
How a marketing professional changed course for cybersecurity

How effectively can you change careers in midstream?

Is it ever too late to make a career change? One cyber professional doesn’t think so.

Lucie Cardiet, cyber threat research manager at AI security company Vectra AI, told IT Brew that she started out in sales and marketing. However, curiosity about cyberattackers eventually led to her current career in cybersecurity.

How it started. Cardiet’s background is in digital marketing, with a strong focus on web design and development. She spent a few years freelancing for the websites of small businesses and IT companies, and started working with Vectra AI in 2021 as a freelance web marketing consultant. She then joined the team full-time in 2022 as a marketing manager, before leaping to the cybersecurity team in 2024.

“When I joined Vectra AI, I cared about the technical health of the site, but the real mission was bringing in traffic,” Cardiet wrote in an email to IT Brew. “Trust is what makes that work, especially in cybersecurity, where the audience has zero patience for marketing language and is hunting for content that actually teaches them something.”

At Vectra AI, she had to write cybersecurity-focused content, driving her to deeply understand the topic. “I did not get the chance to study engineering, so I went into sales and marketing,” Cardiet wrote. “But I read a lot, and what I have learned is that with curiosity and motivation, you can take yourself further than your original path suggests.”

How curious? Cardiet said that when she first started training in cyber, she discovered open-source intelligence (OSINT), or the practice of drawing from public sources like social media and websites to evaluate cyber threats. From there, her training consisted of hundreds of hours of self-study, including the StationX cybersecurity series, as well as practice on Hack The Box and TryHackMe, which led to certification tracks like Certified Ethical Hacker (CEH).

Although she at first thought a career change to cybersecurity wouldn’t succeed because she wasn’t “initially technical,” Cardiet committed to continually educating herself.

“I don’t know everything, and I’m still learning,” Cardiet said. “That’s what’s fun about it. I think I’m on the path where I’m learning but I’m sharing what I learn every day with people, just for the sake of sharing…I really believe that anyone can be anything if they really wanted.”

How it’s going. Cardiet described her current position as flagging cybersecurity incidents and online behaviors to educate others on recent attacker patterns; she’s also interested in how threat actors behave, particularly in the context of social engineering.

In an email, Cardiet said she sees a repeated pattern of attackers who like to talk about the ease of deceiving victims.

“They can exploit CVEs [common vulnerabilities and exposures], and AI is going to make that easier, but the more common path is a human mistake or a human being manipulated,” Cardiet wrote. “Misconfigurations are human mistakes. Social engineering is exploiting the human directly: phishing is the only surface, there are insider threats, and increasingly attackers do not even need to target your people.”

She pointed to attackers impersonating a third party or infiltrating a system through vulnerabilities in otherwise-trusted software-as-a-service (SaaS) tools. Cardiet’s additional focus is on the implications of these attacks.

“There is no perfect defense, so you have to assume an attacker will get in,” Cardiet said. “Prevention is not enough on its own. You need something that spots attacker behavior once they’re already inside, post-compromise.”

What Cardiet wants others to know. Attackers rely on pressure, she said, and use “your emotions against you—urgency especially. If a message or a call is making you feel like you have to act right now, that is the signal to stop and think.”

Cardiet also cautioned that other cybersecurity professionals may want to keep a close eye on their digital footprints.

“Be careful what you share on social networks,” Cardiet said. “Where you live, when you travel, your hobbies, your family. All of it helps an attacker craft a message that feels personal and trustworthy, and that is the kind of message you do not see coming.”


About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
