You will often read the answer is "yes." It's not correct in a binary sense: there are cases where people break into cybersecurity directly. However, it's correct in a more general sense: a lot of people will start outside of cybersecurity - somewhere else in software, IT, risk, compliance, etc. - then move in to cybersecurity.
Not many go direct, and extremely few manage to go direct to an engineer-level position without prior professional experience. Those that do go direct may have amassed exceptional knowledge and skill outside of a professional environment, may have been lucky with their network, or may have the luxury to attain advanced certifications or degrees without financial concern. It is likely a mix of several factors.
Conversely, many others have bills coming due, and can't take years away from a paycheck to build skills/amass certifications/etc., so they will start in roles closer to their expertise or skill level and build their careers from there.