The most common question about security jobs is how to get the first one. How does one break into security? Where are the entry level security jobs? I went to school and got a bachelor's in Information Systems Security. Even before leaving school, I started looking for entry level information security jobs. That concept, an entry level information security job, was built on a flawed premise. They don't exist.
My bias is built around that time period - 2008. The market collapsed, we had unemployment so high Congress had to vote to extend unemployment benefits and kick out a stimulus check, and no one was hiring. No one. And, with a few notable exceptions, people were hoarding information. Talks were as technical as you could get, and conferences were financially restrictive - especially to those who didn't have jobs. And people were scared. They were so scared they were hoarding information, doing everything in their power to make sure their company couldn't fire them. They hid the keys to the kingdom, and made sure no junior levels could move up and take their positions. Tales of the older workers making 3x that of junior employees being laid off, or RIFfed (reductions in force), were daily occurrences. Trust between employees and management was at an all-time low. No matter the company culture, everyone's IT got gutted. That affected the world today: soaring GDP and stagnant or falling wages, everyone wants contractors and not FTEs, and fewer companies are willing to pay for training for anyone not on their mission-critical staff. To a degree some of that is changing, but that change exists primarily in specialized areas.
What are the barriers? First and foremost, you don't know what you don't know. I fight with REST API coding, as I took a coding class in 2006 and 2007. It was in Visual Basic. My coworker can puzzle through these issues in less than an hour when they take me days. I have to hunt through forums of questions to find more questions I didn't know to ask. Even for the veterans, not knowing what we don't know teeters on the edge of crippling. Secondly, I never had a mentor. There was no guiding hand to show me the way. I was the fat, straight, white guy. No one wanted another one of those in the pipeline. Plus, I was not a drinker, so I was never in the social circles of the people in power. I had to fight for my information, learning akin to strip mining or scorched earth, and there was no forgiveness for mistakes. I moved around a lot. Those who had mentors were guided through pitfalls with ease, and taught how to learn, as well as what to learn. Third, the career path was not defined. Listen to any faux-humble "I'd never use the phrase thought leader" types, and they talk about a career path utopia where certs are pointless, and they'd take a skill set over formal education any day of the week. Next time you see this, look at the background. I would bet a steak dinner that they are A) ex-military, B) worked for a Federal Government three-letter acronym, or C) both. The most notorious of these people went military to NSA - and yes, that's more than one person. So, unless you are 18 with high technical skills about to join the military, most of their career advice is for naught. This fog completely obscures any vision of entry level security.
There is one thing you need to know, above all else. Burn this into your brain in large flaming letters.
THERE IS NO ENTRY LEVEL SECURITY JOB.
People will try to argue that. To do so violates one of my most important maxims: words matter. You can't approach that statement without trying to change the meaning of words. People do this online. They then violate another maxim: deal with the world as it is. It's like a triad: pick two. You can have an entry level job, you can have a security job, or you can do entry level security. Entry level jobs don't carry the level of responsibility that security jobs have. Entry level security work is not something people pay for, given the risk associated. Security jobs require a degree of expertise that far exceeds anything we think of as entry level.
Starting points in security depend on your background. Security analysts who work in SOC (Security Operations Center) environments have backgrounds looking at operating systems or network traffic, or both. They take expertise from a previous life as a sysadmin or network admin, and parlay that into looking through alerts for outliers in data transmission or deltas (differences) in configurations. SecDevOps were DevOps people who learned to secure and bugfix their code, and the code on their systems. Network admins become firewall admins. Though I am loath to make the comparison, switching from one of the early IT jobs to security is akin to the evolution of a Pokémon, Abra to Kadabra to Alakazam. You can't move up until you've gotten a firm grasp on the previous level (without potentially crashing your career).
Deal with the three hurdles. First, all you need is a concept. Do you want to secure a network? Secure Windows/Mac/Linux operating systems? Attack networks? Build secure code? Start simply by googling that concept. There are numerous and extensive papers, articles, podcasts, and videos on nearly every subject. Or, even better, search Twitter. You will find many a person who tweets and writes about these concepts, and those who will retweet those who do. In doing so, you will clear hurdle one, and make it most of the way over hurdle two. The online community can act as a crowdsourced mentor. Read the writings of established professionals. Look at their histories on LinkedIn and see the evolution of their job titles. Look where they started and you will see you can come from nearly anywhere and get to security. Some are even approachable at conferences and talks. When you look at those histories and talk to those people, you will see that there are some basic funnels to get to where you want to go, but those aren't the only paths. Find something you want to do and pour yourself into it in your soon-to-be-not-free time. You will build yourself into a subject matter expert and that will have value. And that will help you clear hurdle number three.
If I could do it again knowing what I know now, what would I do differently?
If I were in college I would find a paid internship. This gets you in and working in a professional environment, and working with the tools they don't have in schools. Plus, it gets a real company on your resume, and then you aren't someone with no experience.
If I were in a career rut, I would build a home lab (very inexpensive with virtual machine software). I would play with tools like Wireshark, looking at traffic. I would rip apart group policy on multiple Windows operating systems. I would read about system vulnerabilities and how to attack them, then test it out. I would find free tools that mimic what the expensive stuff does, to make it easier to work with the tools I have never touched, as the underlying idea is the same.
Where I am now, I would keep learning. I would keep working to make sure I'm not ashamed for not knowing an answer my dramatically younger colleagues take for granted. I'd use Twitter more as a learning and networking tool, and as an outlet to share my view on topics I feel are underrepresented.
It doesn't get easier. But then again, neither does life. Keep pushing forward.