Is 40 too old to start a career in cyber security?
No. I'll say that plainly because it's the question I get asked most, usually by someone who has already half-convinced themselves the answer is yes. I'm Michael — CISSP-certified, 25 years in the tech industry including VP-level programme leadership, and I now tutor career changers 1-to-1 through Korra Studio. Some of my most capable students started in their 40s and 50s, and every one of them had an advantage 22-year-old graduates don't: two decades of workplace judgement, the ability to write a coherent email, and the discipline to actually finish what they start.
What actually changes at 40
The mechanics of getting hired don't change with age — you still need fundamentals, evidence of practical skill, and a targeted first application. What changes is the internal conversation. People in their 40s tend to over-plan and under-apply: three more courses "just to be sure" before sending a single CV. Meanwhile a 24-year-old with a fraction of the knowledge applies to twenty jobs and gets an interview because employers hiring junior analysts aren't looking for perfection, they're looking for "can this person learn on the job and not panic under pressure." That second part, frankly, favours people with more life experience, not less.
There is one real practical difference: financial pressure. Most people considering this at 40 have a mortgage, dependants, or both, which rules out quitting a job to "go all in" on a bootcamp. That's not a disadvantage, it's a constraint that shapes the plan — see switching to cyber security while working full time for how to structure study around an existing job rather than around fantasy free time.
A realistic plan, in order
- Audit what you already have. If you've managed people, run projects, handled compliance paperwork, or done any IT-adjacent work, that's not nothing — GRC and security operations both value exactly that. Don't discard 20 years of transferable skill because none of it says "cyber" on the CV.
- Pick one lane. Security operations (SOC analyst) or governance/risk/compliance (GRC) are the two most common entry doors for career changers. Trying to prepare for both at once slows you down.
- Get Security+ or equivalent. It's the standard UK baseline certification and signals you understand the fundamentals without requiring prior security experience.
- Build one small, real project. A home lab, a documented mini-investigation, anything that proves you can apply the knowledge rather than just recite it.
- Apply to junior roles, not "manager" roles. This is the single biggest mistake I see 40-somethings make — applying for roles that assume years of security experience because the job title feels more appropriate to their age. It isn't. Everyone starts at the bottom of a new field.
What I tell my students
I tell every career-changer in their 40s the same thing: your CV should lead with what you can prove, not apologise for what you don't have. I've seen students bury a decade of solid project management under a nervous line like "no formal cyber experience yet" — delete that sentence. Let the fundamentals, the certification, and the home lab speak for themselves, and frame your prior career as the reason you'll be a reliable hire, not a liability you need to explain away. Confidence on paper is a skill you can practise, and it matters more at this stage than another certificate.
What this costs and how long it takes
Budget for exam fees and maybe one lab platform subscription — realistically a few hundred pounds in year one, not the thousands some bootcamps quote. Timeline-wise, six to twelve months of steady evening study is typical if you're doing this alongside a full-time job, faster if you can dedicate more hours. There's no fixed finish line; the goal is "ready to apply confidently," not "expert."
If you want a structured second opinion rather than guessing at the plan alone, book a trial lesson and we'll build a study plan around the hours you actually have, not an idealised version of your week. For the fuller map of entry paths, the cyber security career change guide is the place to start before narrowing down.
FAQ
Will my age count against me when applying for junior cyber security roles?
Rarely, in my experience. Hiring managers for junior SOC and GRC roles care far more about demonstrable fundamentals and reliability than age. If anything, employers often value the steadiness that comes with more work experience.
Do I need to quit my job to make this change at 40?
No, and I'd actively discourage it unless you have significant savings. Most successful career changers I've tutored did this part-time over six to twelve months before applying, keeping their income stable throughout.
What if I have no IT background at all?
It's slower but entirely doable. Start with networking and operating system fundamentals before anything security-specific — skipping that step is the most common reason self-taught career changers stall.
Which entry point is better at 40 — SOC analyst or GRC?
It depends on your prior career. If you've done technical or IT-adjacent work, SOC analyst roles play to that. If your background is more in compliance, audit, project management or policy, GRC is often the faster route in.