Thoughts on Graduates Getting Started in InfoSec
I was approached again online for advice on how a recent graduate ought to go about getting started in InfoSec, and then over the weekend a fellow banner-carrier on the Whit Walks in my village turned out to be in the same boat, so I shared some thoughts.
Here's a summarised version in case it helps anyone break into the InfoSec scene.
My advice would be:
- Remain open to different opportunities in infosec. I've worked across nearly all disciplines in infosec and having more experience has always proven to be a big differentiator for me as I've progressed.
- If you're technically-minded, push on this and see how far you can go. There is so much to learn - and whilst you don't need to know all of it in detail, having a specialism or a deep interest can really help you progress. Stay curious! I'm sad to say that there is a recent wave of new people entering infosec who don't have a "real" interest in the craft of it. This can be a big way of standing out in a crowd. Dig deep into something and you might find that it's not only interesting, but that you come to develop a top-percentile understanding of it. I found myself reverse engineering malware once upon a time. I ended up being one of a small number of people in the industry taking apart these droppers to block their target domains - you can read about that in my old blog [0] if you like.
- If tech isn't your thing, that's ok too. There are many paths through infosec. Governance, Risk, and Compliance can touch on the technical but is much more focused on attention to detail, stakeholder management, and planning. I was recently asked about this and blogged my answer too - have a read [1].
- So-called "soft skills" are often overlooked in infosec, but this is a mistake. Take the time to build relationships, understand people, understand what drives them. Infosec professionals too often approach situations from a "right vs wrong" / "black and white" point of view. It is rarely that simple. Learn to be great at working with people. Be someone that people come to trust - someone that people see as pragmatic and sensible.
Finally, I think I would say that whilst the market can appear to be a bit flat at times, there is definitely work out there. Remain humble. Be willing to work hard. Harder than the guy or girl next to you and you will stand out. Don't hold out for a "dream job" - they'll come in time. What you need is any job in infosec - however much you think it might be less than what you'd hoped. See each job as an opportunity to further widen your experience - which then works to widen your appeal to potential employers. Turn up earlier, stay later. Your superpower right now is your youth and energy - put that to work for you.
Good luck on your journey.
[0] https://medium.com/securitybytes/anatomy-of-a-vba-malware-dropper-fc410c6000c3
[1] https://madsky.github.io/thoughts-on-getting-started-in-grc-as-a-career.html