Hello friends. The dreaded and long-awaited blog on WHAT THE FUCK HAPPENED TO THE CYBERSECURITY JOBS MARKET has arrived.
https://tisiphone.net/2025/04/01/lesley-what-happened-to-the-cybersecurity-skills-shortage/
I'm sorry.
@hacks4pancakes Nooo, why slop? Not you too, Auntie Pancakes
@sindarina Sorry, my entire blogging platform now generates images if I don't commission one. And that is not something I can do at 10 at night, right now.
Who would want to protect the people in charge at this point with their #Infosec ?
Seriously.
@leean00 infosec includes like, the power not going out, though
@hacks4pancakes taking this opportunity to hype public institutions:
Water needs you.
Edu needs you
Your city needs you.
you won't be a pen tester. probably not a SOC analyst. but you'll have fun, learn a ton, go bald, turn grey, and maybe even save a life.
@hacks4pancakes so my partner and I were talking about this recently. Their org needs entry level people and it is cybersecurity. Not red team, engineering or SOC, but insurance. This role isn't hunting baddies. But they need critical thinkers who can meet deadlines and have the broad cybersecurity domain knowledge. They have a heap of women in leadership. Oh, and you're not on call!
It's hard to predict exactly where your career will go. I thought I was going to be a mechanical engineer. And my custom LinkedIn URL still has dba in it.
@badsamurai those janitorial roles I'm scared to name...
@hacks4pancakes I'm leaving the deduction of role type and orgs as homework for the exact reason you mention. My partner did tell their boss, "have we considered hiring more technical but early career cybersecurity people? We can teach them insurance."
Oh and you still get the CPE-like joys of taking credits to maintain your state license.
@danedeasy because Wordpress sticks them on now if I have no image. And I only just commissioned a picture at 10 PM.
@hacks4pancakes I apologize for contributing to the bootcamp rift as part of the education staff. It earned me enough pocket change to hopefully complete my BS in cybersecurity if I hunker down.
I'm unfortunately part of the fallout of one of those bootcamps that's pivoted HARD, but I'll shortly be on the prowl for any jobs more aligned with cyber and security as I complete my certs and try to convince hiring managers the small projects I came up with and barely managed to pull off are worthy of their time to put me on an interview list.
It was a gig, it introduced me to things that were outside of my community college curriculum, it kept me mostly up to date on what hiring managers wanted to see... But the last 3 years I've seen my students struggling to find employment.
@vandorb12 if you weren't the one selling them and marketing them it was not your fault, it was a whole Thing
I feel like @h2onolan and I should just go on tour hyping this.
@hacks4pancakes good post and some really naive replies.
Like you mention, I do think there is a feedback loop of training vendors performing unscientific surveys of infosec managers asking "how many more people do you need to run your program?" Rather than "how many additional people will you be able to hire?" And then run around setting pants on fire with their extrapolated nonsense, driving further investment in building a workforce for jobs that don't exist. Employers are loving it, because it means they are finally seeing downward pressure on salaries due to the glut of workers. And now we get to compete with AI on top of all that.
@hacks4pancakes @sindarina You do intend to remove this once you can, right ?
(No boost while the AI slop remains).
@Sobex @sindarina I did an hour ago... WTH? These are real photos.
I still get parents and teachers being like, "I referred this utter slacker who doesn't give a shit to community college cyber programs" and want to kind of die
@hacks4pancakes I've been training, reading, learning, breathing, drinking, shitting security for most of my adult life now and I haven't gotten a single role since I've been looking.
I have nearly 10 years in operational IT between both internal and MSP IT infrastructure as a security SME and I can't even get a call back from security role jobs I apply for.
I'm no rockstar and I know that. I expected SOME level of foothold with my experience, but I am so fucking wrong and it's depressing.
@hacks4pancakes I went to Tafe for IT in 2004. There were people who didn't know shit about computers wanting to do the job because "it's good money". Same people that would learn to be a real estate agent. they didn't even get their diploma and certainly didn't get a job in IT. Out of maybe 30 people maybe 5 got IT jobs.
So slackers won't dilute the workforce. Just the entry level education system.
@buherator it's the same with SOC. Entry level relative to the industry.
@hacks4pancakes @sindarina I'm still seeing the AI slop preview image on my end, I just hope the fix will propagate.
(I wonder if editing the post could help make mastodon refresh the preview ?)
@Sobex @sindarina I already did, almost two hours ago, can't help.
@buherator @hacks4pancakes the reports from industry leaders have LONG echo'd that cybersecurity is not an "entry level" field and there will never actually be "entry level" jobs in that market, because the skills required are not taught by businesses and employees won't be useful without years of experience anyway
I heard almost 5 years ago that entry level jobs don't exist in the cybersecurity market and literally nothing has changed since then, and this is probably a good thing
@hacks4pancakes one of the awful things that they've done is bring a glut of people into the market who are lacking the proper critical skills and security fundamentals.
The amount of wheat doesn't seem to have risen as much as the amount of chaff. And it does such a disservice to the good candidates, because they're nearly indistinguishable on a resume.
So now, if I'm hiring for a role, I have to go through 10x the candidates that I used to in order to find those people.
In short, everything is so much worse, including from the employers' perspective.
@hacks4pancakes And this doesn't help at all (found through Discord):
@hacks4pancakes This is not the whole picture though, they are also not hiring as much for security, period. There are a lot of ghost jobs as well and generally in this current moment (since Der orange fhurer took over) the markets and the economy is so fucked and unstable, no one is willing to spend money anyway. Add to this, that even the olds, like you and I (evidently as you have been in the biz around the same amount of time) are not even getting any interviews these days. I have seen more than a few on this security mastodon, who also are out of work having been laid off and out of work for months to years.
So, bigger picture, as I have said before, this is like what happened in the 80's when everyone wanted to be in advertising/graphic design and went to school for it. A flotilla of designers was loosed on the market and flooded it. Jobs became scarce and many moved on to other pursuits because they were forced to. The same happened here, all the uni's and cert programs popped up and there was gold in them thar fields! Gluts in markets dilute the prospects and in this arena, we never were going to be in a space where there would be a lack of talent, it's always been a lack of will to spend.
See, security, is a cost center.
A cost center that has never been perceived as a needed one until it's too late.
So yeah, here we are Lesley.
I have been under/unemployed off and on since 2023 even though my resume is full of experience. Is it ageism? Is it that I am worth more and they'd rather pay less? Is it that they just don't want to hire?
Yes.
The fact that now, most of these reqs require a degree in CS (which you and I know means nothing in this arena) is just a rubric within the current hiring milieu is a means to an end. Firstly to not hire anyone but a unicorn, and secondly, driving salaries down as well.
Honestly, the future of this business is also subject to just how much AI will be coming to play as well. I am already seeing tooling being deployed in SOC's that will answer the questions "augmenting" the staff, which, will reduce the need for headcount, never mind talented headcount in the future (this will be the mindset of the corporate types) So, we are all endangered species frankly.
For all of you looking to get into the cybers because it's a great salary....
Perhaps you should look into plumbing or other trades that humans only can do, until the robot come...
K.
@hacks4pancakes Oh, and yeah, lest we forget all of the offshoring going on as well in the security space. Cheap workers who do not require health insurance or retirement funding, yeah, they win.
@hacks4pancakes thanks, that's really good. And I like the focus on mentoring. That's, I feel, is what makes this community so valuable to me.
@badsamurai @hacks4pancakes a nontrivial portion of my job is teaching cyber to insurance peeps, soo... yeah.
(The way my company is doing things, the underwriters are the insurance experts, while I'm the cyber expert. We're not expecting any new hires to have both skills, but the UW jobs have more flexibility for what is expected of new hires because there's lots more UWs and they have more mentorship opportunities)
@hacks4pancakes Thanks for this. And all you do. I appreciate your truth-telling.
After some mental health upgrades, I decided to return to tech and was recruited to lead an autistic SOC project. It didn't pan out, but I got hooked on cyber. That was just as the cloaca of cyber jobs hype opened up. I did all the things, but despite 2 decades of senior experience in biz and tech, and all the "right" letters after my name, I was ghosted by every cyber company I applied to. It was effing demoralizing. I was happy to start at the bottom and work my way up, but the market was smoke and mirrors.
I'm back to teaching and consulting in ITIL, online thank goodness. But the lost potential of so many adaptive, dedicated, fast-learning middle-aged career returners who thought cyber was cool and would have been really excellent team members, is just heartbreaking.
@jerry @hacks4pancakes I'd like to add to this if I may. It seems there is a sweeping change occurring right now where even more senior staff are facing layoffs, downward pressure in salary driving positions to lower salary markets, and replacement by AI rather than augmentation.
It'll be even harder for entry level to get a foot in the door not only competing with the privileged but the very experienced. I'm a senior looking and it hasn't been an easy time due to "not good enough" for positions I know I'd nail. And I'm a lucky one still employed. A lot of the "shortage" seems to be for employers wanting a unicorn-dragon-pancake that is an expert in every facet of security for any role.
It's easy to be discouraged with this backwards trend for employees whether it be AI or (waves everywhere), not just cybersecurity. But I'll attempt to not digress into paralysis. Rather, how can we change this?
This article hits on the for-profit succubi that prey on the idea of "there be gold in them hills" and raises a problem we're facing. What else can we do? I'm sitting here stewing and the only thing my brain comes back to is: unionize? Take back employee rights we seem to be losing in this age?
It's easy for me to soap box that idea. It's an entirely different and difficult task of bringing it to fruition. So what does that look like? What's the catalyst to spawn macro-action? A talk on unionizing? Creating yet another independent organization that people can join as a resource for organizing their own union specifically in cybersecurity?
Asking for a friend.
@hacks4pancakes @danedeasy wow, that's fucked, super glad I migrated off now >:(
@hacks4pancakes Yes yes yes to all you've said in this piece! I'll be forwarding this to my bosses at my institution (a University of Applied Sciences).
@hacks4pancakes @danedeasy also fwiw if you edit the post it should purge the media cache and re-fetch the thumbnail so the slop one goes away.
@hacks4pancakes This is an excellent blog post and I plan on sharing it with *many* people, including (hopefully) our industrial advisory board. I do have a couple of thoughts on the college side of things:
1) I do open house events. By the time families get to me, virtually all of them have already decided that they want cybersecurity. The question isn't whether they're going to do it, it's what school they're going to do it at. I'm not trying to convince them that cybersecurity is the right degree path, I'm trying to convince them that our program is better than the program of other schools. Occasionally, they've decided on the school and on tech, not the specific tech program at the school (CompSci vs Cybersecurity vs...), but that's less common.
(For what it's worth, we've been shifting the open house narrative to a bit of a reality check for a few years now.)
The root problem here is that tech is broadly seen as one of the very few reliable paths to a middle/upper middle class lifestyle (particularly for average or less than average students), and probably the most reliable. I'm sure I'm preaching to the choir about how delusional that view is at the moment and how bad things are going to get when folks broadly realize this isn't reliable anymore.
2) We're going to see a *ton* of programs (and, frankly, schools) collapse in the next 5-10 years between the demographic cliff and the shifting tech market. This is going to lead to more concentration and less competition in higher ed... which I'm not entirely sure is a good thing.
@SandPaper @hacks4pancakes I'm not sure this is a fixable problem. I believe IT broadly, as a corporate function, is entering a "creative destruction" phase of its evolution.
>It'll be even harder for entry level to get a foot in the door not only competing with the privileged but the very experienced. I'm a senior looking and it hasn't been an easy time due to "not good enough" for positions I know I'd nail. And I'm a lucky one still employed. A lot of the "shortage" seems to be for employers wanting a unicorn-dragon-pancake that is an expert in every facet of security for any role.
I was a VP/CISO at a large company recently, and saw this extensively. I started calling it "just in time skills". Companies generally aren't interested any longer in training/growing people into roles they need as a business strategy - certainly it still happens, but I think that is more exceptional case than a product of some intentional planning - and so we have companies identifying a specific skill need, recognizing that they don't have anyone in house with that skill, they go out and hire it. If the "thing" that skill is doing happens to displace existing people with other skills, those people are usually shown to the airlock. This is, perhaps, an area where unions could help, but I don't see them doing much with the macro scale decline in the number of needed IT/infosec workers, any more than the UAW was able to prevent the precipitous decline in the number of auto workers resulting from automation (I know offshoring was another source of auto job losses, just as it is with IT).
I have been working on an outline of a presentation I intend to push out through my DefSec podcast giving my perspective on all this, and one fundamental conclusion I have is that successful IT workers going into the future will be those that are driving the implementation and adoption of AI and related technologies that materially reduce the cost of operating IT. I don't love this, but I fear that there are many many people living in denial about the macro changes to the IT economy, expecting AI is going to get rolled up and tossed out like blockchain was.
Should I post this to LinkedIn or will the LinkedIn bros selling bootcamps be insufferable?
@hacks4pancakes Normally I would say post it there, but I think with everything else going on, you shouldn't, just to keep another log off the already huge amount of stuff you are dealing with.
@hacks4pancakes I personally feel it's always morally correct to disrupt the reality distortion field that is LinkedIn, revealing it as the clambering mass of damned souls that it truly is.
@hacks4pancakes
I assume there are enough other things for you to get mad at so that you don't need to bring more of them about. Given that, maybe better to resist throwing out the reply-guy bait. Even though it would probably be fun to hold them up to the light and mock them or savage them or something.
@hacks4pancakes Oh the LinkedIn bros will absolutely be annoying. On one hand you ruffle their entitled feathers, on the other hand they comment back...
@hacks4pancakes will you posting it have any impact on their insufferableness? I'd say not, but posting it may help people falling into that bubble.
@hacks4pancakes it is pretty tough for me someone who has been doing it for five years now to find a new job. Lol
@jerry @hacks4pancakes My brain wasn't thinking about the history of the auto industry. Good point. While the change is inevitable, the speed at which things are going seems troublesome as if we're on the precipice of an economic bubble popping with no safety net. And the ones we had are being ripped away. It's like a Moore's Law of Outsourcing and humans won't be able to keep up by our own design.
As for me, I see it. I'm now pivoting from just using AI as a user and diving deeper into how they work and how they're built. I wonder if by this time next year, every job description will have AI capabilities as a requirement.
@hacks4pancakes
I know nothing of cybersecurity or its jobs market, but I really love your heart.
@NicholasLaney I'm trying to stay a good person despite ... everything.