So You Want a Career in Cybersecurity?
I get asked some version of this question a lot.
Sometimes it’s a student after one of my presentations. Sometimes it’s someone reaching out on LinkedIn. Sometimes it’s a friend whose son or daughter is thinking about cybersecurity.
Because I hear it so often, I’ve also read a lot of the advice that’s available online.
Some of it is excellent.
Some of it is outdated.
And some of it is simply wrong.
Before I tell you what I think, let me tell you a story about bad career advice.
The Chemistry Problem
When my oldest son was in high school, he loved chemistry. He excelled in a demanding honors chemistry class, and I happened to have a relative who had spent his entire career as a chemist and was approaching retirement.
I thought it would be valuable for my son to hear from someone who had actually done the job.
So I connected them.
The first question my relative asked was:
“Do you want to move to India?”
My son looked confused.
“Um… no.”
“Then don’t go into chemistry.”
That was the advice.
I learned two things that day.
First, always think carefully before introducing someone to a mentor.
Second, one person’s frustration should never become universal career advice.
My son never pursued chemistry, not because he stopped loving it, but because one conversation planted a fear he never tested.
Ironically, one of his classmates did earn a chemistry degree, found a great job, and never had to move to India.
I see the same thing happen in cybersecurity all the time.
Someone has a bad experience.
Someone struggles to find a job.
Someone dislikes certifications.
Someone loves programming.
And suddenly their personal experience becomes “the only way” to build a career.
It isn’t.
Why You Should Be Careful Who You Listen To
I’ve spent nearly three decades in cybersecurity.
I’ve hired people, interviewed hundreds of candidates, built global security teams, taught graduate students, and spoken at conferences around the world.
One thing I’ve learned is this:
Cybersecurity is far too broad for anyone’s career path to become the blueprint for everyone else’s.
If someone tells you there’s only one way into this profession, be skeptical.
Cybersecurity Isn’t One Career
One of the biggest misconceptions about cybersecurity is that everyone does the same kind of work.
They don’t.
Some professionals reverse engineer malware. Others build cloud infrastructure. Some investigate ransomware, while others write security policies.
Some perform penetration tests. Others brief boards of directors. Some spend their day writing Python, while others spend their day explaining cyber risk to executives.
There isn’t one cybersecurity career.
There are dozens.
Your goal shouldn’t be to “get into cybersecurity.”
Your goal should be to discover which problems you enjoy solving.
Advice I Would Ignore
I’ve seen certain pieces of advice repeated for years.
Some contain a grain of truth.
Most are far too absolute.
“Do You Have to Know Programming?”
No.
Programming is an incredibly valuable skill.
For some specialties, it’s essential.
For many others, it isn’t.
If you eventually become a malware reverse engineer, you’ll probably spend a lot of time reading assembly language.
If you become a security architect, consultant, manager, or CISO, your success will depend far more on understanding technology, communicating risk, and making good decisions than writing code.
Don’t confuse one specialty with an entire profession.
“Do You Need a Computer Science Degree?”
No.
Degrees can absolutely help.
So can certifications.
But neither guarantees success.
Some of the best security professionals I’ve worked with never earned a college degree.
Some had degrees in psychology, accounting, history, and one even had a PhD in Invertebrate Zoology.
Your willingness to learn matters far more than the title on your diploma.
“Should I Collect As Many Certifications As I Can?”
Also no.
Certifications can open doors. They can help you get interviews. They’re worth pursuing but they’re not the destination.
I’ve interviewed candidates with a long list of certifications who struggled to explain basic networking concepts.
I’ve also interviewed candidates with only one certification who impressed me by showing something they built.
Experience, curiosity, and initiative will take you farther than collecting certifications ever will.
“Is AI Going To Replace Cybersecurity?”
No.
AI will absolutely change cybersecurity. In many ways, it already has.
But it isn’t replacing the profession. It’s changing the tools.
The people entering cybersecurity today have access to learning resources that previous generations could only dream about.
Use them.
Learn how to use AI effectively.
Just don’t confuse AI-generated answers with understanding. I’ve been putting that into practice myself, testing what these tools are actually good for instead of simply trusting their answers. One experiment even resulted in an AI-generated podcast about my own work that was remarkably insightful, but still contained a few important factual mistakes.
What I’ve Learned After Interviewing Hundreds of Candidates
When I’m interviewing someone, I’m rarely looking for the person who memorized the most facts.
I’m looking for someone who can think.
Good interviewing works both ways. It's also your first line of defense against candidates who aren't who they say they are.
Can they explain how they approached a problem?
Can they admit when they don’t know something?
Can they describe what they learned after making a mistake?
Can they demonstrate curiosity?
The candidates who stand out aren’t always the ones with the longest list of certifications or the most impressive degree.
They’re the ones who ask the best questions.
One candidate in particular has always stuck with me.
I received a message on LinkedIn from someone who had applied for one of my open positions. They introduced themselves, said they had applied, and wanted to follow up personally.
I hadn’t seen their résumé, so I asked Human Resources about it.
Their response was simple.
“We screened them out because they don’t have a four-year degree.”
That surprised me.
I told HR that a college degree wasn’t one of my hiring criteria and asked them not to filter candidates on my behalf for that reason. This was years before AI and automated application bots flooded every job posting with hundreds of résumés, so it was still practical to personally review applicants.
I brought the candidate in for an interview.
They had no college degree and one entry-level certification.
On paper, they weren’t the strongest applicant.
In reality, they were one of the strongest candidates I interviewed.
They had built their own computer forensics lab at home.
They collected old computers from friends and family so they could practice forensic investigations.
They had taught themselves using YouTube videos, books, blogs, and every free or inexpensive forensic tool they could find.
As we talked, it became obvious that this wasn’t someone trying to collect credentials.
This was someone who genuinely loved learning.
I hired them.
Since then, they’ve continued taking courses and expanding their skills because they genuinely wanted to learn.
“They weren’t chasing certifications.
They were chasing knowledge.”
That’s exactly the kind of person I want on my team. Every time.
Degrees have value.
Certifications do too.
But neither can replace curiosity, initiative, and the habit of lifelong learning. Those qualities are much harder to teach.
Four Skills That Actually Matter
Technology changes constantly.
These don’t.
1. Curiosity
The people who thrive in cybersecurity genuinely enjoy learning.
If discovering something new excites you, you’re in the right field.
2. Communication
One of the biggest surprises for many new professionals is how much time they spend communicating.
Security is often a communication problem disguised as a technical one.
As your career progresses, you’ll spend more time explaining risk than configuring firewalls.
Learn to write.
Learn to present.
Learn to persuade.
Those skills will accelerate your career just as much as technical expertise.
3. Technical Foundations
You don’t have to master everything.
You do need to understand how technology works: networking, operating systems, identity, cloud, applications, AI.
You can’t secure what you don’t understand.
4. Integrity
Cybersecurity is built on trust.
You’ll have access to systems, data, and information that most employees never see.
Your technical skills might get you hired.
Your integrity is what earns responsibility.
Build Instead of Collect
If I were starting today, I’d spend less time collecting certificates and more time building things.
Build a home lab.
Learn Linux and networking.
Experiment with cloud services.
Create a GitHub repository.
Participate in Capture the Flag competitions.
Write about what you’re learning.
Document your journey by writing a blog.
Hiring managers love evidence. Show them what you’ve built.
Your Reputation Starts on Day One
One lesson took me years to fully appreciate.
Your reputation compounds.
People remember who helped them.
Who followed through.
Who admitted mistakes.
Who shared credit.
Who stayed curious.
Most of the best opportunities in my career didn’t come from clicking Apply Now.
They came from relationships that had been built over months or years.
I’ve seen this happen over and over again.
One cybersecurity professional I know documented his job search on Facebook. He had more than fifteen years of experience, a master’s degree in cybersecurity, multiple respected certifications, and had worked in cybersecurity for the U.S. military.
If anyone should have been getting interviews, it was him.
He applied for more than fifty positions and received fewer than ten interviews.
In the end, he landed an outstanding role. Not because of one of those applications, but because a former colleague referred him.
That story isn’t unusual.
The best networking isn’t collecting business cards at conferences or sending hundreds of LinkedIn connection requests.
It’s building genuine professional relationships over time.
Help people.
Stay in touch.
Share what you’re learning.
Be someone others enjoy working with.
One day, when an opportunity appears that isn’t even posted publicly, you want someone to think:
“I know exactly who would be great for this.”
That’s the power of your professional network.
The Best Time to Start Is Now
There’s never been a better time to learn cybersecurity.
The educational resources are extraordinary. The community is welcoming. The technology keeps evolving, and the problems are endlessly interesting.
Will it take work?
Absolutely.
Is it worth it?
Without question.
Cybersecurity has taken me places I never expected.
I’ve traveled the world, worked alongside incredibly talented people, earned patents, built global security teams, taught graduate students, and advised governments.
None of those opportunities happened because I knew everything.
They happened because I stayed curious.
The people who succeed in this profession aren’t the ones who know the most.
They’re the ones who never stop learning.
If that sounds like you, there’s a place for you here.
Where Should You Start?
If you’re wondering what to read, what to watch, which certifications are worth pursuing, or where to build your skills next, I’ve created The Between The Hacks Learning Library.
It’s a living collection of the books, courses, labs, certifications, podcasts, communities, and tools I’ve personally found valuable throughout my career.
Whether you’re just getting started or looking to deepen your expertise, it’s the resource I wish someone had handed me when I began.




