So, you want to get into CyberSecurity

This is just a collection of pieces of advice I have provided to friends/family/acquaintances over the years. It isn’t an end-all list or guaranteed roadmap of how to get a career in cybersecurity, but it is hopefully a start for someone out there!

Keep in mind as I write this, I have only ever been a part of small cybersecurity teams, where ownership is spread around and all hands are consistently sharing responsibilities. The idea that larger companies actually have TEAMS of people dedicated to Vulnerability Management, Incident Response, Threat Intelligence, even User Training, is bonkers to me. That perspective has led me to the conclusion that Security operatives have to either a) know everything or b) be able to find the answer to nearly everything. Any given morning you may have to review a pull request for a new feature and spot bad ideas before they get to production, and then in the afternoon you may have to be pulling forensic images and diving into incident response.

The number one skill set, for any security person, is the patience and capability to research, read content, and take action based on new information.

There are other things though, that make people much more marketable to recruiters and hiring managers!

College versus Certificates


Both? Both? Both! Both is good

— Miguel and Tulio, The Road to El Dorado

Papers matter to A LOT of people. There is a massive movement that hates colleges and thinks certifications don’t actually mean anything, but the people in the movement and the people who are hiring security folks don’t completely overlap in a Venn diagram.

College is a great choice, and having an Associate’s or Bachelor’s helps out a ton. It’s only a piece of paper, but you will learn a ton of stuff (if you put in the effort), and some colleges now include certificate courses that help you get a further leg up. Local colleges can often help you network with local people and businesses. Plus, you will be able to network amongst your classmates to develop relationships that can help you down the road.

Certificates can be extremely valuable. SANS GIAC certs are very expensive ($7,000+) but are the best in the business. Recently Wild West Hackin’ Fest has started offering some other great training courses as well, with much more affordable pricing. Other starter certs are Security+ and CEH. None of these are free though – so don’t worry about these unless you are positive you can get them the first time.
 
Non-security-related intro certs like Network+, A+, AWS CCP, Microsoft basic certs, etc. are very relevant! As a Security operative you have to know what you are talking about and be able to operate on different technologies. You may know how to dig into packets like a pro, but if you are handed a desktop machine and asked to ‘harden’ it, what do you need to do? Being adaptive is extremely important for security folks.

Experience

Labs and practice are hugely important – for any field in Technology. If you don’t have a single degree or certification, but can demonstrate that you have hands-on-keyboard skills, then any security team will pick you up. The following questions are critical for a security person:

My number one recommendation to anyone trying to break into the technology realm, regardless of if you are trying to be in security or not, is to follow along with The Cloud Resume Challenge. That challenge exposes you to a number of different technologies, coding languages, and ideas. Plus, it gives you an amazing platform to build a space for yourself and your own personal brand!

Career Path

There is no cookie-cutter career path in cyber land. One of the best books about cybersecurity in the world is The Cuckoo’s Egg by Cliff Stoll. Cliff was an Astronomer/Physicist and is now a glass blower. So anyone and everyone can break into cybersecurity if you have the desire! Also, it is probably a good thing to NOT start as a cybersecurity operative, and instead go into operations or development first. Security is about responding to and remediating risk generated by other business units; gaining experience in those other business units helps you to understand how to manage risk better.

Help Desk is a great starting point, especially if you stay with a company and promote up to Security. Help desk sees where users struggle, where there are security gaps in the identity management processes, and other critical pieces of the business landscape that an infosec person simply won’t. They also are probably going to see incidents bubbling up faster than you might think; the perfect example is a Ransomware outbreak when your endpoint protection isn’t working as well as you might like. Help desk will be flooded with tickets about systems rebooting randomly, weird filenames, etc.

You could also start out as a junior network engineer – a great place to get exposure to networking fundamentals and technologies. The OSI model is a bit outdated in our cloud-driven businesses today, BUT you will still find reasons to know what a VLAN is and how to troubleshoot network problems, and it gives you a great understanding of how to build better firewalls.

Sysadmin is another awesome spot – you will develop server and software management skills that will help you in the long run. Regardless of what role you have in cybersecurity, you will probably interact with a server somehow. Whether that is collecting logs, hardening, or vuln analysis/remediation, you will need to know how to remote into a server and work securely. Hopefully you have a jump box!

Junior developer or automation engineer are both excellent places to jumpstart as well! You must be able to write code (whether that is ‘software’ code or ‘Infrastructure’ code, doesn’t matter) to thrive in today’s startups and cloud-based companies. Particularly in incident response, automation is the key to quickly depriving attackers of resources and eradicating the threat they represent.

Word of caution: Similar to IT – Security is a Business Cost Center. This means that prior to good developers, a business will cut IT and Security – and before IT, Security will probably get cut. We don’t generate business value, we reduce business risk, thus reducing business cost (which in a weird way generates value off paper). Which is the final piece here – you have to understand what generates business value, and how to help the organization to achieve that.  

Final Words

It’s not what you know, but who you know and who knows you

All of the above advice is great and will help you land an awesome job if you give up chunks of your time to invest in your learning. To really land an awesome job though, you must network with people. Build up relationships around the industry, join Slack channels and Discord servers, find forums you can be active in; take the time to manage your relationships as if they were as important as your social media. The cybersecurity industry is like any other: there are a ton of great people and great minds inside of it. Like others though, there are bad apples, and just awful human beings.

Find a few good-quality recruiters, and keep your relationships with them cordial and open. If they have opportunities, entertain them and practice your interviewing skills! You don’t have to take a new job, and there is no reason not to treat interviewing like any other skill set.

Good luck in your hunt!