Can you break into the world of cybersecurity without experience? It’s a question that’s been searched countless times according to Google Trends—even peaking in recent years.
Ultimately, it’s doable, at least to a certain extent, according to Tia Hopkins, Field CTO and Chief Cyber Risk Strategist at eSentire. “Yes, you can get into cybersecurity if you have no experience, but not if you stay in a place of no experience. Do things to build your understanding and capabilities continuously—you can’t be a locksmith if you never learn anything about locks.”
ADVERTISEMENT
UNC Kenan-Flagler’s #1-ranked online MBA
STEM-designated. Tar Heel ROI. No compromises. Visit Website
Global cybersecurity non-profit ISC2 says the total gap of cybersecurity professionals is around 4 million. According to Fortune Business Insights, by 2028, the cybersecurity market is forecasted to reach $366.10 billion.
So, if you want to learn how to safeguard digital assets on the offensive or the defensive, the work is out there. But, with layoffs looming, you have to keep learning or “evolving,” as Hopkins puts it—turning your zero experiences into opportunities.
What is cybersecurity?
Cybersecurity is the protection of data, networks, and important information stored online, in servers, and in the cloud from criminals. It can take an offensive stance, too, trying to find hidden vulnerabilities in existing systems and poking holes to avoid shortfalls in networks.
The good guys in this industry, or white hats, are trying to achieve network nirvana—the balance between protection and penetration.
From credit card details to medical records, private information holds immense value when in the wrong hands. That’s why when you’re logging into a device or website, you’re asked to create a strong password or forced to double authenticate.
How to break into cybersecurity with no experience
Fortinet’s 2023 Cybersecurity Skills Gap Global Research Report reveals a compelling trend: 90% of cybersecurity industry leaders prefer to hire those with tech-related certifications, a leap from 81% in 2021. That same number of leaders are also willing to invest in their employees’ cybersecurity certifications.
This means that companies see value in experts, but they’re also willing to hire a good candidate with less knowledge and then train and certify them up to standard as time comes. Here’s how to show potential employers that you’re the teachable even if, right now, you’re in a place of no experience:
1. Understand yourself and the cybersecurity playing field
Start with figuring out what you’re good at, and ask yourself what the world needs and what you can get paid for.
“That’s when you land on your purpose,” Hopkins explains. “Combine all of that to find out the types of roles that you’d even like.” There are a lot of transferable skills that you might not think would help you in the job search. For example:
What you’re good at: “You might even have a knack for breaking things,” says Chris Evans, Chief Hacking Officer and CISO at HackerOne. Cybersecurity leaders might use a trait like your inherent clumsiness, for example, as a reason to hire you.
What the world needs: That’s because of the popular term “penetration testing” or “pen testing” for short. It’s the offensive method of identifying holes and weaknesses in a company’s security network, breaking the system before malicious hackers can.
Pen testing is a form of ethical hacking—a certifiable skill that hiring managers seek in information security and security operations center analysts. According to the U.S. Bureau of Labor Statistics, the information security analyst growth market is expected to expand 32% by 2032.
What you can get paid for: Indeed shows that in the U.S., penetration testers with 1–2 years of experience earn an average of $171,000—this can be the job you migrate to after getting one of the following entry-level ones. With less than a year of experience, information security analysts earn around $75,000 annually, while security operations center (SOC) analysts earn approximately $87,000.
The soft skills cybersecurity employers are looking for
You might already have the soft skills people are looking for. Here are some notable ones:
Communications and emotional intelligence: According to Hopkins, chief information security officers (CISOs) and technical leaders struggle to speak through the lens of the people listening. “If a CISO is talking tech, speaking in bits and bytes, to a CFO listening in dollars and cents, that communication will go nowhere, right? Know your audience and speak the language that needs to be spoken. Then actively listen.”
Curiosity: “For me, it means you’ll keep up with the industry on your own time. You can’t get complacent,” Hopkins says. The ability to speak about the latest technology or newest cyber threats, like artificial intelligence, quantum computing, and blockchain, will help you stand out among other applicants.
Acting like an owner: Evans says he looks for ethical hackers who can be future leaders. “Someone who, when a problem comes up, can charge into it and think of ways forward and new solutions—whether it’s a technical problem or even if it’s their job. I’m looking for someone who doesn’t make excuses.”
Passion: For Hopkins and other higher-ups, passion is the linchpin. She says, “You gotta love it, or you’ll get burnt out quickly.” Active participation in the community is paramount. Hack the Box’s Capture the Flag (CTF) tournaments are great for technical practice and growing online clout. Also, being active on blogs and forums such as 0x00sec and Reddit’s r/blackhat provides valuable networking opportunities, the opportunity to learn and ask questions, and places to make your name more well-known.
The different domains of the cybersecurity landscape
There are a lot of domains and departments inside the cybersecurity sector. But knowing what each sector does will help you narrow down a career trajectory you’d be interested in pursuing. It’s worth noting that some of these domains have overlap.
IT security
Focussing on safeguarding an organization’s info-tech infrastructure, assessing weaknesses, and implementing security measures. Job titles: Security analyst, security engineer, security administrator
Network security
Managing and analyzing firewalls, VPNs, intrusions, and general user traffic along a wired or wireless network. Job titles: Network security engineer, network security analyst
Cloud security
Designing cloud architectures and managing cloud-specific security compliance requirements. Job titles: Cloud security architect, cloud security specialist
ERM (Enterprise Risk Management)
Collaborating with stakeholders to assess and mitigate organizational risks, developing risk-management strategies, and identifying potential issues. Job titles: Risk manager, risk analyst, information risk consultant
User education
Educating and training employees, creating awareness campaigns, and providing safe-computing seminars. Job titles: Security awareness trainer, security awareness specialist
Security operations
Investigating, monitoring, and responding to alerts, threats, and incidents. Job titles: Security awareness trainer, security awareness specialist
Help desks
Forgot your password? This is the team that provides technical support to users. Job titles: Help desk technician, user support specialist
Career development
Deciding which certifications and skills are standard to enter and grow in the industry. Job titles: Skills development advisor, certification manager
Career development
Designing, coding, testing, and making software, hardware, tools, and services better. Job titles: Security software developer, product security engineer
Data governance and regulatory compliance
Handling legalities and establishing policies, overseeing data handling practices, and ensuring companies are following laws. Job titles: Compliance officer, data privacy manager
Digital forensics
Investigating cyber incidents and collecting evidence by recovering deleted files, sometimes even being asked to testify in legal proceedings. Job titles: Digital forensic analyst, incident response specialist
2. Learn the fundamentals of the role you’re interested in
Next, after researching a role that interests you, it’s time to learn how to do the job. Some of the best ways to learn without first-hand, on-the-job experience are to study for and to complete certifications.
Get certified to show employers that you understand the fundamentals
Certifications enhance your job prospects and showcase your dedication to learning. The entry-level ones are particularly valuable for high schoolers and career changers entering new fields. While exploring, remain vendor-agnostic, opting for more general knowledge and commonly accepted certs.
“If you’re chasing a random certification that someone online tells you to get, you’re wasting time,” Hopkins says. “It’s okay to explore and figure out where you want to go. But until you’ve done that, I never recommend anyone go beyond these certs at first.”
Here are the initial certs to consider applying for:
- ISC2 Certified in Cybersecurity (CC): This free, entry-level certification covers the foundational knowledge, skills, and abilities required for any beginner cybersecurity role.
- Certified Ethical Hacker (CEH): This certification from EC-Council costs anywhere from $1,699 to $2,049 depending on test location—it covers white hat hacking and proves that you can think like a hacker and be on the offensive.
- GIAC Penetration Testers (GPEN) Certification: This $1,699 certification covers advanced password attacks, Azure, the fundamental concepts associated with exploitation, and more.
- CompTIA Security+: This $392 certification validates your ability to assess the security of an organization and manage cloud, mobile, and Internet of Things (IoT) environments, as well as demonstrate your knowledge of laws and regulations.
Keep in mind that many of the most prestigious entry-level certifications will waive degrees and work experience requirements. Some of them, like the Certified Ethical Hacker certification from the EC-Council, require you to take one of their training courses.
Differentiate yourself from the competition
If everyone has the same certifications and skills, what separates you from another applicant? Many people face this problem as they look to enter the workforce.
“We’re in a world where we’re just too over-rotated on credentials,” Hopkins says. That’s where volunteer work, bug bounty hunting, and exploring content come into play.
Consider internship or even volunteer opportunities
Both volunteering and interning are great ways to get your questions answered while getting hands-on experience and adding to your network. Companies like ISC2 and the Women Cybersecurity Society offer a range of opportunities, from performing cybersecurity health checks on small businesses to writing blogs.
“Every opportunity to interact is an opportunity,” says Hopkins. “It wasn’t about how much they are going to pay me or how much visibility I am going to get,” for her, it was about getting involved and practicing with real systems, dealing with real clients, and learning the language.
Become a bug bounty hunter
Getting your hands dirty is something Jason Rader, VP and Chief Information Security Officer at Insight Enterprises, recommends, too. “Go to the careers page and look at everything they say they do—not just the security jobs, but the engineering jobs and the developer jobs—because you’ll figure out the systems they use. Then figure out if you know anything about them.”
Afterward, you can try to hack them and find vulnerabilities. Ethical hacking might lead to reporting real issues inside a company’s security network. The practice of discovering a bug or exploit, reporting it to the company, and receiving a reward is commonly known as a “bug bounty.” Many organizations, from Microsoft to Google, have established bug bounty programs to incentivize freelancers to find and report bugs and exploits.
Legally speaking, bug bounty hunters need consent and proper authorization to infiltrate a company’s software defenses, but there’s a lot of money to be made if you stay within the scope of your assigned task.
Watch, listen to, and create content
One of the benefits of social media is the abundance of information on all kinds of subject matter. You can learn much from industry experts after you sift through the good and the bad.
Evans says that if Fortune magically wiped his brain tomorrow, he’d first voraciously consume YouTube content as a fast track to getting his career back. “When I started 25-plus years ago, there was almost nothing [available in terms of online education], and now there is. I’d probably go into a deep rabbit hole of spending months reading everything, watching everything. There’s just so much out there. It’s like Candyland for hackers these days.”
You can dive into your own rabbit hole, learn as much as possible about a subject, and then upload your findings to social media. One quick scroll through apps like TikTok and Instagram, and you’ll find that people who upload useful content are perceived as knowledgable authorities in a subject and typically gain audiences.
3. Show off your work and rise to the top of the resume pile
Now that you’ve learned what role you’re aiming for and how to do it, you need to freshen up your resume and create a portfolio to showcase your knowledge, skills, findings, and newfound certifications. This is the action plan you need to take to get your first cybersecurity job.
Hacking your cybersecurity resume
Step one in resume building is understanding that you’re up against a robot. According to the experts Fortune interviewed, the cybersecurity industry is one of those industries that uses automated resume parsing to sift through candidates. These systems are looking for keywords and phrases in your documents, and if you don’t have them, sadly, you’ll be tossed in the garbage pile.
However, job descriptions tell you exactly what they’re looking for, keywords and all. Rader advises people to use it to beat the bot: copy and paste and ChatGPT. “It takes about two minutes to figure it out. Grab the job description, put it into AI, and design your resume bespoke for that particular job to get the interview.”
According to an experiment conducted by MIT Sloan Ph.D. student Emma Van Inwegen and her co-researchers, job applicants who had algorithmic assistance received 7.8% more job offers and were more likely to be hired in their first month on the platform than the unassisted control group applicants.
Just make sure your resume sounds overly AI-generated. Be sure to provide or add accurate information about your past experiences to avoid getting caught in a lie during interviews with potential employers or hiring managers.
Setting up your portfolio
When garnering attention from hiring managers, your online portfolio takes center stage. If you don’t have an elaborate web presence, a simple website or online profile showcasing your code snippets, reports, case studies, and presentations will suffice.
Or, even easier, ensure your GitHub and LinkedIn accounts are up-to-date and well-organized. A hiring manager should be able to grasp your professional identity at a glance. Highlight your certifications, competition victories, blog contributions, relevant internships, and volunteer work.
Being active on these sites, posting about your work, and commenting on other people’s posts are good ways to get the algorithm to notice you, thus placing your profile in the hands of potential employers.
Rinse and repeat until you’re hired
After you create your resume and portfolio, it’s time to apply and interview until you get hired. According to a report from Lehigh University, it generally takes between 100 and 200 applications to land a job. Remember, you’re starting from scratch. So, be realistic, look for entry-level positions, and reach out to your network for leads—keep applying and learning.
“You can’t necessarily expect to have success overnight,” Evans says. “All of the best hackers I’ve seen had tenacity, and they worked hard at the beginning. They read a lot of free resources. If, at first, you don’t succeed, try, try again, and success will come.”
