Alternative Pathways to a Career in Cybersecurity
By Rodney Petersen, Director of the National Initiative for Cybersecurity, National Institute of Standards and Technology, U.S. Department of Commerce
If you want to become a doctor you go to medical school. A lawyer, law school. An accountant, you obtain a CPA. A teacher, you become state certified. A tool and die maker, you get a journeyman’s card. Yet, there is no single best pathway to a career in cybersecurity. Still, there are some emerging alternatives that provide options to pursue according to one’s circumstances or career aspirations.
The diversity in academic and training pathways does not imply that there are no underlying standards, definitions, or identification of work roles for cybersecurity. The National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework (or NICE Framework) establishes a taxonomy and common lexicon that describes cybersecurity work and is intended to apply to the public, private, and non-profit sectors.
Not only does the NICE Framework group cybersecurity functions into seven broad high-level Categories (Securely Provision, Oversee and Govern, Protect and Defend, Analyze, Investigate, Operate and Maintain, and Collect and Operate), it also identifies thirty-three Specialty Areas that are distinct areas of cybersecurity work (ranging from systems architecture to cyber legal advisor to digital forensics).
From a board or executive perspective, it is important to understand that cybersecurity is not a fixed set of jobs and that the roles require more than technical acumen; a comprehensive and strategic view of cybersecurity requires leaders to appreciate the combined value of technology, processes, and people and the type of knowledgeable and skilled workforce necessary to support each of those diverse areas.
Another way to use the NICE Framework is according to how it is organized, which includes the identification of dozens of cybersecurity Tasks; the corresponding Knowledge, Skills, and Abilities (KSA’s) that support each Task; and how the collection of Tasks can be used to define Work Roles (52 are identified in the NICE Framework). This view of the NICE Framework will help chief information security officers, hiring managers, and human resource professionals to assemble the right collection of human resources needed for a robust information security program. Additionally, the NICE Framework can influence the development of position descriptions with Tasks forming the basis for job duties, KSA’s influencing qualification requirements, and Work Roles suggesting different types of functional job titles.
The NICE Framework is also relevant for students, job seekers, or workers (hereafter referred to as Learners) curious about how to enter into a cybersecurity role or advance in their career. The Career Pathways portal in CyberSeek is a tool that can help learners discover how to progress in a cybersecurity career. For example, if you select the Mid-Level title of Cybersecurity Analyst, it provides information pertaining to the Average Salary, Total Job Openings, Requested Education, and most importantly the corresponding NICE Framework Categories. If you select the Category of “Protect and Defend” and the Specialty Area of “Cyber Defense Analysis”, it leads you to the Knowledge, Skills, and Abilities (KSA’s) for the position and the Tasks to be performed.
These KSA’s provide learners with a helpful list by which to determine what further education or training is needed and are useful for including in a resume to communicate to employers that they have acquired the knowledge and skills necessary to perform the tasks in the work role. Education and training providers can also use the NICE Framework to ensure that their content and curriculum provide learners with the KSA’s necessary to perform work roles.
A learner typically establishes their KSA’s by acquiring credentials, including academic degrees or certificates of study, industry-recognized certifications, and relevant work experience. However, the order in which you acquire credentials or establish work experience is increasingly flexible and varied given the high demand for skilled cybersecurity workers.
A traditional approach to a career in cybersecurity follows academic pathways that include high school completion and postsecondary education. However, even educational pathways can be diverse, including enrollment in high school, community colleges, undergraduate colleges or universities, graduate school, or professional school. Some learners may start and finish all levels consecutively. More commonly, individuals alternate between obtaining an education and working full- or part-time. That is why it is sometimes better to think of the pathway as a highway with a series of on-ramps and off-ramps depending on personal or career circumstances.
There are a growing number of high-quality educational opportunities in cybersecurity including Career & Technical Education (CTE) programs of study with a cybersecurity focus or the NSA/DHS Centers of Academic Excellence in Cybersecurity. CTE programs and community college programs often encourage students to obtain industry-recognized certifications simultaneously with the educational experience.
Another promising approach to combining education with work is the cooperative education model where a student enrolls in an institution of higher education that has an arrangement with employers. In this case, learners are students first and employees second. In reality, there is an alternating relationship between academic studies and work. Employers, though, benefit from having an immediately available workforce that can learn and develop knowledge and skills over time through the combination of work-based learning and educational coursework.
An increasingly popular and trendy approach is for employers to establish apprenticeship programs. These programs are framed to treat learners as employees first and students second. The benefit to learners is that they can “earn as they learn” and obtain the additional benefit of employer-supported education and training.
Employers also benefit by having an immediately available workforce who typically remain loyal to their employer even after obtaining education or training credentials. We are also seeing the emergence of “intermediaries” who take some of the mystery out of apprenticeships by assuming program administration and support.
Working adults may also pursue a cybersecurity career even if they have not previously acquired cybersecurity credentials or related work experience. The process of reskilling or upskilling typically includes participation in an academic or training program that facilitates a career change. This is particularly attractive to individuals who are unemployed, underemployed, or transitioning military veterans.
Community colleges are particularly well-positioned to reskill individuals, both through for-credit courses leading to an associate’s degree and through non-credit training that often leads to a certificate. Even individuals with bachelor’s degrees or advanced degrees can benefit from new credentials provided by a community college. Training organizations are another good resource for acquiring new knowledge and skills, especially programs flexible enough to range from part-time opportunities to more intensive bootcamp-style programs that can upskill someone in a 3-6 month period of time.
In conclusion, the path to a cybersecurity career is as varied as the diverse types of work that you are likely to assume, given the changing nature of technology and cybersecurity risks. There are a variety of options available at different levels of cost and time commitment. However, the path to a cybersecurity career is increasingly guided by the NICE Cybersecurity Workforce Framework, which allows for more standardization and consistency in the experience for learners, education and training providers, and employers. To learn more about careers in cybersecurity, visit the National Initiative for Cybersecurity Education at nist.gov/nice.