Security Analyst Career Progression: The Path Nobody Tells You About (Until Now)

Understanding security analyst career progression is crucial whether you’re just starting in cybersecurity or looking to advance to senior roles. When I transitioned from programming to security research in 2018, I wish someone had given me a realistic roadmap for security analyst career progression—not the sanitized LinkedIn version, but the actual path with its detours, dead ends, and breakthrough moments.

Let me be direct: security analyst career progression isn’t a straight line from junior analyst to CISO. It’s a complex journey influenced by technical skills, soft skills, certifications, industry sector, company size, and often pure timing. But there are patterns, and understanding these patterns can save you years of frustration.

In this guide, I’m mapping out the real security analyst career progression path based on my experience, conversations with hundreds of security professionals across forums like r/cybersecurity and r/ITCareerQuestions, and analysis of actual job postings and salary data. You’ll see what each level actually entails, the realistic timelines, the skills that matter (and those that don’t), and the strategic decisions that accelerate advancement.

Understanding Security Analyst Career Progression: The Real Roadmap

The traditional view of security analyst career progression follows a predictable ladder: Junior Analyst → Analyst → Senior Analyst → Team Lead → Manager → Director → CISO. While this path exists, the reality is far more nuanced. I’ve seen brilliant analysts plateau at senior level by choice, others pivot to specialized roles like threat intelligence or incident response, and some leapfrog traditional progression by demonstrating exceptional value.

According to the Bureau of Labor Statistics projects, employment of information security analysts is projected to grow 32% from 2022 to 2032, much faster than the average for all occupations. This explosive growth creates opportunities but also fierce competition at each career stage.

Here’s what most career guides won’t tell you: the biggest differentiator in security analyst career progression isn’t technical skills—it’s your ability to communicate risk to non-technical stakeholders, mentor junior team members, and demonstrate business impact. Technical excellence gets you interviews; these “soft” skills get you promoted.

The Seven Stages of Security Analyst Career Progression

Stage 1: Junior Security Analyst (0-2 Years) – $55,000-$75,000

Reality Check: This is where everyone starts, and it’s often the most frustrating phase. You’re monitoring alerts, triaging incidents, and following playbooks created by others. The work feels repetitive, and you might question if you made the right career choice.

What You’re Actually Doing:

• Monitoring SIEM dashboards for security alerts
• Performing initial triage of security events
• Documenting incidents according to established procedures
• Escalating potential threats to senior analysts
• Learning your organization’s security tools and infrastructure

Key Skills to Develop:

• Attention to detail (this cannot be overstated)
• Basic understanding of network protocols (TCP/IP, DNS, HTTP/HTTPS)
• Familiarity with operating systems (Windows, Linux)
• Log analysis fundamentals
• Communication skills for reporting and documentation

Certifications That Matter:

• CompTIA Security+ (entry requirement for many positions)
• CompTIA CySA+ (Cybersecurity Analyst)
• GIAC Security Essentials (GSEC)

Career Advice from the Trenches:
During my first year in security operations, I was drowning in false positives. What saved me was creating a personal knowledge base—documenting every alert type, the investigative steps I took, and the outcome. This became invaluable when training others later and demonstrated initiative during performance reviews.

Don’t just process alerts mechanically. Understand why each alert triggered. This curiosity accelerates your learning curve and prepares you for Stage 2.

Stage 2: Security Analyst (2-4 Years) – $75,000-$95,000

The Transition: You’ve proven you can handle the basics. Now you’re trusted with more complex investigations and expected to work more independently.

What Changes:

• Conducting deeper incident investigations
• Correlating data from multiple security tools
• Identifying attack patterns and tactics (MITRE ATT&CK framework)
• Providing recommendations for security improvements
• Mentoring junior analysts

Technical Skills to Master:

• Advanced log analysis and correlation
• Network traffic analysis (Wireshark, Zeek)
• Malware analysis basics
• Threat intelligence integration
• Scripting for automation (Python, PowerShell)

Certifications to Consider:

• GIAC Certified Incident Handler (GCIH)
• Certified Information Systems Security Professional (CISSP) Associate
• EC-Council Certified Ethical Hacker (CEH)

The Reality of This Stage:
This is where I see many analysts get comfortable and plateau. The work becomes manageable, the salary is decent, and advancement seems like it would mean more meetings and less hands-on work. This comfort zone is dangerous.

To progress beyond this stage, you need to demonstrate impact beyond just handling incidents. Start quantifying your contributions: “Reduced false positive rate by 40% through tuning correlation rules” or “Identified and contained ransomware infection within 45 minutes, preventing estimated $2M in damages.”

Stage 3: Senior Security Analyst (4-7 Years) – $95,000-$125,000

The Shift: You’re now a subject matter expert. Junior and mid-level analysts look to you for guidance. Management expects you to not just react to threats but anticipate them.

New Responsibilities:

• Proactive threat hunting (not just responding to alerts)
• Developing and refining detection rules
• Creating and updating incident response playbooks
• Leading complex incident investigations
• Representing the security team in cross-functional meetings

Advanced Skills:

• Threat hunting methodologies
• Advanced persistent threat (APT) analysis
• Security orchestration, automation, and response (SOAR)
• Cloud security monitoring (AWS, Azure, GCP)
• Behavioral analytics and anomaly detection

Certifications That Add Value:

• GIAC Certified Intrusion Analyst (GCIA)
• Offensive Security Certified Professional (OSCP)
• SANS FOR500 (Windows Forensics)

Career Fork in the Road:
At this stage, you face a critical decision that significantly impacts your security analyst career progression: technical specialization or leadership track.

Technical Track: Deepen expertise in specific areas (malware analysis, forensics, threat intelligence, penetration testing). This leads to roles like Principal Security Analyst, Security Researcher, or specialized consultant.

Leadership Track: Develop team leadership, project management, and business communication skills. This leads to Security Team Lead, SOC Manager, and eventually director-level roles.

Neither path is superior—it depends on your interests and strengths. I’ve seen technically brilliant analysts forced into management roles they hated, and natural leaders stuck in technical roles because they thought management meant they’d “lost” the technical battle.

Stage 4: Security Team Lead / SOC Coordinator (5-8 Years) – $110,000-$145,000

If You Choose Leadership: This is your first formal leadership role. You’re responsible for a small team of analysts, shift scheduling, escalation management, and ensuring SLAs are met.

Key Responsibilities:

• Managing analyst schedules and shift coverage
• Conducting performance reviews
• Making hiring and firing decisions
• Coordinating incident response across shifts
• Reporting metrics to management

Skills Beyond Technical:

• People management and conflict resolution
• Resource allocation and prioritization
• Stakeholder communication
• Budget awareness
• Process improvement

Common Mistakes at This Level:
The biggest trap is trying to do everything yourself. You were promoted because you were an exceptional individual contributor, but that mindset kills your effectiveness as a leader. Your job is now to multiply the team’s impact, not just add to it with your personal contributions.

I struggled with this during my transition to leadership. I’d jump in to solve complex incidents myself rather than coaching my team through them. This prevented them from developing and me from focusing on strategic initiatives. Delegation isn’t giving up control—it’s investing in your team’s growth.

Stage 5: Security Manager / SOC Manager (7-10 Years) – $130,000-$170,000

The Business Side Emerges: You’re now firmly in middle management. Your day involves more meetings than technical work, and you’re measured on team performance, budget management, and strategic alignment with business objectives.

What You’re Managing:

• Multiple teams or specialized groups
• Security operations budget ($500K-$5M+)
• Tool selection and vendor relationships
• Cross-department security initiatives
• Compliance and audit support

Required Competencies:

• Strategic thinking and planning
• Executive communication
• Budget development and management
• Vendor negotiation
• Change management

Certifications for This Level:

• Certified Information Security Manager (CISM)
• Certified in Risk and Information Systems Control (CRISC)
• Project Management Professional (PMP)

Reality Check:
At this level, technical skills become less important than business acumen. The (ISC)² Cybersecurity Workforce Studyreveals a global cybersecurity workforce gap of 3.4 million professionals, yet many organizations struggle to find managers who understand both security and business.

Your value proposition shifts from “I can solve security problems” to “I can align security strategy with business goals while managing risk and resources effectively.”

Stage 6: Director of Security Operations (10-15 Years) – $160,000-$220,000

Strategic Leadership: You’re setting the vision for your organization’s security operations. You report to the CISO or CIO and represent security at the executive table.

Strategic Responsibilities:

• Defining security operations strategy
• Building and maintaining security architecture
• Leading major security initiatives and transformations
• Managing relationships with board members and executives
• Industry representation and thought leadership

Executive Skills:

• Business strategy alignment
• Board-level communication
• Crisis management and PR
• M&A security due diligence
• Building security culture

The Politics Intensify:
This level is as much about organizational politics as security expertise. You’re navigating competing priorities, limited budgets, executive egos, and sometimes resistance to security initiatives. The technical challenges that excited you early in your career now consume maybe 10% of your time.

Stage 7: Chief Information Security Officer (CISO) (15+ Years) – $200,000-$400,000+

The Peak: You’re the ultimate decision-maker for your organization’s security posture. You answer to the CEO and board, and security breaches can end your career or define your legacy.

What CISOs Actually Do:

• Setting enterprise-wide security strategy
• Managing security budget (often $5M-$50M+)
• Board reporting and cyber risk communication
• Regulatory compliance oversight
• Crisis management during major incidents
• Building strategic partnerships

Skills That Got You Here:

• Proven track record of protecting organizations
• Executive presence and gravitas
• Business fluency and financial acumen
• Strategic vision and long-term thinking
• Calm under pressure during crises

The Lonely Reality:
CISOs face unique pressures. According to recent industry surveys, the average CISO tenure is just 2-3 years. You’re accountable for breaches you can’t completely prevent, working with constrained budgets, and constantly balancing security needs against business velocity.

Security Analyst Career Progression Timeline: What to Expect

Important Note: These timelines are averages. I’ve seen exceptional individuals reach senior levels in half this time, and others take twice as long. Geography, industry, company size, and individual initiative all play huge roles.

Critical Skills That Accelerate Security Analyst Career Progression

Technical Skills Foundation

Essential Throughout Your Career:

• Network fundamentals (this never stops being relevant)
• Operating system internals (Windows, Linux, macOS)
• Cloud platforms (AWS, Azure, GCP security)
• Scripting and automation (Python, PowerShell, Bash)
• Security tools proficiency (SIEM, EDR, IDS/IPS, firewalls)

Emerging Skills for 2025:

• AI/ML in security operations
• Container security (Docker, Kubernetes)
• Infrastructure as Code security
• Zero trust architecture implementation
• Threat intelligence platforms

The Soft Skills Nobody Talks About

Here’s what I wish someone had told me early on: technical skills plateau in importance around the Senior Analyst level. Beyond that, security analyst career progression depends almost entirely on these “soft” skills:

Communication:

• Explaining technical risks to non-technical executives
• Writing clear, concise incident reports
• Presenting to boards and leadership teams
• Translating business requirements into security controls

Leadership:

• Mentoring junior team members
• Managing conflicts within your team
• Influencing peers and stakeholders
• Building consensus across departments

Strategic Thinking:

• Aligning security initiatives with business goals
• Prioritizing risks based on business impact
• Making decisions with incomplete information
• Understanding security’s role in business enablement

Emotional Intelligence:

• Managing stress during security incidents
• Reading room dynamics in meetings
• Building trust with skeptical stakeholders
• Navigating organizational politics

For a structured understanding of cybersecurity roles and competencies, the NIST NICE Framework provides industry-standard definitions that map well to security analyst career progression stages.

Certifications Strategy for Career Advancement

The certification debate in cybersecurity is endless. Here’s my pragmatic take based on hiring hundreds of security professionals:

Certifications Are:

• Resume filters (get you past HR and into interviews)
• Knowledge validators (prove you understand fundamentals)
• Salary negotiation tools (certified professionals earn 15-20% more on average)

Certifications Are Not:

• Substitutes for hands-on experience
• Guarantees of competence
• The most important factor in hiring decisions

Strategic Certification Roadmap

Entry Level (0-2 years):

• CompTIA Security+ (table stakes for most positions)
• CompTIA CySA+ or GIAC Security Essentials

Mid-Level (2-5 years):

• CISSP (or CISSP Associate if you lack experience)
• GIAC Certified Incident Handler (GCIH)
• CEH or OSCP (if moving toward offensive security)

Senior Level (5-10 years):

• GIAC Certified Intrusion Analyst (GCIA)
• SANS FOR500/FOR508 (forensics specialization)
• Cloud security certifications (AWS Security, CCSP)

Management Track (7+ years):

• CISM (Certified Information Security Manager)
• CRISC (Certified in Risk and Information Systems Control)
• CGEIT (Certified in Governance of Enterprise IT)

Budget-Conscious Approach:
Certifications are expensive ($300-$8,000 per cert). Prioritize:

1. What your current/target employer requires
2. What aligns with your chosen specialization
3. What offers the best ROI for your career stage

Many employers offer certification reimbursement or training budgets. Negotiate for these during job offers or performance reviews.

Common Career Pitfalls and How to Avoid Them

Pitfall #1: The Specialist Trap

The Problem: You become extremely proficient in one tool or technology (maybe you’re the “Splunk guru” or “Palo Alto expert”). Your depth of knowledge makes you invaluable, which paradoxically limits your career mobility.

The Solution: Maintain breadth while building depth. Learn adjacent technologies. Understand the problems your tools solve, not just how to operate them. When Splunk gets replaced by a competing SIEM, your general log analysis and correlation skills remain valuable.

Pitfall #2: Avoiding Management Assuming It’s Selling Out

The Problem: You love technical work and view management as abandoning your technical roots. You watch less-skilled colleagues get promoted into leadership while you remain technically superior but career-stagnant.

The Solution: Recognize that leadership amplifies impact. As a senior analyst, you protect one organization. As a security director, your decisions protect thousands of employees and millions of customers. Technical work and leadership aren’t mutually exclusive at senior levels—they complement each other.

Pitfall #3: Certification Collecting Without Application

The Problem: You accumulate impressive certifications (CISSP, OSCP, GCIA, etc.) but lack practical experience applying that knowledge. Your resume is impressive, but interviews reveal surface-level understanding.

The Solution: Implement what you learn. Build home labs. Contribute to open-source security projects. Write about your experiences. Certifications validate knowledge; demonstrable skills get you hired.

Pitfall #4: Ignoring the Business Side

The Problem: You focus exclusively on technical excellence while remaining willfully ignorant of business operations, financial considerations, and strategic planning. You’re frustrated when “obviously necessary” security initiatives get rejected due to “stupid business reasons.”

The Solution: Learn basic business and finance. Understand how your company makes money. Frame security recommendations in business terms: ROI, risk reduction, competitive advantage, regulatory compliance. Security professionals who speak business language become indispensable advisors, not just cost centers to be minimized.

Pitfall #5: Staying Too Long in Comfort Zones

The Problem: You’ve mastered your current role. The work is predictable, stress is manageable, and you’re excelling. But you’re not growing, and the industry is moving faster than you are.

The Solution: Deliberately make yourself uncomfortable. Take on projects outside your expertise. Volunteer for cross-functional initiatives. Change employers every 3-5 years if internal advancement isn’t happening. Comfortable careers rarely become exceptional ones.

Accelerating Your Security Analyst Career Progression: Strategic Moves

Strategy #1: Build Visibility Beyond Your Team

Most security analysts are invisible to executive leadership. Change this:

• Volunteer to present at all-hands meetings
• Write blog posts about security initiatives (with approval)
• Present at local security meetups or conferences
• Participate in cross-functional projects
• Contribute to company-wide security awareness programs

Visibility creates opportunities. When director-level positions open, your name should immediately come to mind.

Strategy #2: Develop a Specialty (But Not Too Soon)

Early in your career, be a generalist. Learn everything. But around the 5-year mark, develop a specialty that differentiates you:

• Cloud security architecture
• Threat intelligence and hunting
• Security automation and orchestration
• Incident response and forensics
• Application security

Specialists command higher salaries and more interesting opportunities than generalists at senior levels.

Strategy #3: Network Strategically

The cybersecurity community is surprisingly small. The person you help today might hire you tomorrow. Invest in relationships:

• Attend security conferences (BSides, DEFCON, RSA)
• Participate actively in online communities (r/netsec, r/AskNetsec)
• Join professional organizations (ISACA, ISC², OWASP)
• Maintain LinkedIn relationships authentically
• Mentor those behind you on the career path

Many of my best career opportunities came from relationships built years earlier, not from job boards.

Strategy #4: Document Everything and Build Your Portfolio

Create tangible evidence of your impact:

• Maintain a “wins” document tracking accomplishments
• Build a GitHub portfolio of security tools and scripts
• Write blog posts explaining complex concepts
• Create and share threat hunting queries
• Document lessons learned from incidents (anonymized)

When negotiating promotions or job offers, specific evidence of impact beats vague claims of competence.

Strategy #5: Consider Strategic Job Changes

Internal promotions have limits. Sometimes the fastest path up requires moving laterally:

• 3 years at Company A (Junior → Analyst)
• 2 years at Company B (Senior Analyst)
• 3 years at Company C (Team Lead)
• 2 years at Company D (Manager)

Each move brings new challenges, broader experience, and typically 15-30% salary increases. Organizations rarely match the external market for internal promotions.

Industry-Specific Security Analyst Career Progression Paths

The security analyst career progression path varies significantly by industry. Here’s what you need to know about different sectors:

Financial Services (Banking, Insurance, Fintech)

Unique Characteristics:

• Highest regulatory scrutiny (PCI-DSS, SOX, GLBA)
• Premium compensation (15-25% above market average)
• Emphasis on compliance and audit readiness
• Frequent third-party assessments

Career Acceleration Factors:

• Understanding financial systems and transaction flows
• Fraud detection and prevention expertise
• Regulatory compliance knowledge
• Incident response during trading hours

Typical Progression:
Junior Analyst ($60K-$80K) → Analyst ($80K-$105K) → Senior Analyst ($110K-$140K) → Manager ($145K-$190K) → Director ($180K-$250K)

Healthcare (Hospitals, Pharma, Medical Devices)

Unique Characteristics:

• HIPAA compliance critical
• 24/7 operations (can’t take systems offline easily)
• Life-critical systems require careful security balance
• Significant IoT/medical device security challenges

Career Acceleration Factors:

• Understanding healthcare workflows and clinical systems
• Medical device security expertise
• HIPAA compliance deep knowledge
• Experience with legacy system security

Typical Salaries: Generally 10-15% below financial services but with better work-life balance.

Technology Companies (Software, Cloud, SaaS)

Unique Characteristics:

• Fast-paced, innovative environments
• Cloud-native security focus
• DevSecOps integration
• Product security responsibilities

Career Acceleration Factors:

• Development/coding skills highly valued
• Cloud platform expertise (AWS, Azure, GCP)
• Application security knowledge
• Automation and scripting proficiency

Compensation: Competitive base salaries plus equity compensation. Total comp can exceed financial services at senior levels.

Government and Defense

Unique Characteristics:

• Security clearance requirements
• Strict compliance frameworks (NIST, FedRAMP)
• Slower pace but higher job security
• Pension benefits

Career Acceleration Factors:

• Security clearance (Secret, Top Secret, TS/SCI)
• Government compliance expertise
• Patience with bureaucracy
• Understanding of government acquisition processes

Compensation: Base salaries 20-30% below private sector, but comprehensive benefits and pension offset this.

Consulting and Professional Services

Unique Characteristics:

• Exposure to multiple industries and technologies
• Travel requirements (30-50% for many firms)
• Project-based work
• Faster skill development through variety

Career Acceleration Factors:

• Broad technical skillset
• Strong communication and client management
• Ability to quickly adapt to new environments
• Business development and sales skills

Compensation: High base salaries plus bonuses tied to utilization and sales.

Salary Negotiation Strategies for Career Advancement

Understanding security analyst career progression includes mastering salary negotiation. Here are strategies that have worked for me and others I’ve advised:

Strategy #1: Always Negotiate (But Know When)

The Rule: Always negotiate job offers. Companies expect it, and you leave money on the table if you don’t.

Exception: Don’t negotiate until you have a written offer. Negotiating too early signals desperation or poor judgment.

How to Negotiate:

1. Express enthusiasm for the role first
2. Cite specific market data supporting your request
3. Frame it as alignment, not confrontation: “Based on my research of similar roles in [city], the market rate for someone with my experience in [specialty] typically ranges from $X to $Y. Can we align the offer with that data?”
4. Be prepared to walk away (but only if you genuinely will)

Strategy #2: Negotiate Total Compensation, Not Just Salary

Beyond Base Salary:

• Signing bonuses (one-time, doesn’t affect future raises)
• Annual performance bonuses
• Equity/stock options (especially in startups and tech companies)
• Certification reimbursement budget
• Conference/training allowance
• Remote work flexibility
• Additional vacation days
• Professional development time

Example: A $5K salary increase costs the company $5K annually. A $10K signing bonus costs $10K once. Many companies have more flexibility with one-time bonuses than ongoing salary commitments.

Strategy #3: Use Competing Offers Strategically

The Power Move: Having competing offers dramatically strengthens your negotiating position. Companies will stretch budgets to secure candidates being actively recruited elsewhere.

How to Use Ethically:

• Be honest about competing offers
• Never fabricate offers (you’ll get caught)
• Don’t play companies against each other maliciously
• Use offers to validate your market value, not as threats

Script: “I’m very interested in joining your team, and this role aligns perfectly with my career goals. I do want to be transparent that I’m currently evaluating another offer with a base salary of $X. I’d prefer to work with you given [specific reasons], but I need the compensation to be competitive. Can we discuss options?”

Strategy #4: Timing Your Moves for Maximum Leverage

Annual Review Cycle: Most companies have fixed raise pools (3-7% typically). Getting promoted during these cycles means your raise comes from that limited pool.

Promotion Before Review: Try to get promoted 6 months before annual reviews. Your new salary becomes the baseline for the annual raise, effectively compounding your increase.

External Offers: The market typically values your skills higher than your current employer. Strategic job changes every 3-5 years accelerate salary growth faster than internal advancement.

Strategy #5: Document Your Impact Quantitatively

The Problem: “I did good security work” doesn’t justify raises. Quantified business impact does.

How to Document:

• Threat detection improvements: “Reduced mean time to detect from 48 hours to 6 hours”
• Cost avoidance: “Identified vulnerability preventing estimated $2M breach”
• Efficiency gains: “Automated 15 hours/week of manual analysis through scripting”
• Risk reduction: “Decreased critical vulnerabilities by 60% through proactive hunting”

Keep a running “wins” document. Update it weekly. Come review time, you’ll have concrete evidence of value delivered.

Conclusion: Your Security Analyst Career Progression Journey

Your security analyst career progression journey is unique, but the principles remain constant: continuous learning, strategic skill development, meaningful certifications, and building a professional network. The security analyst career progression path I’ve outlined provides realistic timelines and expectations based on industry data and real-world experience.

Remember: security analyst career progression isn’t just about climbing the ladder—it’s about finding the path that aligns with your interests, strengths, and life goals. Whether you aim for technical depth as a principal security engineer or executive leadership as a CISO, the cybersecurity field offers unprecedented opportunities for those willing to invest in continuous growth.

The most successful security professionals I know share common traits:

• Curiosity: They’re genuinely interested in how things break and how to protect them
• Resilience: They recover from setbacks and learn from failures
• Adaptability: They embrace change rather than resist it
• Communication: They translate technical concepts for diverse audiences
• Initiative: They don’t wait for opportunities; they create them

The field needs talented professionals at every level. The 4.8 million-person cybersecurity workforce gap won’t close soon, creating opportunities for those who pursue this career path strategically. Use this guide as your roadmap, but remember that your journey will include unexpected detours, fortunate breaks, and learning opportunities disguised as setbacks.

Start where you are. Use what you have. Do what you can. Your security analyst career progression begins with the next certification you pursue, the next skill you develop, the next person you mentor, or the next security control you implement.

The industry is waiting for professionals who combine technical competence with business understanding, who can both investigate incidents and communicate risk to executives, who can lead teams while staying connected to the technical work they love.

Your path to CISO—or wherever your unique security analyst career progression leads—starts today.

Frequently Asked Questions About Security Analyst Career Progression

References:

1. https://www.reddit.com/r/ITCareerQuestions/comments/1fh2wut/career_roadmap_from_fresher_to_cybersecurity/
2. https://cybersecurityguide.org/careers/security-analyst/
3. https://www.dropzone.ai/resource-guide/soc-analyst-career-guide-roles-tiers-salaries-2025-edition
4. https://www.imd.org/blog/digital-transformation/cybersecurity-career-paths/
5. https://www.coursera.org/resources/job-leveling-matrix-for-cybersecurity-career-pathways
6. https://ine.com/blog/top-5-cybersecurity-career-paths-for-new-graduates-in-2025
7. https://www.pluralsight.com/resources/blog/cybersecurity/cybersecurity-career-guide-2025
8. https://pg-p.ctme.caltech.edu/blog/cybersecurity/cybersecurity-career-paths
9. https://www.cyberseek.org/pathway.html