Starting in cybersecurity: FAQs about how to get your first job
Career advice from Dr. Matthew Lloyd Davies, senior cybersecurity author and researcher at Pluralsight, who helped secure the UK's nuclear industry.
Jul 26, 2024 • 14 Minute Read
Dr. Matthew Lloyd Davies is a senior cybersecurity author and researcher here at Pluralsight. He worked for the Office for Nuclear Regulation as a Nuclear Security Inspector, helping secure the UK's nuclear facilities. He has created over thirty courses for Pluralsight, covering everything from CompTIA Pentest+ Specialized Attacks to wireless and hardware hacking.
So, you’re looking to start a career in cybersecurity? If so, there’s never been a better time to join! In today’s digital age, the demand for specialists has never been greater—cyber threats are only getting more sophisticated, especially with the rise of AI, pushing companies to find professionals who can protect their data and systems. This puts you in the perfect position to be that white knight, riding in to save the day.
However, people have a lot of questions about how to actually hop on that cybersecurity horse for the first time. Do you need to have spent time hacking systems as a misguided youth? What about qualifications? Do you need to slog it out on an IT help desk for a while, even if you’re an established professional?
In this article, I’m going to answer all the frequently asked questions people tend to ask when it comes to getting their start in cybersecurity.
But first, we’re going to start with something a little bit basic: what even is cybersecurity? A lot of people have an image in their mind of what it is, and the reality can be different, so let’s make sure we’re using a common language.
What is cybersecurity?
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks. These attacks are usually aimed at accessing, changing, or destroying sensitive information, extorting money from users, or interrupting normal business processes.
Most people know this, but what they don’t know is that cybersecurity is a huge field, with many different career paths in it. Contrary to popular belief, it’s not just one person called a “cybersecurity expert”, wearing a black hoodie and defending against attacks.
This narrow view often deters people from joining the industry, because they don’t see themselves as a hacker or programmer. The truth is, someone wearing a tie and asking around your company if they’re meeting government standards could work in cybersecurity, not touching code at all.
There are all sorts of roles in cybersecurity, like:
- Security analysts
- Security engineers
- Penetration testers
- Incident responders
- Threat hunters
- Security architects
- Compliance and risk analysts
- Identity and Access Management (IAM) specialists
- Security awareness trainers
- Cloud security specialists
Because of this public misconception, a lot of people don’t realize they have what it takes to work in cybersecurity until someone else in the field taps them on the shoulder and tells them they do.
Well, I’m here, virtually tapping you on the shoulder now. By the fact you’re reading this article, you have what it takes to succeed in cybersecurity.
Asking questions and being curious is the telltale sign that you’ll succeed in the field. To elaborate, here’s a bit about my story.
How I got my start in cybersecurity
When I was young, I got told off a lot at school and at home for asking “awkward questions.” I wasn’t trying to be impertinent, I just wanted to know what would happen if I did something different from what was expected. Would something break? How would people respond? I learned later in life this is called the “hacker mindset.”
There is no single clearly-defined path into cybersecurity. Once you join the field, you’ll find out everyone has a completely different story on how they got there, and I’m no different. I came from an engineering background, then moved into safety and security research. From there, I transitioned to a regulatory role in the nuclear sector. All along, though, I still had that nagging curiosity: “What would happen if I told a computer to do something it wasn’t designed to do?”
To finally answer that nagging question, I built my own home lab—a combination of virtual and physical devices. I broke things. I fixed things. I broke them again. And through the whole process, I learned a lot.
I realized there would be more people like me who had been told “Don’t ask awkward questions.” I wanted to pass on my knowledge and experience to them, so I became a contract author for Pluralsight. It turned out they liked my content, and so they employed me full time!
Do I need to have already started in IT, like on a helpdesk?
No, but it helps. Cybersecurity is a subfield of Information Technology (IT), so having a foundation in IT concepts will help you understand how different systems work and how to defend them. Working in IT is one way to get this, but you can also pick it up from studying and experimentation.
Some basic IT skills I would recommend you focus on are:
- Networking: Learn how data is transmitted across networks; understand concepts like IP addresses, subnets, and network traffic routing.
- Operating Systems: Familiarize yourself with different operating systems, especially Windows, Linux, and macOS, including basic command line use.
- Programming and scripting: While not always necessary, having some knowledge of programming and building scripting skills can be beneficial; start with languages like Python, Golang and C.
- Web Applications: Understand the client/server relationship between a user’s web browser and a web application, and how they communicate.
What qualifications are needed for a job in cybersecurity?
There is no recipe hack or shortcut for getting into cybersecurity, such as “Add one CISSP, a dash of Python knowledge, and a year on a help desk.” It takes hard work and dedication to get in, and once you join the field, the need for learning never stops. That said, it pays off by being a highly exciting and rewarding career.
Even so, I would recommend structured learning experiences. There are many online platforms offering courses and certifications in cybersecurity. Those resources can provide you with guided learning and will help you work towards recognized certifications that will enhance your resume.
Many employers look for certifications, and some I would recommend are:
- CompTIA Network+: Builds the core skills necessary to establish, maintain, troubleshoot and secure networks.
- CompTIA Security+: An entry-level security certification that covers foundational cybersecurity concepts.
- Certified Information Systems Security Professional (CISSP): This certification is often described as being a mile wide and an inch deep. It covers almost the entire cybersecurity domain in enough detail to give you familiarity with the topics, but doesn’t go into great detail on any of them.
Note that with CISSP, while it says it has a “five year work experience requirement”, some of this can be waived with applicable experience. You can also sit the exam and become an “Associate of ISC2” while you earn the required work experience.
There are also other certs that do not have experience requirements, such as the CCSM, but these lack the same industry recognition.
Do I need to have real-world, practical experience?
Yes, practical experience is crucial in cybersecurity. Theoretical knowledge gained through study is important, but being able to apply that knowledge in real-world scenarios is what will make you stand out. However, don’t freak out—you don’t need to have worked in a security role to prove practical experience.
Here are some things you can do to gain and demonstrate hands-on experience in cybersecurity:
- Build a home lab using old computers or virtual machines to practice different cybersecurity tasks and techniques. Remember to look at both offensive and defensive security.
- Look for internships or volunteer opportunities in IT departments. Many organizations are willing to take on enthusiastic learners.
- Participate in cybersecurity challenges and competitions, often referred to as Capture-the-Flag (CTF) events. Platforms like Hack The Box and TryHackMe are excellent for practical learning and professional networking.
What else can I do to build my knowledge and experience?
Join Cybersecurity Communities and User Group Meetings
Becoming part of the cybersecurity community can provide you with support, resources, and networking opportunities. Engage with professionals, attend events, and participate in discussions. Look out for subreddits like r/cybersecurity and r/netsec, connect with high-profile cyber security professionals on LinkedIn, and join Discord/Slack groups which host specialist security communities.
Stay Updated with Industry Trends
Cybersecurity is a rapidly evolving field. Staying informed about the latest trends, threats, and technologies is crucial for continuous learning and professional growth. Think about following some reputable cybersecurity blogs and news sites such as Krebs on Security, Threatpost, and Dark Reading. Also consider listening to cybersecurity podcasts like Paul’s Security Weekly, Darknet Diaries, and CyberWire.
Build a Professional Network
Networking with other professionals in the field can open doors to job opportunities, mentorship, and collaboration. So, consider attending conferences, meetups, and webinars that interest you, to meet people and learn from their experiences.
Continuously Improve and Specialize
Cybersecurity is a field that requires continuous learning. As you gain experience, consider specializing in areas such as penetration testing, threat intelligence, or incident response.
What’s the one piece of advice you’d offer to anyone wanting to get into cyber security?
Developing a security mindset is crucial. Always think about how important the thing you want to protect is. Then think about how it might be vulnerable to loss, corruption or unavailability. Finally, think about the most appropriate way to protect it; some things are more important than others, so put more effort into protecting those things.
This mindset will not only help you in your career but also in your everyday interactions with technology.
Conclusion
Becoming a cybersecurity specialist with no prior experience is entirely possible with dedication, continuous learning, and practical experience. Hopefully, this article will help you to build a strong foundation, gain hands-on experience, and develop the skills needed to succeed in this dynamic and rewarding field.
Remember, the journey to becoming a cybersecurity professional is ongoing, and staying curious and proactive will serve you well throughout your career. Good luck!
Additional articles worth reading
Looking for more advice on how to get your start in cybersecurity? We recommend checking out "How to get into cybersecurity with no prior experience" written by cybersecurity expert and PCI Security Standards advisor John Elliott.