The importance of a career plan in security and how to create one

For a few years now, every January 1st I’ve spent a couple of hours planning what I want to learn over the next 12 months. This simple but effective activity helps me define my goals, define a clear plan with activities, resources, and timelines, establish metrics, and most importantly, the plan I create on that first day of the year helps me stay motivated and focused, which is essential in any field we work in.

In this post, I’ll share the methodology I use each year and some simple tools that will help us take that first step.

Step 1 – Assess the Current State

The inspiration to create career plans comes from an episode of The Simpsons, where Homer wants to become an inventor and decides to create a plan using Thomas Alva Edison as his reference. From that episode, I took the following ideas:

  • Knowing where I am today — what I know, and what I do day to day in my job

  • Having a reference person (a mentor, our boss, a professor, or someone we follow on Twitter or LinkedIn)


Example:
I currently work as a Security Engineer in Incident Response, and my main responsibilities are:

  • Responding to security incidents

  • Analyzing intelligence reports to extract the tactics, techniques, and procedures (TTPs) used by adversary groups

  • Developing hypotheses based on the above and running threat hunting campaigns

  • Creating detection rules to identify malicious activity


Step 2 – What do I want to learn and why?

In this phase, we should ask ourselves:

  • Am I happy with my current role?

    • If the answer is yes: What should I learn or what skills should I develop to improve in my role? What new things do I want to do within it?

    • If the answer is no: Do I want a new role? What do I need to learn for that new role or job?

These answers will help you identify what you really want to learn.

Let’s continue with the previous example, assuming that I answered “yes” — I’m happy with my current role:

  • I want to learn more about incident response in public cloud environments, since cloud attacks are on the rise

  • I need to create more efficient detections, because threats are evolving daily, and so must my detection capabilities

  • I want to write threat intelligence reports for my clients, as threat intelligence is a fascinating area

  • I need to become a better communicator in a second language, because I now interact with more global teams

This example makes it clear what I want to learn and my motivations for doing so. However, now I need to set clear goals.

Step 3 – Define Goals

If we want something, we must set specific goals. One technique is to define SMART goals (Specific, Measurable, Achievable, Relevant, and Time-Bound).

Understanding SMART Goals:

Specific: Our goals should be clear and specific so we know exactly what we’re working toward. For example, instead of saying “I want to learn more about Detection Engineering,” a specific goal would be “I want to learn how to create high-fidelity rules using YARA and SIGMA.”
Measurable: How will we measure our progress and how will we know when we’ve achieved the goal? For example, dedicating one hour a day to creating rules in YARA for the next 100 days. 😉
Achievable: Goals should be realistic and achievable. While they should challenge us, they shouldn’t be so difficult that they become demotivating.
Relevant: Our goals should be aligned with our professional or academic aspirations.
Time-Bound: We should define a timeframe for each goal. Having a deadline for completion creates a sense of urgency and helps us stay focused.

Step 4 – Document and Execute the Plan

Put simply, we should write down our goals in a way that allows us to track them. In my case, I use a simple spreadsheet where I record my goal, purpose, start and estimated completion dates, a deliverable that serves as evidence that I learned something (an article, code, a class, etc.), and finally, my progress. This is what my 2024 plan looks like.

And this was the plan from previous years. As you can see, my study plan is based mainly on books, but it applies to courses or projects.

We can use other task management tools, such as Trello, nTask, Notion, and others. I personally like using GitHub through the projects module and creating each goal as an issue.

Step 5 – Measurement

It’s important to keep the plan up to date. I recommend scheduling recurring sessions in your calendar (at least once a month) or setting reminders to review your plan. During these sessions, check your progress and make adjustments if needed. For example:

Let’s say I review my plan and see that I’m at 60% progress toward my goal. I have three days left to complete my mission — so I’ll need to make some adjustments.

A technique I use in these cases is to estimate how much time I need to complete the goal. Let’s say I need 12 hours to finish — based on that, I divide the hours by the number of days remaining (12 / 3 = 4), meaning I need to dedicate 4 hours per day over the next 3 days.

In the past, I used to just extend the deadlines, but I no longer recommend that — moving one goal usually means postponing the rest, and in the end, our plan should be a commitment.


Here are some questions to ask yourself during the evaluation:

  • Am I getting closer to achieving my goal?

  • What obstacles have I encountered, and how can I overcome them?

  • Are my goals still relevant and achievable?


How and when to adjust goals?

Sometimes, it’s not as easy as simply adjusting the deadlines at the end. We may face common scenarios such as:

  • Did we underestimate the difficulty?
    Maybe the topic is more complex than expected, or we need more resources like infrastructure, virtual labs, books, or even extra money.

  • Have new opportunities emerged?

  • Have personal or professional priorities changed?

It’s completely normal for certain factors to impact our goals. What’s important is to identify, analyze, and adjust accordingly.


To wrap up this post, here are three final thoughts:

  1. I encourage you to create a study or career plan — even if you’re reading this and you’re not currently working in cybersecurity.

  2. “I don’t work in security; it’s a new field for me,” or “I just finished high school or university — how do I build a career plan?”
    👉 We’ll cover that in the next post 😉

  3. If you’re working in cybersecurity and want a free session to help you create your career plan, just leave a message in the comments.
    🎯 The first three people to contact us will get a free mentoring session to build their career plan.

     
