now have the chance to assess whether your plan still has you on target to achieve your longer-term vision. It also gives you enough time to fully understand whether that path to your destination is one that you will really enjoy. Over a 5-year span, you may find that the vision you laid out is no longer the path you want to pursue. So, capping your initial planning at 5 years has less of a lock-in effect than if you laid out the next 10 years of your career in detail.

Building out your 5-year plan should not seem too daunting if you have taken the time to document your vision and list your personal growth needs. This plan simply sets realistic and measurable milestones for addressing those personal growth items. As the name suggests, you will want to lay out the elements that you plan to have achieved by each of the specified time frames.

Making sure that these plans are achievable and realistic is important to the process as well. For this, you will again want to make use of your mentors and network. You may also want to discuss these goals with your current manager or even fellow colleagues in the workplace. Remember, however, that as you gather information from these people, they offer educated opinions, not empirical facts. So take only what you can use and makes sense to you, and let the rest go.

Your 1, 3, 5 plan should be milestones based, as shown in figure 9.2. At minimum, it should include what you plan to have accomplished or where you want to be at each stage. If you want to get more detailed, you can lay out a road map for getting there. A road map would entail the specific tasks that you need to accomplish to reach those milestones. Those tasks could be training, job progressions, or other facets of skills and knowledge development that lead to your milestones.

Figure 9.2 Example of a 1, 3, 5 plan

Does all of this seem too deliberate? Does it seem like a lot of work that most people would never go through? Well, recognize that we all do this just out of human nature. The only difference is we typically are not so deliberate. You probably have ideas in your head of about that CISO job you want, that cybersecurity company you want to start up, or the type of research you want to be doing. The exercise of getting all this information on paper, however, is important to ensuring your success in getting there. Dreams are great to have, but achievable goals and successfully accomplishing those goals are more enjoyable. This is just one method of holding yourself accountable.

9.3 Pivoting

One of the truly attractive aspects of growing a career in cybersecurity is the fairly unique ability to easily pivot among domains of specialization. All the various domains discussed in chapter 2 are interconnected in some way. This interconnection is different from many other career paths that have multiple areas of specialty that are not easily transitioned between. For instance, if a neurosurgeon were to decide that she now wants to be an obstetrician, no easy path to do so exists. She’d have to go back through years of schooling and residency to make that change. The tools and techniques are very different and almost completely unrelated in most respects.

Conversely, if a cybersecurity professional currently specializing in security operations wants to move into a security architecture role, much of the knowledge learned in their security operations experience can be leveraged in the architecture space. The challenge with pivoting from one cybersecurity domain to another is not in the execution of the change. Instead, it comes in the form of knowing when it is necessary, charting a path to that pivot, and then taking the risk. The good news is that everything you have done up until now in this guide has given you tools to prepare you to make such a pivot when it is needed or desired.

9.3.1 Recognize when change is needed

While pivoting can be easily accomplished within the cybersecurity domains, it is not to be taken lightly. It still represents a career change that brings with it uncertainty and risk. That said, you might decide to undertake such a change for various reasons. Being able to recognize when the time is right to make a change, sometimes when it is simply needed, can help ensure continued career growth and prevent stagnation.

Usually, the need to make a pivot to a new discipline within cybersecurity will be a personal choice. If you have taken the steps described earlier in this chapter but still find yourself on the brink of burnout, that could be one indicator that pivoting to a new discipline is needed. For example, if you are working in an SOC and the demands and pace of the job are causing too high a level of stress, that might be an indication that a pivot is needed. However, before you jump into the deep end of a career move, it is important to make sure that it is the discipline of cybersecurity that you are not enjoying rather than the way in which your present organization has implemented it.

To this end, it can be helpful to chat with others in your network who are in similar positions. What has their experience been like? Do they share the same frustrations that are making you doubt whether this is the focus area of security that you want to continue working in? If so, that is a sign that a pivot is needed.

You may also want to take a moment to inventory your frustrations. You don’t need to write these down if you would rather not, but at least give them some thought. Is it truly the core aspects of your job responsibilities that have you longing for something new? If yes, then maybe a pivot is needed. However, if you’re frustrated about the politics of your organization, people you are working with, processes you have to follow, or complications with the tooling or support you are provided, then it may make more sense to explore opportunities in other organizations first.

Stagnation can be another reason for considering a pivot to a new role in cybersecurity. As you progress in your career journey, you may find that you simply do not have a passion for what you are doing. Heading that off quickly and pivoting into a new role could be a way to explore new areas of interest and rekindle the passion you once had. Perhaps over the course of working with other areas of your security team, you have been exposed to other disciplines that seem particularly interesting. There is nothing wrong with deciding to make a pivot simply for the purpose of exploring new domains and building a wider breadth of skill sets and experiences.

Again, the key here is to make sure that a pivot is really what you need in order to address your concerns. If you are keen to explore other aspects of cybersecurity, that can be a valid reason to pivot to a new discipline. If you feel like you have accomplished all you care to accomplish in your current area of expertise, that again is a good reason to look at pivoting. If you are stagnating because no advancement opportunity is available or your employer isn’t investing in your personal development, a new role in a new organization might be a better option.

Ultimately, it is important to recognize those career challenges as they come up and how they may lead to a necessity to pivot. You need to be honest with yourself and not be afraid to admit that you need this change. Perhaps you made the wrong choice back when you laid out your interests; that is totally OK. However, also realize that needing to pivot may not be a sign that you made a wrong choice. It can also be a sign that your interests have changed, or you want your career to feature more than that one specialized field of focus. Allow yourself to be OK with making a pivot, and you should never feel like it’s a good or bad indication of where your career is headed.

9.3.2 You need to pivot, now what?

Remember the exercise for finding your passion that you did back in section 4.2.2? Well, this is a good time to break out those materials once again. Take a look at what you identified as your interests when you made that initial list. Look at how many of those interests you got to explore in your current career path. Also consider how many of those areas of interest still hold true today. This can be a great way of determining whether your passions have changed or you have simply gotten all you can from your initial path and need to change as a result.

If you find that the interests you identified in that inventory no longer apply, now might be a good time to start over and do the exercise again. This will help you identify where you might want to go next. Do you already have an idea of what cybersecurity discipline you want to dive into next? Well, take a look at the passions you identified and see if they are truly a fit. You can continue to leverage that exercise for the rest of your career. Update your list as necessary but also analyze how well your chosen path ends up fitting with your interests.

However you choose the domain you would like to focus on next, this is also a good time to refresh your capabilities inventory. While pivoting within disciplines of cybersecurity is easier than in other careers, you still need to expect to have to learn new skills. In this case, understanding your current capabilities will help you better determine how easily and at what level you can pivot into a new role. If you need to improve or develop skills over those you have today, you now have a nice advantage as compared to when you were trying to land that first job.

You are now working in cybersecurity, and there is a pretty good chance that you can probably start developing those skills in your current role while you look for a position that will let you pivot. Additionally, because you are established within your organization, you might be able to more easily identify and move into a position in that new discipline of cybersecurity without changing companies. Most organizations have a formal process for employees to move between open positions. Take a look at that possibility in addition to looking at external job openings. While the transition timeline may be longer than the notice period you might give if you went elsewhere, the slower process can sometimes be easier and allow you to better prepare for success in your new role.

Revisiting a topic from chapter 6, be careful to research and know your worth in the new position. One challenge when making a pivot within the same organization is that the company may be less willing to significantly increase your salary even if the new position warrants it. Do the research necessary to know what you should be making in that new role, whether it is an internal transfer or a move to a new company. Pivoting can sometimes mean moving into a role that is more highly compensated, but that is not always the case.

Looking at your capabilities inventory, you may find that while you are in a senior role today, you are qualified for only a more junior role in the new domain you are pivoting to. In this case, you need to determine whether a salary reduction will be necessary and whether that is acceptable to you. Again, this is an opportunity for you to research and know the worth of that new position before you go into the interview and negotiation process. Ultimately, the biggest challenges in making a pivot are less about the skills required and more about the logistical aspects of the new role.

9.3.3 Shoot your shot

Risk taking is a topic that has come up quite a bit in these last two chapters. When deciding to pivot in your career, you are taking a risk. You are leaving the familiar, whether it has been a positive or a negative experience, and you are moving into unknown territory. The good news is that this is a high-demand field, and you could always pivot again or even pivot back if you feel like that is right for you.

Taking risks means being aggressive to a degree. If you are going to take on the risk of a pivot, make sure that sufficient potential reward can result. Maybe all you are looking for are new ways to learn and grow. Maybe you have decided that you want a discipline with greater salary potential. Perhaps your pivot is more about finding a way into higher levels of leadership. You need to know your motivations and weigh the potential rewards in terms of what is most important to you.

When it comes right down to it, taking that leap is a necessary part of growth. As discussed in chapter 8, if you become complacent and do not take risks, you will likely stagnate, which can have long-term implications on your career. When you’ve decided that it is time for that change of scenery and you want to pursue a new avenue of cybersecurity, don’t let impostor syndrome or your need to level up certain skills stand in your way. You did not let them stop you from going for that first job. You didn’t let them get in the way of setting ambitious goals for yourself, so why would you let them stand in the way now as you look to continue growing?

9.4 Putting it all into motion

You’ve made it! In chapter 1, you learned about what cybersecurity is and how it has become a crucial and inherent part of our everyday digital way of life. You discovered that diversity is a necessary component to the success of our endeavors. In chapter 2, you learned about the many exciting and varied roles that exist within cybersecurity. You saw how each fits into an overall objective and plays a crucial role in defending digital systems. You also learned more about the traits that make for the best cybersecurity professionals and learned which practices are best avoided.

In chapter 3, we started taking a look at job progression and technical skills that are often called upon in cybersecurity roles. You also saw how soft skills can be equally if not more important than technical skills. In chapter 4, you learned about the challenges that you will likely encounter when trying to land your first cybersecurity job. You went through multiple self-analysis exercises meant to help you find your desired career path and prepare for the job hunt. You discovered what core skills are and how they can help you demonstrate your value for a cybersecurity role in lieu of other desired technical skills and experience.

Chapter 5 explored certifications and other ways to build technical skills in cybersecurity. Chapter 6 provided strategies for mastering your resume and being successful in the interview process. Chapter 7 explored building your personal network and establishing mentorship relationships.

Chapters 8 and 9 changed the focus to the future, equipping you with tools that will help ensure your long-term professional success in cybersecurity. And now, here you are, ready to become a formidable force in the fight to protect our digital way of life. You are ready to take on the challenges of being a cyber defender. You are positioned to enjoy all the exciting and lucrative aspects of working in a career field that is in high demand and promises to be for years and decades to come.

What one last piece of advice can I offer to you that I haven’t already covered in the hundreds of pages of this guide? Let me leave you with this: The cybersecurity community is an amazing collective of highly driven and highly skilled people. The earliest days of hacker culture still influence the ways that we interact even today. Take pride in becoming a part of this wonderful community, and with that pride I hope you will also help shoulder the responsibility of making this community even stronger. That means actively working to improve our inclusivity, focusing on what matters most, and elevating those who come next.

By uplifting one another, we make our entire community better and our world just a little bit safer tomorrow than it was yesterday. I wish you all the greatest of successes in your career journey and I hope one day you and I can talk about your experiences.

Summary

• Cybersecurity professionals have to deal with unique challenges in the form of burnout, gatekeeping, and stagnation.

• Setting long-term goals and building a progressive strategy to achieve them can help avoid those challenges and conquer impostor syndrome.

• Pivoting from one area of cybersecurity to another is an expected outcome and can be more easily accomplished in this field than other industries.