I didn’t change careers because I had a sudden breakthrough.

To be honest, cybersecurity had always been hovering there in the background, like a software update I kept clicking “Remind me tomorrow” on. I just didn’t think it was meant for people like me. I assumed the industry was reserved for hoodie-wearing undiscovered geniuses who lived in dark basements, not someone who spent their day faffing about in PowerPoint.

For a decade, my world was Learning and Development (L&D). I spent my time trying to help people change their behaviour and, with any luck, make good decisions at work. I was also the person responsible for creating that “Mandatory Compliance Training” we all know and love. If you’ve ever had to click “next” a hundred times while dying a little bit inside just to get back to your actual job: I am truly, deeply sorry.

The Night-Shift Tinkerer

Then life happened. Along came kids, a mounting “to-do” list, and about an hour of peace at the end of the day. In that hour, usually spent in a state of semi-exhaustion, I found myself tinkering. I was messing about with radios, poking at things on TryHackMe, and listening to endless podcasts about cyber heists.

I enjoyed it as a way to unwind, but I never connected it to a “proper” career. It was just a hobby, until I started noticing that most of the security disasters I was reading about weren’t actually technical failures. They were human ones.

The Realisation

It was rarely a “zero-day” exploit from a nation-state. Usually, it was:

• Someone clicking a link they definitely shouldn’t have.
• Someone being pressured into a rushed decision.
• Someone finding a “convenient” workaround for a security control because they didn’t understand why it was there in the first place.

That all felt very familiar. I’d spent ten years immersed in behavioural change, habits, and why people do what they do. Meanwhile, the standard corporate response to these breaches was usually “MORE MANDATORY TRAINING”, a solution I knew, from bitter experience, was usually a complete waste of everyone’s time.

That’s when it clicked. Cybersecurity was full of the exact same human puzzles I’d been solving for years; it was just a different, slightly more interesting playground.

The “Slow and Messy” Pivot

I didn’t quit my job or go on a three-month “bootcamp” to reinvent myself overnight. My route was slower and significantly messier. For practical reasons, taking a pay cut wasn’t an option. I had to bridge the gap while keeping the lights on.

I kept learning the technical bits because I actually enjoyed them, not because I was being graded. I put my hand up for anything even vaguely IT-adjacent. At one particularly chaotic company, I volunteered to run the phishing simulations. After all, phishing training is still training, isn’t it?

I had an absolute blast. I realised that my L&D background meant I wasn’t just “sending tests”, I was actually thinking about the psychology of the click.

You Aren’t Starting at Zero

Eventually, after a few years of hovering around the edges, an internal role opened up and I moved into cybersecurity full-time. And that’s when the “imposter syndrome” finally took a hit.

It wasn’t the technical work that surprised me, it was how much I’d underestimated my own skills and experience.

The skills I’d assumed didn’t “count”; communication, influencing stakeholders, designing learning, and understanding human psychology… they turned out to be the exact things many technical teams struggle with most. I hadn’t started from zero at all. I’d just been standing in the corridor, assuming I wasn’t allowed into the room.

The Moral of the Story

If you’re eyeing a move, remember that my “leap” was actually just a series of small, slightly awkward steps:

1. Nurture the curiosity without the pressure of a grand plan.
2. Get involved in your current role (even the bits no one else wants).
3. Network & be visible. If you’re the person who volunteers for the “boring” security stuff, you’re the one they call when a role opens up.
4. Stop devaluing your experience. You probably don’t need to start from scratch. Your previous career has already given you a set of skills that the cyber industry is crying out for—even if the job descriptions are written in a way that suggests you need to be a robot.

Back yourself. Believe that what you’ve already done actually counts. You’re likely a lot closer than you think.