Information Security Career Path

June 17, 2015

I sat down a few weeks ago to figure out a standard information security career path for the book I’m writing. I think you need a guide as you think about your career. It was funny though to listen to the podcast episodes I’m currently recording (they’ll come out this fall). There is no typical career path. That’s the point of the podcast — to hear others’ strange journeys to how they progressed in their career.

So what I’ve developed below is an early version of a map of a stereotypical career path. As I was developing the model, I struggled with the many different types of information security jobs. First, whether you’re working for an enterprise or in the consulting world. Second, as you grow in your career, what starts out as similar responsibilities quickly diverges.

Finally, the titles themselves sometimes have nothing to do with the job you hold. A Senior Security Engineer at a startup may act much more like a Chief Information Security Officer while a Director of Information Security may be configuring firewalls. In addition, I’ve added an average salary column to the graphic to again help people understand how salaries progress. Given the current supply and demand mismatch in information security, even the average salaries don’t always line up either.

I think where this model really helps is for people who are moving in and out of consulting. As a long-time consultant myself, I’ve seen people who don’t understand the career paths and jump in and out of consulting for the wrong reasons. I’ve also seen people who assume that the only way to move up is to manage people. While not every organization has the technical route below, the option does exist.

What do you think of this model? I’d love feedback. Shoot me an e-mail at