How to make a late career switch into cyber

In a recent episode of the First Person podcast we spoke to Ian Mountford, a  senior consultant in governance, risk, and compliance who made the decision to switch to cyber at the age of 49 after never previously working in IT.  

Ian told us how hard the change was, principally because the lack of a clear pathway or professional structure. He explained why experienced people are so valuable in cyber, and gave great advice for those looking to make the change in career.  

You can view our interview here, listen to it here, or watch in the box below: 

The challenge of a late career switch  

Ian told us that the biggest challenge to him in making the switch to cyber security was the lack of a clear pathway.  

“I was shocked at how little information there was out there,” he said. “There are YouTube channels featuring people talking sense about what the job entails. But at the same time there’s a lack of professional structure.” 

He described being faced with a bewildering variety of academic courses and certifications.  

“Everybody’s trying to sell their own courses at you,” Ian explained. “It confuses most people because they think that’s the gateway to getting the job and it’s not at all in some cases.” 

Why it matters: experience counts 

Ian told us that he believes strongly in the value of bringing experienced people into cyber security. He also said that in his experience such people develop their careers quickly because they have the soft skills to succeed.  

“Experienced people understand important concepts at a high level, and they can apply their approach to assess and audit clients and get to the nub of what the problems are. 

But Ian described this lack of structure as ‘putting up barriers’ that prevent such candidates making it through. “They look at these massive walls that there are to get over in terms of trying to be a cyber person.” 

He cited a presentation he did at an Australian Information Security Association conference, in which more than 30 people stayed behind asking questions about how to get into the industry.  

“There’s not a lack of good, experienced people that want to do the work. The challenge is getting people to that start line with an engine that’s fully revved up ready to go,” Ian said.  

Starting again at 49 years old 

For Ian these insights are hard won. After a long and varied career in senior roles and running his own businesses, Ian moved to Australia in his late 40s looking for a change of career. Almost immediately he was victim of a sophisticated scam, and a subsequent conversation with a police officer opened his eyes to the challenges and opportunities of cyber security.   

“I’d done consulting, marketing, HR, recruitment. And I thought it’s time to get some solidity in terms of knowledge,” Ian told us. “I thought IT could be a solid career for me until I retire.” 

The decision was clear, the pathway was not.  

“I did some certification, and applied for 30 or 40 jobs. I was getting disillusioned, so I started a cyber security degree course,” Ian explained. 

This was a challenging step for someone who left education more than 30 years previously at the age of 16. Ian found it tough but discovered newfound confidence and appreciation for learning.  

“It showed me the diligence you need to dig into something and pull it apart,” he said. Before telling us how that experience set him on a better path. “I had a conversation with my tutor who said: ‘look, you’re never going to be a technical person. Don’t try and go for technical cyber jobs. Have you heard of governance, risk, and compliance? You don’t need to be a coder’.” 

Ian explained to us that GRC is more conceptual than technical, and this in turn meant that his existing consultative skills and experience became very valuable. A year into his degree course he applied for a role as an associate with a large consultancy.  

“I found myself in exactly the right position for me at the right time,” Ian explained. “I bundled through project management certificates. I prepared as many things as I could to help me be ready on day one. Polished my Excel skills. I was going in fresh, but it worked out. And we’re still here.” 

Speaking with both employer and tutor Ian decided to call time on his degree course after one year. “They said, look, you’ve proved the point. You’re through the door. Now start to look at more specific bespoke things to learn. And that was perfect for me.” (See also: how to be a successful startup founder.)

Getting up to speed 

Once he was in post, Ian thrived. But it wasn’t all straightforward. The technical jargon was a barrier.  

“There’s a fear factor,” he explained. “It doesn’t matter how confident you are, when you hear a term that you’ve never heard before and people are looking at you and nodding as if to say, ‘you know what I’m talking about’, it’s a tough moment.”  

Ian told us that honesty is the only policy. “I had to ask for help. It was humbling because I was in my late 40s. There was an expectation because I was older that I would know all this stuff. I had to admit to myself and everyone else that I need to go a little bit slower.” 

Ian told us that he feels fortunate that he had good managers and colleagues who supported him at this point. 

“The people that you work with can give confidence or they can take it away,” he said. “Some consulting environments are much better structured than others in terms of helping to facilitate growth as a consultant. It’s the same in any job environment.” 

Indeed, one observation Ian makes about IT in general and cyber in particular is that there is a relative lack of focus on soft skills. And that speaks once again to the value of bringing in people with experience of other industries.  (See also: How to be a great Chief Product Officer.)

How to change to a career in cyber: four tips 

We asked Ian to synthesize what he has learnt into tips for someone in a similar situation. How should you approach a late career change into cyber security? Here is his advice.  

1. Ask for help – and be specific 

The most important thing, Ian said, is to reach out to people who can help.  

“Don’t suffer in silence. There’s a lot of people that can help you. You’ve got to be prepared to reach out to people,” he advised.  

Ian said that in his experience people are generally happy to help. But you must respect their time and be specific.  

“You need to have key questions that will help with what you are trying to achieve.” 

2. Demonstrate commitment and learning 

Ian said that people will strive to help those who are seen to be putting in the work. It requires commitment, and some level of personal investment.  

“You’ve got to demonstrate commitment and learning, and you’ve got to be comfortable digging in, working at things that make you uncomfortable,” Ian told us.  

This can be challenging and won’t be for everyone. But Ian said he believes perseverance pays off.  

“You can’t always see where it’s going to end. If you can adopt that kind of determined mindset where you’re not going to be put off when people say no, and you’re going to be smart and value what you can offer, you will succeed.” 

3. Value your existing skills – and work on them 

Ian advised folks to believe in what they can bring to the table based on experience. And to work on the things you can control and improve. 

“Being more organized in terms of time, taking better notes, being clearer in your knowledge before you get on a call when working on something new.”  

4. Do your diligence 

Finally, Ian said that the lack of structure in the industry can create traps to avoid. Not every organization would be good for a new professional making the switch.  

“I found myself in a situation where a colleague gave advice to a client during a call where I was the junior person. I immediately challenged it after the call, and the response was not good enough for me,” he recounted, speaking to a short-lived employment in a boutique consultancy. 

“It made me reflect on the amount of due diligence that you need to do. That was a huge learning point for me.”