How I got into cyber security after the Army
A field note on moving from Army radio systems and project delivery into cyber security without treating it as starting again.

I did not switch into cyber security from the Army. Not cleanly. Not in the way people sometimes describe career moves now, as if there was a single moment where I crossed a line from one identity into another.
I moved through roles, contracts and environments that kept adding weight to the same basic foundation: communications, systems, delivery, risk, pressure and people. Cyber security became the obvious name for work I was already circling for years before it appeared properly in my job title.
If you are a service leaver, an engineer, a project manager or someone in an adjacent field looking at cyber, that distinction is worth understanding. A switch can make you feel like you are starting again. Building lets you see the value in what you already carry.
What the Army actually trained me for
I joined the British Army in 1998 and left in 2008 as a Radio Systems Manager, while also serving as a Physical Training Instructor.
Nearly ten years across varied postings, exercises and operational tours gave me a certain way of looking at work. Not a romantic one. A practical one.
Comms systems had to work in environments where they could not just look right on paper. People needed the right information at the right time. Equipment had to be understood, maintained, configured and trusted. There were ranks, personalities, pressure, fatigue and consequence. You had to translate between people who cared about outcomes and people who cared about detail.
You also learned that basics done consistently beat clever plans that fall over when the environment changes.
None of that was cyber security.
All of it shows up in cyber security work every week.
The best security work is not just technical. It is operational. It asks what the system is for, who depends on it, how it can fail, who can abuse it and what happens when something breaks at the wrong time.
That way of thinking was already being built.
The bridge years
I left the Army in 2008 and joined BT Global Services as an Installation Design Consultant. A year later I moved to QinetiQ as a Radio Systems Domain Specialist, working in defence training. Alongside that, I picked up CCNA, CompTIA Network+ and an HNC in Telecommunications.
This is the bit some people skip when they tell pivot stories.
There is usually a stretch where you are not sure where you are heading. You are not where you were and maybe you miss it. I did. But you are not fully where you are going either. You do the work in front of you, and if you pay attention, that work starts shaping the next move.
For me, that stretch was networks, comms design, training and delivery. All relevant later. None of it labelled as cyber at the time.
Looking back, I can see the thread clearly. At the time it just felt like trying to stay useful, keep learning and build something solid after leaving a life that had given me structure.
Africa: where security stopped being theoretical
From 2011 to 2015, I project managed technology installs in places where the threat model was not a slide deck.
First with Ophir Energy, supporting oil and gas exploration drilling operations across land and marine sites. Then with African Minerals in Sierra Leone, running a programme that included server upgrades, CCTV, access control, industrial control systems, fleet management and telecoms on a working mine the width of London.
You do not manage those kinds of projects without thinking about who can get to what, who can shut what off and what happens when something goes down.
You think about access. You think about resilience. You think about recovery. You think about physical and technical dependencies sitting on top of each other. You think about the gap between the drawing and the environment. You think about what a failed system means when people, production, safety and logistics depend on it.
That was cyber security work in everything but the job title.
It was also where I got serious about programme management as a craft. I completed ILM Level 7, APMP, PRINCE2 and MSP in 2014, using up my military learning credits while working between stints away. Partly because the funding was there. Mainly because the work demanded better structure.
The bigger the environment, the less useful vague effort becomes. You need scope, ownership, communication, sequencing and follow-through. You need to finish what gets started.
That has stayed with me.
The cyber role at Bramfitt
I joined Bramfitt Technology Labs in 2018 as a Cyber Security Programme Manager.
The work moved across energy, retail and manufacturing clients. Penetration testing strategy. Cloud migration security. Vulnerability management. Secure development lifecycle. Managed security services. Security control consulting. More recently, AI security and governance.
The threat actors were different and the tooling was sharper, but the operating model felt familiar.
Understand what you are protecting.
Find out how it actually breaks.
Communicate cleanly across the people who need to act.
Finish what gets started.
Certifications followed where they earned their place. CISM. GCCC. ISO 42001 Lead Implementer for the AI governance work. MIT’s AI strategy course for the business framing.
I would like to say I chose them all with a perfect plan. In truth, the path (and boss) chose most of them for me.
That is probably how it should be. Training should serve the work. It should give you language, structure and sharper judgement. It should not become a substitute for delivery.
A simple model for moving into cyber
If you are coming from the military, engineering, infrastructure, project delivery or another adjacent field, do not start by asking whether you are “cyber enough”.
Start with better questions.
What systems have you already been responsible for?
What risks did you have to manage when those systems failed?
Who did you have to communicate with under pressure?
What judgement did the work force you to build?
Where did you already deal with access, resilience, recovery, misuse, dependency or consequence?
Those questions help you find the cyber relevance in your own background without pretending your gaps do not exist.
Because there will be gaps. Of course there will. You may need stronger technical depth, better security language, more familiarity with frameworks, clearer understanding of threat actors or more exposure to testing methods. Fine. Fill the gaps.
But do not confuse gaps with starting from nothing.
A lot of people arrive in cyber with practical experience they have not learned how to name. They have managed critical systems, led projects, dealt with failure, handled pressure, coordinated technical teams and explained risk to people who needed to make decisions.
That counts.
It does not make you finished. It means you have started.
The lesson if you are thinking about a similar move
If you are in service, engineering, infrastructure, project delivery or anywhere adjacent to cyber and wondering whether to switch, you may not need to switch at all.
You may need to identify what you are already doing that counts, name it properly and find an employer who values operational fluency as much as the certification list.
Certs have their place. They give structure, language and a signal that you have done the work to understand the field. But they are not the work itself.
The work is judgement under pressure across complex systems with people who do not always agree.
It is seeing the gap between the diagram and the real environment.
It is understanding what happens when something breaks and who needs to act.
It is knowing that a finding, a risk register or a test report is only useful if it helps someone make a better decision.
If you have done that somewhere else, you are not starting from nothing.
You have already started.
Consultant delivery note
The strongest cyber consultants are rarely just tool operators.
The good ones understand systems, people, pressure, ownership and consequence. Technical skills can be developed, but delivery judgement is harder to teach.
If you already have that from another environment, do not dismiss it. Name it properly. Build the technical gaps. Get around good people. Take the move seriously.
Then carry your weight.




