Okay, so - long story short, you need both.

I know collectively we're understaffed in security in general, but I am also sick of this "everyone from every walk of life wants to be and can be security" mindset, seen too many people come in who don't know the first thing. I don't mind helping out my juniors, but if you come at me with questions and obviously no prior knowledge or even attempt to research on your own, I am going to help you along to the door.

And not everyone can be red team, that's what a huge portion of people want, because it sounds sexy and they listen to too many podcasts. There are not that many positions for that specific job.

Personal rant aside -

Paul Jerimy did a good sort of layout of certs and where they fall in the various security domains.


So where do you want to be? Risk? Software? Ops? Network?

Certs will help you get hired, but if you have no experience aim for junior positions.

The best security people spend a few years in another position, a network or systems admin or developer first, to learn the ropes within what will become their specialty, got time and really want to be good, go that route.

Off in the weeds Minority Opinion -- All the other advice here is great. I think there are 2 other things that might not normally be covered, and you should know them.

Know and understand what a Data Diode is, and how to properly use one to enable provably secure egress of data without ingress of control in monitoring situations.

Know what capability based security is. Be able to explain the confused deputy problem. If you understand this, you'll never trust Linux, Windows, MacOS or almost any other OS.

that is all

Why not both?

Actual practice is invaluable. Would you hire a lorry driver that had only ever studied the theory of driving, and never actually got behind the wheel of a truck?

But certifications do two things:

One, they cover the material in a rigorous, reliable fashion. If someone passed the cert, it can be safely assumed that they have a certain minimum understanding of the subject, even if it isn’t deep or comprehensive. Sure, you can still “train to the test” and emerge certified without even knowing how to turn on a computer, but I would argue that this is even more difficult to pull off than a legitimate mix of study and practice.

And two, they give HR a checkbox that can be easily checked off. Keep in mind that the vast majority of HR departments have absolutely no clue what the job entails. For any position within ICBM range of IT, at least 90% of what is on your CV is complete gobbledygook to them; a wizard’s incantation in ancient Latin. It’s why you need to be exceedingly careful with acronyms/abbreviations vs full names of any skills or talents or achievements… using one where the other is expected can have your application binned because they don’t realize that one is functionally identical to the other, and that checkbox doesn’t get checked off. They _quite literally_ do a “paint by numbers” in order to gatekeep the applications that come in.

As such, HR departments _absolutely adore_ official/formal education because it typically has consistent and simplified naming, allowing the focus of the education to be vaguely grokked by a non-technical person. That name allows them to put a tick in a checkbox that covers a whole host of job/hiring requirements, and relieves them from an entire metric arseload of hard thinking and intellectually intensive evaluation.

It’s also a lot easier to input into hiring software.

You are still getting mixed advice here from learn to code to get OSCP.

There are two pathd, in the US that is: get an IT job, certs and then entry level security or get a degree and then entry level security.

The ideal entry level security job is a SOC analyst where you learn incident handling and a breadth of security knowledge and hopefully get your company to sponsor SANS training or GIAC certs (only because they are expensive). I know people with OSCP who are smart and struggle with incident handling, malware analysis,etc..., I say that because as awesome as OSCP is unless you want to be a pentester only it only gives you bits and pieces of what you need to succeed outside of offensive work. Certs are great at getting you interviews but the rest (knowing your shit) is up to you.

If someone tells you to avoid certs, do yourself a favor and disregard everything they say. Certs don't prove anything other than demonstrate you are good enough to make it to a phone screen interview but that part is crucial. As far as training, SANS is the best to get you started, not finished. What I mean is your company (hopefully) pays a lot of money for the training not so you master stuff but so you know what to google for and then master stuff.

Usually after your entry level gig, that's when you specialize.

Even if you want to be a pentester, work in a SOC first so you understand how defenders work when you try to evade them later on!

That aside, outside of typical corporate arena there are other entry jobs where you get really good at coding and do appsec stuff (code review mostly I believe) where prior coding experience plus something like oscp helps.

There is also a ton of vendor babysitting (manage tools/appliances) , compliamce,vuln management,etc... but they are usually not entry level unless you have a good degree.

Everyone in security needs to know the basics like risk, impact, vulnerability and threat to start with. Moreover, you need to see what threat actors are doing and be familiar with their techniques no matter what you do. That's why I recommend your first gig to require incident handling.

Also, find a boring messy company to start with so you can leanrn stuff when they get pwned and probably wear many hats because they are too cheap to hire enough people but that means exposure for you lol.

You don't need certifications to get a job if you have knowledge of various security topics. But if you don't, certifications are a great start to gain that knowledge. Also majority of security interviews will ask you questions from various parts of security so it's best to learn those topics. First figure out which part of security you want to work in and then take the shortest path to get a job in that part of security.

For compliance work you need certifications. Security+ as a start. AWS and Azure to stand out from the crowd, then CISSP and CISA and whatever other certs company requires.

For network security. Certifications matter. Network+, Security+, CCNA.

For blue team. Certifications matter. Security+, Microsoft, Linux, Network+, etc.

For pentesting. Skills matter more but certifications will help you with interview questions and getting first job. Web App testing knowledge is the most important, followed by code review and netpen knowledge. Security+ and Network+ certs to answer security related interview questions. OSCP to help you with learning how to use tools, how AD attacks work and getting a boost over other candidates.

There’s lots of worthwhile advice here to pick from.

For suggestions of practical activities to help build your skills and knowledge, or to frame it in a wider cyber context, you may find Cyber Springboard [1] useful. I’ve set it up to help others looking to get into cyber roles.

I’ve used the Cyber Security Body of Knowledge CyBOK [2] to help organise the activities.

There’s lots still to do in building pathways, mapping to job roles etc.

Feedback and suggestions are appreciated.

Edit: it may also be worth looking at the different specialisms and seeing what interests you most. The UK Cyber Security Council have a careers route map [3] which may be useful to you.

[1] https://cyberspringboard.com/

[2] https://www.cybok.org/

[3] https://www.ukcybersecuritycouncil.org.uk/qualifications-and...

Aside from the guidance offered in the other comments, look at working at a cybersecurity vendor where there are multiple tracks. At a big vendor there are the traditional IT security roles for network, endpoint, cloud, GRC, IAM, etc. But there are also roles in sales, marketing, operations, product management, and administration. All have entry points that do not require cybersecurity expertise. But you can work your way from an entry role in any direction.

54% of 3,175 cybersecurity vendors are hiring still this year.

If you get lucky you may work for a high flying success and participate in their IPO. At any rate it can be a lot of fun.

It depends on what you want to do, and the kind of organizations you want to work for.

Information Security is a big field. Is there an area of it that's especially interesting to you, or are you still figuring that part out?

Lots of great advise here. Only thing I’d add is look at the junior positions that you might not associate as security, but definitely do touch on it: helpdesk, deskside support, etc. Often they’re thankless jobs, but it’s a great foot in the door. Get in there, make it known you want to be the security dude, and take on as many security-related projects/tasks as you can. Offer to help out with security awareness and training initiatives (employees often suck at security). Work on some junior certs simultaneously.
* Learn to code. If you can read and write code, it will boost your effectiveness in your role. * Read "The Art of software security assessment", "Network Security Assessment" and "Web Application Hackers handbook". They're quite old now but good content. * Participate in CTFs. * Play on practice platforms like HTB. * Work through Portswigger labs, its free and top quality content. * Attend local security meetups and conferences, network.
Lots of great advice from people so far.

My two cents: not a lot of people talk about doing entry-level consulting as a pathway into in-house security roles but it's worth considering (and not without its bad parts as well).

I wrote this blog post about it if you're interested: https://www.akatz.org/posts/cybersecurity-grads-should-consi...

Cybersecurity is a vast field of careers, so you're going to need to be more specific.

If you're wanting to get into the technical side of things, a great generalist technical background is a good base to start from.

Certifications are important in many segments, but having a diverse set of skills is more important.

Cybersecurity is very broad and somewhat poorly defined.

Why is cybersecurity appealing to you? What is your current level of expertise/background/education? What do you mean when you say "cybersecurity career?"