Field is unusually open to career changers (durable talent gap — Tier 2; don't quote a number).
Cheapest move: a lateral stretch at your current employer, where environment knowledge is an asset.
Certifications, decoded (REAL certs; confirm current details with the issuing body)

Cert                           | Body          | Stage          | Neighborhood               | Prep in this book (chapters)
-------------------------------+---------------+----------------+----------------------------+----------------------------------
Security+                      | CompTIA       | Foundational   | Everyone (first cert)      | Whole book; 1–7, 16, 26–28
Network+                       | CompTIA       | Foundational   | Networking base            | 6–7, 10
CySA+                          | CompTIA       | Intermediate   | Blue team / SOC            | Part V; 2, 10
SSCP                           | (ISC)²        | Found.–interm. | Hands-on ops               | Parts II–V
GSEC / GCIH / GCIA             | GIAC/SANS     | Interm.–adv.   | Deep blue / IR / detection | 21–25; 22, 10
CISSP                          | (ISC)²        | Mgmt/expert    | Breadth, leadership        | Whole book (8 domains ≈ 8 parts)
CISM                           | ISACA         | Management     | Security mgmt / GRC lead   | 26–27, 36–38
CISA                           | ISACA         | Interm.–mgmt   | Audit / GRC                | 26, 28, 36
CRISC                          | ISACA         | Interm.–mgmt   | Risk                       | 27, 29, 36
OSCP                           | OffSec        | Advanced       | Red team (offensive)       | (Companion offensive volume)
Cloud security (AWS/Azure/GCP) | Cloud vendors | Intermediate   | Cloud                      | 15; 31, 32
CCSP                           | (ISC)²        | Interm.–adv.   | Cloud (vendor-neutral)     | 15; 31, 32
Staging decision rule: foundational (Security+, after Network+ if your networking is weak) → intermediate
matched to your neighborhood (CySA+/GIAC · CISA/CRISC · cloud/CCSP) → management/expert (CISSP, CISM)
when experience supports it. Never chase CISSP first: it carries a multi-year experience requirement, and
on an empty résumé it signals "manager" rather than practitioner. Certs are door-openers, not skills;
always back one with a story in the interview.
Home-lab & portfolio checklist

Build                                       | What it practices                      | Chapter
--------------------------------------------+----------------------------------------+--------
Windows + Linux VMs, harden them            | Baseline hardening                     | 11
Wireshark / Zeek on your own traffic        | Network analysis (normal vs. abnormal) | 10
Free/community SIEM + write detections      | The core SOC loop                      | 21–22
Practice IR on a provided vulnerable VM     | NIST IR lifecycle                      | 24
Free-tier cloud: misconfigure → detect/fix  | Cloud posture                          | 15
Isolation is mandatory: put lab VMs on a host-only or NAT network, never bridged to anything you do not
own (Figure 39.2). A deliberately vulnerable VM on a bridged adapter is reachable from your whole LAN, and
NAT still allows outbound connections, so host-only is the safer default for anything you intend to break.
CTFs (jeopardy: forensics, network, crypto, reversing): sanctioned → legal practice of
offensive-flavored skills. The organizers provide/own the targets — that is what makes it authorized.
Portfolio = your proof: public repo (detection rules, bluekit), lab & CTF write-ups, explainers,
open-source contributions. The write-up matters more than the solution (it proves communication).
The experience paradox (need a job to get experience) is broken by lab + portfolio, not by certs.
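As an added example (not from the book or its bluekit), this is the kind of small, well-tested detection that belongs in the portfolio repo and closes the "write detections" loop of the checklist: a sliding-window brute-force rule over sshd authentication logs. The log lines are constructed for the example (TEST-NET addresses), the OpenSSH message format is assumed from memory, and the thresholds are illustrative, not tuned.

```python
"""Portfolio-style detection: SSH password brute force from a single source.

Added example. The log lines below are constructed, not captured from a real host,
and the sshd message format is assumed (OpenSSH 'Failed password for ...').
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog-style sshd line. Syslog timestamps carry no year, so the parser supplies one.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: one noisy source hammering several accounts, and one legitimate
# user who fat-fingers a password twice, five minutes apart, then logs in.
SAMPLE_LOG = """\
Jan 10 12:00:01 bastion sshd[4101]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Jan 10 12:00:05 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:06 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:07 bastion sshd[4104]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:00:09 bastion sshd[4105]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 12:00:11 bastion sshd[4106]: Failed password for invalid user test from 203.0.113.5 port 40005 ssh2
Jan 10 12:00:30 bastion sshd[4107]: Failed password for bob from 192.0.2.20 port 52000 ssh2
Jan 10 12:05:30 bastion sshd[4108]: Failed password for bob from 192.0.2.20 port 52001 ssh2
Jan 10 12:05:31 bastion sshd[4109]: Accepted password for bob from 192.0.2.20 port 52001 ssh2
"""


def parse_failed(line, year=2024):
    """Return (timestamp, source_ip, username) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["user"]


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """One alert per source IP that reaches `threshold` failures inside `window_seconds`.

    A per-source deque holds (timestamp, user) of failures still inside the window;
    entries older than the window are dropped before the count is compared, so two
    stray failures minutes apart (the 'bob' lines) never trigger.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_failed(line)
        if parsed is None:
            continue  # successful logins and other sshd messages are not failures
        ts, src, user = parsed
        q = recent[src]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)  # alert once per source, not once per further failure
            alerts.append({
                "src": src,
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0],
                "last": ts,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT brute force from {a['src']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, users tried {a['users']}")
```

The write-up that accompanies a rule like this is the portfolio artifact: what it catches (password spraying from one source), what it misses (a distributed attack that spreads failures across many sources stays under any per-source threshold), and how you tuned the threshold and window against your own lab's normal traffic.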
Ethics & authorization (the line, and the law)
Professional ethics = authorization first. Use these skills only on systems you own or have
explicit, written permission to test. The line between defender and criminal is authorization, not
capability or intent.
U.S. CFAA (Computer Fraud and Abuse Act) broadly criminalizes access "without authorization" /
"exceeding authorized access"; other countries have equivalents (UK Computer Misuse Act, etc.). General
description, not legal advice; the statute's exact bounds have been litigated.
When unsure whether you have authorization, you do not — and you do not act.
Authorized practice grounds: your own home lab; a CTF whose organizers invited you in; a published
bug-bounty / vulnerability-disclosure program (within its scope).
Responsible disclosure: report privately to the owner, give them time to fix, and never exploit the
issue or publish details in the meantime. A security.txt file (RFC 9116) or a bug-bounty program creates
an authorized channel; use it, and don't freelance.
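As an added illustration (not from the book), this is what the authorized channel looks like in practice: a minimal security.txt as RFC 9116 defines it, served at /.well-known/security.txt. The domain, address and URLs are placeholders.

```text
# https://example.com/.well-known/security.txt  (placeholder values; RFC 9116 format)
Contact: mailto:security@example.com
Expires: 2026-12-31T23:59:59.000Z
Policy: https://example.com/.well-known/disclosure-policy
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
```

Contact and Expires are the two required fields; the Policy URL is where the scope and safe-harbor terms live, and scope is what you are authorized against, not the whole domain. If a target publishes neither this file nor a bounty program, you have no authorized channel, and the rule above applies: when unsure, you do not act.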
The career ladder (depth → breadth + influence)

Rung                      | Mostly does                                          | Promoted by
--------------------------+------------------------------------------------------+--------------------------------------
Analyst / junior (entry)  | Triage, investigate, learn the environment           | Competence, curiosity, follow-through
Engineer / senior analyst | Build & operate specific defenses; mentor            | Deep technical skill; ownership
Architect                 | Design how defenses fit; set standards; build-vs-buy | Systems thinking (see the whole)
Manager / director        | Own a domain/team; budget, hiring; strategy→work     | Leadership; work through others
CISO                      | Strategy; own org risk; the board; translate         | Communication + business judgment
Threshold concept: the skill that earns each promotion is NOT the next rung's skill. Depth →
engineer; systems thinking → architect; communication/business → CISO. Careers stall by over-investing
in the last rung's skill.
Hardest transitions: engineer→architect (stop optimizing your piece; see the system) and
architect/manager→CISO (the top job is barely technical).
"Up" is not the only direction: senior individual contributor (principal engineer, distinguished
researcher) is legitimate and well-paid. The ladder is a map, not a mandatory track.
GRC is one of the most direct routes to CISO (it is the language of security management) with the
least tooling dependence.
Your own development plan (replaces the Meridian increment): (1) target neighborhood, (2) skills-gap
self-assessment vs. a real posting, (3) staged certification roadmap, (4) home-lab + first-portfolio
plan, (5) learning + ethics commitments in your own words. No bluekit module — career development
is judgment, not code.
Common pitfalls
Asking "how do I get into cybersecurity?" (vague) instead of "which kind of security problem do I
want?" (actionable).
Chasing the CISSP (or any management cert) first, before the experience exists.
Treating a certification as proof of skill instead of a door-opener you must back with stories.
Assuming your first role is your only option (missing the cheap lateral stretch).
Building a lab/portfolio you can't speak to, or never building one and relying on certs alone.
Crossing the authorization line "just to check" — capability and good intentions are not permission.
Over-investing in the current rung's skill and stalling at the next transition.
A development plan that lists "everything" — which says nothing. Be staged, specific, and honest.