Planning a Career in Information Security
Finding your path in a dynamic industry like information security can be hard because there are few established paths. This guide can help.
Career planning in Information Security is challenging because it is such a broad and constantly-changing field. More than any other career, an iterative, constantly-evolving approach is necessary. Success means blazing a trail that has never been followed before. I mean that in a positive and liberating way and say it to emphasise that no matter what course your career has taken up to this point, you can direct your future any way you want.
The process outlined below is one I’ve followed for nearly 20 years, although I have refined and adapted it over time. I present it here as a work in progress. In its current form, it is loosely aligned with the risk management process outlined in NIST Special Publication 800-30 Rev. 1 (Guide for Conducting Risk Assessments) because that satisfies my affinity for self-reference and recursion.
Throughout this process, indeed throughout your career, it can help to talk to people to get their perspectives. You absolutely may reach out to me. I love talking to people of all backgrounds and skill levels. I promise to be kind and supportive. My DMs on Twitter are open.
Introspection
“What are my strengths today?”
Even the best map can’t get you to your destination if you don’t know where you are. Spend some time thinking about what your current strengths are. You’ll want to list your technical strengths, of course, but over the course of your career, “soft” skills and personality traits are far more important. Also, don’t judge your strengths by comparing yourself to the best in the business — you don’t need to jump like Michael Jordan to have a great vertical leap. This exercise is more about identifying the areas where you are strong and have great potential for getting stronger. I like to use a mind mapping tool such as FreeMind for this exercise. Consider also purchasing a copy of StrengthsFinder 2.0 and taking the related assessment. I’ve taken the assessment several times in the course of my career and learned something new every time.
Develop a specific goal
“What do I want to be when I grow up?”
The job you want in five years probably doesn’t exist today, but that’s no excuse not to have specific, long-term goals. Despite what (waterfall) project managers may tell you, the purpose of a plan is not to map out every step to a destination. Instead, it gives you a wishful-thinking path to a theoretical end state so you have a good chance of knowing whether a specific step along your path is toward, away from, or simply distracting from where you want to go.
A good way to start goal-setting is to look at the various security-related certifications and training classes to see which ones sound most interesting to you. If you approach security from a “bottom-up” perspective, meaning you are most interested in technical measures either for offence or defence, I recommend looking at the GIAC certifications as a starting point. Similarly, look at the SANS course catalog to find interesting topics you might want to specialise in. If your approach is “top-down”, meaning you think of security as being all about risk management, process, and service integrity, start by looking at the CISSP domains and make note of the areas that especially excite you.
List essential end-state qualities
“What does it take to do the job I want?”
The job you want will have a set of required skills. It’s easy for technologists to focus on “hard” technical skills and neglect “soft” communication and organisational skills. Doing so is a terrible mistake because it doesn’t matter how valuable you are if you can’t convince people of your value. Security professionals in particular must emphasise soft skills because we are often in the business of delivering bad news. You might think bad news is valuable, but whoever is signing your payslip will take some convincing. Again, a mind map is a good way to organise your thoughts. Consider reading What Got You Here Won’t Get You There to help you in this process.
Diff
“What strengths do I need to develop?”
At this point you have a list of strengths you need and a list of strengths you have. This step is pretty easy — just figure out what the differences are between the two. While you’re comparing the lists, you’ll probably identify a few things you missed on one or the other of the lists. Go ahead and update the lists as appropriate.
Hard truths
“Am I willing to develop those strengths?”
You can’t be good at everything, but you’ll never be good at something if you don’t want it enough to work for it. If the idea of putting in the work to become strong in a particular area makes you sick or fills you with existential dread, it’s essential that you accept that fact. Once you have admitted how you feel, you need to spend some time thinking about whether you can commit to developing that strength in spite of your negative feelings about it. If you cannot commit 100% to putting in the work on any one of the essential end-state qualities of the goal you have chosen, you might want to revisit your original goal. At the very least, you’ll need to develop a plan for success without developing that strength. For example, if you hate writing status reports, developing a career as a project manager is going to be difficult. You can either suck it up and commit to getting good at reporting status, or you can develop a habit of delegating status reporting to one of your project resources. What you cannot do is ignore status reporting and disappoint your project stakeholders.
Develop a plan
“What’s next?”
When it comes to action plans, it’s important to order your efforts to get the most timely benefit. Equally important is to make sure that you will enjoy every week of work, even if it’s too much to ask that you enjoy every minute.
Separate the list of strengths you need to develop into two categories — those that excite you, and those you dread.
Prioritise each list according to logical order (crawl, walk, run) and how much work you need to put in.
Now that the hard part is out of the way, you get to have some fun.
Take the first two developing strengths, one from each category, and break them down into bite-size chunks, ordered however makes sense to you.
Look at the steps involved in building your developing strengths and try to imagine potential projects that would combine the exciting and dreadful.
Try to figure out how to incorporate those projects into your existing professional work (it’s always best to get paid for your efforts).
If your projects don’t fit with your existing job, think of some ways you could work on them outside of work.
Apply an aggressive due date for the project.
Repeat the process for the next set of exciting and dreadful strength goals. The farther your goals reach into the future, the vaguer their dates can be: a goal 6 months out should have a specific date, a goal 1 year out should have at least a month, a goal 2 years out should have a quarter, and so on.