There is a general shortage of IT people. Developers especially and cyber security. Pay is good in security, although its hard because you have to be constantly learning and evolving.

CREST certification is a good place to start. You will be hard pushed to get a role without something like that. Some companies will take grad level people in and train and certify them but that might be too big a pay cut for you.

Just on quick browsing it looks like you already need quite a bit of practical experience for a CREST certification?

OK - where to start...

Cyber Sec' covers a very broad sector. What your friend does for Airbus may be entirely different from what other's do, and what you may want to do. So I think it is most important to decide what you want from a job/career. The good news, is that in the long term, your salary level will be easily achievable in many different areas of cyber-sec, and I see no reason why you could not make a change.

So - do you have any natural ability/instinct/interest? Many of the researchers, developers, coders have a natural interest. If you are going in cold, competition is hard (there is strong demand for those with the skills, but less demand for somebody who cant demonstrate a long term interest), and there is a mountain of learning to climb. If you don't, then you may be better looking at a different area... For example Technical support for the big Security vendors or Security specialists is a good way in. From there you can launch into dev, pre-sales, solutions Architecture, installation etc. In fact pretty much anywhere.

If you don't want a hands on tech role at all, you can still work in cyber sec. Project management, Program management, Product marketing and sales all existing within cyber sec. In fact if I go a step further, I know a fair few MD's, VP's and General Managers who all only work in Cyber Sec.

I agree that training is a good place to start. And if you have experience/aptitude then CREST makes sense. But other certs include CISSP, CompTIA Security+, CISM or some of the SANs courses. People will argue the value of these, but they are at the well respected end of the certifications, and will help you to demonstrate to an interviewer that you are keen, have done your homework and committed. If I were interviewing for a support role, and a applicant had decided to change career, and had got themselves one of these off their own back, then I would be happy hear them out.

Fantastic, thank you!

Definitely not chasing the money as I do just fine now. Just looking for something interesting that will give me a job that's fairly future proof.

My work are paying for it so it makes no difference to me. I'd like to know that what I learn is "right" if that makes sense, and one of those is to pass an exam. Once I have done Security+ then I can look at what is next.

Yes there is a shortage, I would probably look at security data governance and risk rather than Cyber. I feel that Cyber is becoming more automated and this will only increase over the next 5 years.

ISO27001 qualifications is where i would start and do the base ones plus a specialism.

Probably worth doing COBIT next.

All the above can be done on your laptop without attending a class or exam centre.

Next go through the SANS institute catalogue and pick some courses that feel you have an interest in.

I would study for ISACA CRISC and then see if you can get a entry level position somewhere.

After 12 months do the CISSP and then you are ready to do start some mid-level training.....

I'd stick as a chef if you want future proof! IT is constantly evolving and what is hot right now, is dead in the water a few years from now... so expect to keep learning and feeling 'new' throughout your entire career if you stay as an individual contributor.

Also, if you have something about you, consider getting into sales rather than a technical job. Pay can be astronomical (seven figures) if in the right place at the right time and can make it happen).

Starting in sales, normally means starting at the bottom (Business Development AKA Cold calling to give leads to someone else) but if you are any good, you'll be owning accounts/deals in their entirety within a short period of time.

As a guide, our entry level BDR (Business Development reps) earn $45k base with $27k commission plan (Uncapped) at the start.. you could be 22 years old and your first job.

A 10 year+ experienced senior account executive could earn $500k+ easily in a good year in my company. I've known sales reps in other companies get to the $1m range, but these are rare and normally selling huge ($20m+) contracts over many years.

Sorry for the dollar figures, I am in the US. But just run these numbers through an exchange to get pounds. Either way, we pay the same across our entire company.