I get a lot of requests from people asking me how to get into cybersecurity. My advice (almost invariably) is to start by seeking out a deep understanding of the variety of roles and responsibilities that fall under the cybersecurity umbrella, rather than fixating on a single job title or buzzword, or simply wanting to “work in cybersecurity” without knowing what your options may be.
I’m gonna take a moment to be totally honest here: when I started my path into cybersecurity, I was aiming to be a penetration tester, i.e. someone who gets paid to attack systems, find vulnerabilities, and report on them. As I gained more understanding of both the scope of the field and my own skills and interests, I realized that there were many aspects of pentesting that were actually not the best fit for me, and that my existing skills and interests lined up better with things like DFIR (Digital Forensics and Incident Response), risk assessment, and detection engineering.
The fact of the matter is, until you understand what actually exists, it’s difficult to make informed choices about where your interests, skills, and temperament genuinely fit. So, that’s why I wrote this article, to help broaden your horizon and give you something to think about.

Cybersecurity Is Bigger Than You Think
When people hear “cybersecurity,” they often picture a hacker typing furiously in a dark room, or maybe a SOC analyst staring at blinking dashboards. While those roles are important, they represent only a slice of a much larger and more diverse field.
Cybersecurity isn’t one job. It’s an ecosystem of disciplines that intersect with technology, business, law, psychology, engineering, and risk management. Understanding this diversity is critical… not just for people trying to break into the field, but also for organizations that struggle to hire, train, and retain security talent.
If you’re looking for work experience, career direction, or simply a clearer mental model of what “cybersecurity” actually means, the sections below offer a non-exhaustive exploration of the different areas in the cybersecurity field.
Governance, Risk, and Compliance (GRC)
Not all security work happens at a keyboard. Governance, Risk, and Compliance (often shortened to GRC) focuses on how security aligns with business objectives, legal obligations, and real-world risk.
Professionals in this space assess organizational risk, write and maintain policies, manage compliance with standards like ISO 27001 or SOC 2, and evaluate third-party vendors. The work is analytical, documentation-heavy, and deeply connected to how decisions get made.
This domain is often overlooked by technically inclined newcomers, yet it remains one of the most accessible entry points into cybersecurity. Strong writing skills, an ability to translate technical concepts into plain language, and comfort working with stakeholders are often more important than deep technical expertise.
Security Operations: Detecting and Responding to Threats
Security Operations, often referred to as “blue team” work, is where many people first encounter cybersecurity in practice. This is the realm of Security Operations Centers (SOCs), incident response teams, and threat monitoring.
Here, the focus is on detecting suspicious activity, investigating alerts, responding to incidents, and learning from real attacks. Analysts work with logs, network traffic, endpoint telemetry, and threat intelligence feeds. The pace can be intense, and the work is often shift-based, but it provides invaluable exposure to how attacks actually unfold.
For those who prefer hands-on technical work and learning by doing, security operations remains a common and legitimate entry path into the field.
Offensive Security: Thinking Like an Adversary
Offensive security flips the perspective. Instead of defending systems, practitioners attempt to break into them, ethically and with permission, to identify weaknesses before real attackers do. This includes penetration testing, red team operations, vulnerability research, and social engineering engagements. These roles demand a deep understanding of systems, networks, and applications, as well as creativity and persistence. They tend to be a good fit for people who like the thrill of doing bad things, albeit for a good purpose. 😛
Offensive security skills can also be applied on a freelance basis, making use of bug bounty programs and vulnerability reporting programs rather than relying on secure employment. You can think of this like panning for gold… you could spend a lot of time achieving nothing, or hit a serious bug and make a salary’s worth of money in a very short amount of time. It’s going to depend on your knowledge, methods, and at least a little bit of luck.
Application Security: Where Software Meets Risk
As organizations increasingly build their own software, application security has become one of the most critical and in-demand domains.
AppSec professionals work closely with developers to identify vulnerabilities in code, secure the software development lifecycle, and prevent issues like injection flaws, authentication failures, and insecure dependencies. This domain sits at the intersection of development and security, and it rewards people who understand how software is actually built and maintained.
For developers looking to pivot into security, application security is often the most natural transition.
Cloud and Infrastructure Security: Securing What Runs the Business
Modern organizations rely heavily on cloud platforms, virtualized infrastructure, and complex identity systems. Securing these environments is its own discipline.
Cloud and infrastructure security covers identity and access management, network segmentation, container security, configuration hardening, and monitoring of large-scale environments. Misconfigurations (rather than exploits) are often the biggest source of risk here.
This domain appeals to those with backgrounds in systems administration, networking, or DevOps, and it underscores an important reality: much of cybersecurity is about preventing boring, avoidable mistakes.
Identity, Access, and Authentication: Who Can Do What
At the core of many breaches is a simple problem: the wrong person had access to the wrong thing.
Identity and Access Management (IAM) focuses on how users are authenticated, what permissions they have, and how access is granted and revoked over time. This includes directory services, single sign-on, privileged access management, and multi-factor authentication.
IAM work is process-heavy and detail-oriented, but it has outsized impact. Done well, it quietly prevents entire classes of attacks.
Privacy and Data Protection: Security Meets Human Impact
Privacy-focused security work emphasizes the protection of personal and sensitive data, not just systems.
This includes data classification, loss prevention, privacy impact assessments, and collaboration with legal and compliance teams. The work often involves balancing usability, regulatory requirements, and technical controls.
As data collection expands and regulations evolve, this domain continues to grow—especially for those interested in the human and ethical dimensions of security.
Architecture, Engineering, and Strategy: Designing Security at Scale
Some roles focus less on day-to-day operations and more on long-term design. Security architects and engineers think in systems: how components interact, where trust boundaries exist, and how failure modes can be anticipated.
These roles typically require broad experience and are rarely entry-level, but they highlight an important truth: cybersecurity is not just reactive. Much of the most effective security work happens before systems are ever deployed.
The Takeaway: There Is No Single “Cybersecurity Path”
Cybersecurity is not a ladder. It’s a landscape.
Some people enter through policy and risk. Others through IT, development, or investigations. Some specialize deeply; others remain generalists. Many move between domains over time.
For anyone seeking work experience, the most important step is not choosing the “right” domain, but understanding that multiple paths exist—and that your existing skills are likely more relevant than you think.
Applied awareness in cybersecurity starts with recognizing the field for what it really is: a collection of disciplines united by a common goal, not a single role defined by a stereotype.
