Scott Altiparmak

Security Is Applied IT

Most people break into cybersecurity the wrong way. Here is what I actually tell people who ask me how to get started.

I have been asked some version of "how do I break into cybersecurity?" more times than I can count. At chapter meetings, on LinkedIn, after conference talks. People ask because they want a shortcut, and I understand that. The internet has done a good job convincing them one exists.

It doesn't.

The most common version of the bad advice goes: pick a certification, grind it, land a SOC role. From there, anything is possible. The certs being pushed are usually Security+, maybe CEH, sometimes one of the newer vendor-branded options. The pitch is always some variation of "six months to six figures."

I'm not saying Security+ is a bad cert. I have one. But the people who succeed with it didn't get hired because of the cert. They got hired because they already understood the underlying technology and the cert confirmed it. The cert was a signal. The knowledge was already there.

That's the part that gets skipped.


Security is applied IT. You cannot secure what you don't understand. You cannot investigate an alert about a misconfigured Windows service if you don't know what a Windows service is. You cannot triage a DNS poisoning event if you don't know how DNS resolves. You cannot review a Conditional Access policy if you've never logged into Entra ID before the day you're asked to fix it.

I came up through helpdesk, then network and systems administration, before I moved into security engineering. At the time I resented it: I wanted to do the interesting stuff. In retrospect, those years were doing the interesting stuff. Every weird ticket, every broken AD sync, every firewall rule I had to trace through: that's what made the security work make sense when I got there.

I'm not saying everyone needs the exact same path. I'm saying the foundations matter, and skipping them has a cost that comes due later, usually during an incident, usually at the worst time.


What I actually tell people:

Learn Windows and Linux administration before you study for any security cert. Understand how DNS, DHCP, and Active Directory work, not just what they are. Build a home lab. Not to put it on a resume: to get comfortable being in the environment. Spin up a Windows Server trial in VirtualBox and break something. That's the education.

Once you have that foundation, certifications become useful. Security+ validates baseline knowledge. SC-200 is solid if you're heading toward Microsoft environments. Google's certificate is accessible and gets you oriented. What I'd skip: CEH is expensive for what it delivers, and stacking credentials without hands-on time is a fast way to interview badly.

The other thing people consistently underinvest in: community. ISSA chapters, BSides events, OWASP -- these are where you meet the people who will refer you, tell you about the role before it posts, and give you honest feedback about where your skills are. LinkedIn presence matters too. Not for vanity, but because security is a small field and people check.


I put together a structured resource list that maps out the foundations, the certs worth pursuing, the labs, and the communities worth joining. It's opinionated because vague guides aren't useful. If you're starting out or helping someone who is, it's at github.com/scottalt/infosec-resources.

The advice in there is what I wish someone had given me clearly, early. Take the shortcuts where they exist. This part isn't one.
