Career Change to Cybersecurity at 40

What made you leave teaching?

It wasn't one thing, it was a slow accumulation. Sixteen years at the same high school in Norwood. I taught Algebra 2 and Pre-Calculus. I was good at it. I got "Teacher of the Year" in 2019, which comes with a plaque and a $200 gift card to Staples. That's not sarcasm. That's the actual prize. I loved the kids. I loved the math. What I couldn't sustain was the system around both. The administrative burden got worse every year. More testing requirements, more documentation, more meetings about meetings. My planning period, which was supposed to be 47 minutes, got eaten by IEP meetings, parent conferences, and hallway duty three days a week. I was grading papers at 10 PM most nights. My husband, Jerome, would come downstairs and find me at the kitchen table with a stack of tests and a red pen. I was 41 and tired in a way that sleep didn't fix.

The cybersecurity part started because of a student. Marcus Freeman, junior year. He came to me after class and said "Ms. Watkins, is cybersecurity a real career?" He'd been watching YouTube videos about penetration testing and he wanted to know if the math skills he was learning in my class would transfer. I said I'd look into it for him. I spent the next two weekends researching cybersecurity careers. I made Marcus a handout about career paths, salary ranges, and relevant certifications. And then I kept reading. I kept reading because the field was interesting in a way that teaching had stopped being interesting. The pattern recognition, the logic, the analytical thinking. It was math, applied to a completely different problem domain. I told Jerome I wanted to study for the Security+ certification. He said "like, as a hobby?" I said "no."

What was the certification process like at 42?

Hard. Not because the material was hard. I taught math for 16 years. I can learn structured content. The hard part was time. I was teaching full time and studying at night. I used Professor Messer's free YouTube course for the CompTIA Security+ content and supplemented it with the official study guide, which cost $59. I studied from 9 PM to 11 PM, four nights a week, for about four months. Jerome handled bedtime for our two kids, Avery and Tate. Avery is 12 and Tate is 9. They knew Mom was "studying for something" but I didn't tell them I was thinking about leaving teaching because I wasn't sure I would. I didn't want to promise a change I might not make.

I passed the Security+ on my first attempt. Cost was $392 for the exam fee. Then I signed up for a cybersecurity bootcamp through a local community college. Twelve weeks, Saturday classes, $3,800. The bootcamp covered networking fundamentals, SIEM tools, incident response procedures, and basic forensics. I was the oldest person in the bootcamp by at least 10 years. Most of the students were in their 20s, coming from help desk roles or fresh out of college. The instructor, a guy named Vincent, was 31. He'd been in cybersecurity for seven years. That's seven more years than I had, and he was 12 years younger than me. That math was uncomfortable. I sat with it.

Total investment to get my first cybersecurity job: $4,251 in hard costs (exam fee, study guide, bootcamp tuition), approximately 400 hours of study time over six months, and the emotional weight of being a beginner at 42 in a field where beginner is the default age of 24.

How did you actually get hired?

I applied to 63 jobs. I tracked them in a spreadsheet because I'm a math teacher and I track things in spreadsheets. 63 applications, 8 phone screens, 4 interviews, 1 offer. The offer came from a financial services company in downtown Cincinnati. They hired me as a Tier 1 SOC analyst at $67,000. My teaching salary was $62,000 after 16 years. So I got a $5,000 raise to start over in a brand new field at the bottom rung. That math is, I don't know, it's a lot of feelings in one number.

I think they hired me because of the teaching background, not despite it. In the interview, the SOC manager, a woman named Yvonne, asked me how I handle high-pressure situations with incomplete information. I told her about the time a student had a seizure in my classroom during a test and I had to simultaneously call the office, clear the desks around him, keep 28 other students calm, and remember the protocol for seizure response. She nodded and said "that's incident response." She was right. It is.

What does the teaching background actually give you in the SOC?

Three things. First, pattern recognition. I graded approximately 160 tests per week for 16 years. That's roughly 133,000 tests. When you've looked at that many student answers, you develop an almost unconscious ability to spot the one that doesn't fit. The wrong answer that looks right. The right answer that was arrived at incorrectly. In the SOC, this translates to alert triage. I can look at a queue of 50 alerts and the one that feels different, the one where the pattern breaks, I notice it. Yvonne commented on this during my 90-day review. She said I have good "instinct" for alerts. It's not instinct. It's 133,000 tests.

Second, documentation. Teachers document everything. Lesson plans, grade books, IEPs, behavior reports, parent communication logs. I am extremely good at documenting what I did, when I did it, and why. In the SOC, documentation is at least 30 percent of the job. My incident reports are thorough. Yvonne says they're some of the cleanest she's seen from a Tier 1 analyst. That's not because I'm a better analyst. It's because I've been writing detailed records of what happened in a room for 16 years.

Third, teaching people. When I find something in an alert that's worth learning from, I write it up and share it with the team. My colleagues call these "Joy's lesson plans." I'm slightly embarrassed by this but also slightly proud. The SOC has four analysts and we all learn from each other's investigations. Turning an incident into a teaching moment is literally what I was trained to do. The subject matter changed. The skill didn't.

What's yours?

The identity loss. For 16 years, I was Ms. Watkins. I had a classroom with my name on the door. I had former students who would see me at Kroger and say "Ms. Watkins, you were my favorite teacher." I had a role in a community. I was somebody specific. Now I'm a Tier 1 SOC analyst, which is the cybersecurity equivalent of a first-year teacher. Nobody knows my name outside of a four-person team. I don't have former students. I don't have a door with my name on it. I have a badge and a desk and a queue of alerts.

Jerome noticed it before I did. He said I seemed quieter. Less sure. And he was right. When you're an expert at something for 16 years and then you become a beginner at something else, the confidence doesn't transfer. The competence does, but the confidence doesn't. Every time I ask Yvonne a question that a 25-year-old analyst would already know the answer to, I feel it. Not embarrassment exactly. More like grief for the version of me that knew everything and never had to ask. That version is gone. This version asks questions and learns and grows and is, I believe, building something real. But the gap between who I was and who I'm becoming is where the hardest part of this career change lives. The money was easy to accept. The identity change is still in progress.

Why did you leave law enforcement?

I was a detective in the financial crimes unit of the San Antonio Police Department for 14 years. Before that, I was on patrol for four years. So 18 years total with the department. I investigated fraud, embezzlement, identity theft, money laundering. By the end, probably 70 percent of my cases involved digital evidence. Bank records pulled from online portals. Emails. Cell phone data. Transaction logs from payment processors. I was doing digital forensics without calling it that, using tools I'd mostly taught myself because the department's cybercrime unit was five people for a city of 1.5 million.

The tipping point was a case in 2023. A local business owner reported that someone had gained access to his company's bank account and transferred $340,000 to accounts in three different states over 11 days. The access was through compromised credentials from a phishing email. I knew what had happened within about two days of investigating. I could trace the phishing email, the compromised login, the wire transfers. I knew the money was gone. The business owner, a man named Carlos Fuentes, he built that business over 22 years. He was standing in my office and his hands were shaking. And I had to tell him that the money was likely unrecoverable because the receiving accounts were already emptied and the actors were overseas.

What bothered me wasn't that I couldn't solve the case. I could identify what happened. What bothered me was that the crime was preventable. If that company had multi-factor authentication on their banking portal, the compromised password wouldn't have mattered. If they'd had email security that flagged the phishing email, it never would have reached the inbox. The crime happened because the defense didn't exist. And I was standing on the wrong side of the timeline, investigating after the fact, when I could have been on the other side, preventing it before it happened. I talked to my wife, Isabela, about it that night. She said "then go prevent it." So I did.

How did you make the transition?

I started studying while I was still on the force. Security+ first, which I passed after about three months of studying. Then CySA+, which took another four months. I used my lunch breaks and the hours after the kids were asleep. My son, Gabriel, is 15. My daughter, Sofia, is 11. They were used to Dad working long hours, so the studying didn't disrupt the routine much. The disruption was internal. I was a detective studying for an entry-level certification at 42. That's humbling in a way that's hard to describe to someone who hasn't done it.

I took a voluntary separation from the department after 18 years. I left a salary of $86,000, a pension that would have been full at 20 years, and a health insurance plan that cost $210 per month for the whole family. I want to be clear about what I gave up. Two more years and I would have had a full pension. I left with 18 years of service, which qualifies me for a partial pension starting at 55. But the full pension at 20 years was worth about $42,000 per year for life. I walked away from $42,000 per year in guaranteed income because I believed I could do more good in a different chair. Isabela and I talked about this for three months before I did it. She's a dental hygienist. She makes $58,000. We had savings. We could absorb the gap. But the gap was real.

$86,000 as a detective to what as a threat analyst?

My starting salary was $72,000. So I took a $14,000 pay cut to start over. In San Antonio, $72,000 is livable. Not comfortable, but livable. Our mortgage is $1,680 per month. After taxes, health insurance (which now costs $640 per month because I lost the government plan), and my 401k contribution, my take-home is about $3,800 per month. Isabela's take-home is about $3,400. Together we're fine. Separately, I'd be cutting it close. The health insurance cost alone, going from $210 to $640 per month, that's $5,160 per year in additional expense that doesn't show up in the salary comparison. When people say "I took a $14,000 pay cut," the real cut is closer to $19,000 once you factor in benefits.

I'm now at $78,000, after a raise at my one-year mark. The trajectory is there. My manager, a woman named Liz, told me that analysts with my investigative background typically reach $95,000 to $110,000 within three to four years if they continue certifying. The GCTI certification, which I'm studying for now, should help. But "should" is a word that has no defined value in a spreadsheet, and I'm a man who likes defined values.

What does the detective background actually give you in cybersecurity?

Investigation methodology. Fourteen years of detective work taught me how to build a case. How to follow evidence chains. How to identify what's missing from a picture, not just what's there. How to interview people, which in cybersecurity translates to interviewing logs. The log is the witness. It tells you what happened, when, and sometimes why. But like any witness, it has gaps, and knowing what questions to ask the log to expose those gaps, that's detective work with a different medium.

Liz put me on a threat hunting team after three months, which is fast for someone at my level. She said my investigation instincts made me better at threat hunting than analysts with twice my cybersecurity experience. I don't fully believe that, but I understand what she means. When I look at network traffic logs, I'm not just looking for known bad indicators. I'm looking for behavior that doesn't make sense. A user account accessing a system at an unusual time. A process running on a server that doesn't match the server's purpose. A DNS query pattern that suggests someone is exfiltrating data in small chunks. These are the same instincts I used when I was reviewing bank statements for a fraud case. The suspect's spending pattern would change, and the change would tell you where to look next. The data is different. The instinct is the same.

The thing the detective background does NOT give me is technical depth. I know how to investigate. I don't always know how the systems I'm investigating work. My colleague, Noor, she's 26 and she can read raw packet captures the way I read witness statements. When I look at a PCAP file, I need to reference documentation. When she looks at one, she sees the conversation happening between the machines. That fluency takes years to develop, and I'm behind. I will always be behind someone who started at 22. The question is whether my investigative skills compensate for the technical gap, and right now the answer is "mostly, but there are days when it doesn't."

What's yours?

The loss of authority. As a detective, I had a badge. I had legal authority. When I walked into a room, people answered my questions because the law required them to. I could subpoena records. I could compel testimony. I could make things happen with the weight of the state behind me. In cybersecurity, I have a Jira ticket. I have "recommendations." I have "findings." And the people on the other end of those recommendations can say "thanks, we'll get to it" and then not get to it, and there is nothing I can do except escalate to my manager, who escalates to their manager, who has a conversation that may or may not result in action.

The powerlessness is specific and constant. I identified a threat actor infrastructure pattern last month that matched activity we'd seen targeting three of our clients. I wrote the analysis, Liz approved it, and we distributed it as a threat advisory. One of the three clients acknowledged the advisory and took action. One said they were "reviewing it." The third didn't respond. In law enforcement, if I identified a credible threat to three people, I could take action. In cybersecurity, I can only advise. The gap between knowing something is a risk and being able to do something about it is the widest distance I've crossed in this career change, wider than the pay cut, wider than the identity shift. I went from "the law says you have to fix this" to "our advisory suggests you consider addressing this." Some days that gap is fine. Some days I think about Carlos Fuentes and his shaking hands and I wonder if I'm actually doing more good in this chair, or if I just moved to a more comfortable version of the same helplessness.