Getting your first job in information security (infosec, or cybersecurity) can be tough. It's (still) a relatively new industry, job roles and descriptions aren't always consistent, and it can be hard to figure out where to get started, what skills you need, and how you can acquire them.
To make matters harder, there are a lot of statistics about how many open jobs there are in cyber security, which make it sound as though it should be easy to get a job without any experience. The problem is that many of these statistics don't account for the fact that a lot of those open jobs are senior roles - junior roles can be quite hard to find, especially for someone who doesn't have any experience. So, where do you get started, and how can you show that you have the experience to be great at the job?
First, figure out what part of cyber you'd like to work in!
Contrary to what movies usually show, cyber is a big field and encompasses a lot of jobs other than actively hacking into a mainframe! Jobs span from risk management, to security awareness, to penetration testing (red teaming - this is the hacking most people think of, but it's actually a pretty small percentage of jobs), to security operations center (SOC) analysts (blue teaming), to security architecture (and a lot more). This is a great place to start exploring different career paths, as is this resource. There's a lot of overlap in the types of skills you need to develop for most entry level jobs, but it can be helpful to figure out which skills to prioritize, based on what you're interested in. Here's an overview of common paths from non-technical backgrounds into jobs in cyber.
Decide what makes you interested in cyber.
In many ways information security can be a tough industry - the hours are often long, and it's frequently expected that you will spend time outside of work continuing to study and work on projects (like blogs, podcasts, or labs) throughout your career. The most successful folks I know at every level are constantly learning. That's the case for a lot of fields, but it's worth noting for security because I often hear people tell me that they're interested in getting into security because they think it will pay well or because they think it sounds sexy or cool. Those things can be true, but the job often comes with long hours and long stretches of very dull tasks, which can be disillusioning for people who expect the type of hacking you see in movies. It's worth determining whether you're committed or passionate enough about the topic to want to keep studying throughout your career.
Since we're assuming you don't have any experience (or formal education) in security, we'll start there. Ideally you need to gain some knowledge and experience in these technical areas:
- Networking (protocols like DNS, TCP/IP, etc.)
- Programming (concepts, scripting, etc.)
- System administration (Windows/Linux/AD/etc.)
- Applications (programs which run on servers)
Before you learn how to break something, or how to secure it, you need to understand how it works. Plus, as a security professional, you'll have to work closely with network/infrastructure engineers, developers, and sys admins, and the more you understand of their jobs, the better you'll be able to work with them. There are a number of different ways to get that knowledge:
First, if a degree-granting program is an option for you (without being too expensive), it can be beneficial, as many employers and government agencies (at least in the United States) still require a degree in order to consider a job applicant. Though 4-year college degrees can be cost-prohibitive, community colleges can be a more cost effective option, and FreeCodeCamp is working on an affordable degree program.
Additionally, university reduces the need for self motivation, since someone else is setting your curriculum and testing you on it (which can be very helpful!). That's not to say that you can't get a job (or an education) without a degree - but it does make it a little harder, and there's a less straightforward path. One of the biggest advantages of universities is that you have built-in mentors in the form of your professors and teaching assistants and study groups in the form of your peers. Also, employers will try to directly recruit candidates from the university (often via job fairs dedicated to the university, or to university students more generally and hosted by third parties) and are prepared to hire for entry level roles. If you're pursuing a self-study plan, you have to go find those opportunities yourself. On the other hand, degrees are expensive and can be time intensive!
If you opt for the degree route, I typically recommend a computer science degree. Computer science is a fairly well understood discipline and teaches skills which are easy for interviewers to test (it also offers you a wide range of career options). Cybersecurity majors are relatively new, and vary in curriculum. Some are essentially computer science degrees with a couple security classes tacked on, and some are primarily risk based degrees, with little technical component (which is great if you're looking for a role in risk, but not if you're looking for a job as a SOC analyst or penetration tester). Given the relative newness of these degrees, and most hiring managers' (un)familiarity with them, I typically recommend opting for a better understood and more standardized computer science degree.
A second option is certifications. They can also show that you have some basic skills, though how important they are and how well they're regarded depends on the hiring manager and the certification. I typically advise Security+ for folks just getting started in cyber.
I also usually recommend that folks avoid EC-Council certifications. The one you're most likely to see referenced is the CEH (Certified Ethical Hacker), but I don't recommend it because it isn't a well-respected technical certification for penetration testing, and because in recent years there have been some concerns about how EC-Council (the organization which administers the exam) approaches sexism and racism within cyber, and about how often they update the technical information in their exams. I'm not a big fan of any of their certifications. You can read my full guide to information security certifications here.
Alternatively, there are boot camps specifically targeted at helping people get cybersecurity jobs. They typically provide flexible options for attendance, and a structure/curriculum for learning. These have the advantage of usually being much cheaper and shorter than a 4 year degree, but aren't usually as comprehensive, and vary significantly in quality. Universities typically have to be accredited by a governing body, and there's no similar governance for boot camps. I don't recommend (or recommend avoiding) any specific bootcamps, but I do advise doing careful research before committing to one (reading reviews, talking to past students, asking what the rate of job placement is, etc.) in order to ensure you'll end up with a return on your investment. Typically bootcamps work best for folks who are self-motivated and eager to learn - they provide the structure, and they depend upon the students to do a lot of studying and work outside of the class structure.
Finally, there's self-study! The benefit of self-study is that it's free and you can set your own schedule. The downside is that it can be hard to both set your curriculum and teach yourself without knowing if you're missing key pieces - determining how to set a curriculum is hard. Also, there are a TON of cybersecurity learning resources out there and it can be hard to figure out which ones are high quality, and which ones you should skip. Finally, self study requires a lot of dedication and self-accountability. It can be very easy to put your studies on a pause or for life to get in the way.
If you opt for self-study, here are a couple of resources to get you started. I would recommend FreeCodeCamp as the first stop - it's well structured, clearly laid out, and there's lots of support along the way. Past this, there's much less structure, and the best way to learn is to pick something that you find interesting, dig into it, and when you get stuck, start googling. Some of the smartest people I've met in security are folks who followed that template - they read something, or heard something in a meeting that they didn't understand, and they googled it. That led them to something else they didn't understand, so they googled that, and so on, all the way down the rabbit hole. That can be a frustrating process, but it's also an effective one over the long term, and one which will mean you have in-depth knowledge across a range of domains.
- FreeCodeCamp is a great place to learn how to code (and to join a very supportive community to help you on your journey!)
- Cybrary offers a number of free and paid courses, though they are very certification focused. I used their CISSP class as one of my studying resources for that exam and found it very helpful. This can be helpful if you have a specific certification in mind (like Sec+).
- Daniel Miessler has a list of suggested projects to complete here (it serves as a nice mini curriculum for building an at-home lab for any security professional)
- A free web security course (penetration testing)
The most important part of this is less that you study specific things, than that you set goals (here's how to do so effectively), and that you stick to them. You'll need to learn how to keep learning sustainably, without burning out, because learning all of the above takes time, and even once you have a job in security, you'll constantly be learning. Any new vulnerability, exploit, or technology will mean that you have to learn something new in order to effectively protect your assets and networks.
Get involved with your local community.
Getting to know people in your area who already work in cyber can be hugely beneficial. It's a great way to learn new skills, find out who is hiring, find a study buddy, and make professional connections. Meetup is a great place to get started, as are international groups which have local affiliates like BSides, DefCon, OWASP, WiCyS (Women in Cybersecurity), WoSEC (Women of Security), Cyversity, WISP (Women in Security and Privacy), Blacks in Cybersecurity, and Women's Cyber Jutsu. Many of these groups also offer free webinars and training options for folks (even if you don't identify with the affinity group which they represent).
Once you've started going to events (and introducing yourself to the folks who are running the event), try volunteering for one! Community groups are almost always looking for more volunteers and if you are dedicated, show up on time, and help out, they're likely to be thrilled to have you. After you've shown that you're a reliable volunteer who isn't afraid to jump in and help out, see if you can join a committee or the board of a group (this may take a few months). This will help you make friends, and it's a great thing to talk about in a job interview (especially if you don't have much on the job experience to talk about).
Start checking out conferences, as they're another great way to meet people in cyber security and pick up some additional skills.
CFP Time and Cybersecurity Conferences list security conferences across the globe and are a good place to get started looking for events in your area. You don't have to go to expensive ones (though some of the affiliate groups I listed above offer scholarships to conferences, as well as their own conferences, which is a great way to attend for free or a low cost), but many local ones are fairly cheap, or have a free/cheap virtual option. Go and treat it as a learning opportunity (not a partying one). Take notes and strike up a conversation with the people who attend the same talks (that's a great ice breaker!). If you really liked a talk, reach out to the speaker on LinkedIn or Twitter and tell them what you liked about the talk - be specific. Now you have topics to talk about in a job interview!
Get involved with the global cyber community.
A lot of the security community is on Twitter, LinkedIn, or Mastodon and joining these sites is a great way to get connected with them. Following people and groups who work in cybersecurity can be very helpful because they will often post about jobs they're hiring for, free classes, trainings, webinars, and conferences, among other things. It can also be helpful to start engaging in the conversation and treating it like an opportunity to network. Looking at the authors of FreeCodeCamp's cyber articles is a great place to start. From there, check out the authors of the blogs listed in the resources section below, as well as their followers and the folks they follow. This is a great way to find jobs to apply to, as well as interviewing advice, or to stay up to date with the latest cybersecurity vulnerabilities and news (a popular job question).
Start producing content.
Once you've started learning, it's time to start creating content to show what you've learned. You can start a podcast, give a conference talk, write a blog, create projects on Github, or stand up a home lab. The goal is really just that you have something to show for the learning that you're doing - that you can demonstrate what you've learned to a hiring manager. Also, it doesn't have to be ground-breaking. Often I see folks get stumped - they think that they're not the foremost expert on C++, for example, and so they're hesitant to create any content on the topic at all.
However, often just having a unique perspective can be helpful - you can (for example) write (or give a talk on) 'An introduction to C++' and chances are you can reach someone who isn't quite as far along on their coding journey as you are and can benefit from your experience. This is a great way to add content to your resume, to help out the community, and to give you a chance to practice skills like writing, communicating with different audiences, and presenting (all of which are incredibly important in information security).
Write a great resume.
Now that you've gained some experience, it's time to put together a resume. You'll want to include all the projects you've built, the groups you've joined (and are now on the board of!), and the things you've produced. You should also include past jobs with transferable skills. If you're applying for a job in security awareness, do you have any experience creating trainings which aren't related to security? If you're applying for a job as a SOC analyst, can you highlight past experience writing daily reports? Even if none of your past jobs were in technology roles, you can probably identify skills or responsibilities you had which are similar to those in the job posting. Those can be valuable skills to highlight on a resume when applying for jobs.
Finally, start applying for jobs.
Leverage your connections from in person groups and conferences, any volunteering you've done, and your online connections. Tell people that you're looking for entry level roles doing X, and ask them to think of you if they hear of any similar opportunities. Often recruiters go to local tech events, and you can connect with them about potential job opportunities there. Use those leads, in addition to online job boards and in person job fairs at conferences, and start applying!
Some other advice on breaking into security from some very smart folks:
- Starting an InfoSec Career - Lesley Carhart
- Building a Successful InfoSec Career - Daniel Miessler
- Thinking of a Cybersecurity Career? Krebs on Security
- How to Break into Security - Charlie Miller
- How to Break into Security - Richard Bejtlich
- How to Break into Security - Jeremiah Grossman
- How to Break into Security - Bruce Schneier
- How to Break into Security - Thomas Ptacek