Infosec experts share their career stories on how to get into cybersecurity with no experience

When starting a career in cybersecurity with no experience, there are lots of questions that pop into our heads:

“How can I get into this industry if I don’t have any experience or technical background?”

“Cybersecurity is such a vast field, how and what do I choose?”

“How do I know I made the right decision and focused my time and energy in the right direction?”

If these questions go through your mind, you are not alone. There are no perfect answers, only opportunities to try out and discover what works for you.

As a non-technical person who works as an infosec content marketer, I can say from experience that joining this community is a never-ending learning and development process.

Be patient and “trust that the dots will somehow connect in your future”, as Steve Jobs once said.

Because I know how challenging this infosec journey can be for non-technical people, I interviewed 9 cybersecurity pros and asked this:

What’s one particular piece of advice you’d give someone who wants to start a career in cybersecurity but doesn’t have a tech background (degree) or experience?

I hope you’ll learn a lot and get your dose of inspiration from these non-linear career stories, which cover a wide range of roles, both technical and non-technical.

A big thank you to all these nine wonderful women for their generosity and kindness in sharing their infosec career paths and what they’ve learned so far.

Featured infosec specialists

  1. Gabrielle Hempel – Cloud Security Engineer at Cigna, Security Researcher & Hacking is Not a Crime Advocate
  2. Chris Kubecka – Distinguished Chair at Middle East Institute Cyber Program and Founder of HypaSec
  3. Helen Oakley – Product Security Architect at SAP and co-founder of the Leading Ladies Cyber community
  4. Rebecca Herold – CEO, The Privacy Professor Consultancy and CEO, Privacy & Security Brainiacs
  5. Kim Crawley – Cybersecurity Content at Hack the Box
  6. Cori Faklaris – Doctoral student researcher at the Human-Computer Interaction Institute at Carnegie Mellon University
  7. Jenny Radcliffe – also known as The People Hacker, Social Engineer, Keynote Speaker, host of the award-winning podcast “The Human Factor”
  8. Lynsay Shepherd – Lecturer in Cybersecurity and HCI at Abertay University
  9. Bev Robb – Cybersecurity writer, editor, and social media expert for cybersecurity startups and small businesses

Believe in yourself and have a constant thirst to learn about this field

Gabrielle Hempel switched to the tech and security landscape only 3 years ago. Before that, she worked in genetics and pharmaceutical science. Her degrees are in Neuroscience and Psychology.

I had little tech background besides using a computer for school and work, and it was definitely overwhelming to figure out where to start.

My advice for anyone who wants to start a career in security but doesn’t have a tech background is to be willing to be like a sponge! If you can, narrow it down to a specific area you’re interested in—the information security world is so vast, there is no way to learn everything.

What helped her the most while starting her infosec career was:

The basics. I started learning from the beginning: basic information technology, then networking, then security. Look for creative ways to learn: online videos, podcasts, Discord channels, information security communities. These are all awesome ways to get involved and learn.

Speaking of cybersecurity certifications, Gabrielle highlights:

“Certifications are a tricky subject. Some companies prefer them, and others don’t seem to care. If there is a specific area you want to go into, like cloud technology, it may not hurt to get one.”

Her advice for those who want to get into cybersecurity is “being able to show what you are learning is a fantastic way to get your foot in the door.”

Chris Kubecka has over 20 years of relevant professional experience, including in the US Air Force.

For those who want to enter cybersecurity, Chris advises everyone to:

“join the fight, this is our Rosie the Riveter moment, we need more people, especially women in the field. Tech is biased enough as a whole.”

She also believes that:

“There are so many different paths you can start, without a degree or a million euros worth of certs. One major thing lacking in the field, people who can communicate tech into real speak management and executives can understand and digest.”

We hope you’ll take a moment to reflect on Chris’s valuable advice on what it takes to join a field with no experience or technical background.

“As a person who hires, I’d rather hire someone eager to learn vs. straight out of university with no real-world experience or worse. A person with a mountain-sized ego can’t work in a cohesive team. Nobody knows everything about the field, but if you are willing to learn and grow you can conquer it. Lastly, always believe in yourself.”

You can read more insights and discover fascinating stories from her vast experience in this interview we did with her in 2019 or view her live presentation from DefCamp.

Helen Oakley reminds us how non-linear our careers are and what it takes to become a successful cybersecurity pro:

“There isn’t a single determined path and every individual can find their way to transition into the cybersecurity field. However, people do a few common aspects and become successful cybersecurity professionals: I would combine them in three stages: research, try, pursue.”

Cybersecurity is a vast domain with lots of directions you can try. Helen mentions that research can help you discover specific cybersecurity areas of interest to focus on and gain a better understanding of the industry:

“During your research stage, you’d identify for yourself which direction (domain) in cybersecurity you’d like to go, because based on that you will determine your further learnings, focusing on that area.”

She also recommends:

“Attend various cybersecurity events/sessions, read and listen to podcasts – there is plenty of content to research various cybersecurity topics that will help you understand where in the cyber field you want to go.”

But research isn’t effective until you actually try and gain hands-on experience. That’s why Helen thinks the trying stage is the part where “you try tools for yourself (in a dedicated testing environment, of course), join a workshop, CTF, or whatever you find that interests you. Getting your hands dirty with the labs, research, and maybe even tasks at your current job (if applicable).”

Research and trying things out will help you get a better understanding of key concepts in cybersecurity and be ready to grasp an opportunity in the field. However, Helen reminds us about the importance of being involved in the infosec community and building relationships with infosec peers.

“Last but not least, you enter the stage of pursuing your dream job. You can take an official training, or maybe you have an option on taking some of the security tasks partially in your current job. Keep in mind, many typical and non-security jobs can have some level of security responsibilities too and it could be a good way to start your career through the so-called soft transition. Read the job description, between the lines, what do they really want you to do. And, of course, network with the cybersecurity community to hear more about opportunities and build your connections.”

Be persistent and focus on your specific skills that are transferable to cybersecurity

With more than 25 years of IT, infosec, & privacy experience, Rebecca Herold brings an interesting perspective to the table.

She thinks that:

“roughly 2/3 of the issues that need to be addressed to have a comprehensive cybersecurity program require skills that are not technology-based. In fact, some of the most effective and successful CISOs have zero backgrounds in systems engineering, architecture, programming, or other types of technical skills, and do not have degrees in computer science or mathematics.”

Rebecca also speaks about specific skills you need in two areas of cybersecurity, which are equally important.

“For administrative and operational controls, you need to have great communications skills, be a good listener and enjoy learning and applying critical thinking.”

She adds other skills that are transferable to cybersecurity in this specific area: “be proficient at planning and anticipating changes, understanding how business works, the full ecosystem of the business, or how to involve the correct team members for the wide range of technical and non-technical cybersecurity controls.”

It’s also essential to have “logical thinking, an ability to identify and understand needs, and then consider and create a plan for how to meet the needs, and how to communicate and ensure security policies and supporting procedures are clear, feasible.”

“For physical cybersecurity controls, you need to identify where all types of computing devices and storages are located that are used for your organization’s business processing, how to identify physical threats coming from any environment where those devices are located, and ways to protect the associated data and processing devices that are involved.

With the explosion of new tech and exponentially more data in the past couple of decades, being able to identify where smart things (internet of things devices), and environments put data and computing devices and other hardware at risk of unauthorized access, damage, etc. will continue to grow in importance as more things become smart and integral parts of our societal environments.”

Rebecca sums up that you can have a successful cybersecurity career if you focus on soft skills such as research, communications, planning, logical reasoning, problem-solving, and risk management skills that are transferable to this field.

“You also need to have the desire to learn about technology where necessary to support making good cybersecurity decisions. My advice to those without tech backgrounds, experience, or degrees is to commit to working on the skills I just described. Then, go for it!”

Kim Crawley’s words pack a lot of wisdom and highlight the importance of being persistent and not giving up no matter how many challenges arise.

“There are lots of free educational resources online. I work for Hack The Box, which has free online pentesting training programs, but there’s also Codecademy, MIT’s free courses, and lots more.

When you accomplish something technical, be very loud about it online. Shout it from the rooftops. If you use Twitter, tag #infosec. I got where I am today due to Twitter.

Be persistent. It may take years, but keep working at it. And write a resume that emphasizes your technical projects, even if they’re hobbies, rather than your formal education.
To this day, I’m still a high school dropout, and yet I’m considered to be a cybersecurity expert.”

She also confesses that luck played an important role in her career success.

“But also remember that capitalism is cruel and unjust and if you don’t succeed, it’s not completely your fault. Luck was a major factor in my success.
And remember to hack all the things.”

If you’re keen on pursuing a career in ethical hacking and want to dig deeper, Kim is also the co-author of the book “The Pentester Blueprint: starting a career as an ethical hacker”.

With relevant academic experience in the field, Cori Faklaris recommends getting “familiar with the tech involved and be able to prove that you have the chops.”

While contexts are different, learning from others’ experiences can encourage us to take a leap and try.

For Cori that happened on the job, as her company “needed someone in an IT role with specialized domain knowledge, and I was able to start learning under the mentorship of others.”

However, if you don’t get this opportunity to get a mentor for guidance, Cori thinks that it helps:

“taking classes and getting a diploma or certification. When learning in a formal training or degree program, you’ll be exposed to many concepts and tools in your training that you could not find on your own. Plus, you’ll get a taste of what suits you better – the engineering side, or the operations side. Then you’ll know whether this career is for you.”

Jenny Radcliffe focuses on the human element of security and talks about it with her guests on her podcast show.

Drawing on her story, Jenny believes that:

“You don’t necessarily need tech skills to work in the cybersecurity industry but it does help. So I’d try and get a basic understanding of the concepts and main issues that people work with.”

She also thinks that keeping abreast of cybersecurity news and ongoing learning will help you reach a point where you have strong knowledge and understanding of key concepts.

“Stay across the cybersecurity news and follow one or two key newsletters or shows to keep you up to date. Follow a couple of people who put out good regular content and go to Youtube and watch talks and explainer videos.

I’d start with anything that interests you from Bsides events, which are packed with insightful and valuable talks from people speaking about their passions.”

Jenny opens up and talks freely about her non-technical background in cybersecurity. What matters most is to have a thirst for learning and discover your key strengths and transferable skills and abilities in this industry.

“It’s fine not to be technical. I’m not, and I admit it freely, but I am informed and think critically about the industry and some of the agendas within it, and I have a good set of complementary skills, so I bring something to the table.

Finally, try and find the area that interests you and pursue knowledge and contacts within that first. It’s very easy to be overwhelmed by the breadth of topics in this industry and end up going down rabbit holes with a bad case of scope creep, so try and pace yourself at first and get to know a few things at a time.”

So if you’ve ever felt like Jenny, please remember that this learning process is part of the journey and you will reach a point where you have strong knowledge and understanding of key concepts.

If you enjoyed her valuable piece of advice, you can also listen to this podcast episode and learn about some penetration testing jobs she’s done.

Coming from someone who has worked in the academic field for years, Lynsay Shepherd’s advice is on point, reminding us (once again) about the transferable skills that apply to cybersecurity:

“It’s often assumed that a degree in ethical hacking or computing is required to work in cybersecurity. Whilst this is true for some of the more technical roles, there are other routes into the field.

Many companies are now focused on the human aspects of cybersecurity, in addition to technical issues. Work in this area sits at the intersection of human-computer interaction, security, psychology, and sociology and requires people from different backgrounds.

My advice would be to consider how your specific skill set could apply to cybersecurity. Look at different job roles posted online – you will find that some do not require technical degrees. Once you have experience in your first position, you can begin to explore different roles.”

Bev Robb, cybersecurity writer and infosec connoisseur, also emphasizes the idea that a technical background isn’t a deal-breaker if you’re eager to learn more about this field:

“Cybersecurity isn’t just about hacking—it’s about finding a path within the cybersecurity sector that interests you and building your skills around it.

If you are passionate about learning and have a strong desire to understand how technology works—don’t let a non-technical background stand in the way or limit your possibilities.”

 “Your path you must decide.” — Yoda

If you’re ready to embark on this adventure and kickstart your infosec career, here are a few helpful ideas and resources to help focus your efforts in the right direction.

Key takeaways from these infosec pros:

  • Be willing to be a sponge and look for creative and fun ways to learn: online videos, podcasts, information security communities, etc.
  • Nobody knows everything about the field, but if you are willing to learn and grow you can conquer it. Always believe in yourself.
  • Get your hands dirty with the labs, research, CTFs, and network with the cybersecurity community
  • Some of the most effective and successful CISOs have zero backgrounds in systems engineering, architecture, programming, or other types of technical skills
  • Be persistent. It may take years, but keep working at it.
  • Get familiar with the tech involved and be able to prove that “you have the chops”
  • Get a basic understanding of the concepts and main issues that people work with.
  • Many companies are now focused on the human aspects of cybersecurity, in addition to technical issues. Identify your specific skill set that could apply to cybersecurity
  • Don’t let a non-technical background stand in the way or limit your possibilities

We plan to keep this interview series open and update it constantly, so keep an eye on it. If you want to contribute, I’d be happy to hear from you! Feel free to reach out to me on LinkedIn or Twitter.
