Can you actually change career into cyber security?
Yes, and I've watched dozens of people do it — but not the way most job adverts imply. There's no six-week bootcamp that turns a non-technical adult into a hireable analyst. There is a realistic, well-worn path: pick a lane, build proof of skill, and target the entry roles that actually hire career changers. I'm Michael. I spent 25 years in the tech industry, the last stretch of it running programmes at VP level, and I hold the CISSP. These days I tutor career changers and working analysts 1-to-1, in English and Polish, through Korra Studio. This guide is the overview I wish someone had handed me — the rest of our guides go deeper on each branch.
The three paths people actually take
Almost everyone I work with fits one of three starting points, and the right first move is different for each.
| Starting point | First move | Typical entry role |
|---|---|---|
| Already in IT (helpdesk, sysadmin, network) | Add a security cert on top of your existing skills | SOC analyst, security admin |
| Non-technical background, any age | Build fundamentals first — networking, Linux, one scripting language | Junior SOC analyst, GRC assistant |
| Ex-military or ex-forces | Translate existing clearance/discipline, use resettlement support | SOC analyst, security operations |
If you're coming from an IT helpdesk or sysadmin role, read from IT support to cyber security — that's the fastest of the three paths because you already understand ports, logs and tickets. If you've served, military to cyber security in the UK covers the resettlement funding routes by name. And if you're mid-career with a mortgage and no time to quit your job, switching to cyber security while working full time is the realistic version of this, done in evenings and weekends rather than a dramatic leap.
Age comes up constantly. It shouldn't stop you, and I've written a whole piece on career change to cyber security at 40 because the concerns at 40 are genuinely different from the concerns at 25 — and mostly imagined rather than real.
What actually gets you hired
Certificates alone don't get you hired. Employers hiring junior analysts are looking for evidence you can do the job's boring core: read logs, follow a process under pressure, and explain what you found in plain English. A CompTIA Security+ or similar entry cert signals baseline knowledge, but the thing that moves you from "another applicant" to "shortlisted" is a home lab, a couple of write-ups of things you've investigated (even simulated ones), and being able to talk fluently about how TCP/IP, Windows/Linux logging, and basic network defence fit together.
Here's the sequence I actually recommend, in order:
- Networking fundamentals — subnetting, the OSI model, how DNS and HTTP actually work. Don't skip this to jump to "hacking" content; it's the foundation everything else sits on.
- One operating system, properly — Linux command line at minimum, ideally alongside Windows administration basics.
- One entry certification — Security+ is the standard baseline in the UK market; see is CompTIA Security+ worth it for when it's the right call and when it isn't.
- A home lab — a couple of VMs, a SIEM you set up yourself (even a free one), some logs to analyse. This is what interviewers actually ask about.
- Applications aimed at the right roles — SOC analyst, IT security analyst, GRC assistant. Not "cyber security manager." See how to become a SOC analyst in the UK for what that first role actually looks like day to day.
What I tell my students
The thing I say most often, and the thing most people don't want to hear: stop collecting certificates and start building evidence. I've tutored people with three certifications and zero interviews, because a certificate proves you sat an exam, not that you can do the job. I'd rather a student spend a month building a small home lab, breaking it, fixing it, and writing two paragraphs about what went wrong, than spend that month memorising another acronym list. Recruiters and hiring managers see hundreds of CVs with the same cert stack. A student who can talk with genuine curiosity about a log anomaly they chased down themselves stands out immediately — and it's also just a better way to actually learn the material.
The second thing: you don't need a computer science degree, and you don't need to start over from zero. Whatever you did before — customer service, retail management, forces logistics, IT helpdesk — almost certainly gave you something transferable: attention to detail, working under pressure, documentation discipline, or literal technical groundwork. Cyber security without a degree in the UK is the norm for the analysts I work with, not the exception.
Realistic timelines and costs
Budget roughly £300–£1,500 for the first year, mostly certification exam fees and maybe a lab subscription, not tens of thousands on a bootcamp — and treat any six-figure salary promise from a course provider with real scepticism. SOC analyst salaries in the UK for junior roles tend to sit in a modest, unglamorous range that only improves with two to three years of experience. Timelines vary a lot by how many hours a week you can put in, but six to twelve months of consistent evening study is a realistic runway from "interested" to "first interview," not the six weeks some adverts suggest.
Where a tutor actually helps
Self-study works, but it's slow because you're debugging your own confusion alone. A cyber security mentor shortens that loop — someone who's actually worked in the industry can tell you in five minutes what would have taken you two evenings of forum posts to half-figure-out. If you want a second opinion on your plan before you spend a penny on courses, book a trial lesson and we'll map out the path that fits your actual background, not a generic template.
FAQ
How long does a cyber security career change realistically take?
Most people I tutor need six to twelve months of consistent part-time study to go from "interested" to their first serious interviews, assuming five to eight hours a week. It's slower with less time, faster if you already have IT experience.
Do I need a degree to get into cyber security in the UK?
No. Most junior analysts I've worked with came in through certifications, home labs and a relevant first role, not a computer science degree. A degree helps for some graduate schemes, but it isn't the only door.
Which certification should I get first?
For most career changers, CompTIA Security+ is the standard first step in the UK market. It's broad, respected by employers as a baseline, and doesn't assume prior security experience.
Is 40 (or older) too late to switch into cyber security?
No — I tutor career changers well into their 40s and 50s. Employers hiring junior analysts generally care more about demonstrable skill and reliability than age.