– By someone who really wants you to succeed!

Finding your first job in cybersecurity (which us security nerds call ‘InfoSec’) can feel overwhelming. There are way too many job titles, technologies, and acronyms to keep track of. There’s also no clear career or training pathway to get there (for instance, if you want to become an accountant, the steps are clear; for cyber, they are not), which can be frustrating. But I have a secret for you: you do not need to know everything right away (or ever). You just need to find the right direction for you, have good people in your corner, and a willingness to learn.

I have spent many years helping people make their first moves into this field, and I have seen again and again that the following steps can help you land your first role. What follows is a practical, updated road map for getting your first cyber security job (also known as information security).


1. Figure out which cybersecurity job is right for you

This is the most difficult step! Cybersecurity is not a single job, it’s an entire field of work. We have computer science at the top of this hierarchy, then underneath we have information security (sometimes called cyber security), and underneath that we have an entire umbrella of cool jobs! Titles include: application security, cloud security, GRC, incident response, penetration testing, product security, DevSecOps, and threat hunting, to name just a few. Each one uses different skills, tools and problem solving approaches. All of them help protect people. You can read about even more jobs here.

A diagram illustrating the hierarchy of the cybersecurity field, showing the relationship between Computer Science, Cyber Security, Programming, DFIR, Incident Response, Application Security, Network Security, and other areas.

To figure out which job you want, start by exploring. Watch videos about what those jobs are like, especially interviews about said jobs. You can find several “what is this job like” interviews by watching episodes from season 1 of my old podcast (We Hack Purple Podcast), which I made specifically to help people join our field.

Read job descriptions, and think about if that job sounds ‘right’ for you. Take beginner friendly courses. Talk to people who are already working in the field, and ask them a million questions. Give yourself time to discover what feels interesting and what does not, and ask yourself if you think you would be a good fit for that job.

In my 30’s I switched from programming to penetration testing and figured out that it was not right for me. Penetration testers need to be patient and have good attention to detail, which are not my specialty. Quite frankly, I found it kinda lonely being by myself, testing all day (as the world’s most extroverted human being, that was hard for me). Then I discovered application security, where I got to do something new every single day and constantly talk to people like the social butterfly I know I am. I wish I could have known at the start that AppSec was where I belonged, I could have saved myself two years of time training for the wrong job….

Let’s save YOU some time. Read about the different types of jobs, talk to people, join communities, ask questions, and try things out until you feel fairly confident you know what you want to transition into. Once you know that…

2. Find a professional mentor

Image of a post of someone using the hashtag.

A mentor can guide you in a way that books and videos cannot. They are a person you trust, who has your back. They can help you choose the right path for you, point you toward high quality resources, introduce you to great people, and offer advice based on their experience. Most importantly, a good mentor believes in you and helps you stay on track. This person will offer the best advice they can, AND keep your secrets.

You do not need a famous mentor. In fact, really well-known people usually have no time to share with you. What you need is someone who cares and has enough experience in the area that interests you to offer you good advice (and that doesn’t mean they need 20 years experience either!). Many cybersecurity communities offer free mentoring programs, and you will be surprised how often professionals will say yes if you ask nicely, explain what you are looking for, and tell them how hard you are working to get it.

A social media post highlighting the 46th Cyber Mentoring Monday event, encouraging individuals to seek mentors and connect within the cybersecurity community.

I run an informal mentor matching program every Monday on Twitter (X), BlueSky, LinkedIn, and Mastodon (Infosec.Exchange server) called #CyberMentoringMonday. It might help!


3. Join learning communities

Switching careers is easier with friends! Join communities that focus on the area(s) you are interested in learning about and working in, make friends, and then tell everyone that you want to transition. I have made SO MANY FRIENDS via OWASP and other wonderful InfoSec communities. Communities you may want to check out: OWASP (for AppSec), DevSec Station (for developers who care about security and AppSec folks – coming soon), Women of Security (for women and non-binary folks), B-Sides (for anyone), Def Con (for hacking), ISACA, ISSA, Women’s Society of Cyberjutsu (for women in cyber), WISP (for women who like privacy), for starters. There are WAY MORE out there, use your fav search engine to look for your people. The effort will be well worth it, I promise.

A community can help you find people to learn with, encourage you, tell you about job opportunities, provide you with mentors, share invites to events, include you in open source projects, and provide genuine friendships. Being an active member of a community also shows future employers that you are engaged and contributing to the field.


4. Learn the skills required for the job you want

Tanya doing her job: presenting and engaging with an audience, wearing a purple outfit and gesturing with her hands.

Once you choose a direction, focus your journey on learning how to do the job you want to have. Trying to learn all of cybersecurity is impossible. Instead, learn the skills that matter for your specific job of choice.

You can: take on-demand, online courses, do hands-on labs, attend live training or workshops (which can be online or in person), read books, follow blogs, videos and other online content, or do a capture the flag contest. There are podcasts, news articles, newsletters, YouTube channels, content creators (like me!), and more. Anything that helps you learn is good, even if it’s not a traditional way of learning. Cybersecurity is a fairly hands-on type of profession, so look for opportunities where you can get your hands dirty as often as possible (for instance, reviewing code, fixing bugs, running a SAST/DAST/SCA/secret/IAC scanner, etc. if you want to one day work in application security).

Trying out the job you want is really important, to make sure it’s the right one for you. Try to find opportunities to “do” the job you’re interested in, as soon as possible.


5. Volunteer to help the security team at your current workplace

Two people stand beside a banner that reads 'MEET THE MENTOR' at a cybersecurity event. The man on the left is wearing a black shirt with the text 'Just because you can't doesn't mean your AI should.' The woman on the right is dressed in a purple dress.

If you have a job, and your company has a security team, ask if you can help. Many security teams are overwhelmed and would be more than happy to have some assistance. This is a GREAT way for you to get experience, to offer value to your workplace, and to show them you might be a fantastic choice when they open a new position on the team. Note: this worked for me!

You might help with documentation, secure coding tasks, compliance work, threat modeling, incident response investigations or vulnerability management. Even small tasks help you gain real world experience and create internal connections that might lead to future roles.

Not everyone can do this, but if you can, it is one of the fastest ways to get practical experience. This is how I got my first security job. Well… I actually did 100% of the things on this list, but this one REALLY helped!

5.5 Become a Security Champion

If you are a software developer, become a security champion. This is the #1 best way to get into application security. This only works, of course, if your company has a security champion program…. But if they do, join it! This is a very, very common way for people to transition onto the AppSec team. You get to learn while being paid your salary, and you get to know the AppSec team plus the way they run their program. You become the perfect candidate because not only do you have the skills they need but you have 1) corporate memory and 2) preexisting good relationships with all the other developers. A security champion is a dream come true for the AppSec team when it comes to hiring.


6. Tell everyone you know about your career transition

This part feels uncomfortable, but it works. Tell your friends, family, coworkers, neighbours, everyone at the new community you joined, and your online network that you are transitioning into cybersecurity and which specialty you will be focusing on. No seriously… Tell everyone!

A message like this could work:
“I am transitioning into cybersecurity with a focus on application security. I am learning and building experience wherever I can, so please let me know if you hear of anything that might help or if there’s someone you think I should meet.”

People cannot support you if they do not know what you are aiming for. And telling people means they will hold you accountable.

When I decided to write my second book I told the internet (my followers) that I was ‘writing my next book’. I knew that I could not let them down, which meant I HAD to write it. They held me accountable (in a supportive and kind way, not a demanding way). They asked me how it was going, if I needed help, where I was at. And each time it lit a fire under my butt to keep writing. It ensured that I never gave up, even when it was hard.


7. Build work experience by volunteering

Experience is the biggest hurdle for people new to any field, but there are many ways to get it before you land your first paid job. Look for open source projects that need help (OWASP has several!). Offer to assist small nonprofits that want to improve their security, perhaps by doing a pentest for them or reviewing their code for vulnerabilities. Participate in beginner-friendly bug bounty programs. Ask your network and community if they know of places you can volunteer, ask them for ideas too. You can create your own open-source projects to practice and then share what you learned in a blog or on your social media. All of these count as experience and help you grow your skills.

In order to get my first full time job as a penetration tester, I did a volunteer PenTest. I scanned a web app with Burp Suite and did all the manual testing I could think of (I was very inexperienced at the time), then scanned the underlying infrastructure with Nessus, and I wrote up a report. I was told that ‘wasn’t enough’, so I fixed all the bugs, and showed them that. We went back and forth over 4 months, with several informal interviews. Eventually they gave in and hired me! My persistence paid off in the end.


8. Build an online portfolio

A portfolio is a display of your work, for whatever field you work in. For a career in tech, this can be a blog, a GitHub repo, a YouTube channel, a website, whatever. The purpose is to help people understand what you are capable of. It does not need to be complicated or fancy, but you want it to show off your skills. A GitHub profile full of contributions or code you wrote, a blog with write-ups of various projects you’ve worked on, a collection of labs you completed or a list of certificates of completion for online courses is something that shows that you work hard. Employers appreciate seeing proof of your abilities, even if you’re just aiming for a junior role.

Screenshot of a GitHub profile page for SheHacksPurple, featuring a logo with a female figure, highlighting popular repositories including 'TTT-Pushing-Left' and 'DevSlop.co'.

9. Polish your LinkedIn profile

LinkedIn profile of a cybersecurity expert showing their professional title as Trainer and Keynote Speaker, along with a photo and background related to cybersecurity education.

LinkedIn is an important platform for cybersecurity job seekers. Recruiters use it constantly. Is the platform perfect? No, it is not. Will 100% of future employers go check you out there before hiring you? Yes they will!

Update your headline to reflect the job you are looking for. You can see mine in the image, I put “trainer” and “keynote speaker” to try to tell the world that’s what I want to be. Yours should reflect what you want as well. Write a short, friendly summary about your transition into cybersecurity. Add your courses, projects, communities and volunteer experience. Make it easy for people to know what you are learning and where you want to go. You don’t need to post everyday like I do, but try to post every time you do something you are proud of.


10. Apply for the job! Even if you don’t feel ready

Most people wait too long to apply for jobs. They feel like they should learn more first. Apply anyway!!! Job descriptions are more wish lists in cyber, not necessarily requirements. Also, the security industry is famous for asking for way too much. If you think maybe you can do the job, and you know you WANT to have the job, apply for it.

Special note for women: if you think you’re not ready, ask a male friend if they would apply if they were you. If they say yes then GO APPLY FOR THAT JOB! RIGHT NOW!

I had someone ask me to review a job description for an application security job in 2023. It said ten years experience in AppSec, and I said that was ridiculous. I explained that I only had 9 years AppSec experience and I literally wrote the book on AppSec. I said “If I can’t apply, WHO CAN APPLY FOR THIS JOB?!??!?!?!” The very nice person changed it to 5 years. 😀

With this in mind, please apply for the job!


11. Practice interviewing, ask someone to review your resume, and do all the other normal job-prep stuff!

Try mock interviews with mentors, friends or community members. The more you practice, the calmer and more confident you will feel during real interviews. Get someone to review your resume to ensure it looks good and there are no typos. Write up a template cover letter that explains what you want, your learning and other efforts, and have it ready for when you’re applying for jobs. Ensure you have references (even just community members to say that you show up every month) at the ready. Do all the stuff you would normally do to try to find a job, plus some of the other things in this blog post, and you should be all set!

I hope this blog post helps you find your way into our industry. I assure you we need all the help we can get, and we would be very lucky to have you!
