Answering THE Question: How do I get into cybersecurity?

It’s a question raised time and time again. I attended a talk recently hosted by the BCS, and one of the younger audience members asked it. It is a perfectly reasonable question, yet one that I find myself prickling against - perhaps because, after two decades in the field and now managing the team at AnchorSec, my own vantage point is far removed from that of someone trying to enter the industry for the first time. It is easy to forget the uncertainty and frustration that accompany the early stages of a career in cybersecurity.

In truth, the underlying challenge is not unique to cybersecurity. Any profession that is in vogue, highly competitive, or perceived as highly skilled tends to generate the same anxieties and the search for a clear entry path. Cybersecurity simply happens to be a marked, contemporary example of this broader trend. 

The Debate Around ‘Entry-Level’ Cybersecurity Roles 

A common narrative suggests that it’s nigh on impossible to enter the cybersecurity industry as an entry-level candidate. In my experience, this is not strictly accurate, and while there is competition for entry-level roles, many of the capable professionals I have worked with entered the field from non-technical or unrelated backgrounds. Some came from service-industry roles; others were students with no prior industry experience. Likewise, my own first professional role was in cybersecurity - in at the deep end as a junior pentester. Admittedly, this perspective reflects a UK-centric experience and a period when the industry was somewhat less saturated, but the principle remains: aptitude and commitment can outweigh traditional prerequisites. 

The Real Issue: Competition and Differentiation

So, entry-level roles do exist. The challenge is how to differentiate yourself given the sheer competitiveness of the field. Cybersecurity is widely perceived as well compensated (at least in the long term), intellectually stimulating, and ‘cool’. Job postings routinely attract over a hundred applicants. In such an environment, candidates must find ways to differentiate themselves meaningfully. 

This is where many aspiring professionals falter. Their interest is often passive rather than active. They seek a single certification, course, or shortcut that will ‘unlock’ a job. They want a curated, linear path - something that minimises uncertainty and maximises efficiency. But this mindset is fundamentally misaligned with the nature of the profession. 

The Importance of Self-Directed Learning

Cybersecurity is a fast-moving domain. Success requires the ability to learn continuously, process large volumes of information, and adapt to new technologies and threats. The most valuable skill is not mastery of a specific tool or framework, but the ability to learn independently and effectively. 

Relying too heavily on curated content undermines this. Certainly, courses have their place, and sometimes people need guidance on where to start, but when everything is pre-packaged, the individual never develops the ability to sift through information, evaluate sources, experiment, or build understanding from first principles. These are the very skills that compound over time, building true proficiency rather than superficial awareness, and distinguishing an expert from a practitioner. 

There is no shortage of resources: books, virtual machines, lab environments, open-source tools, operating systems, and community-driven projects. Nothing prevents an aspiring professional from experimenting, building, breaking, tinkering, and learning. Yet very few do this consistently or with genuine intent. 

So, How Does One Enter Cybersecurity?

The answer is straightforward, though not necessarily easy: 

  • Read…extensively.

  • Do things. Explore, experiment, practice.

Applications alone achieve nothing without the underlying knowledge, curiosity, and determination required to perform the role, even at junior level. As an employer, I would always favour a driven junior candidate who has spent time reading, building labs, writing proof-of-concepts, and demonstrating genuine engagement with the field over someone who has completed a single certification and spent a few hours on Hack The Box. 

In my experience, a candidate who genuinely wants to excel, who is curious, enthusiastic, and already as knowledgeable as they can be without having done the job day to day, will win over a lot of hiring managers and recruiters. Not because they’ve memorised buzzwords, but because that attitude is the best predictor that they’ll keep learning once they’re in the seat. 

The reality is that the knowledge required to become a compelling candidate is more accessible than ever. The barrier is rarely access - it is effort. 

Many people will claim they are interested in the field and speak confidently about that interest, but far fewer have taken meaningful steps to demonstrate it. 

What Should I Do Right Now?

The following guidance is framed specifically around penetration testing, though the same principles apply across cybersecurity disciplines with only minor adjustments in emphasis. 

There is no stronger starting point than extensive reading. Begin by building a solid general understanding of offensive cybersecurity through core texts such as the following: 

  • The Web Application Hacker’s Handbook

  • Hacking Exposed: Network Security Secrets and Solutions 

  • Gray Hat Hacking

There are, of course, many other books that offer valuable insight into particular specialisms, including The Shellcoder’s Handbook and Reverse Engineering. However, working through the first three will provide a strong foundation and a clearer sense of the paths available thereafter. 

While reading is essential, practical experimentation is equally important. Downloading applications such as Damn Vulnerable Web Application and working through some of the vulnerabilities described in The Web Application Hacker’s Handbook can be particularly useful. Infrastructure-focused practice can be approached in a similar way, although it is generally more complex. Whatever your focus, there is a wide range of intentionally vulnerable systems designed to be set up and deployed on local networks for hands-on learning. 

Additionally, the process of building and maintaining a personal lab environment is highly valuable in its own right. 

Of course, independent reading and experimenting can be usefully supplemented by more structured learning platforms such as Hack The Box and TryHackMe. These platforms, along with formal training courses, certainly have their place. However, the key to becoming truly effective in cybersecurity lies in learning how to learn, persevering through difficulty, and cultivating a sharp mind that can critically adapt to new information. In practice, these skills are the foundation for meaningful contributions to the cybersecurity community. 
