Want to work in cybersecurity but have no experience? 5 things you can do to gain experience and get your foot in the door
The demand for cybersecurity experts is booming. However, many entry-level cybersecurity jobs require experience. How can you gain experience for a role that demands it as a prerequisite?
Don't worry about this paradox. Every seasoned cybersecurity veteran was once in your shoes, and there are proactive steps you can take right now to overcome this experience barrier.
This guide provides a practical roadmap with five proven methods to help you get real-world cybersecurity experience. From leveraging online labs and ranges to engaging in CTF challenges, creating passion projects, volunteering your skills and networking, you'll discover many ways to showcase your abilities.
Get clear on your goals
Before gaining hands-on experience to help you land a job, you must first understand what kind of a career you want — at least to start — and what skills you may already have.
Understand different roles in cybersecurity
While generally considered a technical field, there are opportunities for people with all interests and backgrounds. You can broadly divide cybersecurity into these types of roles:
- Technical: Work directly with systems, networks and software to protect against cyber threats.
- Managerial: Oversee cybersecurity initiatives within an organization.
- Compliance: Focus on ensuring an organization meets the legal and regulatory requirements for data protection and privacy.
Many people don’t fully understand the range of cybersecurity career options available. That’s where on-demand training libraries like Infosec Skills can be especially valuable, explained Keatron Evans, Infosec VP Portfolio and Product Strategy and instructor, in a recent webcast. They allow you to try several different courses and hands-on labs to get a taste of the different paths available.
"What you're gravitating to, whether it's the more technical stuff or the more policy stuff, is what will guide you to the right path," said Evans.
Feeling paralyzed by indecision is a common hurdle many aspiring cybersecurity professionals face.
"We can overanalyze to the point that we are inactive," Evans explains. "Don't be afraid to pick something wrong." Don't wait to find the "perfect" role before taking action. The best way to discover what truly resonates with you is to dive in and start exploring.
Evaluate your transferable skills
You might be surprised at how your existing skills and experience can translate into the world of cybersecurity. If you have a background in project management, honed your analytical skills in a research role or possess excellent written and verbal communication abilities, there's a place for you.
Penetration testers leverage analytical thinking to identify vulnerabilities in systems, while software developers often have strong coding backgrounds. Both security auditors and forensics professionals excel at meticulous attention to detail, a skill you can gain in many professions.
How to build practical experience
Now, we'll look at some actionable methods to empower you with real-world skills and tangible accomplishments to showcase your capabilities and build experience.
1. Use labs and online education cyber ranges
Numerous online platforms offer cyber ranges, which are simulated environments where you can practice your skills in a safe place. Here, you can:
- Apply your knowledge to defend simulated systems from cyber threats
- Learn how to ethically hack systems to identify vulnerabilities
- Build software that is resistant to common exploits
As Keatron Evans mentioned above, Infosec Skills cyber ranges are one example of such a platform, offering a variety of hands-on labs to develop practical cybersecurity skills.
You can also set up a home lab instead of using a paid service. This allows you to experiment, test tools and build your own simulated environments. Here's some advice on how to get started:
- Hardware: Invest in a computer (a used one can work) and consider using a virtual machine manager like VMware or Proxmox to create isolated testing environments.
- Software: Free and open-source security tools are available for various tasks. Explore options for firewalls, intrusion detection systems and operating systems.
- Templates: Create templates of pre-configured virtual machines to save time and avoid repetitive installations.
- Practice: Experiment with different security tools and scenarios. Simulate attacks, test defenses and get comfortable in this controlled environment.
Getting digital forensics experience at home
A digital forensics lab is one example you could build. Amber Schroader, founder and CEO of Paraben, has these tips for creating a digital forensic home lab:
- Have a computer dedicated solely to forensic analysis
- A repurposed microwave makes a great Faraday cage
- Disconnect your internet connection when actively examining evidence for optimal security
"The biggest thing [with digital forensics] is maintaining that chain of custody," Schroader says. She added that it's crucial to follow procedure because "even though a device is powered off, you never know what's going to happen."
2. Engage in capture the flags
Think of capture the flags (CTFs) as gamified labs where you put your cybersecurity skills to the test in a fun and competitive environment. There are many free and paid CTF options available, with VulnHub being a popular free platform that offers a variety of challenges.
In a CTF, teams or individuals race to solve a series of cybersecurity challenges that might involve:
- Exploiting vulnerabilities in software or systems
- Recovering hidden flags within the challenges
- Thinking creatively to overcome obstacles
You can find CTFs at various difficulty levels and participate individually or join a team to collaborate with other cybersecurity enthusiasts. Here are some tips to make the most of your CTF experience:
- Read the rules carefully and follow them
- Take notes to document your thought process and solutions
- Don't be afraid to search the web because CTFs are all about leveraging available resources
- Learn new programming languages to expand your toolkit
- Do a post-mortem after each CTF to analyze your performance and identify where you can improve
Building skills through CTFs
"Even though a million people have solved the challenge, no one's going to solve the challenge like you," explains Infosec Skills author Jasmine Jackson about the benefits of CTFs. "You just learn a lot — and you can take it back to your job."
Jasmine emphasizes that CTFs allow you to develop creative solutions and build practical skills directly applicable to real-world cybersecurity scenarios. They're a valuable addition to your cybersecurity skill set and can be a great talking point during interviews.
3. Create or contribute to projects
Brainstorming cybersecurity solutions and building projects in your free time are valuable learning experiences. Don't be discouraged if something similar already exists. The process of creating it yourself, whether it's a security tool or a write-up on a specific vulnerability, helps solidify your understanding of cybersecurity.
Also, countless open-source cybersecurity projects need your help. Contributing to these projects lets you learn from experienced developers, gain exposure to real-world codebases and build your reputation within the cybersecurity community.
Here are some tips to help you find the perfect project, whether you're going it alone or working with others in open source:
- Identify your interests: What specific areas of cybersecurity spark your curiosity?
- Explore GitHub: GitHub is a popular platform that hosts a vast number of open-source projects. Search for projects that align with your interests and skill level and see if they are looking for contributors, or use what you find as a starting point for your own project.
- Start small: To build your confidence, begin with smaller contributions to open-source projects like documentation, or create your own small projects that you can add to as you learn.
Showcase your work on GitHub
"GitHub is a central rallying point for the world's open-source developers to come together," says Jacob DePriest, the VP Deputy Chief Security Officer at GitHub. "It allows you to showcase your work and collaborate with others."
Learning how to use GitHub is a great way to step into the world of software development. You can't ignore it, especially if you're new to coding, explains DePriest in a Cyber Work Hacks episode on the fundamentals of GitHub.
4. Volunteer for work
Building practical cybersecurity experience doesn't always require a formal job title. Volunteering your skills for cybersecurity-related initiatives offers a unique opportunity to gain valuable hands-on experience while giving back to the community.
Many organizations don't have the resources to invest in cybersecurity, so they may be open to volunteer work. It can even be a small project, like making sure they have multi-factor authentication enabled on their accounts and educating them on best practices. Then, as you get familiar with them, you can look for other security-related projects to help them — and your resume.
Volunteering can help you:
- Build practical skills: You'll get to apply your knowledge to practical scenarios, learn new tools and techniques and solidify your understanding of cybersecurity concepts.
- Develop communication skills: You'll learn to explain complex cybersecurity concepts clearly and concisely, a valuable asset in any career path.
- Expand your network: You can build relationships with mentors, potential employers and fellow enthusiasts, opening doors to future opportunities.
"If there's a social cause that you care about or a social group you're part of, odds are there's a cybersecurity concern right there," explains John Bambenek of Netenrich and Bambenek Consulting. Examples of where you can help include:
- Schools and libraries: Help them implement strong cybersecurity practices and educate students and staff about online safety.
- Non-profits: Look for non-profit organizations, such as food banks and animal shelters, that may need assistance securing their digital infrastructure.
- Community outreach programs: Many government agencies and cybersecurity firms run outreach programs to help underserved communities stay safe online.
5. Implement networking strategies
Building your network in cybersecurity isn't about collecting business cards. It's about forming genuine connections with people who share your passion for the field. Here's how to strategically network and make those connections:
- Shift your mindset: Focus on what you can learn and offer to others instead of just what you can get.
- Craft your introduction: Develop a concise introduction highlighting your skills and interests.
- Be generous: Look for opportunities to connect with people in your network and offer resources that might be helpful.
- Join a community: Actively participate in cybersecurity events and professional organizations. Here are a few ideas:
  - Women in Cybersecurity (WiCyS): A global community for women and allies in cybersecurity.
  - VetsinTech (VIT): Focuses on helping veterans transition their skills to cybersecurity careers and offers a network of professionals in the field.
  - Information Systems Audit and Control Association (ISACA): A broad cybersecurity organization that offers certification, training and resources.
  - Information Systems Security Association (ISSA): A non-profit that offers local chapters and provides education, networking and career development resources.
How WiCyS builds a community
"We unite communities of aspiring and thriving women in cybersecurity to collaborate and share our knowledge, our network, as well as mentorship," explains Dara Gibson of Optiv. "We create opportunities through professional development programs, conferences, webinars and career fairs. And sometimes it's just wine conversations and networking."
Obtain certifications with "hands-on" experience
In addition to the five methods above, certifications also play an important role by adding credibility to your resume and providing a structured path to complement your hands-on experience.
Traditional certifications provide foundational knowledge, but some go the extra mile by incorporating hands-on elements. These can be a great way to demonstrate your ability to apply what you've learned in a practical setting. Examples include:
- CompTIA: Many CompTIA certifications incorporate performance-based questions (PBQs) into their exams. They simulate real-world scenarios, requiring you to troubleshoot problems, configure settings and analyze data.
- Offensive Security: This vendor offers certifications like the OSCP (OffSec Certified Professional), an advanced certification that includes a practical exam. Here, you have 24 hours to demonstrate your penetration testing skills in a hands-on environment, mimicking real-world attacks.
More advanced certifications may require you to validate years of real-world experience before you can get certified.
Understanding performance-based questions
To illustrate CompTIA's approach, let's explore their PBQs for the Security+ certification. These PBQs are designed to evaluate your ability to execute security tasks and think critically in practical situations.
CompTIA categorizes PBQs into three types:
- Scenario-based questions: You'll be presented with a cybersecurity problem and asked how you'd fix it.
- Simulation questions: These will put you in a simulated environment with cybersecurity tools, like firewalls, and ask you questions about using them.
- Drag-and-drop questions: These questions challenge you to organize steps in the correct sequence, such as building an incident response plan.
To excel at PBQs, leverage online labs, virtual machines and real-world simulations to familiarize yourself with security tools and scenarios you may run into during the exam.
Show how you stay updated
Cybersecurity is always changing, with new threats emerging and innovative solutions being developed all the time. Demonstrating your knowledge of these threats and solutions is another way to show your experience to employers and let them know that you're staying informed of what's happening in your industry.
Keep up with cybersecurity news
Make it a habit to regularly read cybersecurity news from reputable sources. This will help you stay abreast of the latest trends, threats and vulnerabilities. Many publications offer free daily or weekly newsletters that deliver concise summaries straight to your inbox, like Infosec's newsletter or Zack Whittaker's This Week in Security.
Following cybersecurity experts on social media, like LinkedIn, TikTok or X, is another great way to stay informed. These professionals often share valuable insights, news updates and even job postings.
Utilize webinars, podcasts and Infosec resources
There's a wealth of free and informative resources available online to deepen your cybersecurity knowledge and develop practical skills. Here are a few to get you started:
- Infosec Resources: We offer a vast library of webinars, articles, whitepapers, case studies and ebooks featuring industry experts.
- Cyber Work Podcast: Join the Infosec team in weekly conversations about cybersecurity skills, jobs and industry trends.
- Cyberwire: This popular podcast tackles cybersecurity news and current events.
- Recorded security conferences: Many security conferences offer free recordings of their presentations, featuring talks from leading cybersecurity professionals (Black Hat and DEF CON, for example).
Become a cybersecurity professional
The overwhelming demand for skilled cybersecurity professionals is the norm, and if you are looking to become one of them, don't be discouraged by the experience barrier. You don't need years in the industry or a fancy degree to get started.
Here is a recap of the tips to get you moving forward:
- Explore different paths: Try what interests you and discover what ignites your passion.
- Gain practical experience: Use labs, online cyber ranges, CTFs and create or contribute to cybersecurity projects to learn hands-on.
- Stay informed: Immerse yourself in the world of cybersecurity news, podcasts and webinars to stay ahead of the curve.
- Pursue certification: Certifications can add value to your resume and validate your acquired skills.
- Start somewhere, and don't be afraid to pivot: Don't wait for the "perfect" opportunity. Take action, gain experience and refine your path as you learn and grow.
With dedication, exploration and the resources outlined in this guide, you can overcome the experience barrier and step confidently into your cybersecurity career.