ISSA Cybersecurity Career Lifecycle (CSCL)


Companies are having a hard time finding the security professionals with the right combination of business and technical savvy that they need to combat growing threats, and schools are not graduating enough students with the necessary skills or experience for entry-level positions. It is imperative that we attract new talent and that new entrants, as well as those further into their careers, have a path to follow to accelerate their success. With the introduction of our Cybersecurity Career Lifecycle, we are creating a structured approach to career growth within this unique and rewarding profession.” – Stefano, Assistant Professor, Politecnico di Milano; Director, ISSA International; and Chair, ISSA International Conference


The ISSA Cybersecurity Career Lifecycle (CSCL) is a comprehensive professional development framework mapping five stages of the cybersecurity career lifecycle to empower cybersecurity professionals – students to Chief Information Security Officers (CISOs) – to know where they are in their career, where they want to be next, and how to accelerate their growth on the right path.

CSCL is divided into 5 stages, with the opportunity for a variety of paths within each level.

Pre-Professional: any individual who has not yet (and never has) obtained a position working in the cybersecurity field. This may include anyone who has interest in working in this area with or without formal training and education in the field. Examples of individuals and or situations who may be part of this phase are: individuals who are switching careers (former military, IT, retail, law enforcement, etc.) and students (high school or university).

Entry Level: An individual who has yet to master general cybersecurity methodologies/principles. Individuals in this phase of the lifecycle may have job titles such as; associate cybersecurity analyst, associate network security analyst, and cybersecurity risk analyst for example.

Mid-Career: An individual who has mastered general of security methodologies/principles and have determined their area of focus or specialty. Individuals in this phase of the lifecycle may have job titles such as; network security analyst, cybersecurity forensics analyst, application security engineer, network security engineer. Individuals who are nearing the “senior level”, may begin to hold job titles such as senior network security engineer, senior cybersecurity analyst for example.

Senior Level: An individual who has extensive experience in cybersecurity and has been in the profession for 10+ years. These individuals have job titles such as senior cybersecurity risk analysis, principal application security engineer, director of cybersecurity, etc.

Security Leader: An individual who has extensive security experience, ability to direct and integrate security into an organization. These individuals have job titles such as Chief Information Security Officer, Chief Cybersecurity Architect, etc. After extensive periods of leadership – some become recognized industry leaders.

For each stage, the framework provides a common definition of the required Knowledge, Skills, and Aptitudes (KSAs) and responsibilities; how to be successful in each level; and how to get from one career stage to the next. Each level can have multiple tracks and path options.


Presentation on the Cybersecurity Career Lifecycle

(Click the graphic.)

CSCL_Brief.jpg