Everyone focuses on what you don’t know yet. The certifications you lack, the tools you haven’t done. That’s real - there’s a technical gap and it needs work. But there’s a parallel story that gets less attention: what you’re bringing in.
After ten years teaching Economics at junior college level in Singapore, I started a deliberate transition into cybersecurity. I spent a long time focused on the deficit - what I needed to learn. It took longer to see the other side of the ledger.
Teaching forces a specific kind of rigour
In a classroom, you can’t bluff. You might get away with vague phrasing in a meeting or a report, but teenagers will find the exact edge case in your explanation and push on it. Repeatedly. If you don’t actually understand something, you’ll find out in front of thirty people.
That discipline - of knowing where your understanding actually ends - transfers directly to technical work. In penetration testing, unclear thinking leads to missed vectors, weak reports, and conclusions that don’t hold up. The habit of not papering over gaps is the same habit, applied to a different domain.
Teaching also forces you to build mental models that scale. You can’t reteach first principles every lesson - you have to construct frameworks students can carry and extend. Security thinking works the same way. A solid mental model of how authentication flows work, or how memory is managed, is worth more than a list of specific exploits.
Explanation is a technical skill
Pentesting produces findings. Findings have to be communicated - to technical teams, to management, sometimes to people who have no idea what a buffer overflow is and don’t particularly want to learn. The ability to calibrate an explanation for its audience, to cut what doesn’t matter and keep what does, is not a soft skill. It’s craft.
I spent a decade developing that craft in classrooms. It shows up now in report writing, in verbal briefings, in how I structure documentation. The people I work with who struggle here aren’t bad at their jobs technically - they just haven’t had to practise explanation under pressure the way teachers do.
What actually changed
The technical gap was real and took serious work to close. GCIH, OSCP+, OSED - each one required deliberate study and genuine discomfort. The OSCP in particular has a way of revealing exactly what you don’t know by putting you in a lab where knowing matters.
But the things that changed less than I expected: my approach to problems, my comfort with ambiguity, my instinct to document as I go, my ability to stay calm when stuck. Those were already there. Teaching a room full of students who don’t want to be there is excellent preparation for sitting with a problem that won’t yield.
The framing I’ve landed on: the career switch changed the domain. It didn’t change the fundamentals of how I work.
For anyone considering it
If you’re a teacher - or anyone who’s spent years explaining hard things to people who need to act on them - and you’re thinking about security: the gap is closeable. It requires real commitment, structured study, and probably more discomfort than you expect. The certifications that matter (the Offensive Security ones in particular) can’t be crammed. But the baseline you’re bringing in is more valuable than the community will tell you.
Document the transition. Write about what you’re learning. Teaching yourself in public is still teaching.