Security demand is real, but most roles assume IT fundamentals. Here is the realistic, defensive route in.
The problem
Cybersecurity is marketed as a high-demand field you can jump straight into, so beginners aim there first, then stall when every job posting assumes IT experience they do not have. The demand is real; the 'no fundamentals needed' promise is not.
Why this matters now
Workforce studies like ISC2's keep highlighting a security skills gap, and EU bodies such as ENISA emphasise defensive capability. But the same sources describe roles that assume networking, systems and identity knowledge. Knowing this early prevents months of applying to roles that were never entry-level.
The skills-gap headline is real, but it is widely misread. A shortage of experienced defenders is not the same as a shortage of entry-level seats — most openings are for people who can already be trusted with production systems. That is why so many career changers who aim straight at 'cybersecurity' feel the door is stuck: they are applying for the second rung of a ladder whose first rung is ordinary IT experience.
The practical framework
Think of security as a second floor that needs a ground floor. Build the ground floor first, then climb:
- Fundamentals: operating systems, networking, identity, and how systems actually fail.
- Bridge roles: IT support, helpdesk, junior sysadmin, or cloud support, where you see real incidents and real users.
- Defensive entry: monitoring, logging, patching, identity hygiene, and security awareness, learned defensively and ethically.
A quick word on the 'SOC analyst as a first job' idea: it happens, but even entry SOC roles usually expect you to read a log, understand what a normal network looks like, and explain an alert in plain language — all of which are far easier to learn from a support or systems seat first. This article is strictly defensive: it is about protection, governance and good practice, never attack techniques.
What beginners often get wrong
Skipping fundamentals and chasing exciting offensive-sounding content. Beyond being a weak career strategy, it points learning in an unhelpful direction. Beginner security value comes from awareness, logging, patching, backups, identity and defensive thinking, not from attack tooling.
There is also a credibility cost. An interviewer can tell within minutes whether someone has actually run and restored a backup, watched a patch break something, or reset access for a locked-out user — versus someone who has only watched videos about hacking. The first person is hireable into a defensive role; the second is not yet, no matter how enthusiastic. Real defensive value is unglamorous and that is exactly why it is valued.
A better path
Earn a bridge role, build IT fundamentals, and learn security defensively on top. You will be a far stronger security candidate having seen how systems behave in production than having memorised concepts in isolation.
How to learn security defensively as a beginner, concretely: keep your own devices patched and write down what changed; set up multi-factor authentication and document why it matters; practise taking and restoring backups; read the logs your own machine already produces and try to explain them; and study the basics of identity and access. Foundational, defensive certifications (for example CompTIA Security+) map to exactly this kind of knowledge. Every one of these is legal, ethical, and directly relevant to a first defensive role.
Example roadmap
A realistic, defensive route (a shape, not a promise):
- Build fundamentals: OS, networking, identity.
- Take a support or sysadmin bridge role.
- Learn defensive basics: logs, patching, backups, identity hygiene, awareness.
- Add a foundational, defensive certification once its objectives match your target roles.
- Move toward a junior defensive security role with real fundamentals behind you.
Realistic bridge roles that lead into security include IT support and helpdesk, junior systems or network administration, and cloud support — each puts you next to real incidents, real users, and real logs. From there, a move into a defensive security seat (monitoring, vulnerability hygiene, identity, GRC-adjacent work) is a credible next step rather than a leap.
What to do this week
- Build OS, networking and identity fundamentals first.
- Target a bridge role (support, helpdesk, junior sysadmin, cloud).
- Learn security defensively: logging, patching, backups, identity.
- Avoid framing your learning around attack techniques.
- Document defensive labs to show practical understanding.
How to tell it is working
Progress in an IT transition is easy to fake to yourself and hard to fake to an employer, so measure the things employers can see. You are on track when, each week, you can point to one new artefact (a lab note, a troubleshooting write-up, a small script) and explain it in plain language. You are on track when you can name your target role without hesitating and list the skills it asks for. And you are on track when your CV and profile use the same words as the job descriptions you are reading. If a week passes with hours of video but nothing you could show or explain, that is the signal to change the routine, not to push harder at the same thing. Keep a short log of what you produced each week; over a couple of months it doubles as both a portfolio and proof of consistency, which is exactly what a hiring manager wants to see from someone changing fields.
A realistic note on pace
Career-change advice tends to swing between two unhelpful extremes: 'anyone can do this in a few weeks' and 'you need a four-year degree first'. Both are wrong for most people. The honest answer is that it depends on your starting point, the time you can protect each week, the language you are working in, and the roles your local market actually hires for. Be sceptical of anyone promising a fixed timeline, instant placement, or a specific salary on day one; realistic guidance talks in ranges and trade-offs, not promises. What you can control is consistency and visibility: small, steady, documented progress toward one clear role beats sporadic bursts of enthusiasm aimed at everything at once. Protect a few focused hours a week and defend them like any other commitment, because steady beats heroic almost every time.
Turn your non-IT experience into an asset
If you are coming from manufacturing, hospitality, retail, logistics, finance, administration, customer support or the trades, you are not starting from zero. Those jobs build exactly the skills IT teams complain are missing: calm problem-solving under pressure, clear communication with frustrated people, documentation, prioritisation and reliability. The mistake is to hide your old career as if it were an embarrassment. Instead, translate it. 'Handled escalations on a busy shift' becomes evidence you can triage and de-escalate, which is most of helpdesk work. 'Reconciled daily figures' becomes attention to detail and process discipline. Write one or two lines per past role that map a real responsibility onto an IT-relevant strength, and use them in your CV and interviews. Career changers who do this well often interview better than fresh graduates, because they can talk about real situations, real stakes, and real people.
How to read a job description like a map
A job description is not a wish list to feel intimidated by; it is a map of what the employer values, written in their own words. Read several for one target role and mark three things. First, the skills that repeat across postings: those are your priorities, in roughly that order. Second, the 'nice to haves' that appear only occasionally: safe to skip at first. Third, the exact phrasing the employer uses, because mirroring it (honestly) in your CV and profile is what gets you past keyword filters and human skim-reads alike. You do not need to match every line to apply; most postings list an ideal candidate who rarely exists. If you cover the repeated core and can show a little proof, you are a legitimate applicant, not a pretender.
Where SHIFT 2 IT fits
Inside SHIFT 2 IT, I go deeper into turning your current background into a realistic roadmap toward your first target IT role — including how this fits the bigger sequence of learning, proof and positioning.
Final thought
Cybersecurity is a genuinely strong destination. It is just rarely the first stop. Build the ground floor, take a bridge role, and you will reach security as a credible candidate rather than a stalled applicant.
Key takeaways
- Security demand is real, but most roles assume IT fundamentals.
- Use a bridge role to build real-world experience first.
- Beginner security value is defensive: logs, patching, identity.
- Avoid building your learning around attack techniques.
If you are planning a move into IT, start by choosing a target role before choosing certifications.
This article is part of my SHIFT 2 IT series for people moving into IT realistically.
Top comments (0)