Pathway · Career changer → cybersecurity

Career change to cybersecurity, starting from the honest place

No IT background. Want to work in security. Two things are true at once: direct entry into cybersecurity is possible — a genuine zero-experience credential exists — and for most career changers the realistic route goes through IT support first, because security work is built on a networking and systems foundation that IT support gives you directly. This page says both plainly and gives you the cited sequence either way.

The honest on-ramp

The route most career changers actually take

IT support is the on-ramp most people actually take into cybersecurity — not because it is required, but because security work depends on a networking and operating-systems foundation that most non-IT careers have not built. Going through IT support first is faster, cheaper, and more direct than trying to learn those fundamentals in a vacuum while also preparing for a security exam.

If you want to start building security knowledge directly — or you already have a relevant background (compliance, healthcare IT, physical security, investigation, military) — the ladder below is for you.

You are here

What actually transfers — and what does not

Per O*NET (U.S. Department of Labor), investigation habits, procedure discipline, and documentation practice transfer into security work on specific work activities: identifying objects and events, processing information, communicating findings, and following documented procedures. Those overlaps are descriptive, not a promise the switch is easy: networking, operating systems, security tooling, and log analysis are the real gap for most non-IT career changers, and it is learnable. See the cited overlap for your specific background:

The realistic target role

Cybersecurity Analyst

Occupation-level BLS median: $129,180 (SOC 15-1212) — a national occupation figure that skews senior; entry SOC-analyst and security operations center roles typically pay below the median, and this is not a certification salary or a promise. BLS projects +28.5% employment change for this occupation (2024–2034) — a forecast, not a guarantee.

The honest certification ladder

Four credentials, in the order that actually reflects reality

Fit labels derive from each vendor’s own published eligibility — entry-friendly, conditions-apply, or experience-gated — not from what would be easiest to sell you. The CC is shown first because it is the genuine zero-experience security entry; the “not yet” entry is shown on purpose.

CC - Certified in Cybersecurity Designed for entry · exam $199 · Difficulty 25/100 (Foundational)

The genuine zero-experience security entry. ISC2 states no work experience is required — this is the credential if you want to start building security knowledge before you have an IT background.

Vendor’s recommended background: No work experience required

CompTIA Security+ Reach — conditions apply · exam $439 · Difficulty 45/100 (Moderate)

The standard security baseline — but third-ish in reality, not first. The vendor-recommended background (Network+ and roughly two years of IT work) is real; pair it with actual IT experience, not instead of it.

Vendor-recommended before it: CompTIA Network+ (a recommendation, not a registration gate).

Vendor’s recommended background: CompTIA recommends Network+ plus about 2 years of security/systems-administration experience (a recommendation, not a requirement).

CompTIA CySA+ Reach — conditions apply · exam $439 · Difficulty 75/100 (Hard)

Analyst level — after Security+ and time with actual security tooling, not before. This is the step from knowing security concepts to doing security analysis.

Vendor-recommended before it: CompTIA Security+ (a recommendation, not a registration gate).

Vendor’s recommended background: Network+, Security+, or equivalent knowledge, with a minimum of 4 years of hands-on experience as an incident response analyst, security operations center (SOC) analyst, or equivalent experience (a vendor recommendation, not a requirement).

CISSP - Certified Information Systems Security Professional Not yet — experience-gated · exam $749 · Difficulty 80/100 (Expert)

On this track, but not yet, and that is intentional. The experience requirement is a vendor gate, not our judgment. The Associate of ISC2 path is shown on the certification page.

Why not yet: full certification requires 5 years of relevant paid work experience — a vendor requirement, not our judgment. ISC2 Associate pathway: passing this ISC2 certification exam without required experience can lead to Associate of ISC2 status (up to six years for this exam path).

Fees and eligibility from each vendor’s official pages (cited and dated on the linked certification pages). Difficulty is the RoleMath structure-based score — the exam’s difficulty, never a pass rate or anything about you.

The money picture

What it costs, and the levers that can cover it

The exam fees above are the floor; budget for one retake and for renewal (both CompTIA and ISC2 certifications carry ongoing maintenance requirements — upkeep is part of the real cost). Two levers matter most for career changers without employer support: WIOA can fund training and exams through your local American Job Center (eligibility is determined locally, not by us), and Workforce Pell reaches short-term certificate programs at eligible community colleges. Both are covered with sources and caveats on the funding page:

The study path

Free and official first

Every certification above has a free-study page built from the vendor’s official objectives and free resources — no paid prep is required to start, and we sell no training. Instructor-led courses are worth considering mainly when a funding lever covers them; self-study plus the exam fee is the cheap path.

Common questions

Career change to cybersecurity, answered honestly

Can I get into cybersecurity with no IT experience?
Rarely directly — and most content selling that idea is selling you something. Security work assumes operational context that usually comes from IT support or adjacent IT work first, which is why the realistic route for most career changers runs through an IT support role. What IS genuinely open from zero: ISC2 Certified in Cybersecurity (CC), which ISC2 states requires no work experience. Start there, get into IT work, and build toward the security seat.
What is the lowest-barrier security certification to start with?
On this page, ISC2 Certified in Cybersecurity (CC) — it is the genuine zero-experience security credential and the least expensive entry on the ladder above (exact fee and difficulty shown there, cited). "Lowest barrier" is about eligibility, not ease: it still requires real study.
Should I take Security+ first?
Usually not first. CompTIA’s own recommended background for Security+ — shown in the ladder above, cited — is Network+ plus around two years of experience. You can register without it, but skipping the background is where self-study most often stalls. The sequence that works pairs Security+ with actual IT work, not instead of it.
Do I need CISSP to start in security?
No. CISSP is experience-gated by ISC2 — full certification requires years of cumulative paid work in its domains (the exact requirement renders in the ladder above, cited to ISC2). It appears on this page so you can see the whole track honestly, including the part that is not yet available to you. The Associate of ISC2 route exists for people who pass the exam before the experience.
How long does it take to change careers into cybersecurity?
No honest fixed answer exists — it depends on your starting background, the hours you can give it, and whether you route through IT support first. RoleMath does not publish time-to-job promises. The planner personalizes the sequence against your actual background, budget, and hours, and shows the staged path with sources.

One low-commitment next step

Take the readiness check on your first target cert (free, no email required) — it compares what you know now against the official exam domains and tells you honestly where you stand. Then personalize the whole path.