There's two things you need to be successful in cybersecurity: 1) you need to have a "security mindset", that is, an adversarial way of thinking, and 2) you have to know the system.

Since it's borderline impossible for an entry-level engineer to know the system well enough to be effective, there's no such thing as an "entry-level cybersecurity engineer".

I'm probably going to get some hate for this post, so let's unpack this.

First of all, what is the "system"? The system is whatever system, technical or human, that you want to attack or defend.

If you are on red team, you need to know the system better than defenders, ideally better than the people who designed the system in the first place.

If you are blue team, you need to know the system well enough to anticipate attacks and proactively defend against them.

Examples of the system include an operating system, a bespoke in-house application, human policies and procedures (a management system), and so forth.

What does this mean for entry-level engineers looking for a job in security?

Well, the way I look at is as follows. If you want to work in AppSec, go be a developer in the language/framework you want to secure. How are you going to do AppSec work if you have no experience as a developer?

Likewise DevOps --> DevSecOps. How are you going to be effective in DevSecOps with no Devops experience? And likewise IT admin --> IT security.

How are you going to manage a SIEM and run incident response if you don't know all of these systems combined?

And how can you be an effective CISO without a global view of all the systems—both technical and management systems—and how they all work together?

You have to know the system if you want to secure the system.