How to start your cybersecurity career: Expert tips and guidance

As businesses strive to protect their data and privacy, the demand for skilled cybersecurity professionals continues to grow. This article provides expert advice to help you navigate the early stages of your cybersecurity career, offering practical tips and insights.

Brian Honan, CEO at BH Consulting

When advising people at the start of their cybersecurity careers, I recommend that they focus on human networking.

I strongly recommend that people get involved in the cybersecurity community/industry. This will not only give them a feel for the industry to see if it suits them but will also help them create connections with people who may be able to offer them a job at some point or some guidance when applying for a role.

Also, as someone who hires people, if I have two people with the same experience and qualifications, I will always go for someone who can demonstrate they have a security interest. People can do this by:

• Writing blogs, posting on LinkedIn or other social media platforms about security topics, e.g., their experiences in learning security, how they solved a particular issue, and their thoughts on a breach that may be in the news. It doesn’t matter if others have already written about those topics; by writing their piece, they demonstrate they can communicate ideas in writing for others to read.
• Follow people who are in security on social media, and don’t be afraid to interact with them.
• Take part in local security meetings. There may be an OWASP chapter or an ISC2 chapter that those starting their careers could attend and get a chance to meet others.
• Go to security conferences and exhibitions to learn more and network with people.
• Some local security conferences, such as one of the many BSides events, may need volunteers to help organize and run the conference. Again a great way to get involved in security and to get known in the industry
• They could also consider offering their IT and security skills to some local charities to secure their systems. This will give them some good experience, benefit a charity, and look good on their resume.

Biljana Cerin, Information Risk, Business Development and Project Lead, Infoedge

My opinion about starting a career in cybersecurity is a very strong one: if you don’t have a true passion for the field, if you find it a “trendy” profession at the moment, and are not willing to learn, listen, and expand your professional comfort zone every day, taking full responsibility for your actions, you should stay away from it. It may sound inappropriate, but I am comfortable saying it now that everyone has experienced the consequences of poorly managed security processes and controls due to numerous security incidents almost happening weekly on a global scale.

Information security is a serious issue and should be taken seriously by all the participants – whether entry-level professionals or top management. So, for someone just about getting in the field, I’d suggest giving yourself an honest answer to the question – am I interested in this? And am I ready to dedicate my attention to my future field of expertise?

Once the answer is yes to both of these questions, I’d try and find a mentor who can guide me through the significant amount of information, knowledge, and requirements related to the field and pursuing formal education through colleges, universities, or specialised seminars by well-respected organizations, should the finances or arrangements with the employer allow. If it is not an option, a self-study with the help of mentors and experienced colleagues is an excellent second option. I would recommend vital networking through professional associations, and as soon as you feel confident about some, no matter how small, professional domain, I’d suggest getting “out there” and presenting your knowledge – within your team, a department maybe as the next step, and as you grow further, through available professional communities’ events.

If you are to work in this field, you must believe in yourself and earn the trust of others.

Stay focused and honest with yourself, keep learning each day, and take responsibility for your actions, and you will soon establish yourself as a trustworthy information security professional.

Byron Rashed, VP of Product Marketing at DigitSec

The best advice I would give is to start building an excellent technical background, stay ahead of the learning curve, achieve accreditations, and keep within the community to share information. Understand that the threat landscape is ever-evolving and concentrate on the “big picture.” Understand the industry and the business you want to be in. For example, if you are interested in retail, ensure you have a good knowledge base of e-commerce and UX.

An advantage for those who want to start a cybersecurity career is to learn network topography, not just the security stack. Understand the complexity of networks (IT, OT, IoT, SCADA, etc.) and how that fits in. Develop an understanding of how SaaS and other software are integrated into the network and learn their security aspects. For example, if an organization uses a SaaS, what are the limitations of liability of the provider, is there a shared responsibility model, and what tools are used to protect and monitor the applications and the users?

Keep up to date with the latest cybersecurity news that includes breaches, safeguards, legislations, compliance, etc. Understand the adversaries. Research the REAL dark web, their motives and the techniques they have used and are developing. Returning to the industry of interest, what are the most common threat vectors, and how would you mitigate risk? These are all things that should be researched and looked into when starting a cybersecurity career.

I have read and agree to the terms & conditions

Leave this field empty if you're human:

Ian Campbell, Senior Security Operations Engineer, DomainTools

Coming to security operations from a non-traditional background, I’ve had the good fortune to work under and with some of the best minds in information security and DNS. From past to present, leadership has exemplified a rarely discussed aspect in the articles I’ve read: the critical and intricate role of trust in cybersecurity. Good internal and external relationships with the company require folks to trust that you will value and respect their intelligence, time, and confidentiality. It’s an information economy, but the largest and most impactful pipelines through which information flows are the ones expanded by trust and credibility.

Building trust requires consistent effort every day, but once lost, it can be a long and difficult journey to regain—if it’s even possible. If you plan to be a security practitioner, strive to be a trusted practitioner.

Another practice to begin early is establishing repeatable processes. You will repeat the same work tasks repeatedly across multiple jobs. Learn to build your flexible plug-and-play frameworks to make tasks more accessible and to make resolutions more predictable. Adjust the frameworks when needed and as your skills and knowledge base expand. By focusing on creating and following repeatable, standardized processes, the impact on efficiency and quality will be noticeable.

The last suggestion I’d like to emphasize is to share what you learn. It’s a surprisingly good way to test your retention and improve critical communication skills. Engage with the community by sharing what you’re reading, working on, succeeding, and struggling with. To quote the poet Mary Oliver, “Instructions for living a life: Pay attention. Be astonished. Tell about it.”

Joseph Cooper, Cybersecurity Recruiter, Aspiron Search

Starting a career in cybersecurity can be a daunting process, but it doesn’t need to be! Don’t be afraid to ask questions, as it truly is the only way you will learn, and try your best to embrace every opportunity as they can be vital stepping stones for long-term career growth in the field.

It’s also really important not to limit yourself to strictly cyber-focused roles. Many accomplished cybersecurity professionals began their journeys in foundational IT positions such as network administration, help desk support, or system administration. These roles can offer valuable experience and a deep understanding of the technical infrastructure that cybersecurity relies on.

In addition to that, social networking is a crucial tool in this industry, so reach out to people and build connections, LinkedIn is such a powerful tool to do this!

Santiago Holley, Lead Analyst at Crypto ISAC

There are no true “entry-level” jobs in cybersecurity that don’t involve hands-on technical work. Unfortunately, many traditional educational institutions don’t provide the necessary education or training for entry-level Security Analysts, SOC Analysts, Incident Handlers, Forensic Analysts, or Penetration Testers. As a result, individuals looking to start or pivot into a cybersecurity career must find alternative ways to gain these practical skills, such as self-teaching, internships, apprenticeships, or on-the-job training.

Aspiring cybersecurity professionals should focus on studying and practicing specific knowledge domains, which are highly valued by hiring managers, often more so than a four-year degree. These domains include SOC processes & methodologies, SIEM operations, tactical analysis, log analysis, threat hunting, Active Directory attack analysis, network traffic analysis, malware analysis, and DFIR operations. Many free and paid resources offer hands-on training in these areas, such as Hack The Box, TryHackMe, Coursera, Udemy, and Cybrary.

Before pursuing a career in cybersecurity, consider if you are a lifelong learner. Staying current with new skills and tradecraft is crucial in this field. Unlike the Los Angeles Police Department, where extensive training is provided to any new recruit before they go on patrol, many companies and organizations do not offer comprehensive training for cybersecurity roles. Therefore, self-motivation and a commitment to continuous learning are essential for success in this career path.

Fill out the form to get your free eBook:

First name *

Last name *

Email *

Job title *Please selectChief Information Security OfficerChief Security OfficerChief Technology OfficerCybersecurity DirectorCybersecurity ExecutiveCybersecurity LeadCybersecurity ManagerCybersecurity Product ManagerHead of Cyber SecurityHead of Information SecurityHead of ITInformation security DirectorInformation security ExecutiveInformation security LeadInformation security ManagerInformation security Product ManagerIT DirectorIT ExecutiveIT LeadIT ManagerIT Product ManagerOther CybersecurityOther ITOther Information SecuritySOC ManagerVice President

Company *

Country *Please selectAfghanistanAlbaniaAlgeriaAmerican SamoaAndorraAngolaAnguillaAntarcticaAntigua and BarbudaArgentinaArmeniaArubaAustraliaAustriaAzerbaijanBahamasBahrainBangladeshBarbadosBelarusBelgiumBelizeBeninBermudaBhutanBolivia (Plurinational State of)Bonaire, Saint Eustatius and SabaBosnia and HerzegovinaBotswanaBouvet IslandBrazilBritish Indian Ocean TerritoryBrunei DarussalamBulgariaBurkina FasoBurundiCabo VerdeCambodiaCameroonCanadaCayman IslandsCentral African RepublicChadChileChinaChristmas IslandCocos (Keeling) IslandsColombiaComorosCongoCongo (Democratic Republic of the)Cook IslandsCosta RicaCroatiaCubaCuraçaoCyprusCzech RepublicCôte d'IvoireDenmarkDjiboutiDominicaDominican RepublicEcuadorEgyptEl SalvadorEquatorial GuineaEritreaEstoniaEswatini (Kingdom of)EthiopiaFalkland Islands (Malvinas)Faroe IslandsFijiFinlandFranceFrench GuianaFrench PolynesiaFrench Southern TerritoriesGabonGambiaGeorgiaGermanyGhanaGibraltarGreeceGreenlandGrenadaGuadeloupeGuamGuatemalaGuernseyGuineaGuinea-BissauGuyanaHaitiHeard Island and McDonald IslandsHondurasHong KongHungaryIcelandIndiaIndonesiaIran (Islamic Republic of)IraqIreland (Republic of)Isle of ManIsraelItalyJamaicaJapanJerseyJordanKazakhstanKenyaKiribatiKorea (Republic of)KosovoKuwaitKyrgyzstanLao People's Democratic RepublicLatviaLebanonLesothoLiberiaLibyaLiechtensteinLithuaniaLuxembourgMacaoMadagascarMalawiMalaysiaMaldivesMaliMaltaMarshall IslandsMartiniqueMauritaniaMauritiusMayotteMexicoMicronesia (Federated States of)Moldova (Republic of)MonacoMongoliaMontenegroMontserratMoroccoMozambiqueMyanmarNamibiaNauruNepalNetherlandsNew CaledoniaNew ZealandNicaraguaNigerNigeriaNiueNorfolk IslandNorth Macedonia (Republic of)Northern Mariana IslandsNorwayOmanPakistanPalauPalestine (State of)PanamaPapua New GuineaParaguayPeruPhilippinesPitcairnPolandPortugalPuerto RicoQatarRomaniaRwandaRéunionSaint BarthélemySaint Helena, Ascension and Tristan da CunhaSaint Kitts and NevisSaint LuciaSaint Martin (French part)Saint Pierre and MiquelonSaint Vincent and the GrenadinesSamoaSan MarinoSao Tome and PrincipeSaudi ArabiaSenegalSerbiaSeychellesSierra LeoneSingaporeSint Maarten (Dutch part)SlovakiaSloveniaSolomon IslandsSomaliaSouth AfricaSouth Georgia and the South Sandwich IslandsSouth SudanSpainSri LankaSudanSurinameSvalbard and Jan MayenSwedenSwitzerlandTaiwan, Republic of ChinaTajikistanTanzania (United Republic of)ThailandTimor-LesteTogoTokelauTongaTrinidad and TobagoTunisiaTurkmenistanTurks and Caicos IslandsTuvaluTürkiyeUgandaUkraineUnited Arab EmiratesUnited Kingdom of Great Britain and Northern IrelandUnited States Minor Outlying IslandsUnited States of AmericaUruguayUzbekistanVanuatuVatican City StateVenezuela (Bolivarian Republic of)VietnamVirgin Islands (British)Virgin Islands (U.S.)Wallis and FutunaWestern SaharaZambiaZimbabweÅland Islands

State *StateALAKAZARCACOCTDEDCFLGAHIIDILINIAKSKYLAMEMDMAMIMNMSMOMTNENVNHNJNMNYNCNDOHOKORPARISCSDTNTXUTVTVAWAWVWIWY

Privacy policy *

• I have read and agree to the Privacy Policy and would like to be updated on ISC2 certifications, educational resources, and offers.

Submit