Breaking into Infosec: A Comprehensive Guide to Landing Your First Cybersecurity Job
The global cybersecurity workforce shortage has never been more acute. A 2022 survey by (ISC)2 pegged the deficit at 3.4 million unfilled positions, with 70% of organizations reporting that staffing shortages directly impact their ability to secure systems and data.
This dire situation, however, presents a huge opportunity for aspiring information security professionals. The US Bureau of Labor Statistics projects "information security analyst" will be the 16th fastest growing job over the next decade, with 35% growth and the addition of over 56,000 jobs.
But while demand far outpaces supply, breaking into the infosec field is far from easy, especially for career transitioners without prior cybersecurity experience. Landing that first job can feel like an insurmountable catch-22.
So how exactly do you crack into this high-demand, high-impact field? As someone who transitioned from full-stack web development into application security engineering, I'll share the key steps that worked for me and for many others who broke into infosec successfully.
Understand the Infosec Landscape
The first step is researching the vast and varied landscape of cybersecurity to understand what roles and specialties pique your interest. "Infosec professional" is an extremely broad umbrella encompassing myriad job functions.
On the offensive security side, you have penetration testers, red teamers, bug bounty hunters, and exploit developers trying to emulate and anticipate adversary actions to uncover vulnerabilities.
On the defensive side, you have blue teamers, security engineers, incident responders, malware analysts, threat hunters, and SOC analysts working to monitor, detect, investigate and remediate threats.
In terms of governance and compliance, you have roles like security auditor, GRC analyst, privacy engineer, and security awareness trainer.
And those are just a few examples. Infosec also intersects with many other domains like software engineering, cloud infrastructure, networking, data analytics, fraud prevention, physical security, and beyond.
While it's good to explore what's out there to inform your studies, entry-level infosec roles tend to be more generalist. You likely won't start off as a highly specialized threat hunter or reverse engineer from day one.
Common entry-level job titles include (with average US salary figures from Glassdoor):
- IT Security Specialist – $71,398
- Junior Penetration Tester – $84,881
- Information Security Analyst – $76,472
- Cybersecurity Technician – $69,423
- Associate Security Engineer – $90,230
Focus on building a solid technical foundation and a portfolio of practical experience first. Specialize later.
Develop Core Technical Skills
Figure source: NIST NICE Cybersecurity Workforce Framework
Fundamental to breaking into infosec is developing technical proficiency across disciplines like networking, system administration, web application development, and programming.
Some specific high-demand skills to focus on, based on data from CyberSeek and job postings:
- Networking protocols and concepts (TCP/IP, DHCP, ARP, subnetting, etc.)
- Windows and Linux system administration, configuration, and hardening
- Cloud service provider fundamentals (AWS, Azure, GCP)
- Security tools like Nmap, Wireshark, Burp Suite, Metasploit, SIEM platforms
- Scripting languages like Python, PowerShell, and Bash
- Web application security concepts (OWASP Top 10, SQL injection, XSS, etc.)
While it may seem daunting, you don't need to be an expert in everything right away. Develop a baseline understanding, go deep on what interests you most, and learn the rest on the job.
In my experience as a full stack developer, deep knowledge of how applications and APIs work behind the scenes was invaluable for securing them. Understanding things like authentication flows, databases, caching layers, message queues, and microservices helps you build a threat model and spot vulnerabilities.
Pursue Education and Experience
There are many paths to gain infosec knowledge and skills, each with their own pros and cons. Let's break each down:
College Degrees
A computer science or cybersecurity degree is still the most traditional path. 35.2% of infosec workers have a bachelor's, 23.2% have a master's, and 3.2% have a doctoral degree.
Pros:
- Structured curriculum covering theory and practice
- Networking with peers and professors
- Access to career fairs, internships, research labs
- Many employers require or strongly prefer degrees
Cons:
- Expensive upfront investment ($30-50k+ for bachelor's)
- Time consuming (2-5 years)
- May lack hands-on experience and current tools/tactics
Certifications
Certifications are a popular alternative or supplement to degrees. In a 2020 Cybrary survey, 69% of organizations believed certifications prepared candidates for a job. Some of the most in-demand entry-level certs:
- CompTIA Security+
- Certified Ethical Hacker (CEH)
- GIAC Security Essentials (GSEC)
- Offensive Security Certified Professional (OSCP)
- Cisco Certified CyberOps Associate
Pros:
- Demonstrate specialized domain knowledge
- Takes less time than a full degree (2-6 months)
- More affordable than degrees ($300-$1500 per cert)
- Many employers pay for certifications
Cons:
- Knowledge can be out of date compared to rapidly evolving threats
- Requires self-study for hands-on experience
- Some certs are viewed as too theoretical vs practical
Bootcamps
Coding bootcamps have recently expanded into cybersecurity. Well-known programs like Programming School, Fullstack Academy, Evolve Security Academy, and SecureSet Academy offer immersive 12-24 week courses.
Pros:
- Practical, hands-on, skills-based curriculum
- Condensed timeframe vs college (3-6 months)
- Lower cost than degree programs ($10-20k)
- Career coaching and hiring partner network
Cons:
- Significant upfront cost and time commitment
- Extremely fast pace and intensive workload
- Varying job placement rates and post-grad support
Self-Study
Perhaps the most flexible but challenging path is self-directed study using free and low-cost online resources.
Pros:
- Maximum flexibility and lowest cost
- Huge array of free learning content available
- Can immediately apply knowledge to hands-on projects
- Demonstrates initiative, drive, and independent learning
Cons:
- Requires intense self-discipline and direction
- Easy to get overwhelmed by the sheer volume of resources
- No formal support system or access to mentors
- Doesn't "prove" knowledge to employers like degrees/certs
Some of the top recommended resources, based on community consensus on Reddit and Quora:
- freeCodeCamp's cybersecurity curriculum (free)
- Professor Messer's Security+ and CySA+ courses (free)
- TryHackMe's 100+ hands-on hacking rooms ($10/mo)
- Hack The Box's CTF and pentesting challenges ($20/mo)
- SANS Cyber Aces and CyberStart Game (free)
- O'Reilly for Teams security learning paths ($49/mo)
The "correct" path is the one that fits your learning style, schedule, budget, and goals. Don‘t let imperfection or lack of resources be a barrier to starting – just start!
Engage with the Infosec Community
Cybersecurity is a small world – everyone seems to know each other. This can be hugely advantageous when seeking to break into the field and find job opportunities.
Start locally by attending conferences, workshops, CTFs, and meetups. Search Meetup, Eventbrite, and local chapter sites for events in your area. Some of the largest associations to check out:
- ISSA – Information Systems Security Association
- OWASP – Open Web Application Security Project
- BSides – grassroots community conferences worldwide
- ISAC – Information Sharing and Analysis Center
When attending events, resist the urge to just passively listen and leave. Introduce yourself, ask questions, share your projects and learning journey. Offer to volunteer for the next event or to help with a group initiative.
The infosec community is extremely welcoming to enthusiastic beginners. Seasoned professionals love sharing knowledge and "giving back" to the community.
For example, I met a security engineer at a BSides conference who later referred me to my first infosec internship. I stayed in touch, helped organize the following year's conference, and continue to collaborate with them to this day.
Globally, Twitter is the platform of choice for infosec. Follow a wide range of practitioners, researchers, and companies to stay up to date on:
- Original research and fresh vulnerabilities
- New tools and open source projects
- Technical blog posts and tutorials
- Infosec conferences and gatherings
- Job openings and career advice
Some must-follow accounts, based on community roundups:
- @briankrebs – investigative cybercrime journalist
- @troyhunt – creator of HaveIBeenPwned and Pluralsight author
- @gossithedog – British security researcher and activist
- @RachelTobac – hacker, CEO of SocialProof Security
- @kevinhipoet – bug bounty pioneer, Intigriti co-founder
- @hacks4pancakes – the "Beyonce of Infosec", educator and pentester
Follow who they follow to branch out your infosec network. Like, share, and reply to interesting tweets. Join in on discussions and share your own learning.
You don't need a huge following. Even a small but engaged network can surface valuable opportunities. I've seen people score jobs from a single Twitter conversation!
Showcase Your Knowledge and Skills
Tangibly demonstrating your knowledge through content and contributions is key, especially if you don't have prior professional experience or education.
Some ideas to build your infosec portfolio:
- Write blog posts detailing projects, sharing tutorials, or exploring concepts
- Share code snippets and tools you've built on GitHub
- Record videos and walkthroughs of things you've learned or hacked
- Give a workshop or talk at a local meetup or conference
- Contribute to open source security tools and frameworks
- Complete and post CTF challenge walkthroughs
Real-world examples speak volumes to employers and the community. Just by starting this article and presenting at a meetup, I got my first freelance pentesting gig!
Polish Your Online Presence
In a 2022 survey by ResumeBuilder, 82% of HR professionals searched for job candidates on social media. This is especially common for cybersecurity roles, given the sensitive nature of the work.
Does your online presence pass the "employer sniff test"? Some quick tips:
- Update your LinkedIn headline and summary to highlight your infosec aspirations and learning
- Add your GitHub, blog, or personal website to your social profiles to feature your projects
- Share your infosec blog posts, talks, and media mentions
- Engage professionally in infosec conversations, offering help and insightful questions
- Don't post anything blatantly controversial or offensive – keep it classy!
Think of social media as an opportunity, not a liability, to proactively shape your professional brand and share your work.
Find and Apply for Opportunities
With community connections and a body of work, you're ready to actively seek infosec jobs. But where to look?
Popular job boards (Dice, Indeed, LinkedIn Jobs, r/cybersecurity jobs) can be a good start to gauge requirements and get some applications under your belt.
However, referrals and networking reign supreme. Circulate that you're actively seeking entry-level roles to your connections. Search LinkedIn for 2nd/3rd degree connections at companies you're interested in. Reach out politely with a message like:
"Hello [name], I'm transitioning into infosec and saw that you work at [company] while researching roles. I really like [specific detail] about the company's security practices. As an aspiring [role], I wondered if you'd be willing to chat about your experience sometime? No worries if not, but I appreciate any insights you can share!"
If you hit it off and impress them, these informal chats can turn into employee referrals – a powerful way to get your foot in the door.
Tailor your resume for each role. Study the job posting for keywords and mirror them. Provide links to your portfolio, GitHub, and social profiles.
Focus on highlighting related skills and projects. No experience? Use personal projects and volunteer work to show practical application of knowledge.
For example, I leveraged my web development experience and linked to a security writeup of my own app to land my first infosec application security role.
Above all, persistence is key. You may face countless rejections before landing your dream role. Keep learning, keep applying, keep gathering feedback. The journey is a marathon, not a sprint.
Keep Growing and Giving Back
There you have it – the essential game plan for breaking into infosec. But the learning doesn't stop once you've landed your first gig.
Continual growth is the hallmark of a successful infosec professional. The threat landscape evolves at a breakneck pace. Today's cutting-edge tactics are tomorrow's old news. You must constantly refresh your knowledge and skills.
Some ideas to keep leveling up:
- Continue building and documenting projects outside of work
- Earn progressively advanced certifications as you specialize
- Attend security conferences to stay on top of emerging research
- Read and listen to infosec news daily (try thecyberwire.com, ISC StormCast, Risky Business podcast)
- Participate in CTF events and hacking challenges
- Mentor others looking to break into the field
Pay it forward by becoming a mentor, volunteering for community initiatives, and sharing your knowledge. The infosec community is a hugely collaborative space – you learn from others, others learn from you.
Never Stop Learning
Cybersecurity is a challenging but immensely rewarding field filled with constant learning, impactful work, and a tight-knit community.
There's no one "right" path in – but there is a wrong path: never starting. Follow the roadmap above and you'll be well on your way to an exciting infosec career.
But remember – there is no finish line in security, only continuous growth and new horizons to conquer.
Stay curious, stay humble, and never stop learning. Keep honing your craft and uplifting others in the community. Step by step, with grit and persistence, you'll achieve your infosec dreams.
Now stop reading and start doing – your first infosec job awaits!