National Cyber Warfare Foundation (NCWF)

Lesley, What Happened to the Cybersecurity Skills Shortage?


2025-04-02 03:04:16
milo
Red Team (CNA)
Are you stressed out right now? I’m stressed out. Most Americans are, and cybersecurity job seekers are definitely not an exception. I do a ton of career mentoring and career clinics, and I see… the brunt of it. The last few mentoring Sundays I’ve done, I have had two or more people burst into tears. It wears me down emotionally, too. It’s time, internet. We need to have a talk about the terrible state of the cybersecurity jobs market.

Let’s talk about the History of Cybersecurity Jobs (Part 1). Not to age myself, but I’ve been doing this for a pretty long time. It was a different era when I got into the field, like a lot of managers and senior folks today. 25 years ago, network security was mostly (don’t jump on me, pedants) a single role that people often got pushed into out of necessity. Hackers would sometimes make the move, but it was often an admin. 15 years ago, cybersecurity had a standard path into most roles, which was SOC shift work straight out of college or a tech school, or some other low-level tech role. Passion was looked at more than credentials – nothing more than a Security+ was typically required. After a couple of years doing alert triage, you would move on to something more specialized.

Then, things went south. Around 5 years ago, the universities and boot camps really caught on to the fact that even those entry-level SOC jobs paid… pretty well. They weren’t as outsourced as software development, web dev, or help desk. To make them even more appealing to for-profit educators, at the time there were only a few certification companies offering training, and a couple of universities. A huge, juicy market for for-profit educators.

Then, there were the damned “skills shortage” studies.

They say that 99% of statistics without citations or evidence are made up. This is one of those cases. Is there a “skills shortage” in cybersecurity? Well, it really depends on who you survey! If you ask me, with an impossible caseload of critical infrastructure cybersecurity cases, of course I will say I need more trained and passionate people. If you ask someone who looks at the woeful lack of diverse thinking in malware reverse engineering or threat intelligence, of course they will say we need to broaden our hiring. If you talk to people struggling with cloud tech debt, or new privacy regulations, they will all point to the challenges in finding qualified talent. Yes, there are open, unfilled jobs, and the challenges adversaries pose to …everything… keep compounding.

You’ll notice none of the jobs I just named are the typical entry-level tracks of “junior pen tester” and “SOC analyst”. Those are the very roles that the for-profit education organizations latched on to, developing hundreds of cookie-cutter Bachelor’s and Master’s curricula to fill them. Then they sold them as a golden ticket (especially to veterans and underprivileged people)!

So now we have a big, Big, BIG problem. The universities, colleges, and boot camps sold the hell out of an entry-level skills shortage that does not practically exist, and everybody in those programs just graduated, all at once. I cannot express how numerically and logistically dire things are. In the US, my peers are reporting upwards of 100 qualified candidates (after HR screening) for SOC roles. Red team has always been far worse. These numbers mean HR and recruiters can (and sometimes must) keep raising the minimum bar to entry for the most basic, entry-level cybersecurity roles. Where 10 years ago a two-year degree or similar work experience was more than enough to land a job with a basic certificate like Security+, and a university graduate was a shoo-in, today I see this horror as the typical minimum requirements for getting interviews in an entry-level SOC:

  • Bachelor’s degree in IT (Computer Science or Engineering preferred over Cybersecurity)
  • Two-plus years of full-time general IT experience, such as a help desk role or systems admin.
  • Second-tier SOC certification such as Cisco CyberOps or CySA+ completed.
  • Community work such as conference volunteering, CTF placement, or development of tools.
  • Right to work without visa sponsorship.

That’s like, the absolute bare minimum that is getting people calls, and it’s incredibly worrying. It is doing a couple of negative things to the industry. First, it’s making candidates way less diverse, as they must have the money, time, and resources to fill those expensive check marks. They’ve also all had pretty much the same cookie-cutter (and sometimes out of date) education. That’s really bad as we face more resourced and adaptable adversaries.

Secondly, these restrictive hiring practices often don’t come with a great pipeline into the niche and senior roles we really do need to fill. Yes, there really are roles in cybersecurity where hands-on experience is a must. They just are not entry level, and they require exposure. That obligates us as organizations and seniors to ensure juniors can make it there! Somebody has to give them a chance.

What does this mean for seniors and hiring managers? We need to mentor more. Offer more clinics and training for free. We must be careful in our job posting requirements and try not to gatekeep non-traditional backgrounds. Stop assuming people’s route in will be the same as ours was. It is much, much harder today, and they have to do a lot more work to even land an interview.

What does this mean for universities? There are some good schools out there doing good stuff in cybersecurity. However, if your school is selling an entry-level skills shortage in 2025, shame on you, for leaving us to pick up the pieces after your grads can’t even land an internship in months in this horrible market. Seriously, y’all salespeople can go to hell. If you’re a decent human, please evaluate the currency and relevance of your curriculum. Cover non-traditional niches and encourage critical thinking and lifelong learning. Set reasonable career and salary expectations!

What does this mean for job seekers and students? Firstly, I’m so, so sorry. This is the real talk, not gatekeeping. I see dozens of you a month and a lot of you are doing everything right. Ten years ago, you would have gotten a job in under a month. Now it is taking a year. You are going to have to go a lot farther in expanding your resume and networking with hiring authorities than your predecessors did. It will not be easy, and you will not make as much money. Certifications will be a must.

It will be incredibly hard to get a role without either a four-year degree or substantial IT work experience that translates. Find a mentor. Have a very clear plan about what niche you are targeting, and consider roles other than SOC analyst or pen tester. I’m not going to name the more ‘janitorial’ roles, because if I do then those will be swarmed too. Think outside the box about cybersecurity jobs that need to be done but aren’t being oversold by schools as cool and sexy. I’m cheering for you, please don’t give up.

Source: Lesley Carhart
Source Link: https://tisiphone.net/2025/04/01/lesley-what-happened-to-the-cybersecurity-skills-shortage/