Too old to hack? Too late to try? Welcome to cybersecurity anyway
Think it’s too late to get into cybersecurity? Myths of the prodigy hacker might be killing real opportunities for career changers, an expert says.

Image by Cybernews
Think it’s too late to get into cybersecurity? Myths of the prodigy hacker might be killing real opportunities for career changers, an expert says.
You scroll through job boards, your cursor hovering over yet another opening for a “junior” security analyst – ten bullet points deep in certifications and acronyms you barely recognize. Somewhere between “SOC2 compliance” and “SIEM management,” it hits you: is it already too late?
The world keeps telling us that cybersecurity is wide open. It's the fastest-growing, most talent-hungry industry of the next decade. And yet, the deeper you go, the more it feels like a secret club for hacker prodigies, ex-military red-teamers, and 22-year-old CTF wizards who’ve been rooting Linux boxes since middle school.
If you’re 30, 35, 40, or older, trying to pivot into cyber from another career – or worse, starting from scratch – it’s hard not to feel like you missed the boat. Every blog post says "just start," but no one talks about what it actually feels like to be the oldest intern in the Zoom room.
But Reddit does. In one thread in the cyberpros subreddit, dozens of users shared their own late starts in cyber.
“Got my first IT job at 31, SOC analyst at 32, now a security engineer at 33,” one user wrote. Another added, “I got hired in cybersec right before I turned 35. There's always a chance if you want it bad enough.”
Others chimed in: 34-year-old apprentices, 41-year-old master’s students, and even a 47-year-old cyber newcomer who said the “perpetual learning” is what keeps them going.
For every regret about not starting earlier, there’s someone who simply started anyway. Still, the question lingers: in a field that glorifies speed, genius, and constant evolution, is there still room for late bloomers?
After working to bridge the job and skills gaps in the cybersecurity industry, Jon France, Chief Information Security Officer at ISC2, thinks, "Absolutely."
First of all, you need to be fluent in solving business problems
It’s easy to fall for the hype: headlines scream about cybersecurity’s job boom, massive talent gaps, and six-figure salaries just waiting for anyone who can spell "phishing." But the actual job market has been stagnant.
“The need is booming. The need has never been more pressing,”says France.
However, economic slowdowns and regional contractions have cooled things down in places like the US, even while some European markets grow. There are jobs, yes, but not as many as are needed, and certainly not as many as the bootcamp ads make it seem.
So, is it realistic to pivot into cyber in your 30s, 40s, or later? According to the expert, it is – but you need to be smart about it. Entry-level doesn’t mean young.
“Some career changers can actually use some of their experience in their fields to show a propensity to logical, critical thinking, creative thinking,” he says.
In fact, some of the strongest candidates come from non-tech backgrounds. “We’re seeing the maturation of cybersecurity professionals who are being asked to solve business problems, not just security problems.”
Certifications help, but they aren’t everything. Experience – whether from IT, compliance, or even distinct fields like law or finance – can transfer well. What do hiring managers really look for? Problem solvers. Logical thinkers who understand how an organization works. People who can learn, communicate, and think creatively.
France gives an example of a cybersecurity worker who had initial training in medieval history. Nonetheless, he managed to become a standout analyst, thanks to strong critical thinking and the ability to solve business problems, not just tech ones.
Not everyone wears a hoodie and hacks
There’s a persistent image that still haunts cybersecurity like a ghost in the machine – the lone genius in a hoodie, hunched over glowing monitors, fingers flying as lines of code crack through digital vaults. But the truth? It’s far less cinematic.
“I didn’t wear my hoodie today. I could have done, you know, if I wanted to play to a stereotype” France jokes.
The myth that you need to be a master hacker to break into cybersecurity is one he’s eager to shut down. “No, you don’t have to be a tech pro. You don’t have to be a hacker. But you do have to be interested.”
He speaks from experience.
“Don’t ask me to code or to go and back into a system. I can’t do it. And yet I’m in cybersecurity.”
Instead, he emphasizes the importance of mindset over hard skills: “Understanding the human condition, understanding how humans work, and things like threats and threat mapping… I lovingly say, if you want to get into cybersecurity, you need to be able to think like a criminal. And that’s really fun – without actually being a criminal. Right?”
It’s a mental game first and foremost.
“Not every cybersecurity pro is a hacker. Not everyone has deep penetration testing skills and [is] able to crack systems. It’s not that at all.”
In fact, some of the most critical roles in cyber are far from technical. “Some people are policy people who write good, applicable policies to guard against risk.” In other words, there’s more than one way to defend a system – and not all of them involve breaking into it first.
You don’t need to be a unicorn
In any fast-growing field, there’s always that quiet pressure to be one of the “chosen” – the ones who started hacking at 12, won hackathons in college, and are now being courted by tech giants before turning 25. For career changers, it can feel like showing up to a game that started years ago.
But the expert says that thinking is exactly what the industry needs to abandon, as it is not a solution to the general cybersecurity problem.
“If you only ever want to recruit and retain ‘unicorns’, you are going to be looking for them for a very long time, or you’re going to have to pay an incredible amount of money for them.”
Instead, he offers a different approach: making space for a larger group of entry-level folks and giving them a chance to actually level up.
“Do not hire unicorns, hire a herd of horses,”jokes France.
Cybersecurity as a profession is still young. It didn’t even really take off until the '90s, and even widely recognized certifications like the CISSP have only existed for about three decades.
Unlike traditional fields like medicine or finance, there isn’t some century-old career ladder to climb, which makes space for people coming in from all kinds of directions.
That might include people with no formal background at all.
“We’ve got to be a little more open to career changes and embracing people that want to come into our profession that may not have experience, a background, or a degree.”
HR does not always know what they are hiring
Still, breaking into cybersecurity isn’t entirely about what you know – it can also hinge on how well the gatekeepers understand the field.
Traditional HR may not understand what’s required. HR teams write descriptions without input from cybersecurity experts, which might bring bizarre results, such as job postings that claim to be entry-level but demand top-tier certifications like the CISSP – a certification that requires at least five years of experience, and seem authoritative but don’t align with real entry-level roles.
This is why industry bodies are working hard to educate not just future job seekers, but also recruiters and hiring managers.
“We’re working hard to educate recruiters,” he says, referring to setting unnecessarily high bars for beginners.
It is not only about technical skills
Once someone lands a job in cybersecurity, what challenges should they expect? The expert’s answer is clear: one of the biggest hurdles is letting go of the idea that technical mastery alone is enough.
“The challenge… is getting over the myth that it’s all about technical skills. It’s not. It’s about understanding business,” he says.
“That’s one thing I impress upon my team and other people who are junior in the industry.”
Many new professionals enter with a mindset focused solely on hard skills: “I want to be a penetration tester, so I’ve got to learn how to look at network statistics, I’ve got to understand log files, I’ve got to understand the latest technologies.”
But according to him, that’s only part of the picture.
“The wider part of it is: why are you doing this? What are you protecting? And what’s most important to the business?”he says.
This understanding is crucial to effective cybersecurity work because, without knowing the business context, technical actions can lack direction or impact.
He sums it up with a striking line: “How can you protect the thing if you don’t understand what the thing is?”