
Four steps toward a plan for a career in information security

Having a long-term goal for a career in information security isn't enough. Here are four key steps for planning for a career in information security.

Formulating your career plan is the cornerstone of a successful career. Our 2008-2009 survey of information security professionals revealed that those who have a career plan are more likely to hold senior titles, earn more money, and report higher job satisfaction. These findings demonstrate that effective information security career planning has a measurable impact on your success.

Like any successful information security engagement, career planning should be based on a solid methodology that will provide you with the best chance of achieving success. The four key components to career planning include: the development of a baseline; understanding your ultimate career goal; determining intermediate milestones; and planning in reverse.


Before starting on the career planning process, you need an idea of what your current situation is. Former General Electric CEO and management guru Jack Welch is often quoted that the first step in management of anything is to get a solid understanding of the reality of your situation.

Unfortunately, this is difficult for most people. Most of us are weak in at least a couple of key areas, and it's not fun to take stock of your weaknesses. So this is where a lot of people stop the career planning process; it's difficult enough to take the time to sit down and plan, but even more difficult if that process involves understanding what you're not so good at.


Once you know where you are, the next step is to figure out where you want to end up long-term. Not surprisingly, most of our industry has some idea of this. When we asked about ultimate career goals in our survey, 37 percent responded they hoped to be a CISO/CSO, 20 percent said architect/subject matter expert, and 7 percent an entrepreneur.

If you have any of those goals, this should scare you, because those people are your competition. If your goal is to be a CISO, think about this: when you go to RSA Conference or Black Hat Briefings, three of every 10 people you run into share your career goal. And there are thousands of people at each of those conferences.

In choosing your outcome, realize that the competition is going to mean that you're going to have to work hard. If your goal is to be a penetration tester or a vulnerability researcher, you're going to have to put in long hours and a huge amount of effort to get there. And there will be tradeoffs and sacrifices.

After you have decided on your goal, you should research which skills, education, and experience would be required to achieve that position. At that point, you should be left with an understanding of where you are currently and what kind of commitment, sacrifice, and personal investment you would need to make in order to achieve your long-term career goal.

At the end of this exercise, you will be able to determine your personal willingness to achieve this goal. If you determine that you are unwilling to put in the necessary work and professional development, you should select another goal that is better aligned with your level of commitment. Please keep in mind that developing career goals is easy; achieving them requires a great deal of hard work.


Once you've decided on an outcome and a baseline, the next step is to figure out what intermediate milestones you need to reach. It's great to know that you want to be a CISO, but it's the steps along the way that most people have trouble with. So research what path most CISOs take. Most have certain certifications and education, and all of them at some point manage a team of people, learn to manage projects, budgets and more. You need to set goals and milestones that allow you to get from where you are today to accomplishing all of the steps on the path of a CISO.


Finally, with your milestones set out, you need to figure out what you're going to do over the next three, six and 12 months to reach your first milestone. What do you need to accomplish this year to move you toward your ultimate career goal? What do you need to learn?

This is all about planning backwards from your final outcome to the current day. If you know, for example, that you want to be taking a more managerial role a year from now, what skills would you need to obtain? What books would you need to read? What training would you need to take? And who would you need to meet and know?

Once you have this written plan, it will provide you with a guide for making career decisions and assessing specific career opportunities. As your information security career progresses, you will be presented with a variety of different opportunities to either utilize your current skill set or develop new skills. As an example, you may move from the role of an individual contributor toward a more management-oriented role; this may cause you to use less of your technical skills and more of your managerial skills.

Following these four steps should allow you to put together a plan that gives you a good understanding of where you want to go and how you will get there.

Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of, an information security career content website.

Mike Murray has spent his entire career in information security and currently leads the delivery arm of MAD Security. He is co-founder of, where he writes and talks about the skills and strategies for building a long-term career in information security.
