Cybersecurity career path: from analyst to CISO
By Luigi Di Lena · June 2026 · 11 min read
I've spent over 25 years in security — from hands-on engineering to leading programs that protect critical infrastructure at scale. Along the way I've watched people move through the ranks, and the path is far less linear than the tidy career ladder diagrams suggest.
Here's what the journey actually looks like at each stage, based on what I've seen work (and what I've seen get people stuck).
The landscape in 2026
The cybersecurity job market is still undersupplied at senior levels. There are plenty of entry-level analysts competing for the same SOC roles. But once you get past the 5-year mark with genuine depth, demand outstrips supply significantly. The challenge isn't finding a job — it's choosing the right path from a growing number of options.
The field has also fragmented. "Cybersecurity" now covers everything from application security to cloud infrastructure protection to governance and compliance to threat intelligence. You can't be deep in all of them, and you shouldn't try. The people who advance fastest are those who develop genuine expertise in one or two domains while maintaining broad awareness of the rest.
Stage 1: security analyst (0-3 years)
This is where most people enter. You're in a SOC, triaging alerts, writing incident reports, maybe running vulnerability scans. The work can feel repetitive, and that's the point — you're building pattern recognition.
What matters at this level:
- Learn to investigate, not just triage. Don't just close tickets — understand why the alert fired and whether it could indicate something larger.
- Get comfortable reading logs: CloudTrail, VPC flow logs, system logs. The ability to reconstruct what happened from raw data is foundational.
- Automate the boring stuff. Write scripts to handle repetitive tasks. This shows initiative and builds engineering skills you'll need later.
- Start studying for one certification. GIAC certifications are well-regarded in the industry. Pick one that aligns with where you want to specialize.
Common mistake: Staying too long in pure alert-triage roles. If you're doing the same work after 2 years, actively seek rotation into a different security function.
Stage 2: security engineer (3-7 years)
You've moved from responding to problems to building systems that prevent them. You're designing security controls, writing detection rules, building automation, conducting deeper investigations.
What matters at this level:
- Develop a specialization. Cloud security, application security, detection engineering, incident response — pick the area that interests you most and go deep.
- Learn to think in systems. How do security controls interact? What's the attack surface of your architecture? Where are the gaps?
- Build things. Tools, dashboards, playbooks, detection pipelines. Engineers who ship things advance faster than those who only analyze.
- Start understanding the business. Why does the company make the security decisions it does? What are the constraints? This awareness separates engineers from future leaders.
Common mistake: Collecting certifications instead of depth. Five certifications and no real project ownership is less valuable than two certifications and a track record of building things that work.
Stage 3: senior security engineer / architect (7-12 years)
This is the fork in the road. You can stay on the technical track (staff engineer, principal architect) or start moving toward management. Both are valid, and the best leaders typically spend time here building credibility before they manage others.
What matters at this level:
- Own outcomes, not just tasks. You're responsible for the security posture of a domain, not just individual projects within it.
- Influence without authority. You'll need to convince other engineering teams to adopt security practices. This is leadership — even without direct reports.
- Communicate upward. You need to translate technical risk into business language. "This vulnerability has a CVSS of 9.8" means nothing to a VP. "This could expose 2 million customer records" does.
- Mentor others. Start developing junior engineers. This builds the skills you'll need if you move into management, and it increases your impact regardless.
Common mistake: Avoiding the management question. By this point you should have a considered opinion about whether you want to lead people or stay deeply technical. Not deciding is itself a decision — and usually leads to drift.
This is the stage where most security professionals get stuck. If you're here and feel like you've plateaued, let's talk about what's actually blocking your next move.
Stage 4: security manager / director (12-18 years)
You're now managing people and programs. Your technical skills matter less day-to-day, but your understanding of the technical landscape is what gives you credibility with your team and your peers.
What matters at this level:
- Build a team, not just hire people. Culture, development, retention — these become your primary concerns.
- Manage up and across. Your effectiveness depends on relationships with other engineering directors, product leadership, and your own management chain.
- Set strategy. You're deciding where to invest limited security resources. This requires understanding business priorities, not just technical risks.
- Develop metrics that matter. Boards and executives want to understand security posture in concrete terms. Build dashboards that tell a clear story.
Common mistake: Staying too hands-on. If you're still doing the technical work, you're not developing your team or building organizational capability. Your job is to make yourself unnecessary for day-to-day execution.
Stage 5: VP / CISO (15-25+ years)
At this level, security becomes a business function. You're in boardrooms, you're managing budgets in the millions, you're accountable for organizational risk. Technical depth still matters — a CISO who can't evaluate a security architecture is at a disadvantage — but it's no longer the primary skill.
What matters at this level:
- Executive communication. You need to explain complex risks to people who don't have a security background, without either terrifying them or boring them.
- Business acumen. Security spending is a business decision. You need to frame it in terms of risk reduction, regulatory compliance, and business enablement — not just threats.
- Political navigation. At this level, security decisions are organizational decisions. You'll need allies, you'll need influence, and you'll need to pick your battles carefully.
- Resilience. CISOs are accountable when things go wrong. The role requires thick skin, good judgment under pressure, and the ability to own outcomes publicly.
The skills that compound across all levels
Regardless of where you are in this path, these skills pay dividends at every stage:
- Writing clearly. Security is full of complexity. The people who can distill that into clear, actionable prose advance faster than those who can't.
- Asking good questions. In investigations, in design reviews, in leadership meetings. The ability to ask the question nobody else is asking is valuable everywhere.
- Staying curious. The threat landscape evolves constantly. The people who stay curious — who read research papers, experiment with new tools, attend conferences — maintain relevance longer.
- Building relationships. Security doesn't happen in isolation. You need allies in engineering, in product, in legal, in compliance. Start building those relationships early.
Certifications that actually matter
Not all certifications are equal. Based on what I've seen valued in hiring at major tech companies:
- Early career: CompTIA Security+, GIAC GSEC, AWS Cloud Practitioner
- Mid career: GIAC GCIH, GIAC GDSA, AWS Security Specialty, OSCP (for red team paths)
- Senior: GIAC GSTRT (strategic leadership), CISSP (for management track), CCSP (cloud security)
But here's the truth: after your first 5 years, certifications matter less than what you've actually built and led. They get you past HR filters. They don't get you promoted.
The timeline is flexible
The years I've listed are rough guides, not rules. I've seen people reach director level in 10 years and others take 20. Speed depends on opportunity, ambition, the organizations you work in, and frankly a bit of luck in terms of the problems you get to solve.
What matters more than speed is intentionality. Know where you want to go, understand what the next level requires, and actively develop those capabilities — don't just wait for someone to give you a bigger title.