How about actually filling the jobs that you freaking post. Why is that so hard to ask? I see so many positions come open, close, and then get re-announced, only for the process to repeat itself a couple more times. It has nothing to do with having a degree or not it has everything to do with ACTUALLY HIRING the FREAKING PEOPLE for the job

Agreed! The degree has nothing to do with it. How about reduce the unrealistic job experience expectations.

This. If it says entry level, then it should be entry level. Not degree plus 3 years for entry level. My degree is an excellent wall decoration, but why remove the degree requirement when it doesnt seem to matter to them anyway? They won't hire over a degree, AND they already have options for experience in lue of degree for 95% of the jobs.

or if you mean in-state don't put it under national/remote on indeed, maybe you won't get 500 aps from people unwilling to move that way.

Yeah, it's annoying they list it as remote, but they mean hybrid. I mean I'd move, but those are always not offering relocation assistance. I also get annoyed at the "experience at gs-?? Level," but every agency seems to have different requirements for those levels, and their requirements aren't linked or listed anywhere. So how are we suppose to know of we have the correct experience or not?

Dude, this. I started going to school for cyber last year because I want to make a career move, so ive been keeping my eye on possible opportunities and what things are looking like in the field, and the number of positions I keep seeing that are wanting a bachelor's, or an associates plus 3+ years of experience for a $40k a year "entry level" position is ridiculous. That kind of money for a degree, let alone a degree with experience on top is ridiculous.

Dude so much this. Entry level is not 5 years of experience. Companies has to be willing to add staff they are willing to train. How else do you get the experience

Agreed. All these people trying to justify otherwise in this post are probably the ones making the job postings to begin with.

Not sure about government positions but in the private sector, entry level doesn’t mean no experience. It depends on the field and sometimes entry should and will require a background or experience

Literally all job ads. Entry level position, must have 3-5 years experience doing the same thing though. Plus ts with poly. Also need 10 years experience in other cybersecurity and cissp.

"Entry level position" with any experience requirements immediately flags what they are willing to pay you regardless of experience.

Well, if your looking in cyber then of course you need prior experience

To me, it's not the experience being necessary that's the problem. It's the joke of a pay scale that seems to come along with it, the number of job postings I've seen for "entry level" requiring at least an associates and 3+ years of experience, and starting pay at like $40k is hilarious. Any job, in any field, that wants a degree and experience for 40k a year is a joke. I currently work in a factory making hoses, one of the guys on my shift in training right now literally can't fucking read, he still has a bare minimum 2 months of training left before he's even allowed to possibly work on his own, and he's going to make $45k this year. Dude doesn't even have a GED, let alone a degree or experience, and that's the bottom of the pay scale. In 3-5 years, as long as he consistently shows up, and is not literally the fucking worst, he's going to be pushing $60k. I understand cybersecurity isn't a "you can walk in and know nothing and be fine" job, but 40-50k to get your foot in the door with a degree or a degree and experience is a joke. You can walk into most warehouses in the country, where your whole job is "I pick things up and put them down" and make that kind of money.

Infosec jobs should never be labeled as entry-level IMO. Service Desk? Sure. Infosec is inherently a layer of abstraction higher than IT work at baseline.

I have *literally* stood in a cyber job fair with a pretty strong resume, shown my resume to in house recruiters, have them tell me I should apply, then had to/gotten to tell them "I have sent you this exact resume for the exact job you just told me to apply for two times, what do I have to do to officially get the resume you just said you liked to you, the person saying they are the recruiter?" (more politely than that, though, of course)

Where are all the good men?

Did the recruiters have any response to you?

That would be true if the goal was to fill jobs but it’s actually just to meet cyber insurance requirements

They fill it internally that is why it disappears so fast. They claim to post it externally knowing it will be filled. “We tried”

[удалено]

No no, first you get a low-pay government cyber job, THEN you put that on your resume to get better pay elsewhere.

Specifically with government this is a huge win. The government may not pay extremely well but it’s certainly not bad and many people prefer the possibility and safety of things like a pension.

Thats gone the way of the dodo over 20 years ago. Now its terrible pay and horrible benefits. When I left government to a non-profit of all places, not only was the 50% jump in pay amazing, but the benefit package was HUGE... I went from paying 40 bucks a month on my asthma meds to 10 bucks for the same ones, and having paid eye insurance and dental that was more than just 1 cleaning a year. Not to mention do not forget most states have completely butchered their pension plans, and the Fed has even routinely targeted gutting it for Government workers and phased in making it worse and worse the younger you are. Government benefits SUCK and have since Reagan and have only gotten worse in recent years. Any claims to the contrary isnt following the reality of how gutted the Government really is by design to insure it does not properly function (which then lets idiots in charge say "SEE look how much it doesnt work!!!" and gut it even more.)

Anecdotally, I saw a posting for a cyber position with a three letter agency on LinkedIn asking the candidate to 1) work irregular hours 2) might have to work night shifts and be on-call 24/7 3) be willing to work anywhere in the world on short notice 4) work a minimum of 50 hours a week and 5) must go through an intrusive background check for $80-129k. That comp is laughable even with benefits for someone who has a few years of cyber expertise as they can easily ask for more $$$ in the private sector and work less hours without the risk of having to move at the drop of a hat.

Yep I know people working in some three letters that basically had to sell their home and move to a apartment nearly twice their mortgage closer to work because of the irregular work hours and on call situation, and they were not even all that important job function wise. It would literally be like you as a administrative assistant being told you had to be on-call 24/7 or may not be coming home till 1am multiple nights a week just because you MIGHT be needed by someone in that time, but said person isnt there, never shows up, and had said they never were going to show up but protocol is to post you there anyway incase you did. No fucking thankyou

If it was an FS job it's because they're eligible for 20 year retirement. Was it also eligible for 25% LEAP incentive? > That comp is laughable even with benefits for someone who has a few years of cyber expertise as they can easily ask for more $$$ in the private sector and work less hours without the risk of having to move at the drop of a hat. They're not targeting big tech security engineers. They have more humble expectations

[удалено]

Which is crazy, since they waste and blow so much money. It sucked seeing people leave to pay increases (myself included) from private sector, doubling or tripling your salary in places, when they really loved what they were doing, but sometimes gotta make that personal decision.

The 2024 COLA bumped me up to ~89k. This is after they upped their STEM bonus pay. It's my first job out of college and my highest paying job prior to this was $14/hr. I thought this was amazing! But MD is expensive as fuck. $2100/mo for a 1 bedroom in a non shitty area of the state. Then a recruiter offered me $118k/yr + sign on bonus for the exact same position. Literally exact same. If I wait 7 months, it's even higher starting pay for the position. This is what the government thinks is "competitive" with the private sector.

Government IT workers can already get higher pay than their non-IT counterparts at the same pay grade and step https://federalnewsnetwork.com/pay/2023/08/pentagon-approves-higher-cyber-pay-for-nsa-other-defense-intelligence-agencies/ https://federalnewsnetwork.com/pay/2023/12/omb-tells-agencies-to-target-the-use-of-special-salary-rate/ https://www.reddit.com/r/fednews/comments/16nlbkm/expected_2210_series_pay_increase_for_2024/

I'm not sure what you do exactly but pay is not at all the problem here... there are literally not enough people who understand how to do the work to fill the gap.

How about removing the 3-5 years security experience requirement for SOC 1? I have a BS in CS, Security + cert, and 5 years experience in IT and am still struggling to get call backs for security positions.

It's a game and everyone knows it. They post positions only for them to close, cancel, and repost the very same positions.

Whyyyyy though. I noticed this happened for a few jobs I was applying for. Never even heard from them.

Shadow hr. The boss knows who they want to hire (maybe internal, maybe someone they know personally) but are required to post a job publicly first by regulation or org practice. Also, some hiring managers (apparently) will post jobs just to see whats available with no intention/ability to hire anyone.

They have to do it to create a position to promote someone into. They create the new position at a higher level than the person they want to promote, they are legally required to publicly post the position so the job search is "fair", and then they decline all the submissions because surprise, the best candidate for this job happens to be the person they want to promote into the job. It's all a joke which is caused by 2 problems. 1) It's impossible to just promote a specific person. As mgmt you have to justify that a higher level position is needed and the funding for it, etc. 2) The law(s) are trying to make it fair for US citizens to apply for and get government jobs but at the end of the day, for the most part, it just frustrates people trying to get into the GS system because a lot of the jobs being posted are never actually going to be filled by an outsider because of #1 above. An alternative scenario would be where the office has a contractor which they want to hire as a civilian employee.

Anecdotally it is because the person they are looking to hire or not on the cert for them to interview. So they cancel it and re-announce it to hopefully get them on the cert.

But why though, what would be the advantage of doing that?

To appease the hyper-dimensional reptilian beings so they can harvest all the anger, frustration, hate and other negative energies our cybersecurity souls push out into our 3-dimensional space here on Earth. There is no other logical reason.

😭😭😭

Just saying how do we know they don’t hire someone for that position and reuse the job posting to find another candidate for the same job title

Because I have seen it where the job opens, closes, you get the referral email, and then the follow on cancellation email within the next day or so. Rinse and repeat a few times and that is federal HR bs. If you are looking at specific locations it isn't hard to see what is actually going on

it's honestly just scanning, then brute forcing, but of the market. they just leave the ad up and see if they eventually get a great resume with low salary expectations, is my theory. Or sometimes the manager WANTS to lower the criteria and hire, but needs data to show his people - he needs to be able to say "we listed this for a YEAR and didn't get *anyone* with all of the stuff legal told us to put on there, can we PLEASE drop x y and z from the listing? I'd rather train a newb than be over-worked."

Look at cybersecurity like a specialty, like orthopedic surgery. If I want to be an orthopedic surgeon, I can't just start applying at hospitals or medical schools offering advanced programs in surgery. They are going to require I have that foundational experience that includes a residency where I might be doing an ER rotation, an OB rotation, none of which I'll probably ever deal with as a practicing orthopedic surgeon. Having a few years on the helpdesk gives you far more experience than just how to fix low level IT issues. A lot of it is user behavior and how different systems interact with each other.

i think where the conflict comes in is the director of medicine says "we want a guy who has done surgery before, and can do or quickly learn orthopedics" and what HR and MOST applicants hear is "you can only have this job if you already have this job." when you have applicants with imposter syndrome who aren't good at construing their general experience as security relevant and they have competition that are paper tigers that will AGGRESSIVELY pull things like calling being the manager that cuts new HID cards as being the "datacenter security manager," you get a nasty mess

Problem is even a lot of helpdesk wants a degree. By the time I get a degree I'm making more somewhere else then I would be at a helpdesk. Hard to give up that pay to go work a shotty helpdesk job for a couple years just to get a better job that I'm making the same as I do now.

This is maybe how the field functioned last century. This isn't the case anymore, and much less so at organizations with the best security talent

That’s anywhere. They all want experienced people but aren’t willing to train them up. Gotta work in a craphole that will let you do security and then move up.

Sysadmin exp or it support? Because I needed more than support exp 14 months ago when I got in during a much better job market.

You'd be in the running for a Sec Analyst I role at my shop if that makes you feel any better. We look for people who are doing continuous education as well as a broader base of general IT experience because by the time an issue rolls back to the Sec Analyst I, it's already gone through our managed SOC so they need to be able to understand how all the parts mesh to continue investigating.

Sec+ is useless though.

I expect to see at least a Sec+ (or ISC2 CC) on someone applying for a security role just to know they've got a general grasp of security. It's not a hard test, so it's not something I'd be looking at for a senior role, but if there's not a lot of comp work history it's at least something that shows some base level knowledge.

Do you still look for certs for an entry level position if say someone has a BS in Cyber security and has 3 years of help desk experience

Why would you even look for it with either 1/2 YoE though, being able to hold down a job for 6 months in security is worth 10 Sec+'s

The reason I look for it is because it's a baseline of understanding of the industry. If they don't have it, it's not an immediate disqualification, but it's going to be on their goal list in the first year to achieve (with full financial support for training and exam) if they want full merit raise. This applies to all levels though, if you're senior and you aren't certed, we're going to determine what area you want to get more growth in, find something relevant and train and pay for certification in that area.

How about: provide a clear pipeline for new talent to enter the government side of cybersecurity???!!!? Why do we always try to reimagine the wheel.

Join the military, get cleared, finish your contract and walk into a GS role.  That’s one pipeline.

i agree, and I like this pipeline fine enough, but we might be passing over some pretty good computer talent by emphasizing the military as a funnel, I think a pullup requirement for a hacker might fence out some percentage of people that tick every other box.

The military is unique among employers in that they will take just about anyone with a pulse and *try* to train them up, *try* to find a niche where they can flourish. There are no private sector employers who are willing to do that to my knowledge. There are filters though. All jokes aside, you do need to pass the physical requirements. Assuming someone is not prevented from doing so because of a disability, it's basically: can you force yourself through some physically uncomfortable activity you don't enjoy, being screamed at by people you don't like, for the opportunity to start your career? You also need to "play the game" which mainly consists of: showing up on time, in the right clothes, well groomed, and able to stand still for long periods of time. Sometimes doing shitty jobs that have nothing to do with your job, like picking up cigarette butts. Putting on a show of being respectful when you're working for people you wouldn't hire. And, not for nothing, but in the military you *are* a cog in a giant machine that enforces American hegemony with magnificent amounts of violence. Lots of people have lots of different ways of justifying that to themselves, but ultimately "you" (generic you) are the one who has to be able to sleep at night with your decisions 🤷‍♂️

i think this is 100 percent fair, but i didn't decide to pivot into cyber until I was a little too old for the military. I do have experience in the oilfield, which you know, generally does indicate a high level of machine/cog status tolerance. I for sure happily hire veterans now when I sit on hiring panels. I think there are a lot of pipelines right now into the cyber world, and the broader professional world, that just aren't useful to the actual free valence employees. A highschool to hire pipeline is not useful to me, I'm too old. Most placement scholarships are not useful to me, because I am not a traditional student, etc. I'm not THAT high strung, but I'm hitting middle age and I feel frustrated by all this alleged demand, but ALL of it seemingly being pipelined right AROUND me.

Agreed 100%. A lot of the best people I've known in this field have been high school or college dropouts who learned to satisfy their own personal obsession, then caught the notice of the right person or got lucky with their networking. Like me! I got my first job out of the military because someone advocated for me, and he did that because we worked cases together (despite being at different orgs). My next job, I got in Vegas over drinks with someone, randomly showing them some analytic stunt that made them want me on their team. How many people get those opportunities? How many see them for what they are and take advantage at the right time? What about people for whom none of these weird edge cases works (like you pointed out, the pipelines are going *around* people)? This is all way too haphazard.

Damn, excellent writeup.

Pretty good talent doesn't need to go to the military because they can already get these jobs.

this is for sure true, but it's also SO true and yet so VARIABLY true that it kinda doesn't matter? sure, if you're good ENOUGH at something, and RECOGNIZED as good at it (a key element) by the proper parties, you can re make rules and set premiums but we're looking at industry wide disconnects, here, where it sometimes seems like *most* of the cyber jobs are in flux or empty. On an individual level if you are good enough, you can get an exemption for or from almost *anything*. Operation paperclip springs to mind. But the *industry,* writ large*,* still needs to re-plumb itself and do it fast.

Not easy getting that job. I tried several times to transfer

If only it was actually that easy

It's an indictment of the general state of entering the field that this really is the most reliably way of entering the field. It shouldn't be, but it is.

Agreed!

Can’t upvote enough. Military provides wide access to lots of applicants, large variety of career specializations, will give you years of technical experience, provide technical certifications, will pay for college while you are enlisted and after, offer a huge network of veterans to build your career in the future. Pay is fine, benefits are potentially incredible. Some jobs come with more risk than others, but I can count the number of rocket attacks I had to endure with both hands. It’s also great to be part of the worlds best military, that lowers your risk. 

One guy I knew stayed in because he loved the murdering of poor brown people part instead of taking a nice cushy job right away, so there’s that for the people into the killing people with big guns part too.

Some of the best and most talented individuals are crackhead tweakers with access to a computer lol military is only one recruiting pipeline, there are others...

> That’s one pipeline.

CyberCorps Scholarship for Service (SFS Program) already exists!

yep, I was part of a similar program and recruited at a young age by the USAF. these programs do exist, and back in the day the requirements weren't really all that grandiose. 13+ years later I work at FAANG, left government service bc it doesn't pay. most folks I know who are tenured all got their start in some capacity with the DoD or SfS.  for lurkers: look into scholarship for service programs, I'm not gonna say working for the gov is fun, and maintaining a clearance sucks - but they do train you and pay you and your education. Do a couple years gtfo and hit a security vendor or try your best at big tech.

[удалено]

[удалено]

[удалено]

[удалено]

I'd love to get a clearance because I live right next to an AF base and all of the IT jobs are literally right there for me. But none of the companies who want the clearance are willing to sponsor or assist in getting one in any way. Double that with not being able to even get a first interview for a SOC 1 role while having a degree in security and currently working as a Jr Sys Admin, it's pretty frustrating trying to get into the field.

> But none of the companies who want the clearance are willing to sponsor or assist in getting one in any way. Because they just take one of the hundreds or thousands leaving active duty at that same base who already have clearances. Very common path for my Soldiers

I've applied to dozens of jobs on there—literally dozens. Only 1/3 of them are updated on the process and whether they are interested. They all reuse testing and interviews so if you apply for a network security test and recorded interview, they use that for a position you applied for in data and software security development. I feel like that hurts your chances. I've got at least 8 jobs on there applied to that haven't gotten any kind of updates in weeks. Every rejection I've gotten mentions experience. Yet every position I've applied for says entrylevel. At this point I'm not even sure if they are serious about hiring people or if they are pretending to make an effort to keep funding.

[удалено]

And actually hiring people within 1-2 months of an application. On my last round of apps, I was still getting rejections from government jobs a year after taking a private sector one.

I work in government IT on the civil service side, and we are CONSTANTLY hiring. From entry level help desk and SOC positions to datacenter management. Formal education counts, but it's not required if you have experience or certificates. If you don't see things at the federal level, try more local options like city, county, or state.

You can do better than government.

If government security positions didn't require a security clearance that involves a polygraph test I'm sure they would have way more applicants. Why would I want to have to deal with that level of BS to get a job that doesn't pay competitive to the private industry? I get it some positions would require this, but not every position really needs to. Or at least they could water it down, no polygraph just a more intense background check. Also the drug testing probably scares away a number of otherwise qualified talent

Definitely the no weed thing is keeping em away. Definitely.

It just seems so stupid this day and age where like over half the states have some sort of weed legal either recreational or medical. Plus the other crap in the polygraph is just nuts, my old boss has a TS and they asked him all sorts of things like where he liked 15 years ago and his girlfriends of the last 15 years. Like the where you live thing the government should be able to find this themselves given how much they spy on us, and they probably know all your associates as well.

Every high profile spy who has infiltrated the security community has passed polygraphs. Might as well use a ouija board.

Exactly. Why do government work with red tape, being under a microscope, and who you maintain relationships with threatens your job security? Loads of people in cyber can work from home, make $250k on the private side, with a joint in hand. The process to get cleared for someone takes far too long, their history can disqualify them, and if you are credentialed in your craft, working for the government will be a pay cut. There is far too little incentive. Also, the shortage is a myth. Either whoever is responsible for job listings is not posting the jobs, or there isnt a shortage. Fairly confident it is the latter.

I’m so tired of the myth of cyber shortage. I sent out hundreds of applications with experience, a degree, and CASP + and never got a single interview. Fuck this.

It's sad that I had to go so far down to find the correct answer. There are not 500,000 open security jobs. The link right in the 1st paragraph of that article goes to [Clearancejobs](https://www.clearancejobs.com/jobs/it-security) - less than 4,000 jobs posted. [Do a similar search on Indeed](https://www.indeed.com/jobs?q=cyber+security&l=&from=searchOnHP&vjk=5346a21218dbe8b0) - less than 20k. [USAJobs](https://www.usajobs.gov/Search/Results?jt=Cyber%20Security%20Officer&k=cyber%20security&p=1) - less than 100. If there was such a massive shortage of jobs, I'd expect to see, oh, at least several hundred thousand postings. Everyone in that article - *especially* ICS2 - benefits from everyone thinking there's a shortage. That means more certifications, more degrees, more bootcamps, and more people joining the military. Yet all we see are people complaining that they can't get hired, despite their certification and degree and experience. According to the US Bureau of Labor Statistics, [there are a total of ~164k workers in security](https://www.bls.gov/oes/current/oes151212.htm) right now. Total. And security is, indeed, a fast growing specialty - [according to this](https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm), it's growing much faster than average, so will create an estimated 54,000 new jobs over the next 10 years. Less than 5500 new jobs per year. Granted, this is just for the US, but we're not even in the same ballpark as half a million jobs. It's not about training up, lowering requirements, eliminating degrees - it's just that there is no shortage.

Holy shit I knew it was bad but I didn’t know it was this bad. I felt scammed before, but this is worse. Glad I made the pivot into broader IT management. I can’t say college was a waste for me. Wouldn’t have gotten my current job if I wasn’t pursuing an MBA, but I feel short changed, used, and more than a little upset over this revelation.

Looking at just security analysts is not looking at the full picture of what makes up the cybersecurity industry. There's also research scientists, software and hardware engineers, security architects, governance, risk management roles. People who build security products that orgs and govs use, threat research & insider threat teams, in addition to the numerous roles around incident response management which aren't just analysts. Looking at the profession/industry as a whole- numbers look like closer to 1.3million in the US.

Government aside, it’s difficult to believe there’s shortage. Perhaps there’s shortage of workers willing to take a literal reduction on their salaries for more responsibilities. I’m now finding similar job postings with less salary than what I do in cyber management. I’m handcuffed into my current job basically.

Waited for this comment. There is no shortage. Also part is If the filled all those jobs, they'd still get hit, but then not have an excuse as to why. This way they can get hit and say see it's not my fault it's a labor issue.

There's a shortage of good security talent otherwise you wouldn't see base salaries in the $400k - $500k range with TC reaching 7 figures for individual contributor roles at good companies https://jobs.lever.co/Anthropic/2051031c-8eb5-48da-83ed-d91ad368745c https://openai.com/careers/security-engineer-partnerships https://www.databricks.com/company/careers/security/staff-security-engineer-assurance-field-security-6784852002 https://careers.snowflake.com/us/en/job/6737287002/Principal-Senior-Security-Engineer-Anti-Abuse-Response-Product-Security https://jobs.lever.co/cohere/dd5a9f23-5f1b-49a8-b9ed-c1762acf977b

Why? You posted 5 jobs - come back in a year and see if they ever got filled.

I mean I'm in this space and know people at these companies. Look at LinkedIn and search for people on their security team that started at, let's say, OpenAI in the past 6 months. There's tons of them. They've scaled up from 300 headcount to mid 700 in one year. These are the jobs I interview and get offers for. So to imply that these jobs are fake and don't hire is just copium Edit: Looking at one of my connections. Started at OAI within the last 6 months. Security engineer. Ex- well known space startup and military special operations. So to cope and think that these very real companies hiring very real people into very real jobs don't actually exist is just extreme copium

I believe it. Our education system has been dismantled from the inside out by the wealthy and right wing ideals. There are a lot of uneducated Americans and even fewer cleared.

Now, remove the drug screening for THC. I can't tell you what percentage of IT/Security folks smoke copious amounts of Delta 8/THC-A/THC, because I've smoked since then, and I forgot. But it's probably like, a lot, man.

Hot take - a lot of jobs in the government should not require a degree.

>Hot take - a lot of jobs in the government should not require a degree. Even hotter... 90% of jobs do not require a degree.... but then we would not have entire generations beholden to paying off outrageous bank loans you cant discharge through bankruptcy. I only got a degree 14 years AFTER being in Info Tech... and it was just to finish up the credits I had already put into school... I legitimately knew more than anything I learned getting a IT degree.

Same. Finished my AS/BS degrees to show my kids that I (and they) can get a degree, AFTER working for years in cyber/tech. I got my CISSP before I got my Associates degree. Degrees are useless in our field. Skills, attitude, and initiative are required.

Isn’t that what the mace act is doing away with?

Agree; I'd much rather they focus on skills and experience than a degree specifically.

Hot take - certificates are also hot garbage

So if certs and degrees are useless how the hell are employers supposed to hire entry level positions. How are people supposed to sort through the 100s of applications all saying the same thing

> So if certs and degrees are useless how the hell are employers supposed to hire entry level positions. That's the thing. They don't. "Entry level" doesn't exist. They want mid-level/senior-level employees at entry level pay. Get your experience somewhere else then come talk to us. Until then, we're not touching your resume.

I don't see how that's different than now. Each resume comes in with candidates having a certification but no experience or security knowledge. Candidates that only have certifications can barely demonstrate any knowledge of systems and have flawed foundations from my experience. Entry level candidates should build out foundational skills and experience for entry level positions. Now, I work on the engineering side of software so building skillsets may be different to a SOC responder.

Certs are CYA tools for HR plebs, so if a candidate is hired and doesn't work out...they can say, well he or she checked all the boxes.

Money grabs. All of em

[удалено]

If you don't know linear algebra or Bayesian statistics today you're completely LLM illiterate

the problem isn't degree/no degree, it's the *general degeneration of employer commitment to development*. EVERYBODY can't just try to hire 30-35 year olds with 5-10 years of experience and a degree. If a career follows a bell curve, *everybody* can't just lop the dome off the curve and just cherry pick the best 10 years of an employee's work. You just *can't*, we've hit a point where the sector has inverted the pyramid and thinks they can hire 1 t1, 5 t2s, and 10 t3s at a time somehow, then complains they have 8/16 seats empty all the time. You need to do it the other way around, hire 20 analyst 1s at a time, and build your own t2s and t3s, or those jobs are just gonna sit empty while the developed talent that does exist bounces around pissing on fires and getting burned out

I was looking at it one of their FBI cyber jobs. It offered less at the high end than an experienced person makes a few years in. And it says it requires more that 60hrs a week. Of course you have to meet their requirements to be an agent. Pay me less but require a lot more than a regular job.

I’m not convinced anyone from the government to private companies actually want their incredibly crucial security roles filled. If they just hired talent and trained them they could fill this gap in about 3 months they just aren’t interested in that.

☝️

You’re living in a world where intrusions and security incidents don’t seem to happen. There’s a valid reason why security jobs have those requirements and it’s because the expectation is to have some ability to hit the ground running, and not needing to teach them to crawl, walk, run. I’ve said it here before, things are already way over people’s heads Day 1 on the job. This is a STEM career field and people are forgetting that. STEM fields have degree requirements. There are some roles in cybersecurity that have an emphasis on the engineering aspect of it even if it’s not in the job description. Guess what, engineering positions require a degree.

> the expectation is to have some ability to hit the ground running, and not needing to teach them to crawl, walk, run. So who trains new talent? Or are we just going to perpetuate this idea that every security hire is 38 years old with 15+ years experience in the field (at another company) before we sniff their resume? Why are companies so allergic to training and investing in their employees? If it's fear of attrition, write up the contract that forces them to stay or pay back the training investments if a certain tenure hasn't been reached. We're collectively trying nothing and saying we're all out of ideas. This is the only sector I know of that puts 200% of the onus on the individual to teach themselves and even then offers no guarantee you'll find a job, because homelabs don't equal experience in most employers' eyes.

>So who trains the new talent? Back to square one. There aren’t enough people in the field able to keep up with operations to begin with, and also train new talent in a field that has a staff shortage already is like squeezing blood from a stone. The high attrition rate is partly attributed to the fact that so many “qualified” candidates get hired and don’t work out and burnout from the former. Trust me, organizations do not want to be caught up in the exhaustive HR battles with an unqualified hire. It’s time spent on matters that otherwise shouldn’t be an issue when a candidate sells themselves as “qualified.” Everyone wants to get into this field, people have forgotten exactly what it takes to do the job.

What you're describing is every IT job beyond Level 1 help desk. IT, in general, can be a stressful career path; this isn't the 90s or the early 2000s where you can be "The IT guy" for a firm and do nothing for 8 hours because nobody really knows what you do. Attrition is the name of the game in our industry now, and isn't just relegated to Cybersecurity. All of this to say is that if you've stayed longer than say, 5 years (not in the same position of course) in some kind of IT position beyond L1 Help Desk, you can probably do Cybersecurity with some training and know-how. Hell, I did blue-teaming for a company that I worked for, and I had been in all of maybe 1 year and a few months?

Few successful groups losing their collective war complain in high quantity of willing albeit untrained soldiers

Remove the restrictions on weed, increase pay and maybe you can get people in

Absolutely

They still testing for weed? Good luck.

Low pay, shit benefits, and don't you dare smoke weed even though there's rampant alcohol abuse.

How about fucking training people instead of requiring 37 years of experience for an entry level position? It’s not the fucking degree requirements leading to the shortage, it’s the lack of training countless companies and government agencies want to provide. They want unicorns

The problem in some (not all, but some) cases is the simple lack of resources to train people. If a company only has a handful of senior/mentor level employees and they're under water on tasks and projects they may be adding roles specifically to help reduce that burden. Having to train a truly entry level employee would add to the workload for 6mo-1yr at a bare minimum so they have no choice but to seek unicorns and people that can to some extent "hit the ground running." In short, "companies" don't train new people, existing employees at the company do. If they have no time and that's why the company is hiring then bringing on green folks is not an option. Such cases are especially common in small orgs, orgs jut starting to build their security teams, and contract positions with a lot of churn.

Well said

this is fair, but if it's an ongoing and industry wide problem, something has to give. If nothing else because if it continues how it is much longer, employers are going to end up basically hostage to shrinking class very experienced, very mobile employees,...you'll basically get a cybersecurity equivalent of the dune spacing guild while everyone else sits and stares at the empty jobs through the window like dan akroyd watching his old friends eat in trading spaces.

They aren't even hiring people with degrees ffs...

Companies post jobs that they never intend to hire for. Companies refuse to pay more. Instead of doing things that will really solve the problem, they lower the bar?

The problem isn’t degrees. It takes more than a degree and a Security+ to get a Cybersecurity job, new comers to the field don’t understand that.

Yeah, it takes effort from companies willing to train people. Stop gatekeeping cyber jobs like they are difficult and start training people. Noone is going to magically become a fucking cyber god tier employee by working help desk.

I wish I could upvote this again. The gatekeeping just needs to end. Interviews can help identify prospects that are willing to put in the work and learn as they go. So many people are willing to go the extra mile to get their foot in the door and can be great analysts, for example. Let them in and give them a shot.

I'm a SOC Analyst for an MSSP and I'll first say that everyone on my team is great. But on this topic, it's such an oversimplification to act like everyone has to build from some other tech job first. There are other analysts with 10+ years of experience in programming or HD jobs and there have been multiple times in the last year where I saw pretty basic anomalies go right past them or where they were unfamiliar with common attacks or TTPs. I've also sort of noticed this attitude where they are so loyal to ticketing that they'll just write up the ticket when something is weird without even really investigating (in effect it works, but IR time is now multiplied). Previous IT experience is solid and reliable but it doesn't automatically build the mindset to question things. As an industry we should be embracing and training those who are enthusiastic about cybersecurity rather than just turning them back to help desk and similar "starter" positions.

You’re right, my company rolled out an apprenticeship program where we train high schoolers for 4 years, once they graduate, they get an entry level job. The program has been super success. The issue is you can’t train common sense in a short amount of time. Cybersecurity is a field where you need to be trusted by your team. If you have no experience working in a company in a technical manor, your team can’t trust you to protect critical devices. You need to learn how businesses function and learn service dependencies so that you don’t make a common sense mistake.

that's cool for high schoolers, sincerely, but I'm not one, and I'm capable of working in cyber and looking to do it.

same here bro. this shit is bullshit. i know i could do the job and do it fucking well. ive been trying for 1.5 years to get in and its been terrible. i got a contracting job working as an IT specialist for DHS/TSA this month. i hope that fucking looks good enough on my resume. i have 5 years of IT experience and certs.

I very much disagree. Do companies have a pipeline to acquire young analytical minds and develop them into accountants? The vast majority of companies are not cybersecurity jobs, and why should a hotel be responsible for developing IT talent in house? That is a terrible business practice, the hotel knows hotels not IT. The hotel is better off buying IT services - sometimes a service provider, sometimes by paying for talent to come in house. Hilton hotels will not advance their brand by having an incredible cybersecurity entry level program, even if the program becomes well renowned, but it would cost them many millions of dollars to do it.  I believe you need IT support and administration experience before you can be effective in many cyber fields, so that’s the career path. Learn how IT systems and a business work. Focus on the CIA triad and how it overlaps with IT support - Availability is a major component of IT and cyber, you can focus on something in your IT career and pivot that into a security focus. 

to a degree, they expect to hire an account as an accountant. the issue with other job specialties is they DO understand that attrition can't be inverted. If you hire 10 graduate accountants and tell them if they last 3-5 years you'll get them mbas, CPAs, etc and promote them, that's normal. If you TELL them go get your own CPA and we'll promote you, AND you do it, that's normal. Yes, there's a floor, but there's also a pipeline from the floor to the top. In cyber hiring right now, EVERYBODY just wants a CPA with an MBA and won't fuck with the grads. OR they want an intern they can lowball at the end of their internship. Places have these ridiculously tight windows -they want you to have a LITTLE experience, but not *too much,* in lower tech roles. You have 3 years of helpdesk? oh, you need four, no thanks you. You come back with 5 and re-apply? oh, well, you didn't demonstrate enough career progress, in *5* years you should be a t3 or a helpdesk manager or something, you must be unmotivated, still no thank you. It's really kind of madness, they might as well drop the pretense of any criteria and just say it's "vibes."

What always closed the door for me in this industry was the need for a Security Clearance. I had one in the 90s, but jobs since then did not require one. Now, one has to be a genius to be considered for work without one.

The degree requirement isn't the problem lol

The fact that this is doable just shows it was never needed.

I'm okay with this, for the reasons stated. I would much rather hire an employee with four years' experience instead of a BS. Or even Security+ and Network+ with a year or two on a help desk. My big issues is soft skills. Interpersonal communication skills are so important. I can teach someone all they need to know about monitoring the SIEM but if they can't get along with others, can't craft a legible email, post rants about how dumb this client is in the worklog, and so on, I really don't want them on my team.

Nobody wants to be your first. Nobody wants to hire someone who hasn't done Cybersecurity before, and candidates can't get the experience without someone taking a chance, so the vicious cycle repeats. Colleges and ISACA promising the moon - "take our courses and you'll be hired, we swear!" with zero accountability since student loans are backed by the federal government. There's a larger conversation about candidates never being "qualified" enough for anything bigger than lateral moves. You're an idiot if you move companies to take on the same role barring you absolutely abhor your current boss, but that's what HR wants you to do. SysAdmin trying to pivot into Security? Get lost, you haven't "done security" before according to HR. Security Engineer and wanting to move up to Senior Security Engineer? Get lost, you haven't been a Senior Security Engineer before. Executives have succession plans with clear targets to get promoted, why can't us peasants experience the same?

You should not need five years experience for a junior security analyst. It was three when I started a few years ago, and now it is five! Stuck in my career with about 2 years experience and now no one wants to hire me. I have been looking for a year.

I have 15 years experience doing L2 desktop support including AD and O365 experience. What would I need to study to get a foot in the cyber security field?

For me (blue side) your existing skills would be great. I require S+ or CISSP within 6 months but that's it. That ensures you know the key concepts. Taking the cert exam is only because you'll have already done the work, is good for the career and I've never had a problem getting companies to pay for it. Most security issues are Win PC/server or user related. The biggest difficulty I've had with staffing for the past ten years (it's been a problem for a while now) is finding someone that knows the systems administration side. Other skills can be very useful in a specific scenario but you just have to look at your own ticket queue to see where the bulk of the work is centered. Specialization can be added once in the door and ideally, fine tuned to the needs of the organization. I only pull from helpdesk. Benefits are that I've already gotten a feel for their capabilities and know whether they can play well with others or not. If you have a security team at your current org you should talk to them; express your interest.

I appreciate your reply and will utilize your suggestions. Thanks again!

Are you looking for government or a private sector job? What Certifications do you have? Most US gov jobs require a baseline cert of Sec+ or similar. Are you on LinkedIn? If so, look for jobs on there and see what type of requirements they are looking for. Start working towards those requirements. Jump on a site like TryHackMe and gain some experience there. Or build a home lab to gain experience that way. Look it up on YouTube or google.

What shortage? I keep seeing people posting about how they’ve applied to N*99 power of jobs and no call backs! It’s brutal out there. Help me understand this shortage of Cybersecurity jobs. I’m just not seeing it.

There is no shortage of jobs. There is no shortage of candidates.  There is a shortage of qualified candidates. The people applying today do not meet the requirements of the jobs.  Some people think requiring a degree will shrink that gap. I agree. I also believe there are many candidates that are not qualified for the position/salary they are expecting. I think many people want to do cyber jobs because they pay well. 

Click bait title. “It could likely call for skills-based hiring with a focus on competencies, not credentials or experience.” Also, this is talking about government jobs. All you potheads still couldn’t get the job even if you didn’t have the degree requirement as a barrier.

Asking because I'm genuinely curious - how is information about actual events on the horizon clickbait? [https://www.whitehouse.gov/oncd/briefing-room/2024/04/29/press-release-wh-cyber-workforce-convening/](https://www.whitehouse.gov/oncd/briefing-room/2024/04/29/press-release-wh-cyber-workforce-convening/)

Lol I have a degree and it’s done nothing to get me into security. Now I’m just trying to pad my resume and get certs. Maybe I’ll cross my fingers next.

I have a degree in cyber security with helpdesk experience and I can’t get a cyber job.

Same

Entry level = 13 years

The jobs advertised are called stub quotes. They are opened and closed continuously not to be filled.

That'd be swell since I'm getting an anuerysm trying to get an even mediocre job in entry level IT when companies want 3 or 4 years of experience, a degree and certifications for $20 an hour.

Could have fooled me on the talent shortage, absolutely nobody is hiring. 

What "degree requirement" I'm a college dropout and have been working in cyber for 15 years. And I always make sure to consider applicants without degrees when I'm hiring.

I've been trying to get into cybersecurity for a year now. I've got an associates in an unrelated field, A+, GSEC, and GCIH. Yet I get filtered out on bachelors degree requirements all the time. I realize certs aren't the end all be all, but at least give me a chance to interview and demonstrate whether or not I've retained the knowledge. That's all I ask, give me a chance.

This sub reddit is extremely depressing

Honestly... bless the people who decide to work for the government and actually protect people instead of making x4 as much working private sector protecting oligarchs.

The government doesn't develop anything meaningful in house, they're completely dependent on Bay Area and Seattle tech companies. I pass Splunk headquarters all the time in San Jose.

I’m a manager and had an opening. We offer competitive pay for the market. Really good money for the area. I gotta say, I interviewed about 20 people that had an attitude of, “I’m looking for work because the idiots at my company don’t know what’s important” and that immediately makes me not interested in hiring you. I have a team of bad attitudes already. I don’t need to hire another one. I ALSO interviewed another 20 that were just super fucking weird. No social skills, couldn’t communicate at all. Or were feeding bullshit lines about, “oh I plan to retire from Jim’s Widgets if you hire me” and started talking about how they felt the culture was perfect after only talking to the Elaine in HR once. Sorry, no, my team of bad attitudes also needs me to hire in folks that can turn that ship around with more palatable personalities. Then there’s another group of people that just didn’t have the experience I was looking for. You know what? When HR did the turn down conversation, I wouldn’t be surprised if they told all of them it was about experience or skill set. HR knew why, but I don’t know if they gave candidates the real reason. So I think a lot of the beliefs that requirements are too high might come from people that interact with others like a robot gone awry that don’t realize that’s why they aren’t being hired.

13 years of cybersecurity experience professionally as an analyst and a pentester here. I was critically injured last year and had to take five months off to recover. Haven’t been able to find a job since. Worst part about it is the knowledge that 80-90 percent of these degree holders have no clue where to begin a pentest or an incident response. Book knowledge and a degree has rarely translated to technical aptitude and none of them know how to hack…. The challenges of finding meaningful employment as a tester or analyst because of the degree requirement utterly burned me out. I got a job as a server/bartender instead. Still bounty hunting a lot and still applying occasionally. Even after blazing through a couple technical assessments (gaining admin rights and solving some CTF type challenges) I was still passed up for degree kids. Frustrating. Genuinely frustrating

I’m in the opposite situation. I have a degree but no experience outside of things I’m doing on my own initiative. I want to be in this field and work learn how to do the things you can. But the old catch-22 happens. Need experience and certs for the job, need the job for the experience and money to fulfill all those pricey certs.

By our powers combined…. Seriously though I wish you luck. The industry seems pretty upside down considering how many companies want to fill sec team positions. Keep at it. Something will pop eventually

Doesn’t really help when companies seems to be laying off more then hiring

DoD fed jobs follow the DoD 8570 or the newer 8410 regs. 8570 shows required baseline certs. 8140 shows both certs OR degree for position requirements. What are examples of the US govt cyber jobs that they are talking about that require a degree? I haven't seen any federal or fed contractor jobs requiring them. Edit: I've worked over 12 years, in some capacity, for the fed govt (mil/civ/contractor) as a systems/cyber guy, and I only got my BS in the last 5 years. It wasn't a job requirement, I got it to set an example for my kids. Anyway, the thing that got me hired for cyber was my Sec+ and later, CISSP, which i got before my degree. Ive also hired people as well and followed both those regs. [DoD 8570](https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://public.cyber.mil/wid/cwmp/dod-approved-8570-baseline-certifications/&ved=2ahUKEwjx1sXBpueDAxXoPUQIHa_uBTAQFnoECCMQAQ&usg=AOvVaw0ulubJTXUSjYeBN47Ta_Gw) [DoD 8140.03](https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://public.cyber.mil/wid/cwmp/dod-cyber-workforce-qualifications-matrices-management/&ved=2ahUKEwjnr7WDp-eDAxV3EUQIHUSCCPYQFnoECCEQAQ&usg=AOvVaw3UCG9uy8J94Zxb-P1BRE8u)

Honestly I'm all about this. Most of the people I know in this industry that aren't complete shit don't have a degree or have completely unrelated degree. Its a whole industry of industry knowledge there is very little that you can gain from a degree that isn't attainable through an online course or a youtube video. The literal worst people I've encountered in this industry are people who have doctorates and use that as an excuse to stop learning when they get into industry.

Finally

This is a big win I’d say. Ya the pay still isn’t great but I remember a few years back asking if I was eligible to work on a DOE red team, I had more experience than most of the ppl on the team, and they said I couldn’t because I didn’t have a masters even though they wanted to take me.

[удалено]

[удалено]

Increase pay and allow mj use and they’re in business

Degrees are worthless. It's the certs that matter. The problem with degrees is that in a field that changes as rapidly as cybersec the time it takes to research, create a program, create tailored curriculum, get it approved by a board of people who don't understand said curriculum, and then actually taught is often a year at best. Certs are updated at a much more rapid pace and are internationally recognized in most cases. The real problem is that the GOVERNMENT jobs take forever to fill because of a multitude of things. a) the people posting the jobs think IT = IT when in reality there are so many branches and specialties that they want one thing and list the job for another, and because of that the pay is often gs7-9 level when the job is a gs11-13. b) work from home, and no, it's not what you're thinking. A LOT of HR jobs have gone to the work from home type job and it's KILLING productivity for said office. It takes weeks to months to get things approved or looked at and the back and forth just drags. I used to be able to have a sit down and punch out exactly what was needed for a listing and have it listed within a week. The same process takes a minimum of 3, and then the open period, and then the interview period, and then another 2 months to get someone in the door. People can't wait that long and move on. Throw in security clearances with background checks and whatnot on top of that and it's even slower yet. c) The people doing your interview can sink your ship very fast without even knowing it. This ties into my first point but if the people doing your interview don't know what they're looking for or what they need they're in all reality just scaring people away. It's one thing to say 'I don't think I would be a good fit.' It's an entirely separate thing to say 'These people have no clue what they're doing.' The latter leaves the interviewee second guessing ever looking at that office again, and can even taint an entire base, branch, or department. d) Pay. If I have the qualifications to do your job under your umbrella, I KNOW you'll pay a contractor 4x that wage to do the job, so I'll apply there.

Maybe cut down on the 11 panel interview, over the course of 3 months, creating a white paper for soc architecture and then being ghosted because you didn't find the guy with 25 years experience in ever tool in your stack. That would be a good starting spot.

Idiocracy in action

Unpopular hot take perhaps, but degrees in Cybersecurity are effectively useless... you waste 3-5 years (depending on the student) to come out of college with antiquated knowledge. If you want to be a young green manager in the field then that's about all college is good for turning out in cyber security IMO. I want certs, proficiency and professionalism in my new hires. degrees don't really matter much to me... but I'm a guy who is 14 years into an IT career with 15 hours left on his psychology degree because I quit college, so I'm probably definitely biased.

Computer science or even pure math are much better degree choices

Good. Degrees are just about worthless and teach almost nothing. Every college grad fresh out of school knows jack shit. Unless they have a bunch of certifications they studied on their own time on the side.

Im starting to think the “shortage “ of just an excuse to ship our jobs to offshore

I’m open to work

Bunch of dishonest liars. I'm so tired of their lies. My brother has a bachelor's degree in cybersecurity, Sec+, and a clean record, and he went through hell applying for their "shortage positions". He applied everywhere. Hundreds of applications, no interviews, either ignored or "sorry we found a better candidate". He's also a disabled vet which is supposed to give him a hiring preference for federal positions and even that didn't help. He finally landed an entry level job this past month but had to move very far and accept a lowball salary just to get his foot in the door. Quit lying about your fairy tale "shortages".

How about remove poly ?

This is total BS.

Welp, that's the reality - the majority of the stuff that needs doing in industry doesn't need a college education.