Why I Do Not Recommend Moving Into Cybersecurity From Management Alone

Moving into cybersecurity from a purely management role, without hands-on IT experience, can sound appealing. I understand why. On paper it looks like a strategic pivot. In practice, I do not recommend it. You may be that person and be insulted! Lol

Cybersecurity is built on IT fundamentals. Protecting systems assumes you know how those systems actually work, how they fail, and how they are fixed. For most people, that means doing the part they do not want to do: starting lower, getting hands-on, and learning the details. That includes programming and scripting skills too. Languages like Python truly help! But most of my work was with scripting languages such as PowerShell.

I’ve lived this path myself. The strongest security professionals I’ve worked with started as junior system administrators, network admins, or hands-on operations engineers. They learned how to patch systems, configure operating systems, manage identity, troubleshoot outages, and understand real-world failure modes. Only then did security responsibilities make sense.

What I strongly disagree with is the influencer narrative that anyone can jump straight into cybersecurity with little or no IT background. That advice sets people up to struggle. Worse, it erodes trust. No one fully trusts a security professional who cannot manage or remediate the systems they are responsible for protecting.

I’ve seen this firsthand. During a penetration test for a company, their IT manager was unable to remediate basic findings. They did not know how to properly patch a Windows server, modify registry settings to address a vulnerability, or configure the firewall to block a port I flagged. These were not advanced security tasks. They were core system administration skills.

In many cases, that gap exists because the person was promoted into management as a people leader, not as a technical leader. That path is common and not inherently wrong. But it does mean they may never have learned how the underlying environment actually works.

Stepping back from a people role into a skilled technical role can be uncomfortable. It may require humility, taking classes again, shadowing help desk or junior admins, and rebuilding hands-on troubleshooting skills. For some, that feels like moving backward. In reality, it is the only path forward that works.

Over time, someone who chooses this route can become a cybersecurity professional that people trust, both the teams they work with and the systems they protect. Skipping those fundamentals rarely ends well.

Cybersecurity is not a shortcut career. It is an extension of solid IT experience, not a replacement for it.

Who Can Successfully Make the Transition

There are exceptions, and they matter.

People who began their careers hands on, spent years in system administration, networking, or operations, and later moved into management often transition into cybersecurity successfully. Even if they have not touched a keyboard in years, they still understand how systems behave under pressure. That mental model does not go away.

The key difference is whether the technical foundation was ever there. Leadership layered on top of experience works. Leadership without that base usually does not.

Better Adjacent Paths for IT Managers

For those in IT management who are drawn to cybersecurity but do not want to fully reset their careers, there are adjacent paths that make far more sense.

Security governance, risk, and compliance roles. This path can be great with project management skills!

Security program management. A more administrative path like that can be great for some!

Vendor risk and third-party assessments. This can be very lucrative and I have done this too.

Security architecture in partnership with strong technical teams.

These roles still require technical literacy, but they do not demand deep day-to-day system administration. More importantly, they allow experienced leaders to contribute without pretending to be something they are not.