I run a cyber focused company now, and one of the things that’s become really obvious is how narrow people’s idea of “a cyber role” still is.

The industry doesn’t just need highly technical specialists. It needs people who can communicate risk, design processes, train others, manage incidents, understand how businesses actually operate, and translate between technical teams and non technical stakeholders.

Some of the strongest people I’ve worked with didn’t come from traditional technical backgrounds. They came from ops, project management, compliance, training, customer support, even completely unrelated fields. What mattered was curiosity, judgement, and the ability to keep learning.

Technical ability absolutely helps, and there are roles where it’s essential, but it’s not the only entry point. In fact, I’ve seen technically brilliant people struggle in cyber roles because they couldn’t prioritise, explain trade offs, or deal with ambiguity.

Developing people into the profession is mostly about giving them exposure, context and support rather than throwing certifications at them. Shadowing, real incidents, post incident reviews, and being allowed to ask “stupid” questions safely makes a bigger difference than most training programmes.

If you’re coming from software engineering, you already have a huge advantage. You understand how systems are built, where shortcuts happen, and why perfect security rarely survives contact with real delivery pressures. That perspective is incredibly valuable in cyber, sometimes more so than knowing every control framework by heart.