Hello friends. The dreaded and long awaiting blog on WHAT THE FUCK HAPPENED TO THE CYBERSECURITY JOBS MARKET has arrived.

https://tisiphone.net/2025/04/01/lesley-what-happened-to-the-cybersecurity-skills-shortage/

I'm sorry.

@hacks4pancakes Nooo, why slop? Not you too, Auntie Pancakes 😞

@sindarina Sorry, my entire blogging platform now generates images if I don't commission one. And that is not something I can do at 10 at night, right now.

@hacks4pancakes

Who would want to protect the people in charge at this point with their #Infosec ?

Seriously.

@leean00 infosec includes like, the power not going out, though

@hacks4pancakes taking this opportunity to hype public institutions:

Water needs you.
Edu needs you
Your city needs you.

you wont be a pen tester. probably not a SOC analyst. but youll have fun, learn a ton, go bald, turn grey, and maybe even save a life.

@h2onolan Agreed

@hacks4pancakes so my partner and I were talking about this recently. Their org needs entry level people and it is cybersecurity. Not red team, engineering or SOC, but insurance. This role isn't hunting baddies. But they need critical thinkers who can meet deadlines and have the broad cybersecurity domain knowledge. They have a heap of women in leadership. Oh, and you're not on call!

It's hard to predict exactly where your career will go. I thought I was going to be a mechanical engineer. And my custom LinkedIn URL still has dba in it.

@badsamurai those janitorial roles I'm scared to name...

@hacks4pancakes I'm leaving the deduction of role type and orgs as homework for the exact reason you mention. My partner did tell their boss, "have we considered hiring more technical but early career cybersecurity people? We can teach them insurance."

Oh and you still get the CPE-like joys of taking credits to maintain your state license.

@hacks4pancakes why is there a garbage AI photo on this?

@danedeasy because Wordpress sticks them on now if I have no image. And I only just commissioned a picture at 10 PM.

@hacks4pancakes I apologize for contributing to the bootcamp rift as part of the education staff. It earned me enough pocket change to hopefully complete my BS in cybersecurity if I hunker down.

I'm unfortunately part of the fallout of one of those bootcamps that's pivoted HARD, but I'll shortly be on the prowl for any jobs more aligned with cyber and security as I complete my certs and try to convince hiring managers the small projects I came up with and barely managed to pull off are worthy of their time to put me on an interview list.

It was a gig, it kept introduced me to things that were outside of my community college curriculum, it kept me mostly up to date on what hiring managers wanted to see... But the last 3 years I've seen my students struggling to find employment.

@vandorb12 if you weren't the one selling them and marketing them it was not your fault, it was a whole Thing

I feel like @h2onolan and I should just go on tour hyping this.

@hacks4pancakes

@ohmu YES!

@hacks4pancakes Thanks for sharing.

@Ertain it is definitely not a pleasure

@hacks4pancakes good post and some really naive replies.

Like you mention, I do think there is a feedback loop of training vendors performing unscientific surveys of infosec managers asking “how many more people do you need to run your program?” Rather than “how many additional people will you be able to hire?” And then run around setting pants on fire with their extrapolated nonsense, driving further investment in building a workforce for jobs that done exist. Employers are loving it, because it means they are finally seeing downward pressure on salaries due to the glut of workers. And now we get to compete with AI on top of all that.

@hacks4pancakes @sindarina You do intend to remove this once you can, right ?

(No boost while the AI slop remains).

@Sobex @sindarina I did an hour ago… WTH? These are real photos.

I still get parents and teachers being like, “I referred this utter slacker who doesn’t give a shit to community college cyber programs” and want to kind of die

@hacks4pancakes I've been training, reading, learning, breathing, drinking, shitting security for most of my adult life now and I haven't gotten a single role since I've been looking.

I have nearly 10 years in operational IT between both internal and MSP IT infrastructure as a security SME and I can't even get a call back from security role jobs I apply for.

I'm no rockstar and I know that. I expected SOME level of foothold with my experience, but I am so fucking wrong and it's depressing.

@hacks4pancakes I went to Tafe for IT in 2004. There were people who didn't know shit about computers wanting to do the job because "it's good money". Same people that would learn to be a real estate agent. they didn't even get their diploma and certainly didn't get a job in IT. Out of maybe 30 people maybe 5 got IT jobs.
So slackers won't dilute the workforce. Just the entry level education system.

@simonoid oh no, I feel badly for the kids

@hacks4pancakes "none of the jobs I just named are the typical entry level tracks of 'junior pen tester' and 'SOC analyst'"

I can only talk about pentesting but my stance has for long been that pentesting shouldn't have been an entry level position in the first place. Inviting people to this path with 0 experience in dev or ops is a scam that has long-term negative effects on the industry as a whole.

@buherator it’s the same with SOC. Entry level relative to the industry.

@hacks4pancakes @sindarina I’m still seeing the AI slop preview image on my end, I just hope the fix will propagate.

🤞

(I wonder if editing the post could help make mastodon refresh the preview ?)

@Sobex @sindarina I already did, almost two hours ago, can’t help.

@buherator @hacks4pancakes the reports from industry leaders have LONG echo’d that cybersecurity is not an “entry level” field and there will never actually be “entry level” jobs in that market, because the skills required are not taught by businesses and employees won’t be useful without years of experience anyway

I heard almost 5 years ago that entry level jobs don’t exist in the cybersecurity market and literally nothing has changed since then, and this is probably a good thing

@froge @hacks4pancakes It depends how you define the "market". If you have pentests/a SOC solely because they're regulatory requirements, your perfect provider is one with a gang of amateurs working for peanuts. It's not only cheaper than the alternative, but you won't even have to deal with non-trivial vulnerabilities/alerts!

(Yes, there are is such a market.)

@hacks4pancakes one of the awful things that they've done is bring a glut of people into the market who are lacking the proper critical skills and security fundamentals.

The amount of wheat doesn't seem to have risen as much as the amount of chaff. And it does such a disservice to the good candidates, because they're nearly indistinguishable on a resume.

So now, if I'm hiring for a role, I have to go through 10x the candidates that I used to in order to find those people.

In short, everything is so much worse, including from the employers' perspective.

@hacks4pancakes And this doesn't help at all (found through Discord):

@hacks4pancakes Oh, and yeah, lest we forget all of the offshoring going on as well in the security space. Cheap workers who do not require health insurance or retirement funding, yeah, they win.

@hacks4pancakes thanks, that's really good. And I like the focus on mentoring. That's, I feel, is what makes this community so valuable to me.

@badsamurai @hacks4pancakes a nontrivial portion of my job is teaching cyber to insurance peeps, soo… yeah.

(The way my company is doing things, the underwriters are the insurance experts, while I’m the cyber expert. We’re not expecting any new hires to have both skills, but the UW jobs have more flexibility for what is expected of new hires because there’s lots more UWs and they have more mentorship opportunities)

@hacks4pancakes Thanks for this. And all you do. I appreciate your truth-telling.

After some mental health upgrades, I decided to return to tech and was recruited to lead an autistic SOC project. It didn’t pan out, but I got hooked on cyber. That was just as the cloaca of cyber jobs hype opened up. I did all the things, but despite 2 decades of senior experience in biz and tech, and all the “right” letters after my name, I was ghosted by every cyber company I applied to. It was effing demoralizing. I was happy to start at the bottom and work my way up, but the market was smoke and mirrors.

I’m back to teaching and consulting in ITIL, online thank goodness. But the lost potential of so many adaptive, dedicated, fast-learning middle-aged career returners who thought cyber was cool and would have been really excellent team members, is just heartbreaking.

@jerry @hacks4pancakes I’d like to add to this if I may. It seems there is a sweeping change occurring right now where even more senior staff are facing layoffs, downward pressure in salary driving positions to lower salary markets, and replacement by AI rather than augmentation.

It’ll be even harder for entry level to get a foot in the door not only competing with the privileged but the very experienced. I’m a senior looking and it hasn’t been an easy time due to “not good enough” for positions I know I’d nail. And I’m a lucky one still employed. A lot of the “shortage” seems to be for employers wanting a unicorn-dragon-pancake that is an expert in every facet of security for any role.

It’s easy to be discouraged with this backwards trend for employees whether it be AI or (waves everywhere), not just cybersecurity. But I’ll attempt to not digress into paralysis. Rather, how can we change this?

This article hits on the for-profit succubi that prey on the idea of “there be gold in them hills” and raises a problem we’re facing. What else can we do? I’m sitting here stewing and the only thing my brain comes back to is: unionize? Take back employee rights we seem to be losing in this age?

It’s easy for me to soap box that idea. It’s an entirely different and difficult task of bringing it to fruition. So what does that look like? What’s the catalyst to spawn macro-action? A talk on unionizing? Creating yet another independent organization that people can join as a resource for organizing their own union specifically in cybersecurity?

Asking for a friend.

@hacks4pancakes @danedeasy wow, that's fucked, super glad I migrated off now >:(

@hacks4pancakes Yes yes yes to all you've said in this piece! I'll be forwarding this to my bosses at my institution (a University of Applied Sciences).

@sten oh good I swore

@hacks4pancakes @danedeasy also fwiw if you edit the post it should purge the media cache and re-fetch the thumbnail so the slop one goes away.

@SandPaper @hacks4pancakes I’m not sure this is a fixable problem. I believe IT broadly, as a corporate function, is entering a “creative destruction” phase of its evolution.

>It’ll be even harder for entry level to get a foot in the door not only competing with the privileged but the very experienced. I’m a senior looking and it hasn’t been an easy time due to “not good enough” for positions I know I’d nail. And I’m a lucky one still employed. A lot of the “shortage” seems to be for employers wanting a unicorn-dragon-pancake that is an expert in every facet of security for any role.

I was a VP/CISO at a large company recently, and saw this extensively. I started calling it “just in time skills”. Companies generally aren’t interested any longer in training/growing people into roles they need as a business strategy - certainly it still happens, but I think that is more exceptional case than a product of some intentional planning - and so we have companies identifying a specific skill need, recognizing that they don’t have anyone in house with that skill, they go out and hire it. If the “thing” that skill is doing happens to displace existing people with other skills, those people are usually shown to the airlock. This is, perhaps, an area where unions could help, but I don’t see them doing much with the macro scale decline in the number of needed IT/infosec workers, any more than the UAW was able to prevent the precipitous decline in the number of auto workers resulting from automation (I know offshoring was another source of auto job losses, just as it is with IT).

I have been working on an outline of a presentation I intend to push out through my DefSec podcast giving my perspective on all this, and one fundamental conclusion I have is that successful IT workers going into the future will be those that are driving the implementation and adoption of AI and related technologies that materially reduce the cost of operating IT. I don’t love this, but I fear that there are many many people living in denial about macro the changes to the IT economy, expecting AI is going to get rolled up and tossed out like blockchain was.

Should I post this to LinkedIn or will the LinkedIn bros selling bootcamps be insufferable?

@hacks4pancakes Yes to both

@mttaggart hnnn

@hacks4pancakes Normally I would say post it there, but I think with everything else going on, you shouldn't, just to keep another log off the already huge amount of stuff you are dealing with.

@hacks4pancakes I personally feel it's always morally correct to disrupt the reality distortion field that is LinkedIn, revealing it as the clambering mass of damned souls that it truly is.

@hacks4pancakes
I assume there are enough other things for you to get mad at so that you don't need to bring more of them about. Given that, maybe better to resist throwing out the reply-guy bait. Even though it would probably be fun to hold them up to the light and mock them or savage them or something.

@hacks4pancakes Oh the LinkedIn bros will absolutely be annoying. On one hand you ruffle their entitled feathers, on the other hand they comment back... 😑

@hacks4pancakes will you posting it have any impact on their insufferableness? I'd say not, but posting it may help people falling into that bubble.

@hacks4pancakes it is pretty tough for me someone who has been doing it for five years now to find a new job. Lol

@hacks4pancakes "or"?

@jerry @hacks4pancakes My brain wasn’t thinking about the history of the auto industry. Good point. While the change is inevitable, the speed at which things are going seems troublesome as if we’re on the precipice of an economic bubble popping with no safety net. And the ones we had are being ripped away. It’s like a Moore’s Law of Outsourcing and humans won’t be able to keep up by our own design.

As for me, I see it. I’m now pivoting from just using AI as a user and diving deeper into to how they work and how they’re built. I wonder if by this time next year, every job description will have AI capabilities as a requirement.

@hacks4pancakes
I know nothing of cybersecurity or its jobs market, but I really love your heart.

@NicholasLaney I’m trying to stay a good person despite … everything.

@hacks4pancakes
The last time I was hiring for a directly security role, it was shocking to see just how far the hyperspecialization had gone. I live very much in blue team, and trying to find blue team appsec people was effectively impossible. I ended up grabbing a security-interested juniorish dev and mentoring her into the role instead. For most of the small (<150 engineers) firms I work with, it's always going to make more sense to outsource audit, including more serious code audits — the work is bursty and irregular — but we still need in-house folks helping devs with SAST, doing internal training, and working with engineers on vuln fixes. It's not sexy enough, though, not red team, so finding folks is a nightmare.

@hacks4pancakes I saw you did and loved looking at how nobody was disagreeing with you (at least via reposts)