With all the advice out there on breaking into cybersecurity, I figured I’d share my own experience. Most companies touting a talent shortage conveniently have a “silver bullet” to sell you, whether it’s a certification, a boot camp, or some other shortcut. These have their place, but in today’s market (May 2026), they do very little to set you apart. Here’s what actually worked for me.

Build the Foundation First

Before moving into security, I worked in IT, first as a systems operations specialist (a fancy title for help desk), then as a systems administrator. Those roles gave me hands-on experience with a wide range of foundational topics like Linux and Windows administration, system hardening, networking, automation, project management, and collaboration.

That foundation matters more than most people realize. Boot camps and certifications tend to focus narrowly on one skill set, often skipping the broader IT knowledge that makes a security professional effective. A simple example is a SOC analyst who doesn’t understand networking protocols. They’ll struggle to distinguish genuinely malicious behavior from routine noise in something like DNS traffic. Having that foundational IT experience closes that gap in a way that a boot camp just can’t replicate.

Turn Your Current Role into a Proving Ground

While working as a sysadmin at MSGCU, I started asking how I could better secure the systems I was already managing. That curiosity turned into action pretty quickly. I found plaintext protocols still in use across the environment, things like telnet and unencrypted HTTP, and realized we had no incident response plans for a wide range of scenarios. Over the following year I remediated those issues and built out playbooks that were distributed across the IT team.

That work didn’t go unnoticed. I was soon tasked with rolling out a vulnerability management program and a SIEM. Getting the tooling up and running was the easy part. The harder work was tuning alerts, reducing false positives, and figuring out how to prioritize remediation in a way that actually made sense for the business. That meant a lot of collaboration, sitting down with application owners to understand what normal looked like for their systems and working with teams to find realistic patching windows.

Around the same time I enrolled at Western Governors University to finish my Bachelor’s degree. Their self-paced model and flat-rate pricing, which bundles in several certifications, fit well with a full-time work schedule, and my employer covered most of the cost.

Close the Gaps on Your Own Time

After about a year of security-adjacent work, I hit a ceiling. There was no dedicated security role to move into and no budget for further tooling. So I started learning penetration testing on my own using platforms like TryHackMe and Hack the Box. I have some thoughts on TryHackMe specifically that I’ll save for another post, but Hack the Box was where I did most of my meaningful learning. There was no hand-holding, just a lot of trial and error, but over time I got more and more comfortable working through the challenges on my own.

Make the Move

With a solid IT background, hands-on security project experience, and some self-directed offensive security practice under my belt, I started pursuing full-time security roles. Even with all of that, the job search wasn’t easy. Networking made the difference. A recruiter reached out about an application security analyst position, made a strong case for my transferable skills, and the interview process went really well. A few weeks later I had the role.

What I’d Tell My Past Self

If you’re a sysadmin thinking about making this move, start by changing how you think about your current role. Instead of just keeping systems running, start asking how someone could break them. Find the gaps in your environment, fix them, and document everything you did. Learn offensive security on your own time. Network with people already in the field. The transition takes patience but if you’re in IT and already thinking this way, you’re closer than you think.

TLDR: Get into IT first, take security seriously in whatever role you’re in, and fill the gaps on your own time. Certifications and boot camps can help, but they won’t replace a solid foundation. The jump is doable, it just takes patience.