Career development and next steps
You've built security programs, trained developers, managed risks, and embedded security into your organization. Now what? The skills you've developed as a Security Champion open doors to multiple career paths in security—and beyond.
This chapter helps you chart your next steps, whether you want to stay in your current role with deeper skills, transition to a dedicated security position, or leverage security expertise in engineering leadership.
What you've learned
As a Security Champion, you've developed a rare combination:
| Skill area | What you've learned |
|---|---|
| Technical security | Vulnerability assessment, secure coding, threat modeling |
| Risk management | Risk assessment, prioritization, business communication |
| Compliance | Frameworks, audits, documentation |
| Leadership | Influencing without authority, building programs, training others |
| Communication | Explaining security to developers and executives |
| Project management | Running initiatives, measuring progress, stakeholder management |
This blend of technical depth and business acumen is valuable—and uncommon.
Career path options
Path 1: Stay and deepen
Continue as Security Champion while deepening expertise.
What it looks like:
- Remain in current role (engineering, DevOps, etc.)
- Security Champion is 20-40% of your job
- Become the go-to security expert in your organization
- Potentially evolve to "Staff Engineer with security focus"
Who it's for:
- You love your current domain (development, infrastructure)
- Security is interesting but not your sole passion
- You want breadth over depth
Skills to develop:
- Advanced threat modeling
- Security architecture patterns
- Mentoring other champions
- Security strategy at company level
Certifications: GWAPT, GWEB, CEH (hands-on, not management-focused)
Path 2: Application Security (AppSec)
Move into dedicated application security.
What the role involves:
- Security review of applications and code
- Building security into SDLC
- Developer training and enablement
- Managing AppSec tools (SAST, DAST, SCA)
- Bug bounty and vulnerability management
Titles:
- Application Security Engineer
- Product Security Engineer
- Security Software Engineer
- AppSec Analyst
Skills to develop:
- Deep expertise in OWASP vulnerabilities
- Proficiency in multiple languages for code review
- Automation and tooling development
- Threat modeling methodologies (STRIDE, PASTA)
- Bug bounty triage
Certifications:
- OSCP (Offensive Security Certified Professional)
- GWAPT (GIAC Web Application Penetration Tester)
- BSCP (Burp Suite Certified Practitioner)
- CASE (Certified Application Security Engineer)
Resources:
- PortSwigger Web Security Academy — Free, comprehensive
- OWASP Testing Guide
- HackTheBox — Practice environment
- PentesterLab — Progressive learning path
Path 3: Cloud Security
Specialize in securing cloud infrastructure.
What the role involves:
- Securing AWS/GCP/Azure environments
- Identity and access management at scale
- Infrastructure as Code security
- Container and Kubernetes security
- Cloud-native security tools
Titles:
- Cloud Security Engineer
- Cloud Security Architect
- Infrastructure Security Engineer
- DevSecOps Engineer
Skills to develop:
- Deep knowledge of at least one major cloud (AWS/GCP/Azure)
- Infrastructure as Code (Terraform, CloudFormation)
- Container orchestration security (Kubernetes)
- Cloud-native security services (GuardDuty, Security Hub, etc.)
- Zero trust architecture
Certifications:
- AWS Security Specialty
- GCP Professional Cloud Security Engineer
- Azure Security Engineer Associate
- CKS (Certified Kubernetes Security Specialist)
- CCSP (Certified Cloud Security Professional)
Resources:
- AWS Security Documentation
- GCP Security Best Practices
- Kubernetes Security
- Cloud provider free tier for practice
Path 4: Security Architecture
Design security for systems and organizations.
What the role involves:
- Designing secure system architectures
- Security standards and patterns
- Evaluating and selecting security technologies
- Guiding development teams on secure design
- Enterprise security strategy
Titles:
- Security Architect
- Principal Security Engineer
- Security Solutions Architect
- Enterprise Security Architect
Skills to develop:
- System design and architecture
- Enterprise security frameworks
- Network security design
- Identity architecture
- Security economics and ROI
Certifications:
- SABSA (Sherwood Applied Business Security Architecture)
- TOGAF (The Open Group Architecture Framework)
- CISSP (Certified Information Systems Security Professional)
- Cloud architect certifications
Path: This is typically reached after 5-10 years in security or engineering. Strong foundation in either development or infrastructure is required.
Path 5: Governance, Risk, and Compliance (GRC)
Focus on security management and compliance.
What the role involves:
- Risk assessment and management
- Compliance with standards (SOC 2, ISO 27001, PCI DSS)
- Policy development and maintenance
- Audit management
- Third-party risk management
Titles:
- GRC Analyst
- Security Compliance Manager
- Risk Manager
- Security Program Manager
- IT Auditor
Skills to develop:
- Deep knowledge of compliance frameworks
- Audit preparation and response
- Risk quantification
- Policy writing
- Vendor assessment
Certifications:
- CISA (Certified Information Systems Auditor)
- CRISC (Certified in Risk and Information Systems Control)
- CGEIT (Certified in Governance of Enterprise IT)
- CISM (Certified Information Security Manager)
Who it's for:
- You enjoy process and documentation
- Communication and organization are strengths
- Less hands-on technical work
Path 6: Security Leadership
Lead security teams or become a CISO.
What the role involves:
- Building and managing security teams
- Security strategy and budget
- Executive communication
- Board reporting (CISO)
- Incident response leadership
Titles:
- Security Manager
- Director of Security
- Head of Security
- VP of Security
- CISO (Chief Information Security Officer)
Skills to develop:
- People management
- Budget planning and justification
- Executive communication
- Business alignment
- Crisis management
Certifications:
- CISSP (foundational)
- CISM (management focused)
- MBA (for business credibility)
- Executive education programs
Path: Typically requires 10+ years in security with progressive management responsibility. Many CISOs have backgrounds in engineering, audit, or consulting.
Path 7: Security Consulting
Advise multiple organizations as a consultant.
What the role involves:
- Security assessments and audits
- Building security programs for clients
- Penetration testing (if technical)
- Compliance guidance
- Incident response support
Titles:
- Security Consultant
- Principal Consultant
- Managing Consultant
- Practice Director
Pros:
- Variety of environments and challenges
- Higher earning potential (especially independent)
- Broad experience accumulation
Cons:
- Travel and client demands
- Business development pressure
- Less depth in any one organization
Path: Big 4 (Deloitte, PwC, EY, KPMG), boutique security firms, or independent practice. Strong network and reputation matter.
Certifications: what's worth it
Not all certifications are equal. Here's a practical guide:
Entry to mid-level
| Certification | Focus | Difficulty | Value | Cost |
|---|---|---|---|---|
| CompTIA Security+ | Broad security fundamentals | Moderate | Good entry point | $392 |
| CEH | Ethical hacking basics | Moderate | Known but dated | $1,199 |
| CySA+ | Security analysis | Moderate | Growing recognition | $392 |
| AWS Security Specialty | AWS security | Moderate | High if using AWS | $300 |
Mid to senior-level
| Certification | Focus | Difficulty | Value | Cost |
|---|---|---|---|---|
| OSCP | Penetration testing | Hard | Highly respected, practical | $1,599 |
| CISSP | Broad security management | Hard | Industry standard for leadership | $749 |
| CISM | Security management | Moderate | Valued for managers | $575+ |
| CCSP | Cloud security | Moderate | Growing importance | $599 |
| GIAC certs | Various specialties | Hard | Highly respected | $2,499-$8,000+ |
What really matters
-
Experience beats certifications. A portfolio of real work matters more than letters after your name.
-
CISSP is the MBA of security. It opens doors for leadership roles but won't make you technical.
-
OSCP proves you can hack. Respected because it's a practical exam, not multiple choice.
-
GIAC certs are expensive but deep. The training is valuable; the cert validates the training.
-
Cloud certs are increasingly important. AWS/GCP/Azure security specialties are worth the investment.
-
Avoid cert collecting. 3 meaningful certifications beat 10 entry-level ones.
Certification study strategy
- Pick one at a time. Focus beats fragmentation.
- Use official training. Especially for GIAC (included in exam fee).
- Practice exams are essential. Especially for CISSP, OSCP.
- Study groups help. Find others preparing for the same cert.
- Employer sponsorship. Many companies pay for relevant certifications.
Building your security network
Connections accelerate careers. Here's how to build your network:
Online communities
| Community | Focus | Link |
|---|---|---|
| OWASP | Application security | owasp.org |
| ISC2 Community | Broad security | community.isc2.org |
| Reddit r/netsec | News and discussion | reddit.com/r/netsec |
| Security Twitter/X | Real-time discussion | Follow security researchers |
| Discord servers | Various (HackTheBox, etc.) | Community-specific |
| Local ISSA/ISACA chapters | Professional associations | issa.org, isaca.org |
Conferences
| Conference | Focus | Size | Cost |
|---|---|---|---|
| DEF CON | Hacking, research | Large | Low (~$300-400 cash) |
| Black Hat | Enterprise security | Large | High ($2,500+) |
| BSides | Local security community | Small-medium | Low (often free-$50) |
| RSA Conference | Industry/vendor | Large | High ($2,500+) |
| OWASP AppSec | Application security | Medium | Moderate |
| fwd:cloudsec | Cloud security | Medium | Moderate |
Best ROI for networking: BSides events (local, affordable, community-focused).
Building visibility
Write about security:
- Blog posts about what you've learned
- Contribute to OWASP projects
- Write for company blog
Speak about security:
- Local meetups (low barrier to entry)
- BSides CFPs (competitive but achievable)
- Company internal talks (practice ground)
Contribute to open source:
- Security tools
- Documentation improvements
- Bug reports and fixes
Share on social:
- LinkedIn articles and posts
- Twitter/X threads (if comfortable with the platform)
- Answer questions on Reddit or Stack Overflow
Personal development plan
Create a roadmap for your growth:
## Personal Security Development Plan
Name: [Your name]
Current role: [Role]
Target: [Where you want to be in 2-3 years]
Date created: [Date]
Review date: [Date + 6 months]
### Current state
**Technical skills:**
- Strong: [List]
- Developing: [List]
- Gaps: [List]
**Certifications:**
- Held: [List]
- In progress: [List]
**Experience:**
- Years in security: [#]
- Key accomplishments: [List]
### Goals
**12-month goals:**
1. [Goal 1 with measurable outcome]
2. [Goal 2 with measurable outcome]
3. [Goal 3 with measurable outcome]
**24-month goals:**
1. [Goal 1]
2. [Goal 2]
### Action plan
**Q1:**
- [ ] [Action item]
- [ ] [Action item]
- [ ] Milestone: [What success looks like]
**Q2:**
- [ ] [Action item]
- [ ] [Action item]
- [ ] Milestone: [What success looks like]
**Q3:**
- [ ] [Action item]
- [ ] [Action item]
- [ ] Milestone: [What success looks like]
**Q4:**
- [ ] [Action item]
- [ ] [Action item]
- [ ] Milestone: [What success looks like]
### Resources needed
- Budget: $[amount] for certifications/training
- Time: [hours/week] for study/projects
- Support: [mentor, manager sponsorship, etc.]
### Tracking
| Date | Review notes | Adjustments made |
|------|--------------|------------------|
| | | |
Common career mistakes
-
Chasing titles over skills. "Security Architect" at a small company may mean less than "Security Engineer" at a tech giant. Focus on what you'll learn.
-
Certification hoarding. Taking every cert available dilutes focus. Pick the ones that matter for your target role.
-
Ignoring soft skills. Technical depth without communication skills limits career growth. The best security leaders can talk to engineers and executives.
-
Staying too long in one place. 5+ years in the same role without growth signals stagnation. Either grow internally or move.
-
Moving too fast. 6-month job hopping looks bad. Stay 2-3 years to demonstrate impact.
-
Neglecting the network. Jobs and opportunities often come through connections. Invest in relationships.
-
Not documenting wins. When promotion time comes, you can't remember what you accomplished. Keep a running log.
-
Waiting to be promoted. Do the job you want, then get the title. Don't wait for permission.
Transitioning to a security role
If you want to move from Security Champion (part-time) to security (full-time):
Internal transition
Advantages:
- Known quantity
- Existing relationships
- Understand the business
Approach:
- Express interest to your manager and security leadership (if exists)
- Document your security accomplishments
- Propose a role or expanded responsibilities
- Get formal budget/headcount approved
- Transition responsibilities gradually
Pitch: "I've been functioning as our security point person for [X] months/years. I've [list accomplishments]. I'd like to formalize this into a dedicated security role. Here's what I'd focus on: [priorities]. Here's the impact: [expected outcomes]."
External transition
When to look externally:
- No room to grow internally
- Want to join a dedicated security team
- Seeking different company culture/scale
- Compensation not matching market
How to position yourself:
- Lead with Security Champion experience
- Quantify impact (vulnerabilities prevented, programs built)
- Show breadth (technical + program management)
- Highlight relevant certifications/training
Resume focus:
## Security Experience
**Security Champion** | [Company] | [Dates]
- Built security review program covering 100% of production deployments
- Identified and remediated 47 vulnerabilities before production
- Developed and delivered secure coding training for 30 developers
- Led SOC 2 Type II certification effort (achieved in 6 months)
- Reduced critical vulnerability MTTR from 14 days to 3 days
**Key Projects:**
- Implemented SAST/DAST in CI/CD pipeline
- Designed and deployed secrets management solution
- Conducted threat modeling for 5 major product features
Interview preparation
Technical areas to review:
- OWASP Top 10 (in depth)
- Threat modeling (be ready to whiteboard)
- Your technology stack's security considerations
- Recent high-profile vulnerabilities
Behavioral questions to prepare:
- "Tell me about a time you pushed back on an insecure design"
- "How do you balance security with developer productivity?"
- "Describe a security incident you handled"
- "How do you prioritize security work?"
Questions to ask them:
- "What does the first 90 days look like?"
- "How does security work with engineering teams?"
- "What's the security team's relationship with leadership?"
- "What are the biggest security challenges here?"
What's next for you?
The Security Champion role has prepared you for multiple paths. Take time to reflect:
-
What energizes you? Which parts of security work excite you? Follow that direction.
-
What's your 5-year vision? Work backward from there.
-
What's your risk tolerance? Startups vs. enterprises? IC vs. management?
-
What's your learning style? Self-study vs. formal training? Hands-on vs. conceptual?
-
What trade-offs will you accept? Money vs. learning? Stability vs. growth? Specialization vs. breadth?
Workshop: career development plan
Part 1: Self-assessment (1 hour)
- List your current skills (technical and soft)
- Identify gaps for your target role
- Review your accomplishments as Security Champion
- Assess what energizes and drains you
Deliverable: Self-assessment document
Part 2: Research target roles (1 hour)
- Browse job listings for roles you're interested in
- Note common requirements (skills, certifications, experience)
- Identify 3-5 people in those roles (LinkedIn, network)
- If possible, request informational interviews
Deliverable: Target role requirements summary
Part 3: Create development plan (1 hour)
- Use the personal development plan template
- Set 12-month and 24-month goals
- Define quarterly actions
- Identify resources needed
Deliverable: Personal development plan
Part 4: Take first action (ongoing)
- Schedule your first action item
- Tell someone about your goals (accountability)
- Set calendar reminders for plan review
Deliverable: First step taken, accountability established
Conclusion
Security compounds. Every policy you write, every developer you train, every incident you close cleanly — it all builds. The organization gets harder to attack. You get better at the work.
You started this course learning what a Security Champion is. You're finishing with the tools to run a program, build a career, and make decisions that hold up under pressure. Whatever direction you take next, you're not starting from zero.
What's next
The appendix sections cover ISO 27001, SOC 2, and building a security team — reference material for when you're ready to scale. Or return to the course overview.