Product Security Group (PSG) offers Security Ladders: a collection of documents that categorize the knowledge and experience expected of security experts at a given point in their careers.
In our own journey through the ranks we had to make these up as we went. That, coupled with the number of folks we mentor asking us how to advance, convinced us that the best way to help is to open source what we developed so the community can benefit from what we have learned. They are by no means complete, but they are a good start for folks who need some guidance.
PART 1 - We don't need no stinking ladders
PART 2 - No I've been nervous lots of times
PART 3 - Harry I've reached the top
Each area-specific folder in the repository root covers one career track in the security field. Initially, Security Ladders covered 7 security areas:
- Chief Security Officer
- Information Risk
- Infrastructure Security
- Physical Security
- Product Security
- Business Security Managers
- Security Operations (SOC)
These initially included three file types:
- [AREA]_Generalist.md - Expected functional duties/knowledge
- [AREA]_NICE_MAPPING.md - U.S. Federal NICE equivalents
- [AREA]_Boston_Ladder.md - salary/time-at-level expectations for Boston
Additionally, there is a folder called General_Knowledge (GK). This folder contains the business/non-functional skills that are required at each level. There are three files in the folder:
- GK_Generalist.md - outlines the non-functional skills required for your level.
- GK_Management.md - outlines management-specific skills for those positions.
- GK_NICE_Mapping.md - like the other roles, a generic mapping to NICE.
How do I use these files?
- Start with the function you are looking for and locate the folder.
- Open the file (Abbreviation)_Generalist.md - this contains the functional requirements for each level.
- Find the level you are looking for and review the skills.
- Open GK_Generalist.md, located in the General_Knowledge folder, to see the non-functional skills for the level you are looking for.
- Review the non-functional skills.
- To determine where you sit in the salary department, we provided Boston-area salary information. Just a note: Salaries in Boston tend to be roughly 25% greater than the US national average.
- If you are basing your program on the National Initiative for Cybersecurity Careers and Studies (NICE), we have provided a basic mapping to the NICE roles/skills we thought were relevant.
PSG anticipates, with collaboration across the security field, adding more specific career ladders in each area and expanding salary/time expectations to other geographical locations.
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
If you want to create a brand-new ladder, we provided a template directory that has an example of each type of file.