I have spent six years in cybersecurity, across SOC analysis, GRC, detection engineering, and security sales engineering. My degree is in psychology.
Nobody on a hiring panel has ever asked me to defend that. What they asked about, every single time, was reasoning: why this alert matters, why this log source, what I would check first and why.
The degree question is the wrong question. The right question is how you prove you can think like someone in the seat before anyone pays you to sit in it. Here is the path I have seen work, for myself and for the career changers I have watched break in since.
Most people without a degree try to out-credential the gap. One more cert, one more course, one more bootcamp, hoping the stack gets tall enough to clear the wall.
I understand why. A cert has a syllabus, a price, and a pass mark. It feels like measurable progress, and the job search offers almost nothing else that does. After months of silent rejections, a progress bar feels like oxygen.
But hiring managers are not measuring the stack. They are listening for whether you reason like a practitioner. The credential gets you past a filter. It has never once closed an offer on its own.
Certifications are signals, not substitutes for understanding.
Start with Security+. It clears HR filters, and that is its job. Avoid the hyper-specific certifications until a role requires them. One good foundational cert is better than three mediocre ones. Then stop collecting.
Build a home lab around one detection story. Spin up a Windows VM and simulate an Active Directory environment. Configure Sysmon logging and forward events into Splunk. Write a basic detection rule for unauthorized access and tune it until the noise stops drowning the signal. That is a SOC shift in miniature, and it gives you an interview answer that sounds like the actual job.
Learn to narrate your reasoning. Interviews are rarely about trivia. They are about how you think and how you communicate. Here are two paths I have actually seen. Path A gets Security+ as their only cert, struggles to find an entry-level role, and spends months sending applications into the void. Path B builds a home lab, joins LinkedIn and Discord communities, researches entry-level SOC positions, and promises to get Security+ during onboarding. Path B gets hired. The difference was demonstrated understanding, not credentials.
The people I've seen succeed do not gather more information. They execute on what they have. They build one thing, document it, and talk about it with specifics. The ones who stay stuck are usually mid-way through their fourth course.
It took me a year of constant interviewing and resume tweaking to land my first break, and I quit a brand-new ISP job two days in to chase the role that became my way in. The feedback loop in this industry is broken; form rejections teach you nothing. Borrowed pattern recognition from people already in the field is the only real shortcut.
Go build something worth detecting.
Keep reading: How to write a cybersecurity résumé with no experience · all field notes →
The free guide, From Psych to Security, covers the full path, my mistakes included. The complete 90-day system is Breaking Into Cybersecurity: The First 90-Days Blueprint.
Get the Blueprint ($47)