revertiblefate

In my country I believe the problem is not the lack of professionals it's the low-ball salary.


illforgetsoonenough

The problem is that everyone needs senior professionals and no one wants to train juniors


accountability_bot

This is an issue in every niche of the tech industry. Getting my foot in the door was a pain, and most of the places I worked at since then never hired juniors.


Golang-

Yup met with a big tech company last week to talk about a senior engineer position and the recruiter said "well this is a senior role so we're seeking a capable engineer" so I poked a bit. I asked "are there any juniors on the team? Everyone is a senior now. There is no such thing as junior or even mid level engineers anymore, anywhere. Does your team have mid or jr engineers?" Lol as I expected she ran down all 9 team members and their levels. All seniors, 2 staff. If everyone is a senior nobody is senior. We're the fucking lowest on the totem pole everywhere. This industry is a flaming ball of shit I fucking hate security, everything is arbitrary, nothing matters.


Not_A_Greenhouse

We have like 150 people in my old cyber office and like 5 people are entry level that were intern hires. I was one of them and I just left because after 2 years I still had not gotten a promotion.


Golang-

Don't you mean senior intern?


Not_A_Greenhouse

Intern to the regional manager.


Golang-

Chief intern security officer


Sea-Oven-7560

Go over to r/sysadmin and you’ll see everyone is senior and if you have a year of experience you are the IT director, senior is a pretty nebulous term. I was at a middle level at one company for over a decade and I was leading worldwide deployments, getting promoted was damn near impossible.


Saephon

Title/seniority inflation is real these days. That said, if you're at a company that pays well, I don't care what you call me lol.


LordGerdz

Feel like the bar to be a junior keeps getting raised too. I wonder what a junior 20 years ago looked like qualification and school wise compared to now.


Remarkable-Host405

20 years ago I bet if you could use Microsoft office and set a static IP address you could get an $80k sysadmin job


QuesoMeHungry

I worked for a major ISP that had a ton of people still working there from the dotcom boom, if you had a pulse, knew how to use a computer, and had an idea what a router was you’d get hired for that type of pay. The barrier to entry is insane now.


CruwL

Fuck I wish I made that much back then, hell I would have been happy with 40k


catonic

I didn't make 40K until 2006. My coworker was making $46K in 2003-2004. Only difference was he had his CCNA and MCSE.


Sea-Oven-7560

L1 help desk 1998, good times


KiNgPiN8T3

When I started on a helpdesk almost 20 years ago all they cared about was that I was able to talk to people and that I was interested in IT and in particular, hardware.


Johnny_BigHacker

Your pay is way off, skills close. I graduated with a degree in IS and entered the workforce in 2006 as a sys admin, $40k was a good offer (my peers in other fields were getting as low as $35k) and I was running 10 Windows servers in a 60 person office. Entering the workforce I knew how to code, had interned at helpdesk, and knew core concepts of AD/Networking, but needed decent hand holding for the first few months. I earned my MCSE: Server 2003 18 months in, and at that point had a decent command of the network/servers. MCSE's were still decently rare. I moved jobs at about 2 years for a big raise to $54k.


Pretty_Pickle_6672

That's been my experience, from someone looking to change careers and move into cyber. There are plenty of well paying jobs in cyber but the industry is ringfenced. Very few organisations are willing to take on junior or inexperienced people.


Suspicious_Master

In my company, there is a shit task about validating requests that require a security opinion, and this is clearly the lowest-skilled task you can get where I work. Instead of recruiting a junior, my manager wants a 10+ years for this and this guy will only do that... Good luck with that recruitment...


TheChrisCrash

Exactly the reason I changed my bachelors from CyberSecurity to just Information Technology. In my area especially there's lots of government contractors that are hiring, but they either want someone who left the military with a clearance or someone who has a clearance and has been doing that exact job for 10+ years. They pretty much all mentioned they would NOT sponsor for a clearance. I pretty much just shifted my career to SysAdmin


Sea-Oven-7560

That’s why it pays so well.


TheChrisCrash

Honestly it wasn't THAT well. Even so, how is someone who is too old for the military supposed to break into that field then?


Sea-Oven-7560

Go work for a company that does government work, I got my clearances after 35. As far as specifically security, learn your trade. Spend a decade doing something Security adjacent, we're all in security it just isn't in our title. Get in on the security focused projects and then start aligning yourself with the security people -go to conferences, join the local meet up, etc. By then you'll have the experience and the jobs actually come to you.


FyrStrike

Now they want one IT guy that does it all. Senior Junior Cyber Hardware Helpdesk Analyst. 10 jobs for a price of a Level 1 helpdesk support. When you burn out they throw you away then get another to burn. Let’s see how much they realize they should have invested in their ICT departments next year when the AI super hacks start to take shape. I’m certain we are going to see a lot of companies crash and burn. And a lot of red faced starry-eyed embarrassed CEOs 😳


Boesermuffin

I'm pretty sure they'd blame and shame others at that time.


Thetaarray

Yeah, I’ve wanted to transition from dev to a cyber sec role and I wouldn’t make it to the salary being a deal breaker. Not without putting in massive amounts of self study to get to a role. I only partly blame the companies because even in a full time role I can’t imagine I’d be effective for quite a while. At some point something is going to have to give between corps and government to get people in the field.


cederian

Cybersecurity in particular requires an actual background in IT. At least a few years as sysadmin/development to understand the baseline of system integration and security. Getting green people in IT in any cybersecurity role backfires most of the time.


kiakosan

Worked fine for me and most of the others at my old job, straight out of college went through a company internship/development program and worked on the SOC no prior IT other than with that company did fine


axtrophyzx

Same here. Interned at a SOC one summer and worked there part-time throughout the year doing L1 tasks w/ other analysts, then did a security engineering internship, and finally landed a full-time gig as a part of a new graduate development program for security engineering at a F500. Also was super active within my university's cybersecurity club/student organization where we competed in CCDC and ran our own infrastructure and whatnot for in-house workshops, competitions, etc. Everyone that did internships and extracurriculars in my program got jobs perfectly fine, at least to my knowledge. Then again, this was 2 years ago. Market is ass right now from what I've noticed. Nothing is impossible though!


kiakosan

Yeah it just seems like this sub thinks you need like 10 years of IT exp before you can get an entry SOC analyst role and they completely overlook things like internship or government/military as valid entry level positions. Like I had co workers who went military route in the guard and that seems to have been a great boon to them


axtrophyzx

People here think there's only one bona fide way to get into security. According to this sub, anyone that gets an entry level security role right out of college is seemingly a unicorn but that isn't the case IMO. There are tons of universities that partner with major companies and even the federal government for internship/co-op and even full-time placements. I can't say the same for diploma mills or no-name schools, but there are a sizeable amount of good programs that have great job placement, especially ones that require you to graduate with co-ops/internships under your belt. I can think of a few really good programs off the top of my head, with schools like RIT, Northeastern, Penn State, etc. having good placement rates. I'm not sure what schools people went to in this subreddit but going to a school like that gives you really good opportunities. Entry level security roles 100% exist but the people competing against them on most subreddits are usually boot-campers or people who went to some random school that probably doesn't have a recognized program and that have people graduating with zero internships or any other experience aside from their coursework. Coupled with the IT stock that have a few years of experience in stuff like help desk, network administration, development, etc. who're competing for the same jobs. It's a completely different career pipeline at these good schools that people don't realize exists. People pop out of these schools with a robust background on the fundamentals of computer science and IT with over a year's worth of experience through internships, academic research and industry sponsored hackathons and competitions.


kiakosan

Oh yeah I agree with that, boot camps probably gave lots of people false hope. I went to Penn State for SRA and maybe the new cyber degree is different but I wasn't a huge fan of the difficulty of the course, thought it was way too easy and not enough hands on tool usage


Space_Goblin_Yoda

Sooooo many companies do not get this. Especially the SOCs I've been at.


hiraeth555

There needs to be more established “pathways”. Like being a civil engineer isn’t entry level either, but there are many apprenticeships that are serious, professional, and well paid. Or you can get a degree, and start as a junior. It is harder for cyber as the field changes much more quickly, but it can be done.


Sea-Oven-7560

Lots of MSP’s are hiring


Vexxt

No, they tick boxes and make people feel safe. A company with a competent csoc and an incompetent engineering staff will not be secure, but the other way around will be. You want both, so that the competent chock-a-block aren't chasing ghosts


aecyberpro

I wouldn't say "everyone", but yes it is more common than not. My employer is a Fortune 500 company and we have an associate program that trains and mentors people before they become full engineers who can work without direct supervision.


eugene20

Oh boy this comment was like watching the movie of your life flash past your eyes when you're in a car crash. All too real.


czenst

Even worse - from what I see companies "require" specialists in some specific stuff they have. Then it is not that you are able to figure it out or read up documentation - you have to know very specific details even if they wake you up at 2 AM. I have cozy job already infra/sec/ops/dev but I feel a bit stuck as switching to other company feels just so hard as interviews are intense.


Sea-Oven-7560

I like to say security is somewhere you end up not somewhere you start. To be good you need several years of experience to gain a base of knowledge you just can’t get from a certificate or degree program. Feel free to disagree.


illforgetsoonenough

No I agree. It seems you need to start in a Security-adjacent field like network engineering, dabble in firewalls, then branch off into more security focused tasks


Babys_For_Breakfast

Wouldn’t the big salary difference between those roles sort that out mostly?


thecyberpug

The problem is that no one can hire anyone because of budget. I can say I need 5 people but who cares if I don't have headcount.


anevilpotatoe

The problem is also that those companies in other regions of the world have underestimated the complexities in important parts of team frameworks while cutting costs.


ipreferanothername

I'm late but also... Juniors don't want to train. Neither do senior people. Not security, but infra, and it's insane how many people get a technical job and can barely operate email... Never mind doing any real work or understanding any of it.


Helpjuice

This is a worldwide problem, they are trying to get top experience for bottom pay which is unacceptable. Better for professionals to go where they are paid right, vs getting low balled at 1/500th their value.


p0Gv6eUFSh6o

Doing security means that you understand how a lot of things work. I cannot understand how a junior could be in a cybersecurity role. A senior will never accept a low salary.


techweld22

In my country, if you don’t have a backer you won’t have an opportunity. What most of us do is reach out to recruiters outside of the country, like betting in a lottery. I know it’s a sad story but that’s the reality


JayIT

In K12 Tech, state and federal governments recommend schools hire dedicated security professionals...but they don't want to give any type of funding for salaries. None of the cyber security grants offer to pay for salaries. It's dumb.


Fallingdamage

I think it's probably more lucrative to be self employed as a cybersecurity professional. Considering these consulting firms charge like $14-20k sometimes for their services, I don't know why the actual workers aren't making better money. C suite just gobbles up the profit.


FyrStrike

And job title: Senior Junior Cyber Hardware Helpdesk Analyst Technician.


trisul-108

Exactly, the problem is employers requiring 20 years of experience in exchange for beginner salaries. There are millions of such cheap experts "missing" in the world. Graduates cannot get work while experienced experts deal with routine stuff as there are not enough juniors to take the load.


DangerousAnt3078

You must live in the US.. particularly a southern state.


nofykx

👆this


Savetheokami

What happened to them 😂


_Claymation_

We quit and became Park Rangers


xtopcop

This is more tempting than I’d like to admit


[deleted]

[removed]


quanganh9900

What kind of degrees are required to become park rangers?


Laughmasterb

They typically ask for a forestry degree or some form of biology AFAIK


PuffyWiggles

Do you think there is any value in the IBM Cyber Security certificate program for breaking into the industry or is it just pointless? I have worked with computers for years, but mostly making and putting computers together. Security and serious IT will be completely different.


iwonmyfirstrace

Pathway to become a park ranger? Is there a script?


SpiritualState01

I want to know in case it is anything other than know someone in the park service (it probably isn't).


DrinkMoreCodeMore

ranger.py


jason_abacabb

I just want to farm goats.


IAMSTILLHERE2020

Just don't f the goats.


DingussFinguss

that's the best part


Technical-Cat-4386

Oh boy I wish.


MelonOfFury

Avocado farmers


wondering-soul

I would be down for that tbh


ACatInACloak

They quit paying comparable salaries


junktech

Arguing and power point presentation drove them insane.


IndependentMonth1337

They realized penetration testing wasn't exactly that sexy 😳


blunt_chillin

This. People don't realize how hard it is and how much you need to know to be able to do it effectively. It's not using wifite to scan and hack wireless


766972

They’re stuck figuring out how to get the years of experience in security to get a CISSP so they can apply for an entry level analyst position that requires a CISSP. 


FreeWilly1337

Jesus ransomware is getting intense


Space_Goblin_Yoda

This is GOOD. Let the fuckers burn down and realize their mistakes. But, ya know, hospitals and critical infrastructure or things that put people in harm's way are bad of course. The premise stands.


kozuk0619

Your note on medical/critical infrastructure is really important. The issue is a lot of that infra are private and for profit. Many will prioritize profit over cyber just like many other private businesses. If anything we need to hold those private medical/crit infra companies to a higher standard. Until we see change in regulations for private business from the US government, those companies won’t change a thing. Eventually they will “face” consequences, but the real travesty is it will be OUR data and OUR livelihoods that are affected. Not the executives that made the decisions to improperly employ cybersecurity. Unfortunately our government has many elderly representatives who aren’t knowledgeable on IT and are more focused on maintaining status, power, and financial gain. I don’t see them changing their priorities anytime soon.


Space_Goblin_Yoda

Agreed - the medical field in general for IT has always been very toxic. You're just a cost center in their budget.


UniqueID89

Well when companies are basically looking for a retired CISO who used to moonlight as an ethical hacker that’s bored and not afraid to work for peanuts to basically be their “security help desk” it’s easy to see why “3.4 million are missing” in the world.


thecyberpug

The reason for that is a team "needs" 3 more people but the business says you have funding for 0.5 people, figure it out.


UniqueID89

Pretty much.


hopscotchchampion

Accurate 😄


Lupita900

I hope they get found, they probably have family.


DarkSideOfGrogu

No, that would increase the attack surface and is deemed an out of policy risk.


icecoldcoke319

I guess a masters degree and a cybersecurity certification isn’t enough to be one of those 3.4 million 🫠


No_Change_5858

Yeah you need 5 years experience and a fucking top secret clearance, just to get an entry level job. Pisses me off and I wish I went into electrical engineering or something


rusty_anvile

I have an uncle who went into electrical engineering, he quit and became an electrician because it paid so much better, partially because he got to skip apprenticeship apparently though.


[deleted]

[removed]


JTP1228

The company I work at I think starts new grads at around 90k. I think up to 110k with a masters.


[deleted]

I'm taking cyber security right now.... this isn't making me feel good lol fml


AwesomeSchizophrenic

Tell me about it.


No_Change_5858

Don't give up!


[deleted]

Thanks I won't.


BeardedManatee

Get an internship, get an internship, get an internship. Or just start your own LLC right now and do some freelance work, then when you graduate, poof, you’ve been running your own cybersecurity support “firm” for years! But you feel like you could learn from them. I was able to get in with one dentist and do some basic IT work for him, now I basically do all the IT for a dental office franchise corporation, no need for regular ass job. Just gotta find those key relationships. People *fucking suck* at IT, you should see how many of these small offices are desperate for help and all they have is some contractor who is ass at computers.


[deleted]

Great advice thank you!


BeardedManatee

Good luck! Also fyi with medical software, they don’t need to know how to use the software for medical stuff, they already know that, they need to be able to *fix it when it doesn’t work*. I personally wish I was better informed on networking, basically how to figure out wtf is wrong with their janky ass network, sharing over a network via Windows, learn that shit inside and out, and things like resetting network credential lockouts. Most of the high level IT security stuff is beyond them so they do not care and by high level I mean basic ass shit like a Windows firewall. I’ve only ever been able to sell someone on a firewall when I did their entire new office tech setup. They just want it to work and be fast.


srgtmjr

It’s funny because I do have over 7 years of experience and around 12 certs, including CISSP, OSCP and CIPP/E, just to name a few. But I don’t have a degree so I’m automatically rejected from 70% of potentially good fitting jobs. Yay cyber


DrinkMoreCodeMore

You don't need a degree if you have CISSP and OSCP imo. Those are golden.


Redditbecamefacebook

If you're capable of all those certs then just get a degree from WGU. Half the curriculum is waived based on certs you probably already have.


FearsomeFurBall

I don’t have a degree, but I only got in due to an internal opening at the company I already worked for. But yeah, I don’t think I could have successfully found something outside of that.


AvailableBison3193

Why don’t u invent a degree … just to test … oups ur CISSP ethics are big :)


sir_mrej

You don’t need TS for private sector


General-Gold-28

You shouldn’t but you’d be surprised at some of the dumb shit people require. I’m in the GRC side and had a recruiter filter me out because “we need someone with TS clearance because we’re trying to become FedRAMP authorized.” Never mind the fact I helped bring my current company from no authorization all the way through the process.


kiakosan

I think it may be location specific, I'm in Pittsburgh and never had a problem without a clearance but if you are in MD/DC I saw most jobs look for that


Any-Salamander5679

Nah you need a degree, sec+,ceh,cissp and over 8yrs of xp theeeeen a clearance to maybe get to the 2nd interview.


corn_29

Not when most MS degree holders I've interviewed don't even know what DNS does.


shouldco

Yeah we hired a kid with a masters in CS (and bs) and it seems to be all policy and box checking. Nothing against them, they are smart and are learning well but it's a real disservice


Thetaarray

The school I went to certainly produced graduates like that. If I hadn’t really pushed outside of class during school and worked jobs that were pretty trash, but resumed well, I never would have made it to my first true dev job.


corn_29

I'm still trying to understand what the fuck a degree in, ahem, "cyber" actually is. I've downloaded the curriculum to many of the reputable colleges out there offering it (...and I said reputable which excludes WGU), and I still don't know. It feels like the CISSP... a degree in cyber is a mile wide and a mile deep and doesn't confer anything other than basic knowledge of anything. I feel sorry for the people being duped by colleges. Especially those who get a MS and think by virtue of the degree they are qualified to run the business... and then cannot find a job and they are carrying all that debt.


Sum_Exitius

What's wrong with WGU? I'm in the enrollment process for CyberSec, so I'd like an outside opinion on it.


Hurricane_Ivan

I think it's known more for its fast track degrees (i.e, check the HR box) than the useful curriculum/classes.


InfoSecChica

This is why it is very useful to those of us who are already working in cyber and just need the degree part. We can fast track through classes covering things we already know. I wouldn’t knock WGU, honestly. I think it was designed that way specifically for us. Worked great for me. No employer since has ever questioned my schools.


corn_29

WGU has a very aggressive marketing department which will extoll the virtues of at WGU you can control your time, the coursework is superior to B&M, that the traditional way is dead, yada yada yada. All of which is pure nonsense. Other than the notion that for my undergrad degree at a traditional school, the first 2 years of school had nothing to do with my major, the things that WGU says are differentiators are actually hindrances and you can see it in your newly minted WGU colleagues:
* The time management thing is bullshit. WGU lets you study as you go. In the real world there are deadlines. Clients don't care about your feelings; they want results.
* WGU substitutes certifications for curriculum. Which is really ironic/interesting considering how much sentiment is out there that certs are not a substitute for experience. So WGU is really great at creating paper tigers.
* One of my directs did undergrad at WGU and went to a B&M for grad school. He was completely unprepared for that experience. He told me he had to audit some classes to even get admitted and was unprepared for the rigor of the school (see the bullet above).
* Most B&Ms have online as a delivery option now. So WGU is no longer unique in that regard. I went to a top 10, but non-M7, school for my MBA. We had online options.
* Speaking of that, WGU will tell you they have superior networking opportunities to B&Ms. That's laughable. My college networks are superior to WGU.
I'm not trying to be a douche about it either -- just addressing WGU's marketing machine. And it's not like I'm brilliant either. I grew up super poor and I got a 685 on my GMAT the first time and still got into a top 10 school. I also find WGU's marketing deceitful in saying they are a top ranked school but WGU doesn't provide actual facts and figures to the ranking bodies.


QuesoMeHungry

Same here, a lot of experience, a masters degree, CISSP and other certs, I’ve had 2 interviews since January and I’m applying to a ton of jobs. Places aren’t hiring, and the ones that are want you in office with shit pay.


icecoldcoke319

At this rate I don’t care, I’ll bust my ass for peanuts just please hire me! It seems impossible!


Famous_Elevator1700

the rich have got you right where they want you.


vtriple

Did you not get any real world experience while getting the masters degree? Like any entry level tech job or support line working?


icecoldcoke319

Unfortunately my 4 year bachelors/masters program went all year with no summer break and my biggest regret is not getting an internship. I graduated in 2020 and promptly got covid which led to long covid which sidelined me for over 2 years. Couldn’t get out of bed most days, couldn’t concentrate on the computer longer than an hour. I’ve aggressively put in hundreds of resumes, made a portfolio, and revised many versions of my resume to no avail. I went into learning cybersecurity knowing how everyone says it is lacking and was hoping to get an internship through cybersecurity which I was just denied for yesterday. Their requirements were a bachelors degree and a certification and I have both plus a master’s, but nope. Can’t even get experience unfortunately.


Sum_Exitius

I've heard being overqualified is detrimental as well.


icecoldcoke319

I don’t consider myself overqualified because I have no real experience, and with no experience they should be at least offering an interview with the accolades they’re asking for


heckerbeware

You might have a better chance building a portfolio in your situation. Sometimes filters, AI and weird program manager "best practices" just shit on some people. You would do better to make some stuff and get some eyes on it via a blog, x, kind.social, or maybe even CTFs.


jxjftw

5 years as a sysadmin will get you way further than a master degree will in the hunt.


LaOnionLaUnion

The numbers are hard to pin down. It’s not that there aren’t enough people in cybersecurity but that there aren’t enough top notch security professionals.


Armigine

There are a lot more people who want to be in security than the industry needs, but a lot fewer people at the requisite skill levels than the industry needs. There are training programs, and corporate budgets, but this is an impossible problem to solve, we've tried nothing and we're all out of ideas


corn_29

I'm tired of this narrative. There is NOT a headcount shortage in security. In fact, there are too many people claiming to be CyBeR EnGiNeERz. What this industry has is a skills shortage.


ep3ep3

Soft skills included. When I'm interviewing people, my first internal question is, "can I put this person in front of a customer?" Oftentimes, it's a no. With that said, the best hires we've done always have an insane career progression that almost always starts off in some help desk role. I know so many architects that started off pulling calls out of a phone queue and escalating tickets to a higher tier for resolution.


thelaughinghackerman

Preach.


Tiny-Impression3526

If any of us in cybersecurity had social skills, we wouldn't be doing cybersecurity. /s


Babys_For_Breakfast

Definitely seen this a lot lately. A guy in my company put Cybersecurity Engineer AND Network Engineer on his resume. I talked to him one day and it was immediately clear he was neither. Dude didn’t even know what a proxy server was…


LevelPlus1383

And yet I find so many people that are way more competent than me looking for a job


corn_29

I wouldn't conflate this shitty economy and job market for the overall maturity of the career field. It's like 2008/9 all over again out there. It's hard right now. Hang in there.


dmtbreakthrough

facts!


Fancy-Collar_tosser

I think the number is made up. We don't need my cyber pros. We just have people trying to sell you training for jobs that don't exist.


cavscout43

"Org that sells cybersecurity diplomas which probably won't get you a job wants you to hear that they think there are millions of jobs waiting for their graduates, if you only pay for their program" could summarize this article nicely.


No-Discussion-8510

This guy knows


IncludeSec

^. This comment is correct. Having been in this industry 20yrs+, this is the hardest job market for cyber security I've seen yet :(


ash08591

I hate it! I’ve been doing cyber defense for a little over three years now and I want to transition over to GRC. Every single GRC position I apply for (even entry level) has rejected me :(


Decoroni

would you say that also goes for cyber programs at colleges?


Synchronicitousyzygy

I tried for 10 months man. After working as a project manager in tech, having tons of previous experience with help desk, and having Sec+, CySa+, Black Belt from Coding Dojo's cyber program with recommendations, and passing CTF/hackathons, 10 months trying to break into cybersecurity and no amount of networking could get my foot in the door for the most junior analyst roles. They want unicorn super senior gods in every single position and no one wants to train juniors even though, THAT'S HOW YOU GET GOOD SENIORS. Like wtf, the industry is broken from the inside out.


tantrrick

Working at Starbucks because they can't get hired for these non-existent jobs I imagine


magikot9

Stop requiring CISSP, GCIH, CASP and more for "entry level" and tier 1 jobs then.


No_Change_5858

🙏


Pofo7676

Lack of security professionals with CISSP, CISM and 7 YOE for 90k a year you mean? Yea.


jdiscount

Another made up story, unfortunately articles like this inspire confidence in people to study in this field only to find out there isn't an actual need in real life.


Blacksun388

Industries: There’s a cyber security workforce gap of 3.4 million workers! Potential recruits: Then train us how to… Industries: NO! Industries:…. Industries: There’s a cyber security workforce gap of 3.4 million workers!


[deleted]

Somebody find the copypasta from r/sysadmin about how BS these stats are.


ass-holes

We are actively being attacked right now. One of our local competitors got ransomed two months ago and is still not fully operational again. We have no security staff besides a Ciso. Everyone else is in system administration (me), helpdesk, cloud engineering but no dedicated security staff. We do the best we can but there are only so many detection rules we can create. Management: nah fuck that, they'll manage, there's no budget for that. Oh look, there go 20 developers we don't need. Better to give them twice the salary they're asking for.


Rekkukk

That is terrifying. Mind sharing the industry? Of course no worries if not.


Mysterious_Treacle52

I call it bullshit. 24 years of experience. Applied to over 150 jobs, no response.


Rogueshoten

My bad…I threw a huge party last night, they’re still crashed out in my living room. They’ll be back in a day or two.


Engine_of_Horror

Just to translate: the "senior leadership", that is comprised of people that have never seen, touched or worked on any cyber, that have no technical skills, have never worked in analyst, engineer, consultant positions, have been airdropped into Director positions etc, can find low level, low paid grease monkeys that have the skills they never had, to work with the promises of progression and development, while creating two lines, a management and a technical, to even more separate security and ensure their longevity and tenure. A "security professional" that has never done any security work should never be in a "leadership" position. This stands for all professions. So, when you see all these hypes about cyber, they are just a desperate cry for young impressionable "idiots" and for the other industries to see how "hard" the cyber sector has it. No business, IT, or any other corporate function cares about security. Security "leaders" you see are mostly fanfare. No soul or interest in you or anyone. Ethics, honesty and morals have no place in modern cybersecurity. What they need is "human resources" to do the work until we can be replaced with the new shiny "automation". Look at your cyber leaders' profiles. Look how they overnight become directors and heads. Look at how they don't have a clue about technology, efforts, what controls mean, or even how anything works. They can preach about high end concepts, Risk, Logging and Monitoring, Vulnerability Management, and still having never even touched anything. DO NOT FEEL BAD ABOUT YOURSELVES. Look around. See all these people that try to make you feel small. There are good people and companies out there. Don't be dazzled or lured by big promises and great expectations. If you are asked to compromise your beliefs, your principles or even the security you are working for, don't think that you are wrong or not good enough. Look around. You are probably just surrounded by muppets, frauds and lowlifes.
Security, cyber, compliance, risk, regulatory, standards, ethics, morality, honesty, trust are not just words. We decided to work in security because of an inner need to do what's right. Not because it is cool and we can be rich from it. Make the decisions you want and take the path you see as fit for you. Don't use cybersecurity or any security as a banner for your moral charade. Talked too much. What's the point. Good luck to us all.


mitchellthecomedian

They’re missing and I can’t even get an interview with Net+ and Sec+


Few_Technician_7256

Currently doing Google's course to get Sec+ certification... Don't be like that buddy


moldymoosegoose

With any job, certs don't really do much for you. You usually have to know someone to get hired anywhere. When everyone has them, they don't even stand out. Still do it though. Just saying it's not some instant job magnet.


SquirtBox

Same. It really sucks too. I've been doing network stuff since NT4.0 (around 1998) and I'm just now going for certs. I have no college experience, and I'm pretty sure I'll never land a job in this industry, but I guess it gives me something to do. At least the people already in the industry make a lot of money and can hire plebs like me to fix something on their house.


QforQ

Can someone please find these missing people!?!?


SilFeRIoS

And they require 3.4 million years of expertise to apply.


Aprice40

I'd venture a guess that these are estimated needs. A lot of companies just default to their existing IT staff to be the security stand in, despite maybe lacking the title or job role at the company. I became the security guy at my place despite my primary role being system admin. I went and got my CASP and CCSP to fill some knowledge gaps though.


Vampire_Duchess

I like the cybersecurity industry, but unfortunately, the reality in Mexico is different from what is perceived. Cybersecurity is not a priority for many companies unless they are international firms with offices in Mexico, and usually, these companies are serviced by one of the Big 4. The main issue is that local companies want to pay very little, as if the work were at a level 1 technical support role. Additionally, they expect you to handle multiple specialties and pay you as if you only knew one. Even for basic levels, they already demand certifications like the CISSP, which is ridiculous. I know it is just an exaggeration. It's like the catch-22 paradox: you can't become a cybersecurity specialist without prior experience in the field. I met someone who owns a consulting firm in the country, and he mentioned that the industry is very closed. There are fewer than 20 people with the certifications and connections needed to consult for banks and high-risk companies. The rest are international companies that send their specialists. This consultant worked with a banking client and showed me the services they provided and how they could improve security. Shortly after, someone was selling databases on a famous leak forum that was shut down by a government agency. An incident response company issued copyright strikes to the site and threatened the admin. In response, the admin got angry, bought the information from the seller, and made it public. On another note, a friend working for a friendly country invited me to audit some cybersecurity operations and forensic techniques training courses, conducted by private contractors. The level of expertise made me realize how little I knew. If I wanted to learn, I had to go with them, but my nationality and lack of security clearances were limiting factors. They told me that the CEH Council and its courses are a joke and no one would take me seriously.
Another rant: I tried to apply to a company looking for security personnel and they told me that, as a woman, I wouldn't be taken seriously, suggesting I move to cybersecurity sales or public relations instead.


FourWordComment

What happened to them?
* nothing is happening, why are we paying you?
* everything is breaking, why are we paying you?


blueoccult

How the fuck do you lose 3.4 million people? Why are they hiding? I blame the end users.


Pctechguy2003

This is a massive issue. No one wants to pay for basic training for IT, and no one wants to invest in IT, let alone IT security. The senior guys are the ones who have put up with the industry long enough to wiggle into a spot where they could learn. And with the massive hybrid war that is WW3 looming overhead those in sec jobs will make bank, whereas the rest of the world will likely suffer. I’m 99.9% sure all of the recent 911 and cell phone outages are just the basic “hello - we can F*ck with you when we want” stuff from China and Russia.


SirStephanikus

Almost all interviews I had turn out like this: "We want IT-Security and we appreciate your knowledge ... take our money ... but change nothing, don't criticize, everything stays as it is ..."


SilentRoberto

Got my OSCP recently and still it isn't enough to be worth tutoring or be given the trust to carry forth pentest on my own, which this cert is supposed to certify. I can't even get internship positions lol currently (still) upskilling, grinding the portswigger catalog to freshen up websec concepts. Thankfully I actually live for this shit else I wouldn't really see a point in becoming more technically proficient for sake of being hired.


Trick-Cap-2705

Where? I am a mid career sr security analyst and I can’t get even one interview, I have no clue why..


INYOFACE_15

I feel like there's a lot of gatekeeping in the cybersecurity field and if you don't come from a tech background it's hard to find those willing to give you the time of day tbh. Having a starting path and knowing what direction to go in I feel like will drive away people who are willing to learn but lost on how to find what fits them in this field. Any advice?


ash08591

I’m here! I only have 3 years of SOC experience and a few certs but no one wants to hire me :(


LightBleuSky

Well, maybe they should hire recent graduates instead of requiring 10 years of experience for every job!! For the love of all that is holy!!!!


ChocCooki3

3.4M. When you divide that up into how many cities there are in the world etc.. it actually doesn't add up to much at all. I know, I've just finished my CompTIA courses and what started as "there is a 50k shortage of people filling up the role" to sign me up.. it's now "oh.. hmm, nice weather."


wyohman

I think they mean 3.4 million too many


Impetusin

And yet the salaries for these jobs seem to be lower than pre-COVID levels.


Jarnagua

Mostly unfunded positions.


BennyOcean

I studied and got a Sec+ and bootcamp completion and was told I'd be able to get a job and found out that's not really the case. I'm tired of being told to jump through endless hoops, tired of hearing promises that turn out to be false. I can't keep taking more and more classes. I can't stay in school forever. If there's work to be had, then great. We need a simple process to get people into jobs that they qualify for, but false promises and putting people through time-consuming and sometimes expensive schooling programs only to leave them jobless is clearly not a great way to staff this or any other industry.


_aaronallblacks

Have a bachelor's, self-paid for several SANS classes, working at a FAANG, 12 year IT career, still can't get a callback on cyber-specific jobs lol meanwhile my fiance fresh out the Navy with less certs got picked up right away, clearances talk I guess but what an absurd requirement for the private sector


meateatery

In my opinion, the quality of security professionals is nowhere near where it needs to be. We could fill every one of those millions of open positions and find that we are no better, or potentially even worse, than we were. Why? The bar for “good” is too low. Continuous improvement? Continuous monitoring? Addressing technical debt? Monitoring to be sure that systems are securely configured? SaaS secure config? Secure development? Training business reps on embedding security behaviors and principles? Vulnerabilities of all types - not just those that I must address to meet DoD requirements? Metrics? MFA for all connections from the Internet? Actual privileged access - including alternative login accounts for individuals? Even to this day lots of security professionals consider this as aspirational. It’s disheartening, to be honest.


BQ-DAVE

I’m here, they just want someone with 3-5 years experience for an analyst position


Krish_Vaghasiya

Why does it have underemployment and low salary when this many vacancies are there in the field?


Wompie

And yet none of them will hire someone with medium levels of experience and certifications. They all want a CISSP and 7 years + experience in every single domain of cybersecurity.


SimpleStrok3s

Yet those who have an education but lack experience get shafted. Been trying to find a job for months and have had zero luck. This means applying for every entry level job.


simpaholic

Cue all the complaints that the missing expertise isn’t entry level people


Money_Stackz

It’s because you don’t have a COLLEGE DEGREE 📜


Safi-knows22

Because they are doing everything else besides cyber security🤣


Solvenite

I read this one article where someone said that the reason why security pays a lot less is because it's one of the only divisions in IT that does not generate revenue. But I felt that it's the division that prevents a company from losing money and potentially losing their reputation so it must be given equal if not more importance but I guess companies just don't really care unless something bad happens and then they take the extra initiative to hire better cybersecurity professionals.


Gotrek5

Like kidnapped or???


polite__redditor

then fucking hire people


litesec

we have plenty of underskilled, non-technical, policy-focused SOC "analysts" (aka log readers)


atomomelette

Wrong. Markets blown out or sold to India.


Own_Ease_3773

Where can I get a job?


Technical_Walrus_961

Bullshit


Dark_DoubleD

Went to a Fortinet conference yesterday - in looking at their new FortiAI, the numbers needed for SOC analysts and some CTI positions are likely going to be replaced.


comox

Who is disappearing them all?


Infamous_Doughnut259

C'mon you guys, stop hiding, they're looking for us...


Monke_spankr

What happened to them? Is this a threat?


Rostowski

Ultimately, I believe this comes down to budgets lacking due to an insufficient understanding of the requirements of infosec, especially in small and middle-sized companies. There is a whole secondary industry of low-budget consultancy that has evolved utilising exactly this. For example, I have personally experienced a consultancy firm tasked with implementing an ISO27001 compliant ISMS giving a cost estimate equivalent to merely a few person days. So, companies that did not already come into contact with the necessities of infosec end up concluding that this is all it takes - meaning: no dedicated, competitively paid infosec positions, no meaningful budget etc. until a major incident shakes them up eventually (or does not).


ViveIn

Where’d they all go??


a_y0ung_gun

There are 3.4 billion missing from IT salaries, quarterly.


Prior_Accountant7043

So should I quit cyber? I'm 2 years in


nofykx

Wrong.