Breaking Into Infosec (update 2025)

I’ll share a few thoughts I’ve picked up over the years on breaking into information security. My goal is to help those working their way into infosec, whether you are starting out or making a mid-life career change. I encourage you to share your experience with others and help them follow you. I’ll keep this article updated with new info as I learn it.

Update 2025: Not much has changed since the original post in 2021. I’ve re-written some areas for clarity and added some resources at the bottom of this article.

Be a Lifelong Learner

If you only take away one thing from this: be a lifelong learner.

Security changes rapidly and constantly. Every day brings a new attack, a new defense, a new way to accomplish something, a new way to look at a problem, or a new solution to that problem.

I’ve struggled with this personally. We choose a career that requires constant effort over one that seems easier in the long run and doesn’t feel like such a rat race. There’s no end to security, and it isn’t a 9-to-5 job. There is no stopping point where we put down our tools and declare everything secure. For most of us, this isn’t a shortcoming, but it takes a certain personality and mindset to thrive in this environment. Someone who is curious about the world, how things work, and how they break is a good fit for infosec. It takes someone who really loves to dig into things and doesn’t sweat working overtime.

“If you’re standing still, you’re falling behind”

-Mark Twain

The Chicken and Egg problem

One of the most challenging and infuriating roadblocks to breaking into infosec is that employers want experienced candidates, yet it’s nearly impossible to gain such hands-on experience without being employed in the field. This leaves many job openings and not enough skilled people to fill them. This chicken-and-egg problem led to the “skills gap” we have now. On the positive side, unemployment in the field is effectively zero and average salaries are relatively high. On the negative side, some infosec pros are burned out because we’re doing the work of multiple people and can’t get ahead of the demand.

Some employment “gatekeepers” want candidates with certain certifications, and they won’t budge. Take, for example, the CISSP certification. It requires five years of paid work experience (four with a qualifying degree or approved credential), and yet some entry-level security roles list it in job openings. Thankfully, this specific situation is slowly improving. Some employers, the ones I suggest looking for, are less rigid on technical requirements and look at how well-rounded a candidate is along with their potential for growth.

There are many ways to handle the skills gap:

  • Most importantly, seek out knowledge (lifelong learner)
  • Demonstrate that you’re a “go-getter” and don’t wait for someone to tell you what you should learn, because employers usually don’t offer a complete training program. They may not know exactly what they need. On the bright side, there is so much knowledge out there, and much of it is accessible to anyone.
  • Take on new or different responsibilities at your current job. Create opportunities that put you in the right place at the right time.
  • Get good at finding creative ways to solve problems with limited resources, because that is what you will often do in daily infosec work.

Soft Skills

The technologies you learn today will be relevant for a few years, then you need to learn something new. The soft skills you learn will last a lifetime. Throughout your career, don’t lose focus on personality, trainability, and team fit. Anyone can be trained in technical skills, but you can’t train a good attitude.

Soft skills are crucial for infosec because you’ll do these things every day:

  • Communicate complex topics to people with diverse backgrounds, skills, and knowledge levels
  • Run effective meetings (virtual and in-person)
  • Build partnerships and trust when security seems to be the last thing on anyone’s mind
  • Solve difficult problems by helping find a way to “yes” rather than being the department of “no”
  • Write impactful reports and emails that move people to act, phishing emails that entice people to click, and blog posts like this one that inform
  • Learn emotional intelligence to “read the room” and connect with others
  • Learn to empathize with others to build trust and respect
  • Expect that problems will need grit and tenacity to solve; this starts with the grueling hiring process and, often, the non-existent training programs in many organizations
  • Develop the will to take massive action

Hard Skills

Everyone’s path into security is different, yet there are patterns. Most security professionals I work with have an IT or network background; a few have legal or business backgrounds. The security field is incredibly broad, there is a lot to do, and most of it doesn’t involve wearing a hoodie in a dark room.

I feel my past experience in networking and general computer knowledge helped me immensely as a penetration tester. Someone with experience in systems administration, Linux, or Windows, especially Windows Active Directory, is a great fit in security. A web application developer has a good path into security, considering everything they need to know to build secure web applications.

Knowing how to build systems helps you break them. Knowing how to break systems helps you explain how to make them more resilient.

Someone with a legal background can thrive in many areas of security as this work is closely tied with legal and regulatory matters, contracts, insurance, compliance, and risk-management. Those with business management or project management skills can naturally pivot into these roles after learning security basics. My point is that someone doesn’t have to be a technologist to be successful in the security field.

Plan Ahead

Where do you see yourself in five years? It isn’t necessary to plan your entire career in detail, but it is a great idea to plan your next one or two moves. Things change rapidly, and planning beyond three years is nearly impossible, so I suggest thinking in a one- to three-year outlook.

A highly recommended book, Smartcuts, makes a point about riding waves. It translates to studying the landscape, anticipating the next big wave, and positioning yourself in the right place at the right time to ride it.

Networking

The security field is full of genuinely great people willing to share their time and knowledge. Many dread the idea of “networking,” schmoozing, rubbing elbows, or whatever you want to call it. Think of it as building relationships, getting to know people, and sharing experiences. Some people you meet will become lifelong friends.

Security people tend to be open to sharing their knowledge, experiences, and stories because the high demand has created a situation where few are concerned about downsizing and layoffs, so there is little benefit to keeping knowledge closed. If you’re trying to break into security, there are individuals and groups everywhere willing to mentor and advise.

As an introvert, I was hesitant to attend noisy and crowded networking events to small talk with people I didn’t know. In reality, many IT and security professionals are predominantly introverts. If you are, then you’ve come to the right place!

Learn about the various security-related local groups and conferences. While COVID made it more difficult to meet in person, most gatherings have returned to “normal,” in-person or hybrid. Be sure to check out Security BSides, 2600 groups, ISSA chapters, and DEF CON Groups. These are either free or very low-cost and accept newcomers with open arms. Get involved by volunteering at a local BSides conference. You’re guaranteed to meet genuinely great people.

Imposter syndrome

Imposter syndrome is that feeling, when you’re among some of the most highly accomplished, experienced, and knowledgeable people, that they will discover you’re a fraud and don’t belong. Fight this feeling. We all feel it from time to time, but it is nonsense! We all start somewhere, and not even the superstar elites of any field know everything.

Do be genuine. Humbly admit when you don’t know something – and have a willingness to learn and give back when you can. The security field is a tight-knit community and your reputation is everything, so protect it.

Going for it

Some job seekers apply only to jobs where they meet most or all the requirements. If you do this, you’re aiming low and selling yourself short. You are essentially overqualified for the role the moment you start. I suggest aiming above your current level. Rather than knowing everything for the job, be the applicant who is most willing to learn and work hard. Show that you have that fire under you.

Present yourself honestly. All of us lack some skills, show you are willing to learn and grow into the role. Position yourself as a refreshing alternative to someone with decades of experience – who may be deeply set in their ways, with a negative attitude, or poor work ethic. Someone with fire and tenacity is exactly what an employer may be looking for. You don’t have to be the ideal candidate fulfilling all of the job requirements; you just have to be better than the other candidates.

When you step out of your comfort zone with good intent, it leads to growth.

Sources of knowledge

Security certification books, videos, or training such as CISSP and Security+ contain valuable knowledge even if you don’t plan to pursue the certification. My number one recommendation: read a CISSP study guide. The CISSP is very broad and well rounded and helps any security professional understand the field and their place in it.

There are a huge number of security-related podcasts. There are Twitter/X, Bluesky, and LinkedIn security-related topics and blogs for news and current events. YouTube has hundreds of hours of recorded conference talks and tutorials; it is a great way to catch up on conferences. Various subscription training like Cybrary, INE, Pluralsight, Stackskills, Udemy, and countless others provide in-depth security as well as broad IT-related topics to fill gaps in your knowledge.

The field is very hands-on, and we have many safe and legal environments to practice skills. This is a golden age of plentiful computing power, storage, and how-to guides on building home or cloud-based labs. You can build virtual networks, scan them for vulnerabilities, exploit those vulnerabilities, fix them, and learn to read logs to see how attackers’ actions are detected. A few hands-on platforms include Hack The Box, TryHackMe, and VulnHub.
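The last step in that lab loop, reading logs to see how an attacker’s actions show up, is worth practicing with real tooling. The following is an added example, not code from the original article: a small detector that parses Linux sshd authentication lines in traditional syslog format, flags a source IP that racks up repeated password failures inside a short window (the signature of a brute-force or password-spray attempt), and notes whether a successful login followed the burst. The log lines are constructed for the example; the threshold, window, and the year assumed for timestamps are arbitrary choices.

```python
"""Brute-force detection over sshd log lines (added example, not the article's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; traditional syslog format carries no year,
# so the parser assumes one (2025 here).
SAMPLE_LOG = """\
Mar  3 10:14:01 lab-web sshd[2211]: Failed password for invalid user admin from 10.0.0.50 port 51522 ssh2
Mar  3 10:14:02 lab-web sshd[2211]: Failed password for invalid user admin from 10.0.0.50 port 51523 ssh2
Mar  3 10:14:02 lab-web sshd[2213]: Failed password for root from 10.0.0.50 port 51524 ssh2
Mar  3 10:14:03 lab-web sshd[2215]: Failed password for root from 10.0.0.50 port 51525 ssh2
Mar  3 10:14:03 lab-web sshd[2217]: Failed password for root from 10.0.0.50 port 51526 ssh2
Mar  3 10:14:04 lab-web sshd[2219]: Accepted password for root from 10.0.0.50 port 51527 ssh2
Mar  3 10:20:11 lab-web sshd[2301]: Failed password for alice from 10.0.0.7 port 40011 ssh2
Mar  3 10:20:30 lab-web sshd[2303]: Accepted password for alice from 10.0.0.7 port 40012 ssh2
Mar  3 11:02:09 lab-web sshd[2410]: Accepted publickey for deploy from 10.0.0.9 port 39000 ssh2
"""

# Matches both "Failed password for invalid user X" and "Failed/Accepted password for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line, year=2025):
    """Return a dict for an sshd auth event, or None for lines we don't care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold failed logins inside a sliding
    window, then mark the alert as 'compromised' if a later login from that
    IP succeeds (failures followed by success is the case worth paging on)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    alerts = {}                    # ip -> alert dict (one alert per IP)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip].append(ev["ts"])
            # Keep only failures inside the window ending at this event.
            failures[ip] = [t for t in failures[ip]
                            if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(failures[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "count": len(failures[ip]),
                              "first_seen": failures[ip][0], "compromised": False,
                              "user": None}
        elif ip in alerts:
            alerts[ip]["compromised"] = True
            alerts[ip]["user"] = ev["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        status = "SUCCESSFUL LOGIN AFTER BURST" if alert["compromised"] else "failures only"
        print(f"{alert['ip']}: {alert['count']} failures from {alert['first_seen']} ({status}, user={alert['user']})")
```

Run it against the constructed lines and 10.0.0.50 is flagged after its fifth failure and then marked compromised when root logs in one second later, while alice’s single typo from 10.0.0.7 stays quiet. In a lab, generate the same pattern yourself with a password-guessing tool against a throwaway VM, then point this script at the VM’s auth log to see exactly what the blue team sees.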

Books:

48 Laws of Power
Art of Deception
A Burglar’s Guide to the City
Countdown to Zero Day
Crime Dot Com
Cyber Privacy: Who Has Your Data and Why You Should Care
Cybersecurity Career Master Plan
Cybersecurity First Principles: A Reboot of Strategy and Tactics
Data And Goliath
Emotional Intelligence 2.0
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are
Extreme Ownership: How U.S. Navy SEALs Lead and Win
FAIK: A Practical Guide to Living in a World of Deepfakes, Disinformation, and AI-Generated Deceptions
Fancy Bear Goes Phishing: The Dark History of the Information Age in Five Extraordinary Hacks
Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet
Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous
Hackers: Heroes of the Computer Revolution
Hacking the Hacker: Learn From the Experts Who Take Down Hackers
How the Internet Happened
How to Lead When You’re Not in Charge
How to Win Friends & Influence People
Human Hacking: Win Friends, Influence People, and Leave Them Better Off for Having Met You
If It’s Smart, It’s Vulnerable
Inside the Criminal Mind
Liespotting: Proven Techniques to Detect Deception
McMafia
Messing with the Enemy: Surviving in a Social Media World of Hackers, Terrorists, Russians, and Fake News
Navigating the Cybersecurity Career Path
Overcoming Imposter Syndrome
Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails
Phishing for Phools: The Economics of Manipulation and Deception
Psychology of Information Security
Physical Red Team Operations: Physical Penetration Testing with the REDTEAMOPSEC Methodology
Range: Why Generalists Triumph in a Specialized World
Red Team: How to Succeed by Thinking Like the Enemy
Sandworm
Scary Smart: The Future of Artificial Intelligence
Schneier on Security
Social Engineering: Science of Human Hacking
Social Engineering: The Art of Human Hacking
Social Engineer’s Playbook
Soft Skills: The Software Developer’s Life Manual
Spam Nation: The Inside Story of Organized Cybercrime – from Global Epidemic to Your Front Door
Start With Why
Steve Jobs (Biography)
Team of Teams: New Rules of Engagement for a Complex World
The 7 Habits of Highly Effective People
The Age of Surveillance Capitalism
The Art of Invisibility
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
The Dark Net: Inside the Digital Underworld
The Dichotomy of Leadership
The Five Dysfunctions of a Team: A Leadership Fable
The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics
The Security Consultant’s Handbook
This Is How They Tell Me the World Ends: The Cyberweapons Arms Race
Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency
Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World (standard, Red Team, and Blue Team)
Unmasking the Social Engineer: The Human Element of Security
When Gadgets Betray Us: The Dark Side of Our Infatuation With New Technologies

Podcasts

Covert Access Team Podcast
Cyber Security Headlines**
Cybersecurity Mentors Podcast
Darknet Diaries
Defensive Security Podcast
Down the Security Rabbithole
Hacker Valley Studio
Hacking Humans
Malicious Life
NeedleStack
Paul’s Security Weekly
Risky Business
SANS Internet Stormcenter Daily**
Secure AF
Security Noise
Security Now**
Smashing Security
The FAIK Files
The Industrial Security Podcast
The Social-Engineering Podcast

**If you listen to anything, listen to these marked

News Sources

Following current news is something a cybersecurity professional does. We have to because there is constant change in the field. I suggest using the Feedly app (Android and iOS). It aggregates RSS feeds into one place. The following is a starting list of resources in Feedly:

Orange Cyberdefense
0patch blog
AlienVault Security Essentials blog
Veracode Application Security Research, News, and Education
Black Hills Information Security blog
BleepingComputer
Tripwire blog
Cisco Talos blog
Cloud Security Alliance
Covert Access Team
Cyber Security Sauna
Cybercrime Magazine
CyberScoop
Cyberwarzone
Darknet (darknet.org.uk)
Darkreading
Electronic Frontier Foundation
EPIC – Electronic Privacy Information Center
Exploit Database
GBHackers Security
Group-IB blog
Hacking Articles (hackingarticles.in)
Have I Been Pwned latest breaches
Help Net Security
Hexacorn
HITBSecNews
Human Risk Management Blog
Infosecurity
Invicti blog
IT Support Guru
KitPloit
Krebs On Security
Latest Hacking News
Living Security blog
Malwarebytes
Naked Security
Network World Security
OccamSec
OffSec
Optiv blog
Packet Storm Security
Packt SecPro
Pen Test Partners
Pentestmag
PortSwigger blog
r/cybersecurity
r/InfoSecNews
r/netsec
Rapid7 Cybersecurity blog
Red Siege Information Security
Schneier on Security
Securelist
security | TechCrunch
Security Affairs
Security Archives – TechRepublic
Security Intelligence
Security Latest
Security Through Education
Security Tool Files (Packet Storm)
SecurityWeek
SpecterOps
Talkback Resources
Tenable blog
The CyberWire
The Hacker News
The Last Watchdog
The Register security blog
The Soft Side of Cyber
tl;dr sec
Trend Micro Research
TrustedSec
Web Security Blog
WonderHowTo
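The news section above recommends an RSS reader because nearly every source in that list publishes an RSS or Atom feed. As an added example, not code from the original article or from Feedly, the script below does the core of what such a reader does: parse RSS 2.0 and Atom feeds, normalize each entry to a title, link, timestamp and source, drop items that appear in more than one feed, and sort newest first. The two feeds are constructed inline so the script runs offline; swapping `FEEDS` for `urllib.request.urlopen(url).read()` calls turns it into a working aggregator for the list above.

```python
"""Minimal RSS/Atom aggregator (added example, not the article's or Feedly's code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Constructed sample feeds; the titles, links and dates are invented.
RSS_FEED = """<rss version="2.0"><channel><title>Example Security Blog</title>
<item><title>Patch Tuesday roundup</title><link>https://blog.example/patch-tuesday</link>
<pubDate>Tue, 11 Mar 2025 14:00:00 +0000</pubDate></item>
<item><title>Reading sshd logs</title><link>https://blog.example/sshd-logs</link>
<pubDate>Mon, 10 Mar 2025 09:30:00 +0000</pubDate></item>
</channel></rss>"""

ATOM_FEED = """<feed xmlns="http://www.w3.org/2005/Atom"><title>Example Advisories</title>
<entry><title>Advisory 2025-03</title><link href="https://advisories.example/2025-03"/>
<updated>2025-03-12T08:15:00Z</updated></entry>
<entry><title>Patch Tuesday roundup</title><link href="https://blog.example/patch-tuesday"/>
<updated>2025-03-11T14:00:00Z</updated></entry>
</feed>"""

# source name -> feed XML (in a real run, the bytes fetched from each URL)
FEEDS = {"blog": RSS_FEED, "advisories": ATOM_FEED}


def parse_feed(xml_text, source):
    """Return a list of normalized entries from an RSS 2.0 or Atom document."""
    root = ET.fromstring(xml_text)
    entries = []
    if root.tag == "rss":
        for item in root.find("channel").findall("item"):
            pub = item.findtext("pubDate")
            entries.append({
                "title": item.findtext("title", "").strip(),
                "link": item.findtext("link", "").strip(),
                "published": parsedate_to_datetime(pub) if pub else None,  # RFC 2822 date
                "source": source,
            })
    elif root.tag == ATOM_NS + "feed":
        for entry in root.findall(ATOM_NS + "entry"):
            link_el = entry.find(ATOM_NS + "link")
            upd = entry.findtext(ATOM_NS + "updated")
            entries.append({
                "title": entry.findtext(ATOM_NS + "title", "").strip(),
                "link": link_el.get("href", "") if link_el is not None else "",
                "published": datetime.fromisoformat(upd.replace("Z", "+00:00")) if upd else None,
                "source": source,
            })
    else:
        raise ValueError(f"unsupported feed root element: {root.tag}")
    return entries


def aggregate(feeds):
    """Merge several feeds, de-duplicate by link (falling back to title), newest first."""
    seen, merged = set(), []
    for source, xml_text in feeds.items():
        for entry in parse_feed(xml_text, source):
            key = entry["link"] or entry["title"]
            if key in seen:
                continue        # same story syndicated by a second feed
            seen.add(key)
            merged.append(entry)
    epoch = datetime.min.replace(tzinfo=timezone.utc)  # undated items sink to the bottom
    merged.sort(key=lambda e: e["published"] or epoch, reverse=True)
    return merged


if __name__ == "__main__":
    for e in aggregate(FEEDS):
        stamp = e["published"].strftime("%Y-%m-%d %H:%M") if e["published"] else "undated"
        print(f"{stamp}  [{e['source']}] {e['title']}  {e['link']}")
```

Two practitioner notes: feed XML is untrusted input, so a production version should parse with the `defusedxml` package rather than `xml.etree` directly, and de-duplicating by link is what keeps a story that several vendor blogs syndicate from appearing three times in your morning read.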