Associate
I'm in my first cyber/infosec job after being in infra/IT service delivery for the last 12 years. I have no industry specific qualifications although I am doing a CISSP. Speaking with long timers in the industry the opinion is that certificates are good for getting the interview but don't necessarily translate to added value in the role. I don't know if this is broadly the case, just what I've been told. I'm currently in a director/head of position after various It/infra manager jobs. In my current role I wear lots of hats but i'm also at an SME so as others have said you could pick a more specific area and go with that working at a larger company. GRC in gov could be a good fit based on the experience you've stated. My role is strategic however very much hands on due to the nature of the business I work and my day can be extremely varied.