The paths that can lead to a cybersecurity career are as diverse as the job opportunities within this high-demand field.
The U.S. Bureau of Labor Statistics refers to cybersecurity professionals as information security analysts. It projects that available roles for these professionals will grow by 29% – an addition of 52,100 jobs – between 2024 and 2034.
If you think you may want to be on the front lines protecting personal data from bad actors or keeping vital digital systems afloat, where do you start? Paige Mooney, assistant director of career services at Heinz College of Information Systems and Public Policy at Carnegie Mellon University in Pennsylvania, suggests exploring microcredentials and other smaller options before committing to a certificate program or pursuing professional certifications.
“A lot of those gear you up for a certificate, but it also allows you to get a grasp on those fundamentals and kind of dip your toes in the water to make sure you enjoy that type of work,” she says.
This guide explores how to get started in cybersecurity, including the skills you should have in your toolkit, what experts say is the best cybersecurity certification for beginners and some different areas of the field.
What Are Cybersecurity Jobs?
As with many other fields, cybersecurity offers a variety of roles. While it’s not a comprehensive list, the table below shows a few areas of cybersecurity where professionals can specialize.
What can you do in cybersecurity?
| Skill or area | What it is |
| --- | --- |
| Ethical hacking | Employing hacking techniques to find vulnerabilities in a network and fix them before a bad actor takes advantage of them. Basically, the best offense is a good defense. |
| Incident response | Taking action after a suspected data breach or attempt, such as a phishing scam or ransomware attack. |
| Network security | Protecting an organization’s information and digital infrastructure through VPNs, firewalls and other technology and policies. |
| Cloud security | Protecting data and other assets stored in a cloud environment from attacks and threats, and recovering data in case of disaster. |
| Governance, risk and compliance | A structured approach that organizations use to ensure they follow industry regulations, manage security risks and establish effective policies. It helps businesses align their objectives with legal and security requirements while maintaining accountability and efficiency. |
“There are also areas in cybersecurity where you don’t have to do any coding or hacking at all,” says Hayley Blair, a former cybersecurity analyst who now works as a technical writer. “It’s more like policy, governance. You have to know all the different privacy laws and things like that.”
Blair cites the example of a company having a presence in both the U.S. and Germany, and needing to be well versed in each country’s privacy laws to safeguard clients’ personal data.
“When it comes to collecting credit card information for your company, you have to know PCI DSS (Payment Card Industry Data Security Standard) and all of these regulations in order to ensure that you’re just following the law and safeguarding people’s information,” she adds. “Where I used to work had a European branch in Germany, so we had to learn GDPR (General Data Protection Regulation). They have much stricter privacy laws there. So you have to learn all that and protect people’s information.”
The National Initiative for Cybersecurity Careers and Studies, part of the Cybersecurity and Infrastructure Security Agency, offers an interactive online Cyber Career Pathways Tool. You can use this tool to explore and compare various cybersecurity roles under the umbrellas of oversight and governance, design and development, and more.
If you’re looking to work for the federal government in the field of cybersecurity, it’s imperative that you get to know the standards published by the National Institute of Standards and Technology. Knowing the risk management framework outlined in Special Publication 800-37 is a great start, and this document will send you to many other useful guidelines that describe each step of the process in greater detail.
How much money can you make in cybersecurity?
You can make a six-figure salary in cybersecurity – and many cybersecurity professionals do – but as with any other industry, the pay varies based on factors such as your employer, geographic location, seniority or experience, and specific role.
The BLS reports that information security analysts make an average annual salary of $127,730. The highest-paid 90% of these professionals make $186,420, while the lowest-paid 10% make $69,660.
In general, California, Idaho, Maryland, Washington and New Jersey are the highest-paying states for cybersecurity professionals, and those based in Silicon Valley might make the most of all. The BLS reports that information security analysts in the San Jose-Sunnyvale-Santa Clara, California metro area make an average of $204,340 each year.
However, higher salaries often reflect a higher cost of living. If you apply for cybersecurity jobs that are based on-site, research how far your expected salary would go to cover housing, food and other necessities in that area. If you apply for remote cybersecurity jobs, consider how your new salary stacks up against your current expenses. A job with mid-range pay in an area with a lower cost of living often can pad your bank account faster than a six-figure salary in a high cost-of-living area.
Do You Need a Degree to Work in Cybersecurity?
No, you don’t necessarily need a degree to work in cybersecurity, though some employers, especially government contractors, may prefer to hire candidates who have one. As companies and organizations increasingly need capable cybersecurity professionals who can protect their digital assets, your skills – and the credentials that demonstrate you’ve mastered them – are your biggest asset.
“I see job descriptions all the time where a bachelor’s may be a preferred qualification instead of a hard basic qualification,” Mooney says. “However, usually in place of that, they may want more years of experience. So help desk roles, like IT kind of generalist roles, are one way that people get those years of experience as a stepping stone.”
“It’s not uncommon for people to utilize different boot camps or certificates,” she adds. “They get their foot in the door and learn the fundamentals that way.”
In lieu of pursuing a bachelor’s degree, you may launch your cybersecurity career by earning a certificate and early-career certifications.
While you may sometimes hear the terms “certificate” and “certification” used interchangeably, they’re not the same. Certificate programs are offered by colleges and universities. Often, the courses you take while pursuing a certificate earn college credit that you can transfer into a degree program should you decide to continue higher education.
Certifications, on the other hand, are usually awarded by companies and professional organizations. Earning a certification demonstrates your knowledge and mastery of a particular concept, program or skill. Stacking certifications – earning more than one over time – shows prospective employers your range of cybersecurity expertise. You can continue to earn certifications throughout your career as you tackle more advanced concepts, specialize and adapt to the ever-shifting cyber landscape.
Cybersecurity certificate programs
Colleges and universities offer cybersecurity certificate programs at the undergraduate and graduate levels. Certificate programs from community colleges or undergraduate certificates from universities can be good preparation for entry-level roles in the cybersecurity field, and you may be able to transfer credits from those programs toward an associate or bachelor’s degree, if you choose.
Graduate certificates in cybersecurity comprise graduate-level coursework, and students may opt to transfer credits from a certificate program toward a master’s degree. You’ll likely need a bachelor’s degree to be accepted into a graduate certificate program, though your degree doesn’t necessarily have to be in cybersecurity. This could make a graduate certificate a good option for career-switchers who have a background in another field.
Each cybersecurity certificate program is different, so before you apply for one, make sure you meet any prerequisites and the curriculum aligns with your cybersecurity career goals.
Cybersecurity certifications for beginners
Entry-level help desk or other IT roles may not require you to hold a certification; certifications are generally expected more for mid- or senior-level roles, when specialty and advanced knowledge of a certain aspect of cybersecurity come into play.
“However, any sort of credential that validates your skill set I think is going to be helpful,” Mooney says.
Earning a broad, entry-level certification from a reputable organization can be a good introduction to working in cybersecurity and show prospective employers that you’re serious about working in the field.
Some popular cybersecurity certifications for beginners include:
- CompTIA Security+
- ISC2 Certified in Cybersecurity
- Google Cybersecurity Certificate
- GIAC Security Essentials
Keep in mind that although these certifications may be designed to help prepare learners for entry-level roles, having a fundamental understanding of cybersecurity terminology and at least some programming knowledge beforehand can help you prepare to retain the information you learn while studying for certification exams. Explore free resources online as you learn to code and familiarize yourself with the essentials.
What cybersecurity certification is best for beginners?
Both Blair and Mooney recommend the Security+ credential from CompTIA as the best cybersecurity certification for beginners. Blair held that certification during her time in the field. CompTIA recommends that professionals have its Network+ credential and two years of experience working in a security/systems administrator role before attempting the Security+ exam, but this isn’t necessarily a requirement.
Many other certifications are designed for mid- or advanced-career cybersecurity professionals and require candidates to have a certain number of years’ work experience in the field. But Security+ can lay a strong foundation for a cybersecurity career, especially when paired with entry-level help desk work and a personal portfolio site demonstrating your programming and other relevant skills.
Advanced cybersecurity certifications and continuing education
As they advance in their careers and hone their specialties, many cybersecurity professionals stack certifications.
“I definitely think I see stacking very commonly in cybersecurity, more than what I see in some other different job functions or industries,” Mooney says.
The organizations that award entry-level credentials typically have options for more experienced professionals as well. For example, ISC2, whose Certified in Cybersecurity credential is an entry-level designation that doesn’t have any professional requirements, also offers the Certified Information Systems Security Professional credential. Candidates for this widely recognized certification need at least five years of professional experience, and it’s a common requirement or preference for more advanced cybersecurity roles.
You also can pursue specialty certifications that demonstrate your skills with a particular platform, such as Amazon Web Services or Microsoft Azure, or in a particular area, such as the Certified Penetration Testing Professional credential from EC-Council. There are also application-specific certifications that can translate to opportunities across the industry, like Splunk Security Essentials and the Tenable Vulnerability Management Specialist Certification, or credentials for other platforms like ServiceNow.
“Once you get into a role…the company often pays for you to get training and to earn these other certifications,” Blair says. “It might sound counterintuitive, but the more of a niche you have, the more hirable you are in certain positions. So you can start broad, and then narrow down to a certain level of expertise with very specific certifications.”
To maintain industry certifications, cybersecurity professionals need to continue their education throughout their careers. They may earn continuing education units through coursework, webinars or training, for example, or they may renew a certification by taking the most updated version of that credential’s exam. Options for renewal and the number of continuing education units required vary by awarding organization and specific credential.
What Skills Do You Need for a Cybersecurity Job?
While the necessary technical skills vary widely by specific role, experts recommend that all cybersecurity professionals keep a few essentials in their toolkit.
- Understand the terminology. Make sure you have a grasp on security and networking basics, such as what constitutes a threat or a vulnerability, and understanding what a firewall is. “You have to build the house first before you can defend it, so learn what those fundamentals are,” Mooney says.
- Learn Python basics. Even if you plan to work on the policy side of cybersecurity, a basic understanding of programming can help you facilitate communication between stakeholders in technical and nontechnical roles. Python is a common programming language, and a wealth of online resources can help you learn it.
- Familiarize yourself with operating systems. Devices such as routers and VPNs use Linux, and cybersecurity professionals often use Linux distributions for penetration testing and vulnerability assessment. Mastering this operating system is an essential skill for many cybersecurity roles.
- Don’t neglect soft skills. “A big part of what we’re seeing in early careers is the emphasis of skills-based hiring. And that’s not even just technical skills or cyber skills, but also soft skills – so, communication, critical thinking, leadership,” Mooney says. She adds that certifications “are great because they prove that you have knowledge in those areas, but I think that they work best with hands-on work and in addition be able to demonstrate those soft skills too.”
Online platforms such as Hack The Box and TryHackMe present good opportunities for cybersecurity training. Completing challenges and projects on these sites can instill confidence and demonstrate your skills to prospective employers.
Many industries are changing and adapting as artificial intelligence becomes more prevalent in the workforce, and cybersecurity is no exception. So try not to get frustrated if you’re unable to land a job right away.
“I will say that with the advent of AI, it has been a lot harder to get jobs in cybersecurity at this moment,” Blair says. “But if people are really passionate about it and want to do it, and are willing to put that extra effort in to show their skills, like with a portfolio, it’s a great field to be in.”
