Every cybersecurity professional I respect has one thing in common: they understand systems deeply, not just security tools. That understanding comes from hands-on experience troubleshooting, configuring, and maintaining the technologies that security is supposed to protect. My path from IT support at DePaul to cybersecurity research is not unique, but the lessons from that transition are worth sharing.
Why IT Support Is the Best Cybersecurity Foundation
Working the help desk teaches you how systems actually work in production, not how they are supposed to work in a textbook. You learn that users disable security features because they are inconvenient. You discover that "legacy systems" are not exceptions; they are the majority of enterprise infrastructure. You see firsthand how misconfigurations happen and persist.
At DePaul's Technology Support Center, I handled everything from Active Directory account management to network connectivity troubleshooting to hardware diagnostics. Each ticket taught me something about the attack surface. Password reset requests revealed how social engineering could exploit help desk processes. Network issues exposed how traffic flows between subnets. Hardware failures showed how physical access enables attacks.
This hands-on knowledge is impossible to gain from certifications alone. When I later studied penetration testing and network security, I could immediately map theoretical concepts to real environments I had worked in. I knew where DHCP servers lived, how DNS resolution worked in practice, and which ports were commonly open on campus infrastructure.
Building a Lab Environment
The single most impactful thing you can do for a cybersecurity career is build a home lab. Not an expensive one. A laptop with sufficient RAM to run virtual machines is enough.
My lab setup evolved over time. I started with VirtualBox running Kali Linux and a vulnerable target machine (Metasploitable 2). This let me practice basic scanning, enumeration, and exploitation in a safe environment. Later I added more VMs: a Windows Server for Active Directory testing, an Ubuntu server running intentionally vulnerable web applications (DVWA, OWASP Juice Shop), and a pfSense firewall to practice network segmentation.
The key is to treat your lab like a real project. Document your network topology. Write up your findings as if they were professional pentest reports. Keep a journal of what you tried, what worked, and what you learned. This documentation becomes portfolio material and interview preparation.
Certifications That Actually Help
The certification landscape is overwhelming. Here is an honest assessment based on what I have seen matter in hiring and skill development:
CompTIA Security+ is the standard entry point. It is vendor-neutral, covers a broad range of security fundamentals, and is recognized by government and corporate employers. Study for it actively, not passively. Set up labs to test the concepts as you learn them.
AWS/Azure Security Certifications matter because cloud security is where most organizations need help. Understanding IAM policies, security groups, encryption at rest and in transit, and cloud-native security tools is increasingly non-negotiable.
CEH (Certified Ethical Hacker) provides a structured overview of offensive security techniques. The certification itself is a baseline, but the knowledge areas it covers, from reconnaissance to exploit development, form a useful mental framework.
Practical Certifications like OSCP (Offensive Security Certified Professional) carry the most weight with technical employers because they require you to actually exploit systems in a hands-on exam. If your goal is penetration testing, this should be on your roadmap.
Do not chase certifications for their own sake. Choose certifications that align with the specific security domain you want to enter, and supplement them with practical experience.
Making the Transition
The gap between IT support and cybersecurity is narrower than most people think. Here is how to bridge it:
Start security work within your current role. Volunteer for security-related tasks: reviewing access logs, helping with phishing awareness training, or documenting incident response procedures. This builds security experience without changing jobs.
Contribute to security projects. Open-source security tools always need contributors. Writing detection rules for Snort, contributing to security documentation, or building practice labs and sharing them on GitHub demonstrates initiative and skills.
Network with security professionals. Attend local security meetups, join CTF (Capture the Flag) competitions, and participate in online communities like r/netsec or security-focused Discord servers. Many security jobs are filled through referrals.
Document everything publicly. Write blog posts about your lab experiments. Share your pentest reports (against your own lab machines). Create GitHub repositories with your security tools and scripts. A visible track record of security interest and activity matters more than a resume bullet point.
The Long View
Cybersecurity is not a destination; it is a direction. The field is broad enough that you will spend your entire career specializing, pivoting, and learning new domains. What matters is building a foundation of genuine technical understanding and maintaining the curiosity to keep exploring. The path from IT support to cybersecurity is not a step up. It is a natural continuation of understanding how technology works and how to protect it.