There are 3.5 million unfilled cybersecurity jobs in the world right now. And yet, freshers — people who have been grinding labs, stacking certs, and studying for months — still can't get hired. Something's broken in the conventional advice. This is the honest version.

Let's be real for a second. When you start learning cybersecurity, the advice you get from virtually everyone is the same playlist: learn networking, learn Linux, get your CompTIA Security+, do TryHackMe labs, repeat. And honestly? That advice isn't wrong. You absolutely need technical skills. Nobody's disputing that.
But here's the uncomfortable truth — every single person trying to break into this industry is doing those exact same things. Same certifications. Same labs. Same fundamentals courses. So when you're one of a hundred applicants for an entry-level SOC analyst role, how does a recruiter tell you apart from the other 99? They often can't. And that's the actual problem nobody talks about.
This piece is based on reflections from experienced cybersecurity practitioners working in the UK and globally — specifically, the three things they wish they had done differently when they were 21 and starting from scratch. Consider this the letter your future self would write back to you.
Build a portfolio of everything you're doing
Think about this. If you needed to hire a photographer for your wedding, what's the first thing you'd ask them? You'd ask to see their work. You wouldn't just take their word for it that they're great. You'd want to see albums, previous events, real examples of their craft. Simple, obvious logic.
Now ask yourself: when a recruiter looks at your CV for a cybersecurity role, what do they actually see? A list of certifications. A line saying "completed TryHackMe learning path." Maybe a GitHub link with nothing in it. That's it. That's the whole picture they have of you. And that's the gap most beginners never close.
A portfolio of work is exactly what it sounds like — a single place where everything you've done is documented and visible. Not buried in a folder on your laptop. Not mentioned vaguely in a bullet point. Actually shown, with screenshots, write-ups, and context.
What should go in it? Here's a practical list:
Every lab you've completed — what you actually did, what tools you used, what you found, how long it took
Write-ups for CTF (Capture the Flag) challenges, even the ones you didn't fully solve
Your home lab setup — screenshots of your network topology, the SIEM you configured, the virtual machines you use
Any blog posts or articles you've written explaining security concepts
Certifications, sure — but linked with context about what you learned
Any open source contributions, even small documentation fixes
Where do you host it? It doesn't have to be fancy. A GitHub profile with well-structured repos works. A free Medium page with technical write-ups works. A simple WordPress site works. The format is irrelevant. The fact that it exists and is linkable — that's what matters.
Why does this make such a difference? Two reasons. First, a CV has to be brief and stripped of detail by its very nature. You can't put screenshots in a CV. You can't walk someone through your thought process on a CV. A portfolio can do both of those things. Second — and this is the one people underestimate — handing a recruiter your portfolio alongside your CV tells them something about who you are. It signals that you take your craft seriously. That you go beyond the minimum. That you document and reflect on your work rather than just completing it and moving on.
Industry hiring managers are increasingly clear on this: certifications get you past the ATS filter, but portfolio projects get you interviews. If you're only doing one of the two, you're half-visible.
One practical note: there's a version of this that catches people out. Spending hours trying to get a portfolio looking perfect rather than actually adding substance to it. Don't do that. A plain GitHub README with genuine, honest documentation of three solid labs beats a beautifully designed website with nothing real in it. Substance first, presentation second.
Start today: pick your last completed lab. Open a new GitHub repo. Write a README that explains what the lab was, what tools you used, what you found, and what you learned. That's it. That's your first portfolio piece. Takes 30 minutes.
Attend cybersecurity conferences and events — then volunteer at them
When you're a beginner, you tend to think of your job as: learn technical stuff, get certs, apply for jobs. You work at your desk, alone, behind closed doors. Five hours on a lab feels productive. And it is — technically. But there's an entire dimension of career development that this approach completely bypasses, and it costs people months or years in their job search without them ever knowing why.
Cybersecurity is one of the most community-driven industries that exists. And community, in this context, means in-person events, conferences, meetups, and the conversations that happen in corridors and after panels. The people who get hired fastest aren't always the most technically skilled. They're the most visible. They're the ones who are known.
"The more people you get to meet, the more you can tell about the amazing work you're doing. The more you can get visibility for yourself. The more likely it is that you can get a referral, an internship, or a job opportunity in the industry."
— Cybersecurity practitioner with 10+ years in the UK industry
Think about how most entry-level hiring actually happens. It's not through job portals — or at least, the easiest path in rarely is. The easier path is knowing more people, building connections, and trying to get referrals. A referral from someone inside a company doesn't just get your CV looked at — it gets it prioritised. It's a fundamentally different track than cold-applying to a posting on LinkedIn.
So where do you start? Fortunately, you don't need a huge budget for this. Here's the landscape:
BSides events — community-driven, affordable (often around $100–300 or even free), highly welcoming to newcomers, and held in cities around the world. For beginners, BSides is the gold standard entry point.
OWASP local chapter meetups — free, technical, and often small enough that you can actually have a proper conversation with the speakers
ISACA and (ISC)² local chapter events — more compliance and governance focused, but excellent if GRC is your intended direction
Infosecurity Europe (London) — free expo access for qualified practitioners; massive for networking
Your city's cybersecurity meetup groups — search Meetup.com, Eventbrite, and LinkedIn Events for security meetups near you
Now here's the part that very few beginners actually do, and it's arguably the most powerful move on this entire list: sign up to volunteer.
Volunteering at a cybersecurity event isn't just about helping out with logistics. It puts you inside the operation. You meet the organisers. And here's the thing about event organisers in cybersecurity — they are very often senior managers, directors, and CISOs. People who have been in the industry for 15 or 20 years. People who are connected to hiring decisions at major organisations. BSidesSF alone recruits around 200 volunteers each year, and many of those volunteers walk away with professional connections they couldn't have made any other way.
You get to literally work alongside them in the capacity of a volunteer. That's a personal connection built in a genuine setting — far more memorable than a LinkedIn connection request from a stranger.
Search "BSides [your city]" or check NordVPN's events calendar for events near you. Go as an attendee once to get the lay of the land. Then email the organisers and ask how to volunteer for the next one.
One last thing on this. The reason most beginners don't do this isn't that they don't know it exists. It's that it doesn't feel like "real" work. Doing a lab for five hours feels productive. Going to an event for an afternoon feels like socialising. That mental framing is exactly what's costing people opportunities. Visibility is not a soft bonus — it's half the job search.
Get genuinely active on LinkedIn — not just present on it
Be honest with yourself. How do you currently use LinkedIn? If you're like most people starting out, the answer is some version of: you scroll through occasionally, like a few posts, maybe comment "congratulations" on someone's promotion, and that's about it. Your profile exists. You check for job postings now and then. But you're not really using it.
That's a missed opportunity of enormous proportions. Recruiters actively search LinkedIn for candidates — particularly for entry-level roles where the talent pool is uncertain. A well-optimised profile with visible, genuine activity is actively being discovered by people who could hire you, right now, today. A dormant profile with a basic summary and a couple of certifications listed is invisible.
Here's what treating LinkedIn like a real career tool actually looks like:
Write a headline that says more than "cybersecurity student." Something like: "Aspiring SOC Analyst | TryHackMe Top 5% | Building skills in SIEM, threat detection, and incident response."
Post about what you're learning. Finished a lab? Write three sentences about what you found interesting. Passed an exam? Talk about one concept that clicked for you. This isn't showing off — it's building a track record
Share your portfolio link in your profile and in posts
After attending a conference or event, post about it. Tag the people you met. Connect with them directly. This is how the three tips in this article actually link together into one compounding strategy
Comment substantively on posts from people you respect in the industry. Not "great post!" — a genuine thought, a question, a counterpoint. This is how you get noticed by people who don't know you yet
Reach out directly to hiring managers at companies you're targeting — not with a copy-paste message, but with something specific to their work
The pattern that experienced cybersecurity professionals see again and again when they mentor beginners is this: everyone is working incredibly hard on their technical skills, and almost no one is spending any time on the actual process of getting a job. No recruiter, employer, or company is going to find out about your skills if you don't put yourself out there. Just applying on random job portals and forgetting about it leads to rejection. The easier path in is knowing people, building connections, and getting referrals.
LinkedIn's chief economist, Karin Kimbrough, has noted that entry-level hiring at large companies is flat or shrinking, but small businesses still offer strong on-ramps. The key message: get visible, get connected, and target strategically — not just at the biggest names.
A simple exercise that ties all three tips together: when you finish your next lab, document it in your portfolio. Then post about it on LinkedIn with a link. Then go to a local security meetup and mention it in conversation. You've just made the same piece of work count three times for yourself. That's leverage. That's what separates the people who land jobs in six months from the ones still waiting at eighteen months.
The three tips in this article are a loop, not a list. Portfolio → conferences → LinkedIn → back to portfolio. Each one feeds the others. Start any one of them today and the other two become easier.
The thing nobody wants to hear
None of this means you can skip the technical work. You absolutely cannot. If somehow you networked your way into an interview without knowing what a SIEM does or how a phishing attack gets executed, you won't make it past the first ten minutes. The skills are non-negotiable. They're the foundation.
But here's the nuance that most beginner advice skips past entirely: skills are necessary but not sufficient. In a market where thousands of freshers have the same certifications and the same lab hours, technical skill alone doesn't differentiate you. Visibility does. Portfolio does. Relationships do.
If you only focus on technical skills and ignore the three things in this article, you'll be highly capable and completely unknown. If you only focus on visibility and ignore the technical work, you'll get interviews you can't pass. The people who start their careers fastest are doing both — building genuine skill and deliberately putting themselves where the industry can actually see them doing it.
"I would not just spend time learning the technical stuff and doing lab after lab. I would also spend time showcasing it. And things would have been much easier for me."
— Practitioner advice distilled from a decade of cybersecurity experience in the UK
There's also something worth noting about the timing of all this. The conventional wisdom is: learn everything first, then start applying. But that sequence can cost you a year or more. Start building your portfolio on day one, even if the first entries are basic. Start attending events before you feel "ready." Start posting on LinkedIn before you feel like you have anything impressive to say. The learning happens faster when you're simultaneously trying to articulate and show it.
Where to go from here
If you're new to cybersecurity or trying to get unstuck, here's a practical starting point for each of the three things covered in this article:
Portfolio: Create a free GitHub account, make a repo called "cybersecurity-portfolio," and write your first README documenting any lab you've done. Publish it today.
Conferences: Search for "BSides [your city]" or check your country's OWASP chapter for upcoming meetups. Find one event happening in the next 60 days and register.
LinkedIn: Update your headline and summary today. Post something — anything — about what you're currently learning. Make it specific, honest, and short. See what happens.
The cybersecurity industry genuinely needs more skilled people. The demand is real, the shortage is real, and the opportunity is real for people who approach this with the right strategy. Technical skill gets you to the starting line. Everything in this article is about making sure people actually see you standing there.
Skills open the door. Visibility gets you inside.
The three moves — portfolio, conferences, LinkedIn — work together. Start one today and the other two become easier tomorrow.
Do I really need a portfolio if I have certifications?
Yes — and the distinction matters. Certifications get you past ATS filters; portfolio projects get you interviews. A cert tells a recruiter you passed an exam. A portfolio tells them how you actually think and work. Both matter, but for different reasons. The cert is the ticket to the conversation. The portfolio is what you bring to it.
I'm introverted. Do conferences actually help?
Yes, and here's the practical workaround: volunteer instead of attending. Volunteering gives you a role and a reason to talk to people. You're not just standing in a corner hoping someone approaches you — you have tasks, responsibilities, and a natural context for every conversation. Many introverts find this a far easier entry point than open networking.
How often should I post on LinkedIn as a beginner?
Once a week is more than enough to build a consistent presence. Quality over quantity, always. One substantive post that shows you actually understand what you're learning will do more for you than five posts that are just reposts or generic updates. Document your real learning journey — the struggles and the breakthroughs — and people will genuinely engage.
What if I don't have anything impressive to put in a portfolio yet?
Start documenting now regardless. A write-up of a beginner TryHackMe room, done thoughtfully and with genuine reflection on what you learned, is a legitimate portfolio piece. The goal isn't to impress with difficulty — it's to demonstrate that you work methodically, reflect on what you do, and can communicate it clearly. Those are professional qualities that matter at every level.
Sources & References
ISC². (2024). Cybersecurity Workforce Study 2024 — global job gap estimate of 3.5M. isc2.org
U.S. Bureau of Labor Statistics. (2026). Information Security Analysts: Occupational Outlook — 33% projected growth to 2033. bls.gov
Metana. (January 2026). 9 Entry-Level Cybersecurity Jobs Worth Targeting in 2026. metana.io
Programs.com. (January 2026). An Honest Guide to Getting a Cybersecurity Job in 2026. programs.com
JourneyBee. (January 2026). Top 30 Global Cybersecurity Events for 2026 — BSides pricing and accessibility notes. journeybee.io
BSidesSF. (2026). BSidesSF 2026 — Volunteer programme information. bsidessf.org
Cybersecurity Dive. (February 2026). Top cybersecurity conferences to attend in 2026. cybersecuritydive.com
CNBC Make It. (December 2025). This is LinkedIn's No. 1 piece of advice for entry-level job seekers in 2026. cnbc.com
NetworkersChamp. (April 2026). Cyber Security Career 2026: Beginner's Step-by-Step Guide. networkerschamp.com
CyberSecJobs. (2026). Cybersecurity Jobs 2026 — 514,000+ postings, 26% unfilled in the US. cybersecjobs.com
