
Want an entry-level job in cybersecurity? It helps to think bigger.

There's no shortage of jobs in cybersecurity, but applicants often have tunnel vision, choosing to apply for the most competitive fields where they don't stand out.

Sep 4, 2025 • 6 Minute Read

  • Cybersecurity
  • Upskilling

In 1950, a Nobel Prize-winning physicist by the name of Enrico Fermi visited the Los Alamos National Laboratory in New Mexico. As he sat there with his fellow scientists, the topic drifted to flying saucers and the feasibility of faster-than-light travel. Thinking about extraterrestrial life, Fermi blurted out a question:

“Don’t you wonder where everybody is?”

Fermi followed up with a list of calculations. On the one hand, the math said the universe should be teeming with extraterrestrial life, and as a result, we should have been visited long ago and many times over. On the other hand, there were no signs we ever had. 

It was a strange paradox. 

In cybersecurity, there is a similar, mysterious contradiction. On the one hand, there’s a well-reported shortage of 4.8 million cybersecurity professionals globally. On the other hand, it’s notoriously difficult to get your foot in the door. 

It was an issue I pondered, though not at Los Alamos. For job applicants, it’s frustrating. For companies, it’s critical. For governments, it’s arguably nuclear. After all, cybersecurity is national security.

And so I asked the question:

“Don’t you wonder where all the cybersecurity jobs are?”

Why it’s hard to get into cybersecurity: Everyone’s trying to sit on the same two seats

When I was a child, I played a game called Musical Chairs. For those not familiar, you arrange a set of chairs in a circle with one fewer chair than the number of players (i.e. six players would use five chairs). While music plays, you walk around the set of chairs, but when it stops, all players must find their own to sit on. The player who misses out is eliminated.

Sounds simple, right? But imagine what would happen if, when the music stopped, everyone tried to sit on the same chair. 

Naturally, it would be chaos. Worse, it’d be illogical. Everyone would be trying to sit on top of each other, while the whole time, the other seats would be free for the taking.

Of course, such a ridiculous thing would never happen in the grown-up world of cybersecurity, right?

Wrong.

Most people are brought up thinking there are two entry-level roles in cybersecurity: people who monitor for threats (SOC analysts) and people who simulate cyberattacks (penetration testers).

The result? Everyone applies for the same two fields, resulting in high competition and low availability. 

Meanwhile, all the other seats are still in play just waiting to be filled. 

In-demand cybersecurity roles: Examining the empty chairs

So, where are all these job opportunities I mentioned? If you use NIST’s NICE framework, there are five buckets that cybersecurity roles fall under. (I use NICE grudgingly, because it’s not very beginner-friendly, but it’s what the industry job figures are grouped in, and that will matter later.)

1. Oversight and Governance

In the U.S., a fourth of all unfilled jobs are in Oversight and Governance. It’s the domain with the most unfilled jobs in cybersecurity, and it’s the most overlooked (which is ironic, given its name). If you’re thinking about an in-demand entry point into cybersecurity, it’s a good idea to start here.

Oversight and Governance is often about using your soft skills to manage cybersecurity-related risks to an organization and less about being hands-on with systems (I won’t say “non-technical people,” because this is a rubbish term and cybersecurity policy is plenty technical). 

It’s a particularly great way into the field for non-IT and non-cybersecurity professionals, because you can demonstrate your aptitude for management, policy, planning, and stakeholder engagement anywhere. 

Oversight and Governance includes—but is in no way limited to—roles like:

  • Systems authorization (This has the most vacancies in this domain)

  • Secure project management

  • Communications security (Comms!)

  • Cybersecurity policy and planning

  • Cybersecurity curriculum management and instruction (“Okay class, don’t click on phishing emails.”)

  • Cybersecurity legal advice

  • Cybersecurity control assessment

…And of course, executive cybersecurity leadership, so you know it’s got a good career growth cycle. It also includes the GRC Analyst role, which I’ve done a comprehensive write-up on.

2. Implementation and Operation

Implementation and Operation is the field where you’ll find the second-largest number of open positions. If you’re looking for a more hands-on profession than Oversight and Governance, this is a good fit. As the name suggests, this domain is all about implementing, operating, and fine-tuning technology systems to ensure they operate securely and efficiently.

Implementation and Operation includes roles like:

  • Data analysis (This has the most vacancies in this domain)

  • Network operations

  • Systems security analysis

  • Tech support (“Turn it on and off again”)

  • Systems administration

  • Knowledge management

  • Database administration

3. Design and Development

We’ve talked about the managers and the operators, but now let’s talk about the builders. Design and Development is all about the people who build those castle walls: researching, planning, developing, and testing secure systems, including on perimeter and cloud-based networks.

Design and Development includes roles like:

  • Secure software development (This has the most vacancies in this domain)

  • Cybersecurity architecture

  • Software security assessment

  • Secure systems development

  • Systems requirement planning

  • Enterprise architecture

  • Systems testing and evaluation

4. Protection and Defense

At number four, we’re finally at the category that most people think of—and compete for—when it comes to cybersecurity jobs. This is where pentesters and SOC analysts fit, as well as a range of other specializations that other people don’t think about.

Protection and Defense includes roles like:

  • Vulnerability analysis (This has the most vacancies in this domain)

  • Threat analysis

  • Infrastructure support

  • Incident response

  • Insider threat analysis

  • Defensive cybersecurity

  • Digital forensics

5. Investigation

Investigation takes up only a tiny fraction of the job market—it’s just over 1% of all cybersecurity job openings—but it’s a very important part. Why? Because these are the folks who conduct national cybersecurity and cybercrime investigations, including the handling of digital evidence. This makes it a very niche but incredibly rewarding field.

Investigation really just breaks down into two fields:

  • Digital evidence analysis (This is the bigger of the two)

  • Cybercrime investigation (More niche, but you could probably use your life story as fuel for a novel)

Conclusion: Cybersecurity has a seat for everyone

As you can see from even a summarized list of roles, there are far more career opportunities in cybersecurity than just pentesting and SOC analyst roles—not that there’s anything wrong with those two very important fields. Hopefully you’ve come away from this article with a broader understanding of your options, and feel like a whole bunch of exciting opportunities are now available to you.

Remember that while this article talks about the most in-demand roles, the best path is the one that works for you. To quote Larry Trittschuh, a USAF pilot who went on to become the CSO for Barclays America, cybersecurity is a very personal decision, and you should choose the path that works for you.

It’s also worth noting that there are a number of other potential causes for the “Cybersecurity Jobs Paradox” that I didn’t cover in this article: poorly worded job descriptions by HR teams who set ridiculously high requirements, cybersecurity leaders being so risk-averse that they hire based on experience rather than potential, and so on. I decided not to cover these as they fall on the business side of things, and are something a job applicant really has little to no control over.

Good luck on your cybersecurity journey! Remember that there are jobs out there, and getting your foot in the door is often the hardest part. Once it’s in there, it can be the first step in a long and very rewarding career, one where you’re part of a global community trying to make the world a brighter place—and doing it from a wide variety of roles. 

In the words of Rumi, “Lamps are different, but light is the same.” 

Want a fun way to find out where you belong in cybersecurity?

I’d highly recommend checking out Pluralsight’s fantasy-themed “Choose Your Cybersecurity Adventure” quiz. It’s an immersive experience that can help you discover which cybersecurity career best matches your strengths and abilities. Also, you’ll have to decide how you’d help out a pair of halflings dancing on a table, so really, it’s win-win.

Adam Ipsen

Adam is a Lead Content Strategist at Pluralsight, with over 13 years of experience writing about technology. An award-winning game developer, Adam has also designed software for controlling airfield lighting at major airports. He has a keen interest in AI and cybersecurity, and is passionate about making technical content and subjects accessible to everyone. In his spare time, Adam enjoys writing science fiction that explores future tech advancements.
