Cybersecurity Career: David Bombal & Gerald Discuss Opportunities in GRC

Cybersecurity is a dynamic, fast-evolving field that offers a wealth of opportunities for those looking to build a rewarding career. As of 2025, the industry is booming, driven by increasing digital reliance, high-profile breaches, and regulatory demands.

In a recent interview with David Bombal, cybersecurity expert Gerald Auger, who has 20 years of experience, shared invaluable insights into the field—particularly on Governance, Risk, and Compliance (GRC)—offering a roadmap for aspiring cybersecurity professionals.

This article distils their conversation into a detailed guide for anyone considering cybersecurity as a career, exploring its paths, opportunities, and practical steps to get started.

Why Cybersecurity in 2025?

Cybersecurity isn’t just a job—it’s a necessity for every modern business. From manufacturers to tech giants, organizations face constant threats like ransomware, data breaches, and regulatory scrutiny.

Gerald notes that societal shifts—like widespread adoption of online banking and multifactor authentication (MFA)—have normalized security controls, making it easier to convince businesses to invest in protection.

High-profile incidents, such as the SolarWinds hack or the 2024 Salt Typhoon telecom breaches, keep cybersecurity in the headlines, pushing even C-suite executives and board members to prioritize it.

And what is the payoff? Cybersecurity offers competitive salaries, diverse roles, and a vibrant community. Whether you’re a lifelong learner, a tech enthusiast, or a career switcher, there’s a place for you. But with so many options—red teaming, blue teaming, GRC—where do you want to start?

Let’s break it down.

Cybersecurity Career Paths: Red, Blue, and GRC

Gerald compares choosing a cybersecurity career to picking a science discipline—saying “I want to work in cyber” is as broad as saying “I want to work in science.” Here are the three main paths he highlights:

1. Red Teaming (Pentesting)

What It Is: Penetration testing (pentesting) is a simulated cyberattack used to identify vulnerabilities in a system or network. It helps organizations strengthen their security before real threats can exploit them. Essentially, it involves legally hacking into systems to uncover weaknesses.

Pros: It is an exciting and high-profile career.

Cons: Highly competitive. Gerald estimates that of 10 cybersecurity jobs, only one might be pentesting. Entry-level roles are scarce, and the leap to seasoned practitioner is steep.

Who It’s For: Tech-savvy thrill-seekers who love problem-solving and don’t mind an uphill climb.

2. Blue Teaming (Security Operations – SecOps)

What It Is: Defending systems—monitoring, responding to incidents, and maintaining security (e.g., working in a Security Operations Center – SOC).

Pros: More entry-level opportunities, especially with SOCs, Managed Security Providers (MSPs), or Managed Detection and Response (MDR) firms. It’s hands-on and rewarding.

Cons: Gruelling schedules—think 2 a.m. calls on Christmas Eve. Junior roles often get the toughest shifts, and burnout is real.

Who It’s For: Resilient, detail-oriented individuals who thrive under pressure and want to protect rather than attack.

3. Governance, Risk, and Compliance (GRC)

What It Is: The backbone of cybersecurity programs, GRC focuses on setting policies (governance), managing risks, and ensuring regulatory compliance. It’s less about hacking and more about strategy.

Pros: Booming demand in 2025, with Gerald calling it “explosive.” It’s less technical, making it accessible, and offers strong career growth. Out of 10 jobs, five might be GRC-related.

Cons: Less glamorous—think audits, not zero-day exploits. Some tech purists undervalue it, though Gerald argues its impact is immense.

Who It’s For: Big-picture thinkers, lifelong learners, and communicators who enjoy reading, frameworks, and working with people.

Why GRC Stands Out

While red and blue teaming get the spotlight, Gerald champions GRC as a foundational and increasingly vital path. Here’s why:

Bridging IT and Business

GRC professionals translate technical needs into business terms. Businesses don’t care about elite hacking skills—they care about profits.

Gerald recounts a real-world example: an engineer installed an unapproved remote access tool to work weekends. Rather than banning it, GRC assessed the business need, secured budget for a secure solution, and kept everyone happy. This ability to say “yes, but securely” sets GRC apart.

Managing Risk Realistically

No organization has infinite resources. GRC involves deciding what risks to accept and prioritize—e.g., implementing MFA before data loss prevention (DLP) for maximum impact. Gerald stresses that residual risk is inevitable, and senior GRC roles focus on intelligent decision-making.

Explosive Growth in 2025

Regulatory frameworks like the Cybersecurity Maturity Model Certification (CMMC) are driving GRC demand. Companies bidding on Department of Defense contracts, for instance, need GRC experts to prove compliance through audits. A $100K GRC hire could unlock multimillion-dollar deals, making it a no-brainer for businesses.

Is Cybersecurity a Good Career Path?

Absolutely, says Gerald. Here’s the breakdown:

  • Opportunities: Every business needs cybersecurity, from start-ups to governments. GRC and blue team roles dominate job listings, while pentesting remains niche.
  • Pay: Competitive salaries reflect the demand. GRC roles, especially in audit or consulting, can be lucrative, rivalling sales-like compensation structures.
  • Satisfaction: Whether you love technical challenges (red/blue) or strategic problem-solving (GRC), there’s a fit for your passion.

However, Gerald cautions: pentesting is an uphill climb, blue teaming can age you fast, and GRC requires resilience against its “unsexy” reputation. Choose what excites you, not just the paycheck.

How to Break into Cybersecurity (Focus on GRC)

Cybersecurity welcomes newcomers, including career switchers. Gerald offers a roadmap, with GRC as the most accessible entry point due to its lower technical barrier.

Step 1: Assess Your Fit

  • Red Team: Love tech and hacking? Start here, but brace for competition.
  • Blue Team: Okay with odd hours and stress? SOC roles are calling.
  • GRC: Enjoy learning, reading, and people? This is your lane. Gerald loves its “video game-like” challenge of allocating limited resources strategically.

Step 2: Build Skills

Technical Basics: All paths need some IT knowledge (e.g., networks, systems), but GRC leans more on soft skills.

GRC-Specific:

  • Free Resources: Study NIST 800-series (e.g., 800-37 for risk management, 800-53 for controls) or simpler frameworks like NIST CSF or CIS-18. Practice auditing—e.g., “Does this control exist? Yes/no.”
  • Courses: Gerald’s GRC Analyst Master Class teaches policy development, risk assessment, and auditing with labs. He’s offering 10 free seats and a 10% discount for David Bombal’s audience.
  • Soft Skills: Good communication is everything. If you are switching to cybersecurity from a field like marketing, or even from parenting, you already have valuable skills. Patience, persuasion and problem-solving all come in handy when dealing with executives in high-stakes business meetings.

Step 3: Start Small

  • Junior Roles: Auditing is GRC’s entry-level gig—checking compliance without needing deep tech expertise. Government and consulting firms (e.g., Booz Allen) hire juniors for federal audits (e.g., FISMA, CMMC).
  • Certifications: While not mentioned explicitly in the interview, entry-level certs like CompTIA Security+ or CISSP Associate can boost your resume.

Step 4: Network

Gerald highlights that cybersecurity jobs often go unadvertised, and hiring managers usually tap known contacts first. It helps to join active cybersecurity communities, attend conferences, or participate in boot camps. Even introverts can thrive via online forums.

The 2025 Landscape: Easier Buy-In, Persistent Challenges

Businesses are more open to security in 2025, thanks to mainstream awareness. Board members hear about ransomware on the news, and shareholders demand answers. Budgets remain tight, however, and executives hesitate at costly fixes until a risk hits their bottom line. This is when GRC professionals have to speak money, not technology, to win support.

Final Thoughts: Is Cybersecurity for You?

Cybersecurity is for you if you are ready to find your niche. Red teaming dazzles, blue teaming defends, but GRC builds the foundation. It’s a field of rich rewards, from financial stability to intellectual challenge. All you have to do is live it, talk it and love it. Start with curiosity, take advantage of communities, and pick a path that sparks joy. In 2025, cybersecurity isn’t just a career: it is a calling with a seat for everyone.