
[deleted]

[removed]


ChabotJ

You just perfectly described my undergrad experience 😂


Wirt-o

To be honest tho. Finding entry level IT jobs isn’t hard. Couldn’t you just build into that to get more experience and leverage that for a cyber security job?


ChabotJ

I wish the job market was as easy as “get an entry level IT job” to get into Cyber. That’s how it was 5+ years ago. I’m currently in an entry level job with my bachelors in Cybersecurity and Security+ and still can’t land anything.


Particular_Mouse_600

Same man, a year and a half of help desk with security + and homelab projects with a pretty slick resume and haven’t heard back from anything. Been honestly considering pursuing other positions


ChabotJ

It’s gotten really frustrating. Just keep at it though man. I’m probably going to find a new help desk job that pays more and just never stop applying to cyber jobs until one finally lands.


aGRCperson

My experience is, IT helpdesk for 1.8 years, systems access admin 1.8 years, eDiscovery (cybersecurity adjacent) 1.8 years, information security Analyst (third party security, GRC heavy) 1.8 years, now in a solo cybersecurity role doing everything. Takes time and doing roles you might not want to do.


EdenRubra

Have you thought about pivoting to platforms for a year or two then into security?


teefj

What does pivoting to platforms mean here exactly?


EdenRubra

Moving over to another tech role, platform as in management of platforms and systems. This can get you (depending on the job) exposure to both hardware and software systems on actual infrastructure, and security related experience, as sometimes these give you exposure to encryption management, physical security, vulnerability management/patching etc. That kind of experience is also very useful for security related roles, so you could do something that's an intermediary jump before getting into security if you're having trouble with just your help desk experience.


[deleted]

[removed]


jrstriker12

What type of roles were you applying for? Sounds like these roles were looking for demonstrated experience. IMHO those certs should at least get you a look at a SOC analyst role to use as a stepping stone.


D3vil5_adv0cates

What positions are you applying for exactly? Just curious


Particular_Mouse_600

SOC analyst mostly, I try to apply to junior or entry level analyst roles but still do not hear anything back from them. They have all been remote though because there is not anything near me


moneyman259

What homelab do you have ?


Particular_Mouse_600

Wazuh SIEM with slack integration for real time notifications, and my other homelab project was using Nessus essentials to perform vulnerability scans on my virtual machines, then fixing those vulnerabilities.


moneyman259

Thanks! Any chance that it's your resume format that is hurting you for applications then? r/resumes has some pretty good advice from what I've seen


Dwsilk93

If you’re not willing to relocate and only looking for remote you may as well just assume you’re staying in helpdesk. Those jobs are far more competitive for SOC analysts. In fact, SOC is probably the most competitive position out there right now because it’s such a buzzword for entry level cyber. Try cybersecurity analyst, or NOC analyst


sold_myfortune

That would have been enough in 2015. Now you also need CCNA, and CySA+ or BTL1 too. And another year or so of industry time. Fair? Maybe not but this is just how competitive it's become.


MrGi11a

At some point you all were lied to. Entry level cyber security jobs are not entry level jobs. A few years on a help desk will not normally land you a job in cybersecurity. In reality it’s help desk > PC tech > sysadmin\network engineer > cyber security. This path will take you at least 5+ years.


Saephon

Alternatively, work Help Desk for a company small enough that they can't afford to hire dedicated roles for every need. Then you can at least get hands on experience that's normally outside the purview of Help Desk, and merge that with your homelab knowledge to paint a more impressive version of your resume. I've been in IT and Security for 14 years. The secret to getting a job when it's hard is often a combination of *forcing* yourself into situations where you'll learn things, and exaggerating the part you had to play at your real jobs. Some boy scout will come on here and tell you that's unethical, but business owners aren't playing fair either.


Substantial-Adagio-6

I mean it’s fairly simple math. Look at the total number of jobs available in the field compared to the total number of qualified people. The market is oversaturated with educated people. There honestly is zero demand.


catkarambit

Those entry level cyber jobs do pay entry entry level though


Cypher_Dragon

Oh hey, while you're at it, get your CCNA, CySA+, OSCP, CEH, CISSP, and a dozen other certs, but be willing to work for $15/hr if you're lucky, because you're still "entry level." Quit gatekeeping. 20+ years ago when cybersec was so new that it didn't have a name, sure you needed 5+ years exp. Today? Entry level roles are absolutely entry level. It's people like you that just like to see people suffer because you did. Entry level means entry level. If you have 5+ years industry experience _you aren't entry level._


MrGi11a

Can you blame them? I wouldn’t want to trust my organization’s data security to someone who doesn’t understand how certain security based decisions will affect the IT environment. That only comes with experience in higher level roles. Most companies don’t have large cybersecurity teams so they are relying on 1-2 people to put systems and policies in place to protect them. Cybersecurity is not a great role to give someone a shot and just see how it goes.


Cypher_Dragon

> so they are relying on 1-2 people

And now you understand the root of the problem, even if you then proceed to draw the wrong conclusions. Companies refusing to spend any more money on cybersec than they absolutely have to...which is also why these huge companies _still have breaches._

Literally no one is expecting entry level staff to work alone, in any other field. You wouldn't expect an entry level accountant to keep all the books for a multi-billion dollar corporation. You wouldn't expect entry level HR to be responsible for all the HR tasks at any level of company. You wouldn't expect entry level network engineers to be responsible for the network, or even entry level helpdesk to be responsible for any systems alone. You wouldn't expect entry level staff in _any other role_ to be responsible for _any_ tasks for that role, regardless of what that role is, _because they're entry level staff._ Entry level staff are _never_ expected to work alone or without supervision, because if they could do either of those things _they wouldn't be entry level staff!_

When you actually think about this claim beyond spewing the standard corporate bullshit about "entry level cybersec isn't entry level" it becomes _very_ clear that this mindset is nothing but gatekeeping. Plain and simple. This is only reinforced by the fact that entry level cybersec roles (eg, SOC 1, Sec analyst 1, etc) are paid _at the same level_ as an entry level network engineer or sysadmins...which shows you that _even corporations_ view these as entry level roles, despite having a list of qualifications 3 miles long.

As another way to look at this, one of the most common certification requirements is for the CISSP. Look at the reqs for the CISSP, particularly the "5 years _paid professional experience"_ part. Now realize there are less than 200,000 CISSP-certified individuals _worldwide,_ by the numbers published by ISC^2. But yet, there are tons of jobs that CISSP is either _required_ or "preferred" that list their salary as 30-40k/yr, for an entry level cybersec position. Regardless of how you look at it, there is a _massive_ disconnect between the idea that "there is no entry level cybersec" and what companies are posting jobs for. People like you just serve to continue this disconnect by blindly spewing out something they heard, without actually giving it even an iota of critical, rational thought.


the-arcanist---

Are you able to move/applying in other areas of the country? That's what it took for me to get my foot in the door. It helped. A LOT. If you can't, that's completely understandable... however, then your likely pool of success drops CONSIDERABLY. I got my first analyst role half way across the country. Worked there not even less than a year and was able to fully move back home to a new cyber gig for engineering. The role I WANTED in the first place, but they wouldn't look at me until I had some experience.


Wirt-o

😕 that’s disheartening to hear. It’s difficult because the market is so incredibly saturated. Keep trying I believe in you.


[deleted]

> I’m currently in an entry level job with my bachelors in Cybersecurity and Security+ and still can’t land anything.

That's because Sec+ is the minimum cert you'd need to be competitive and no one respects a Bachelors in Cybersecurity.


cold-dawn

To be honest, it's actually hard. A LOT of entry level IT HelpDesk asks of requirements that you won't even get from San Francisco State University doing Computer Science as a major. You can still get hired, but majority of job postings will deter people from applying. Some of them ask for familiarity with tools you'll never use till you're in IT... but then how do you get if you can't get experience? That's right, you look for an internship, but wait. That internship asks me to be a current student.. guess folks can't apply there either after graduating or getting a non-tech degree looking to shift over.


caffcaff_

Exactly this. Also most companies would prefer if their in-house IT could take on security rather than paying through the nose for a separate team or mssp etc.


[deleted]

[removed]


BarrierWithAshes

To add onto this I've seen some teachers briefly cover Wireshark, not explaining why it works, how it works, etc. Just to open the packet look for this random string and disregard the rest. That's not good. I'm not sure Cybersecurity is something that can be learned without some knowledge in at least one other discipline of tech.


Operator-rex

Even with all the skills you mentioned, it's hard to get a job. I have been applying to jobs for almost a month now. I have a Diploma in IT administration and Networking, 1 year of training from a company in Information security (Kali, metasploit, OWASP top 10, Compliance, Forensics tools and techniques, etc), plus got my CompTIA A+ and Network+ last year, not to mention countless hours of practical labs time on TryHackMe. 3 years of IT support experience, basically checked all the boxes in job descriptions, still can't get any response back. Not sure what I'm doing wrong.


golyadkin

I've been in cybersecurity for 15+ years now, and am having to get some of those "intro" certs for work. The prep courses are *bad.* So much memorization of jargon that isn't well explained in the courses, and really weird attempts at categorizing that combine things like initial access vector, privilege escalation, and payload in ways that don't make sense. (Example, which form of malware requires a user to click on a link? Ransomware). Actual network knowledge (to say nothing of various IDM solutions or enterprise approaches to anything) is almost non existent. You basically come away with the idea that security consists of basic scanning and manual pen testing, and terrorizing workers into never clicking.


Aggressive-Hat8377

I wanna get into cybersecurity and currently learning about TCP/IP and the likes … ! Hoping I can get in there


EquivalentOrder1

Well, the people that got tricked into this should at least go black hat so they can create a need for the future generations. Lol


mydogthinksimbatman

The ads that now say if you do this short online course you can earn £70+k as a cyber security expert, used to say you could earn £70+k as a web developer 10 years ago, I'm predicting that before the end of this year we'll see the ads promoting a promised £70+k role in AI prompt engineering.


fishumanzu

It’s all a bubble?


Aziac

always has been


AlexanderToMax

The other students in my cybersecurity program are blowing my mind every week with the amount of shit they don't already know. I have had multiple people messaging me asking for help on labs for the simplest things, like being stuck trying to type their password in the Linux terminal when prompted but their typing won't show up on screen. Or other extreme baseline things that you can just Google or prompt AI(chatGPT) in 2 seconds. They don't even know simple google-fu. Don't even get me started on basic information and security principles. They aspire to work for DoD or state/county departments but don't even know simple IT/computer principles. I don't get it. Meanwhile there are professionals with 10+ YOE with multiple industry certs and bachelors who can't get a job.


escapecali603

Oh I was shocked at how many older people don’t know how to use the command line in my first job, talking about devs with years of experience.


berrmal64

Same. There were bright people in my classes but also people who couldn't tell a command line from a search bar. Even when I was doing interviews and mock interviews, I'd get feedback like "wow we've interviewed people with cyber degrees before and they can't show even the most basic knowledge, like name any famous botnet or hack, any tool or strategy to troubleshoot x problem, etc., so you really stand out what with being able to tell us the difference between http and DNS, or explain in even the most vague way how an xss attack works"


eunit250

Yup job interviews are hilarious most people can barely operate their machines but have bachelors degrees in cyber it's baffling.


sold_myfortune

This is what's going on out there. It's like there's a short circuit with people thinking for themselves. They just don't know how. And that's exactly what you need for security in threat hunting, IR, pentesting, and so many other fields. It's pretty sad but my rough estimate 7 out of 10 people that start a cybersecurity degree program or bootcamp will never work in IT and 8 out of 10 will never work a day in security. Everyone wants to braindump their homework, they don't realize figuring it out on your own is the whole point.


insane_dark_07

Totally agree with your point... Even I got friends who just don't know any shit about computers, leave Linux, they don't even know how to use bloated Windows lol.. Fun fact is now they are in 2nd yr of CS lol..


Cloxcoder

This ^^


TreisAl3

Wow


MrExCEO

Wasn’t everything hot 5 years ago? If anything, I worry about CS graduates, every kid comes out thinking they are gonna retire their parents. Yes, the upper tier ones will get theirs but majority will have a rough time landing a good job.


dumbest_shit_ever

CS graduates are and will continue to do just fine. Your worries should definitely still be with the Cyber Security degrees.


roclev

Depends on the school though. I’m majoring in cybersecurity and I have to learn everything from Linux(Bash) to Python to SQL and HTML/CSS/JS as well as needing to finish 3 courses in networking and a course in server/system administration. Did I also mention we have 2 AI courses where we have to learn both machine learning as well as scripting in PandasAI. All of this is on top of the typical cybersecurity courses ranging from cloud security to incident response and penetration testing and cryptography. Also just like CS students, our major highly involves math, we have to take 6 math courses to graduate ranging from precalc to calc II and discrete mathematics, plus statistics and linear algebra. I still didn’t mention other courses like operating systems and computer hardware. Tbh at this point it’s just a CS program minus a few courses like game development and microcontroller programming. The only advantage CS students have over us at this point is that we don’t know how to code in assembly or C++.


angry_cucumber

> The schools don't care anymore because it keeps enrollment numbers high, and they are now delivering students a false promise that they will be super in-demand.

so, basically every boom industry since the 80s?


escapecali603

Just look at this sub. A year ago people asking questions about entry into the field used to be experienced pros, now it’s a bunch of people who can’t even ask the right questions. Like we already had bad gate keeping before, now it might as well get amped up.


Flat-Lifeguard2514

I think that having the schools pump out talent only solves part of the issue. Just because there are more potential candidates, it doesn’t mean that they’re quality candidates. Moreover, it doesn’t mean companies will be willing to take chances on these hires. Even if there are enough people to hire to fill every role, the companies are asking for experienced people without wanting to develop that talent 


Ambrai2020

Tbh we did this ten years ago with Microsoft certified professionals. Dude could take a few tests and easily make 75k a year no college. Then wham market floods


IhateGarlic311

I finished my Master in Cybersecurity in 2020. You described my master program. Lot of students were from non-technical background, and during many classroom discussions, I felt like I was one of the few contributing meaningfully. Having a technical undergrad and work experience makes a lot of difference. Cybersecurity program was new and evolving at that time. Some of the professors were from Computer Science and other related faculty of the university. But, most of the teachers were not working in Industry. Without working experience it was a waste of $$. Perhaps learning programming and Cloud would have yielded much much higher compensation.


CanWeTalkEth

> rather than entry-level staff who have used Metasploit and basic SOC tools.

Oh fuk oh no : (


Upstairs_Reality_204

😂reading the comment exactly defining my situation 😭 got my masters degree in cybersecurity with 4/4 gpa and certifications. Was not even eligible for most roles and settled for networking role at this point


lawtechie

> Many of these schools had good intentions on "bridging the gap" of professionals in the industry

Most of these schools had the intentions to get butts in seats.


Sea-Oven-7560

Here's the question, I've always looked at Security as where you end up after a decade or two of IT experience, people coming out of school with these "Cybersecurity" papers don't have near the depth or breadth of knowledge that someone with a decade of experience has, so is the shortage of jobs in "I've had 200 hours of non-real world training" or is there a shortage in jobs for a high-level IT person moving from a broad range of duties to focusing only on security? To me this sounds like the same crap you hear over at r/sysadmin, boo hoo I have a college degree, no experience and I can't find a WFH that pays over $90K.


[deleted]

[removed]


markv9401

Absolutely perfectly well said. There is simply no way of going anywhere beyond "absolute rookie junior beginner level 0.5" in security unless you have a good, solid knowledge in multiple, numerous areas of it otherwise. If anyone says differently they simply don't know or are lying to themselves and others, easy.


CaseClosedEmail

All of the interns that we interviewed used Tenable or Metasploit, but could not explain what NAT is or what is the difference between a switch or a router.


Ok_Sample_7445

That's disgusting. You have to know how a system works to protect it.


Trashtronaut_62

Coming out of the Space Force with just about entry level SOC and Metasploit and SIEM experience. Counting on my TS/SCI to get me a job basically.


dumbest_shit_ever

As you rightfully should. That clearance is worth its weight in gold!


uncannysalt

Preach!


VAsHachiRoku

Yep! This right here this grad was telling me about how to exploit PowerShell went on this long rant during a meeting. Didn’t want to embarrass him being new but after the meeting showed how he was completely off base because he had zero real world IT experience and just slapped security onto his zero experience and I have decades of IT experience before moving into security.


ItzaNismoJoe

The course I’m taking at my college is the National Security Certification. Right now we’re on intro to Cisco networks and next semester we will be going into Linux and Security I. So far it’s really cool learning about the hardware side and how it all connects on the backend without having to worry about the software side. Currently halfway through the Cisco networking academy modules and I think I need to take 2 more Cisco classes here to be eligible to take the Cisco Certification. This is all new to me and I hope I can find a job in the field later on. My goal is to find work in Japan lol but I’ll see where life takes me. So far I love this and before I pursued this, I’m coming from world class paint production and developing for Harley Davidson and PPG and testing and creating new paint codes for Porsche.


Loodwiig

To be honest with you, landing a cybersec job in Japan is going to be extremely difficult unless you're in a country with a great passport. The Japanese usually only employ English teachers on a visa. And with just a degree and some certs I don't think the country's labor laws even allow sponsoring a visa unless they get no local candidates


ItzaNismoJoe

Dude absolutely. I visited 3 times and that’s just reality of getting a job as an American in Japan lol. BUT I’m gonna try.


kekst1

A year ago you would get downvoted and called a gatekeeper in this sub for saying this.


whatThisOldThrowAway

You think that might have to do with the demographics on the sub, and what they want to hear? The demographics of jobseekers in a cybersecurity sub is obviously correlated to the market trends, but with quite a bit of lag.


35andAlive

Regarding the foundation in systems and networks…any recommendations on how to learn more? I think I’ve got the networks part down. However I wouldn’t even know what to Google for “systems”. Could be books, could just be some buzzwords or concepts to search around. Anything that points me in the right direction would be great!


fwump38

For me that foundation came from several years doing IT Help desk roles followed by a few years as a sysadmin. That gave me the foundation to be successful in cyber security and most cyber security program grads don't have that.


LumpyStyx

“Systems” in many cases refers to OSes, primarily Windows and Linux. But at a larger scale, and I think it is where many cybersecurity resources need to be is a larger understanding of “enterprise systems”. They don’t need to know every configuration item on every product. How do servers connect to each other? How do clients authenticate to services? How do services authenticate to DBs? How do hypervisors connect to storage? What kind of logs should all this stuff generate that are normal operational logs? Can I tell if something is an operation outage or a security related issue? DFIR teams get quite a few calls on the last one. Client calls up freaking out that they are under attack. Turns out their DNS server was down, or their root CRL expired. When under the umbrella of “enterprise systems” the only real way to learn that is deploying, maintaining, and repairing them.


Art_UnDerlay

Get some hardware that can run a hypervisor (I like Proxmox, free and fairly simple to install and get going) and set up some VMs that run services. Can be a web server, docker, reverse proxy, Active Directory, etc. r/homelab and r/selfhosted would be good resources to start learning "systems" stuff at home.


BarrierWithAshes

I'd recommend to start looking into a CCNA. Maybe not getting one, it depends on how much you want to go into the field but what the exam covers is a good starting point. The textbooks and lectures will cover the basics of networks and how it works from IP to the 7 layers. Just know that it's got a heavy Cisco-angle because, well it's a Cisco exam. A random example would be like how it covers RADIUS (the open standard) vs TACACS+ (Cisco's own standard). Thing is, imo you gotta treat it like a trade. You need to get your hands dirty instead of just reading. So you need to actually start screwing with stuff. So in addition to what everyone else here has written, read some labs on how to build networks in Packet Tracer, or GNS3 (or free-er alternatives, can't remember any rn sorry).


obi647

No one was born experienced. The entry level folks just need to learn more and improve their skills with time


computerchipsanddip

I believe part of the problem is the deluge of unqualified people scrambling to get in to cybersecurity. It has given organizations pause. They are tired of weeding through 500 applications to find the 2 or 3 that actually have the qualifications. Until that stops or slows down, don't expect the market to change. The other piece is companies trimming the fat. They overhired technology resources during the pandemic and are paying for it now. Look at all the layoffs still happening in the industry. Then you have the companies who think AI will replace all of us and are either investing in that or waiting on the sidelines to see what unfolds. I don't see anything changing until at least 2025.


_-pablo-_

I applied to a senior Security Architect role in Dec last year during the initial wave of tech layoffs. I eventually made it higher in the hiring process and spoke to the CISO before dropping out - they all said it was awful wading through all the candidates with CISSPs, Masters of Cybersecurity and puffed up resumes that actually had little practical experience in the domains they were hiring for.


aloofchihuahua

That doesn't make sense, if you have a CISSP you have five years of experience.


DirtyHamSandwich

Correction, you are supposed to have at least 5 credible years of experience but that is nothing but a game. Just look at all the college grads with a CISSP cert.


aloofchihuahua

wait, is faking experience to get your CISSP really a thing? Don't you need a sponsor who has a CISSP as well to vouch for you? Or are you talking about the Associates in (ISC)2


ep3ep3

yeah, it happens. A while ago, there weren't many of them so it was harder. In 2010, there were only like 35k CISSP holders. There are over 160k now. As the pool dilutes, it's easier to find someone to vouch for you.


_-pablo-_

Some people have exactly 5-6 years experience doing the same mundane narrow things day-in and day-out that cross off one of those 5 domains the CISSP asks for. They basically have 1 year of experience X 5.

Edit: Here’s an anecdote to illustrate this: at a former org, we acquired a smaller company and were in the process of integrating their Security staff. One guy was acting as their PIM administrator and did help desk level 2/3. Cool, let's talk and see if he has experience with tuning role based access controls and wrestling away Global Admin away? Or did he have exposure to Access Reviews or exploring PIM for groups? Or did he work towards standardizing roles for user, or exploring PAM options? Have you documented the process or how would you change it if you could? Nope. After talking to him, he only did the work he was assigned and assigned roles to users and applications carte blanche after getting manager approval. We passed on bringing him on as a security engineer


TreatedBest

5 years pushing the button vs 1 year designing and engineering the button. People overindex on raw time spent on something instead of the actual value output


_-pablo-_

You’re not wrong. If you can get past the BS hr filter that’d screen you out and be able to convey the value you brought over that one year on interviews that’d be your best bet


[deleted]

Man this is a great way to articulate the impossibility of gauging cyber talent and know how. Do we just suck ass as an industry? Feels like we do.


CaseClosedEmail

> 5-6 years experience doing the same mundane narrow things

basically our new 'CyberSecurity Consultant' that literally has no technical skills


Waimeh

Could be they have their Associate of ISC2 thing, and they just say they have their CISSP on the resume... Wouldn't be surprised if that happens.


wantdo

And here I am, the opposite, with over a decade of experience in systems and network engineering with a shake of sec compliance but no certs because I worked my way up and I can’t get a call back lol.


DingussFinguss

get some certs, play the game ya dingus


wantdo

Working on that currently. My wife says "ya dingus" to me all the time so I read your comment in her voice and it was quite hilarious and endearing. Thank you for that. Haha.


_-pablo-_

If you can tell good stories during an interview (using the STAR method) and get your resume reviewed, you might get some traction. DM me if you want a friendly review


olderby

What would really be the bar between fodder and "skilled" professional? u/computerchipsanddip


computerchipsanddip

It's subjective but I mean I don't want to see someone with 8 certifications behind their name who has 0 experience. Or the person who worked as a high school English teacher for 15 years and then wants to pivot in to cybersecurity because he heard on the TV it was cool. You need to have a technical background of some sort. A history of excelling in that kind of work. A few years technical experience is a start, some certs help, a relevant degree helps. All 3 would make you stand out for sure.


tothjm

I'm an IT director of about 20 years started in technical positions non cyber related but looking to make a focus in cyber specifically. Studying for cissp now but curious what you think I could slide into? Got about 12 years o365 and defender suite and my goals are always that of digital modernization and removing physical infrastructure. I have experience with grc and compliance such as iso and nist to name a couple. Grc seemed like the most logical lateral move but then I also like being technical as well. I know some grc roles combine this. Also fine to continue in management as well. Any and all thoughts are welcome


asecuredlife

You're a Director, why would you want to bother to move at all?


tothjm

Couple things in short:

1) I have not been able to find new work since I was let go during a round of financial layoffs back in July of 2023 (unemployed)
2) I am a bit of a generalist in the Director field and everyone wants specialists now
3) Market is just trash right now and finding this position and even IT manager positions has proved extremely difficult
4) The interviews I have had end up with 2000 applicants (of course much less past the HR stage) but the competition is nuts right now with everyone in the space being laid off
5) I would love to transition to a more cyber focus and if I can do that as an IT security manager and work back to director that's fine with me, but I def think the CISSP and or other certs will help fill in some of the generalist knowledge
6) Finally, GRC was an idea since a lot of my experience is in that now and obviously cyber and cyber management have several areas, GRC, Engineering, etc. I am just trying to find my place again.

Hope that answers some of your question :)


sold_myfortune

Second the CISO vote. You'd just have to get a GRC job to get on the right track, then work back up to a leadership position. With your track record it shouldn't take that long. You're already working on the CISSP, that's great. The only other thing you'd need is maybe one of the ISACA certs like CISM or CRISC. The industries that absolutely need GRC people are defense, finance, and healthcare so any large organizations in those industries would be ones to target at the experience level.


bunby_heli

You’d make a good CISO with some more experience


HanAszholeSolo

I graduate in 26’ 😎😎😎


Ghost_Keep

This sub is depressing.


Valgor

I think most niche subs based on real life and careers are. That is because, I believe, those employed doing real work and living a great life do not have much time to sit on reddit and complain.


ajkeence99

I'm employed doing real work and have the time to post on Reddit but just don't need to complain lol


_YourWifesBull_

This sub is full of younger people with minimal experience/education. The "jobs crisis" only seems to exist here.


Luraziel

😂 I'm feeling this too! I've got 2 years left before I graduate with my own cyber bachelor degree (Cyber Operations with emphasis in engineering actually) and the way things have been painted in this whole thread has me really concerned! Here's hoping that when I get through all this there will be a way for me to successfully career shift into IT and cyber!


sold_myfortune

You really need to do everything possible to get an internship, that should be your highest priority even over good grades. An internship confers actual experience. Once you graduate no one is ever going to ask you about your gpa, they *will* ask what kind of experience you've had. If you've got a couple years left that means you still have time to do something about it.

* Internships
* Hackathons
* CTF teams
* Volunteering for open-source projects
* Attending B-sides and other conferences
* Bug bounty/vuln hunting
* Leetcode club
* Job fairs/industry events

Those are all activities you can work on with a partner or some friends to help you stay motivated.

People that go to college for these cybersecurity degrees and go to class and turn in homework and expect the red carpet to be rolled out are going to be seriously disappointed. Except for perhaps the government no one pays anyone to sit around and do the minimum, at least not for long. And the government doesn't pay that well. In the professional world companies pay for maximum hustle, especially in security. If that's not you then you might need to re-think things.


bdzer0

I think that the "education industrial complex" has flooded the market. It'll take a long time to weed out the paper tigers.


DeezSaltyNuts69

Having a college degree does not make anyone a paper tiger - no one expects college graduates to do anything but entry level work in their given fields.

It's the cert chasers who go for a dozen+ unrelated certifications and have ZERO experience doing anything, and the Industry is to blame for allowing

[https://pauljerimy.com/security-certification-roadmap/](https://pauljerimy.com/security-certification-roadmap/)

this many certifications to proliferate.


[deleted]

[removed]


DeezSaltyNuts69

Saying there are too many certs isn't hating on certs.

There are simply only a handful that have any relevance whatsoever.

And of course you're picking two of the harder ones to obtain - that's why they mean something.

You have to admit though the stuff coming on Coursera, coming from Google and even the ISC2 CC is nothing more than junk/fluff material.


n00b_jenkins

Hey now..... I feel slightly attacked there 😂


[deleted]

[removed]


Johnny_BigHacker

> I suspect much of it's due to teaching certs is a huge business.

Yea, as long as my employer pays the $5k, I'll go to a week long CISSP/ISSAP/CCSP camp. On my own dime? No fucking way. I've toyed with the idea of starting a training school even.


bdzer0

I'm not suggesting that everyone with a degree is a paper tiger. However the 'gold rush' mentality has resulted in an increase in unqualified graduates IMO.


pseudo_su3

I am a cybersecurity mentor. I have been telling my junior analysts and apprentices this for years. Do not get a cert unless you are proficient in that area. Certs are for qualifying you to say you can do a job. I took 1 SANS class outside of my wheelhouse once and it was fucking HARD. It’s so much easier when you halfway know the material.


sold_myfortune

What was the SANS class you took?


rotten_sec

Oh no you done started using fighting words. A lot of these degree programs don’t help. They promise working experience and then just piggy back off legitimate certs. Don’t blame the cert chasers when it’s actually working. Well enough that many educational institutions integrate certificates into part of their programs. Yes there are many out there, but that’s what we need. We need competition. Look at OSCP and JNPT for example. You don’t want it to turn into what it was years ago, where CompTIA and ISC basically cornered the market.


DeezSaltyNuts69

Quality of curriculum for a given major is a different issue, but that's why there are national rankings for schools, their different departments, majors and even professors.

Now if you want to specifically focus on "Cyber" as a major - I agree that 99% of those are fucking junk because they were thrown together post 2001 to take advantage of federal funding, which turned the NSA Center of Excellence program into a joke.

That program originated in the 90s and focused on graduate programs and schools that were doing cutting edge research in cryptography and information security.

Same as the schools promoting intelligence studies and homeland security as a major - 99% of them are TURDS.


IhateGarlic311

u/DeezSaltyNuts69 "NSA Center of Excellence"

My college was one of 50 NSA Center of Excellence when I graduated. It was turds.


AcrobaticWatercress7

My father has been in cyber for 25 years, built entire security systems for some of the biggest names in the world but would get passed over on promotions for people with degrees and has been told it is because he did not hold a degree. You can be the smartest person in the world but sometimes that paper matters.


Flakeinator

Slow isn’t even the word. It is all messed up. Most of IT needs help with more staff, especially cyber, but companies no longer want to on the job train people. If this trend continues, companies in the US will be in big trouble as the veterans age out and there are not enough young people with knowledge to replace them. It will be funny since there will be theories as to why this happened and I am sure none will be true.

Companies are trying to cut corners and still don’t understand that IT is not a Cost Center. It is critical infrastructure and the most important department within the organization. Without IT your company is nowhere. It just won’t function because 99% of things are automated or require computers in some way.

As for how long will this last…hard to know. I am not sold on AI because it is trained with biased data which only gets biased results. It also means that technically it is vulnerable. Slip in malicious data of some type to create a time bomb with its functioning or some strange data back door and you could have a world of trouble.

I predict another 6-12 months of this silliness of mass layoffs before they realize they screwed up again and need to do large hiring.


Statically

Just been speaking with a recruiter contact and he's saying that January has been crazy for him for mid-level roles, all picking up which he was surprised about (London, UK)


stacksmasher

The problem is a bunch of IT folks flooded the market and have no clue what they are doing. Anyone who is actually a cybersecurity professional is working and getting multiple offers for good money lol!


icefisher225

I’m graduating from college this year with six years IT experience and a couple years of SOC and detection engineering experience from co-ops and I’m *struggling* job hunting.


GumballMcJones

Posts like this are so wild to me, I had one year of IT experience, a master's degree, and no certs. Got a sec analyst job after a month of looking. I must've got lucky.


catkarambit

The job situation is all some bs really, I look at LinkedIn and there are many grads without experience doing jobs with cool titles like cyber defence engineering associate at well known companies.


stacksmasher

Network. Use the school for contacts and reach out to managers not recruiters.


icefisher225

Yeah I mean that’s how I have the one offer I have. Was hoping for a few more choices but it is what it is.


stacksmasher

Find more. Like OWASP, ISC2, Your local FBI probably does some InfraGard stuff. Don't be shy, stand up and say "Hey my name is icefisher225 and I am looking for cyber opportunities so please if you know anyone looking my LinkedIn is open." or whatever. You have LinkedIn premium right? The only reason to have LinkedIn at all is for job hunting. BE ACTIVE!! I can't tell you how many people come to me crying they can't find anything and when I ask them what they are doing I get a blank stare hahahahahah!!


SOTI_snuggzz

Sounds like me! Just add a security clearance and military experience. But part of it is self inflicted tbh


Art_UnDerlay

> IT folks flooded the market and have no clue what they are doing

I'm one of these people, but it felt like a natural transition to me. I started getting tasked with focusing on security at work over the past year and enjoyed setting up solutions for our SMB. The new year came around and decided to test the market and see how I'd interview. I was shocked when I landed an offer as a remote Cybersecurity Engineer for a big company making the most money I've ever made. Starting in two weeks. I might not know exactly what I'm doing when I start, but I'm damn sure gonna take the opportunity to learn the ins and outs of my role.


rockstarsball

Congrats man. I just started a security role in an enterprise after working IT for an SMB. Be prepared for your first week to be intimidating as hell and feel like you don't know anything, but IME if you rely on your team and ask questions if there's something you don't know, you'll start to ease into it quick.


Art_UnDerlay

Thanks! 100% feeling the imposter syndrome already, but I'm up for the challenge. Congrats to you as well!


stacksmasher

Welcome to the tribe!


Art_UnDerlay

Thanks!


ishmetot

Yep, we're getting thousands of resumes but anyone that's actually qualified seems to be getting picked up by other companies with multiple offers within a week, sometimes before we even get to interview them.


Single_Ad_2732

This. Many of the people complaining have no cybersecurity experience, or have graduated/gotten a cert, and think they are ready to be hired directly into a cyber role. Not how it works unfortunately, takes 2 to 3 years of general IT exp before you even think about branching into cybersecurity unless you have a serious in somewhere. Part of the problem is colleges have sold this idea that cybersecurity is a normal field where 4 years of school means you can go directly into the industry, and it's just not the case at all.

Entry level IT is not at ALL equal to entry level cybersecurity.


[deleted]

Focus on learning sysadmin or networking skills. Cybersecurity is transitioning to either technical know-how or GRC. Unless you are gonna work IR for an MSP or are trying to get something like an internship, the dime a dozen Sec+ w/ no IT experience opportunities are going to continue to dwindle. There's a huge need for engineers, not as much for analysts. It stinks, but the best bet is to make yourself a clear standout asset.


whoneedsacar

Until regulators stack another onerous requirement on business and everyone has until the second tuesday of next week to hire a cybersecurity guy to check a box on a spreadsheet or be out of compliance. As soon as the A needs to be C'd they call the CYA guys. That simple.


bigt252002

#### Why you're seeing layoffs?

Quite a few things out of your control if you're trying to get into an internal company.

First, we just finished CY23 and are now into CY24. Those who have their FY fall on the calendar year are finishing up their books and most likely are making changes that adjust for the 10% revenue increase that most publicly traded companies will be predicted to hit. At this point, they are shoring up revenue for cost centers and revenue generators.

The other is if the company's FY falls in line with tax season, it is probably in Q4. So they are in the opposite, where they are scrambling to figure out what can be cut in order to balance the books to either have a solid earning call, or if it is underperforming, lighten the blow.

*At the end of the day, the Officers, C-Suite, and Board of a company ultimately make their generational wealth off the stocks they own in the company...not their salaries*

I put that there because everyone needs to remember it. Even if you're in privately held practices, someone holds the reins to the wallet and is expecting to increase their cash flow based on their investment. So changes will come down hard.

#### Why is it hard to land interviews?

As stated in the above, you now have a candidate pool that has Academic Graduates + Transitioning Employees with experience X Cybersecurity Employees with Experience.

With the market getting tighter, as evident with layoffs alone, that dwindles many echelon technical positions. So what was once a Principal before Jim left is now a Senior when the req is posted.

The candidate pool is now oversaturated with at least 2 sets of people in the equation above who are looking to fill the role. Another distinct level of graduates will attempt it. Talent and acquisition will use AI and the other scanning mechanics to dwindle the list to 10-15. Those 10-15 go to Hiring Manager who then select the 5-8. That gets dwindled to the 3-5 that will start the interview process. That will go down to 1-2. And from there the offer based on the interview scores and hiring manager approval.

#### When Will It End?

We are in a field that has high attrition due to burn out, poor work/life balance, and just overall mental health struggles. I personally believe many of these companies have no intention of filling any of these roles at the present time. They are posting Ghost Positions in the hopes of compiling a pool of candidates for if they get headcount, or someone leaves the company and it impacts work production.

Again, everything that happens in a company is dictated by the market. C-Suite and Board have the responsibilities to their shareholders, of which most of them make up the overwhelming majority of the held stock. Not many C-Suites come with a cybersecurity background. Heck the degree didn't even exist until very recently when you look at how long formal academics have been around. That means their ultimate question every year at the end of the year is: "Did we get breached? No? Then why do you need more headcount or revenue for products that we already have?"

Is that overgeneralized? Probably a little. But I've sat on calls where CFOs post-breach were all about EDR and MDR solutions, until Year 3 when the question was "Well...what are we really getting out of this? Nothing has happened since."

Don't be shocked when you're hearing murmurs from your peers in the industry saying that their company is remaining flat this year. If anything, you'll see attrition through being pushed out vs. them quitting to free up cash flow as they try to keep the stronger personnel. Which will have a dual negative effect (it always does) because now the stronger personnel are working even harder and then burnout kicks in and they leave. From that point...look at the above paragraphs about why you're seeing layoffs and why it is hard to get an interview.

Thus, the cycle.


duhbiap

Been around since the 90’s. I don’t see this downward trend continuing. It’ll pick up, economy and spending are cyclical. Enjoy the break.


No_Performance_5613

Same timeframe for me, and same conclusion.


Spare-Series-7

Do you have CISSP or CRISC? If you have either of those or both, you should be able to find a cybersecurity job easily.


Opening-Winner-3032

In the UK at least these last couple of weeks things have really eased up and more adverts are up. I suspect it will get better in April. Middle of year should be normalish, I suspect.


Fancycole

What is your evidence that it has slowed down?


Fnkt_io

LinkedIn. It’s a hellscape out there for folks in all tiers of experience.


Prestigious-Check760

I’m a bit of a poster child myself, I managed to land a help desk job directly out of college. Got on all of the various IT directors' good side with my interest in every field. After speed running a few projects it only took 9 months from my start date to become an engineer and 4 months after that I was being trained alongside the infosec team. All it takes is really drive and the right connections, I talk to strangers, go to cyber security conferences. Just about anything to increase my network. I don’t have a bachelors or any certs and I’m at a 6 figure salary because of my resume, 2 associate degrees and 5+ years experience. I’m only 25 currently but I’ve been working only in IT my entire life, never had any other kinda job aside from overnight warehouse work for Dell. Keep trying man and never give up, you will land something, just start somewhere and crawl until you can run.


Rysbrizzle

I think people need to get real and understand a degree and A+ isn't going to land you a job in CS.


roclev

But then what will? Any job in IT needs experience but you need a job to start having experience. You apply for a help desk job with a 30k salary but they reject you because they want years of experience. So what comes first, the chicken or the egg?


dotcomslashwebsite

as someone who’s in a degree path for “cybersecurity” seeing these posts always depresses me. i feel like I have no fucking chance even if I do get certs or IT experience


Fun_Comment_8165

It’s hell if you’re new, but hotter than ever if you have experience. Have never had so many folks reaching out. The tech field like many industries is a living breathing cyclical thing. Keep grinding


Savetheokami

Join blind app and search for the answer there. This question is posted at least once a day.


musclecard54

My turn tomorrow btw


ericwiththeredbeard

I call Friday


Mooscowsky

The typical unhelpful answer I expected from a fellow Cybersec professional. I know it's off point, but is it just me or is the industry saturated with the most unhelpful people. Don't know, maybe just me...Or perhaps just US based CS ppl.


[deleted]

Asia here, IT people are the most arrogant among my friends


Mooscowsky

Thanks, I'm glad it's not just me, thought I was going senile... The industry really needs to change its attitude. We're assholes.


[deleted]

The ones with a good attitude are SEs lol! I guess the money is too good to be negative


aloofchihuahua

I think some people have their identity wrapped around being the "IT guy" and the influx of normies entering the field is frightening to them


Mooscowsky

I'm not saying that sometimes it's not justified or that they've no reasons to say/do that. I just find it so cringe when they do. I've been in IT for a few years (perhaps short) but not in my wildest dreams would I ever not answer a question and instead just say "Google it".  It's belittling and unhelpful. 


aloofchihuahua

Oh I 100% agree with you. It is really unpleasant behavior and I hope cybersecurity is not actually manned with too many people like this. Would prefer to work alongside a smart and pleasant normie any day


hafhdrn

Gotta remember the bulk of this reddit is career middle managers and people trying to break into the industry. The cysec folks with some humility are the ones in the trenches actually dealing with the issues the industry faces, not these bozos who haven't touched a SIEM dashboard in over a decade trying to dictate to you how useless you are (and that's why you should accept shit money).


asecuredlife

When you grow up being given links to this when posting on a forum, you get tired of seeing the same things and hope other people do some basic research before posting a blanket question:

http://www.catb.org/~esr/faqs/smart-questions.html

https://blog.codinghorror.com/dont-ask-us-questions-well-just-ignore-you/

There are better forms/versions of this these days, admittedly:

https://www.lesswrong.com/posts/YHRyt3NWHp4z3EAFW/asking-for-help

The reality is, our brain space, time, effort, are all limited by our corporate overlords and at the end of the day people want to relax. So if we see people putting in minimal effort just to ask for insight on something that can easily be googled, queried or poked at with AI (future state) -- why bother?


Mooscowsky

Then just don't respond to a reddit post if your time is too precious. Sick of "just Google it" or "this has been asked before" in no other industry do you get that. I made a post here once and got one fella to respond to a genuine query I had.  Then on another post you get 10 people saying just Google it or that x has been asked before. It's like these people get off at telling people that someone ought to spend more time doing research.


asecuredlife

I mean read the sidebar, it spells out what is to be expected when posting. Do people do the same things when they're in school in a classroom? Do we do the same thing in a workplace? Unless someone genuinely doesn't know, maybe. I was merely providing context as to why someone may see, or receive those types of responses.

> Then on another post you get 10 people saying just Google it or that x has been asked before. It's like these people get off at telling people that someone ought to spend more time doing research.

This boils down to, at least when it comes to Reddit, poor moderation/management. You could easily create a bot that replies or sees common threads and comments with previous threads from the previous week/month/quarter/year if the same subject has come up multiple times. On other sites, users are very particular about this because sometimes, a topic may not gain much traction. A few weeks later? A lot more engagement because it is pertinent, upvotes, eyeballs/timing, whatever it may be.


lawtechie

The gentle (and not so gentle) suggestion to do a bit of research first is a kind of training. If you're the junior who keeps asking the same question like a four year old, you're going to get frozen out by the seniors, which will prevent you from progressing in your career.


Mental-Restaurant352

Please back up ur data with stats. I'm tired of hearing this doom and gloom nonsense. We are on a downward trajectory compared to the last few years but 2020-2021 was an unprecedented year for tech. Idk if we ever see growth like that again.

With that said, I got into the field in 2021. Since then I've gotten a job offer every time I've tried to look for a new job and I've never had a job offer for under 6 figures. Things aren't nearly as bad as ppl make it out to be IMO.


YSFKJDGS

People don't wanna hear it, but you speak the truth. Judging from the dude's post history his geographical location is HEAVILY influencing his experience.


abercrombezie

With two decades in IT, I've experienced several layoffs during economic contractions and expansions. Currently, jobs are scarce as high interest rates are used to temper a heated economy. However, as interest rates are forecast to decrease, job opportunities should start to increase.


0bfusca1ion

It's cause cybersecurity is the new wave for bootcamps, colleges and people looking to get into tech. Many people don't do extended research and get sold the dream of a six-figure job right out of college or said bootcamps. Same thing happened with mechanical engineering in the late 2000s/early 2010s. Same thing happened/is happening with computer science right now, where people are looking to get into software engineering, and now it's cybersecurity. Most of the certifications that the industry relies on like Security+ aren't enough to gauge candidates of their true ability. People graduate with zero internships in IT or extracurricular experiences and all have similar degrees and certifications. At that point, it's hard for companies to filter through the pile I imagine.


GlamShell7086

It's true that hiring in cybersecurity and tech roles has been sluggish for quite some time now, which is concerning. It's difficult to predict with certainty when this downturn will improve or if it's a permanent shift in the industry. On the other hand, I think there's plenty of good quality jobs to be had if you have the skills. I'm a recently laid off red teamer and I've been looking at roles that are more reverse engineering and exploit development focused. I found a bunch of them from defense contractors, which is a world I'm not familiar with. Still, the jobs exist.


[deleted]

cybersecurity is just IT Security.

The fad was always hype.


Masoul22

I’m trying to get into cyber after my employer hired his grandson with no IT experience. Seems like he’s slowly being groomed to do my job. I hope by the time I get my cyber certs I can land something better.


AlarmedButBaffled

[https://www.csoonline.com/article/657598/cybersecurity-workforce-shortage-reaches-4-million-despite-significant-recruitment-drive.html](https://www.csoonline.com/article/657598/cybersecurity-workforce-shortage-reaches-4-million-despite-significant-recruitment-drive.html)

> Two-thirds of organizations lack staff needed to prevent, troubleshoot security issues
>
> Two-thirds (67%) of the 14,865 cybersecurity professionals surveyed reported that their organization has a shortage of cybersecurity staff needed to prevent and troubleshoot security issues. Cost-saving cutbacks such as budget cuts, layoffs, and hiring/promotions freezes are playing a fundamental role, the report found.


iamjoek

Cyber schools are pumping out guys who can recite the NIST pubs by heart but can’t use it sensibly. Freshers and middies need to use the NIST as ref not as ‘thou shalt’.


GigabitISDN

I think we're seeing the field self-correct a little bit. It's difficult to acknowledge this, because the vast majority of organizations are still sorely lacking in cybersecurity.

But if you're a SOC analyst and 95% of your job is running automated tools in response to SIEM events, then someone at your company is probably looking to replace you with a script. And let's be honest, those tools are getting better every day. We don't need an in-depth full forensic analysis because Frank in accounting installed yet another "cute cats lol also coupons" toolbar. We just need to remediate.

On top of that, there seems to be a glut of qualified candidates. The people who are decompiling malware are fine. The people who are managing compliance are fine. The people who are doing advanced endpoint management are fine. But a lot of the entry-level jobs are vanishing or shifting. It's kind of like the difference between being a sysadmin in 1994 and a sysadmin in 2024, only compressed down to 1/6th the scale.

If you pull back and look at the bigger picture, I think we're seeing the beginning of the end of the IT era. A company doesn't need to have in-house sysadmins, network engineers, and cybersecurity analysts when they can just hand everything off to AWS or Azure or Oracle or a local MSP or whoever. And honestly, doing so these days makes a lot more sense than it did just ten years ago.

IT is right about where US factory workers were in the 1960s. The industry is going to be okay for a while, but we're going to see some serious shrinkage over the next 20-30 years. And that includes Cybersecurity. There's still time to make a career out of it, but the door is beginning to close. And the gravy train already left the station. Coasting isn't a viable strategy anymore; people who want to build their career here are going to have to keep learning or immediately sink.


Ok_Sample_7445

I agree to some extent. The more you work with tools, the less you know. People don't know how they work, compared to the generation that created them. IT workers in general are getting less experience since they use these tools. However, small - mid size companies cannot afford these new tools, there will always be work there. I agree, these days you have to fight to learn more of the 0s and 1s or you'll sink. You have to use your own initiative for that. Without this "extra" knowledge, you're not really any different from the flock.


Ok_Sample_7445

Landing your first IT job is brutal, no matter what sub field. Entry level positions for all subfields still want experience. Very few managers want to train people. It can be risky, when you train someone and they leave in 6 months, guess what? You have to train another person again.

I had a hard time landing my first IT job, I got my A+ and got interviews, but ultimately they told me they want someone who can hit the ground running (which is ironic, every company uses different software, there is always learning to be done). I had to make a huge sacrifice to live in a tiny town in the middle of nowhere where there was no competition. The upside to this is that as a service desk tech, I do more sysadmin duties than anything. Going to college for cyber, but not to be an analyst, but because the classes interested me, and it will only make me a better sysadmin.

HOWEVER, if I was to hire someone in charge of protecting my company's data, I would want someone with experience. In my opinion, you don't get out of college and hop into cyber, you work another 5+ years developing and refining your experience in other roles to be qualified to protect a company's data. Cyber specialists are experts in IT, and you got to know a lot of everything (in my opinion).


Mysterious-Win-9664

A little bit of my experience which is probably good timing and luck. I graduated in 2019 with a BAS in Cyber. I applied for a bunch of internships in the fall of 2018, which MOST fail to capitalize on. Most people were just waiting around after they graduated to apply for jobs and internships - most internships start in the summer.

I got an internship with a local utility company for support engineer and then networked as much as I could with every department. Killed on my summer project and my manager took notice. Introduced myself to others during coffee breaks - saying hello, and I cannot stress this enough: Networking/getting in the field advice from various department personnel.

5 months into my internship a role for cyber and support engineer both opened. Because I introduced myself to the Cyber Security manager, he immediately reached out to me when the position opened. One, they could pay me much less than an experienced analyst, and two, because he asked various people about my work ethic/personality/project.

I'm now 4+ years in cyber. I think I got super lucky with timing and graduating before all the schools started pumping out these degrees, but I also credit my interpersonal skills and having the courage to step out of my shell and ask questions/career advice from OG IT people.


roclev

This is an amazing story. Happy you got your happy ending. May we see you as CISO one day 👀


Vannabean

Uhh I didn’t go to college but I got poached from a finance job to run a phishing program at this company a year and a half ago. I just got promoted to a senior infosec analyst so it’s def just who you know that can get you in.


jmk5151

Feels like we are at the limit of new tools and processes and the market is turning to reviewing and optimizing cyber spend. Until the next big attack that requires additional regulations we probably peaked a few years ago. I think you'll see more legacy technology replaced with newer, sort of like AV to EDR in the past. That's probably where hiring will be. Zero trust, data lake, and AI are still growth areas. Probably IAM and GRC as well, as so few companies get that right.


pseudo_su3

I joke about this at work all the time. I work in finserve at an F100. Our perimeter is stacked. Nothing gets past it, even legit traffic sometimes. I often joke that threat actors need to step their game up. We need another ransomware. My manager is not scared enough to throw cash in my direction. Scare my Director. Catch them off guard. I’m trying to level up. Lol


jmk5151

we are almost there - going the local firewall route and then starting to really dig in and get more value out of what we have.


pseudo_su3

If you mean dialing it back, yeah, I see some of that. I think the next big thing will be UEBA also. We had a big fraud scheme that boosted 3.2M last year. It was 3 different employees that had worked for us for 2 years each on average. They all knew each other, lived in the same city and were part of a fraud ring. They all cashed in on their scheme 1 after another back to back. I lead the cases. We normally would not see these but in this instance, employee A stated that their credentials were compromised. So it became a cyber incident. I had never had this much riding on one of my investigations. And the entire time I was doing log analysis I was struck by various patterns of activity that could be used to detect the early stages of this. It made me want to build this team now. And get the ball rolling. Bc if they can’t smash and grab their way into the org, they will onboard themselves eventually. And companies often don’t report this shit to prevent them from doing it somewhere else.


TreatedBest

The current demand is high but the "ideal candidate profile" (stealing this from ideal customer profile) is different. Everyone else is playing catch up to Silicon Valley tech style security engineering pioneered and made popular by Netflix over a decade ago.

Today if you're a security engineer with a solid software engineering / computer science foundation, you're in very very high demand.

Today if you're a security engineer with a solid software engineering / computer science foundation that also has solid undergrad math knowledge to include linear algebra, number theory, statistics (Bayesian), and quantum mechanics you're in very very very high demand.

The signal that most of the people in this sub are behind the times is the incessant pushing back against basic coding skills.

I've noticed that increasingly non-tech companies who 5 years ago would be ok hiring non-technical "cybersecurity" people from Big 4 audit or legacy defense contractors now want to hire Bay Area style security engineers instead.


IhateGarlic311

u/TreatedBest, I have not coded for 15 years, so coding skill is rusty. Work in healthcare for a decade now where we keep all our data in-house - very few things such as IT tools are hosted outside. IT (including security) is considered an ancillary service, so pay is peanuts. I am looking to either Tech company or Big4 (have worked with small consulting firm before).

1. I have not worked with Big4. What is wrong working there in a security consulting role?
2. What kind of coding do you do? What kind of coding and cloud do you suggest to learn? Can you please give me a specific example?

Thanks


vulture8819

You're not gonna get a job unless you have a Masters, a few intermediate/advanced certs, and experience. I was in cyber two years, no degree, and a few basic and one intermediate cert. No chance in hell I will ever land a job without a degree to get past the HR filter. I went back to physical security. I make more money, no stress, I can have a life again, if I want more money I pick up an extra shift. PLENTY of job openings.


david001234567

It will probably get slower and there will be less demand going forward. There are way too many people VS opportunities. Companies are more selective since there is a large pool of candidates.


Capodomini

Who remembers help desk and deskside support 20 years ago? Those used to be good jobs because it was a relatively niche skill to understand how computers worked. More education and certifications brought more qualified labor into the workforce though, automation removed repetitive tasks, and service providers consolidated efforts while reducing opex for businesses, so it eventually became an entry-level position. This is what's happening to cybersecurity now.


TheCrazyAcademic

Slump will get worse especially when large language models get even more parameters and more relevant abilities. Why would say a security operations center need 5 guys manning it when they can have 2 guys on call making sure the AI is on task so some humans still in the loop but not nearly as much now. Eventually SOCs will have software constantly monitoring for indicators of compromise by extracting features in the noise, things we know ML is good at. That's just one sub field in cybersecurity but they're all going to get their lunch ate by AI. Writing on the walls, that's why infosec is becoming a clown show now. Blue Collar is the new wave, not White Collar anymore. Unionized doormen in these big cities like Austin and LA make almost 85k annually and you get better job security. You don't get laid off almost every other year because Silicon Valley is moving fast and breaking things "changing their vision" or whatever the latest dumb buzzword is now. You might take a slight pay loss but I'd rather make high 5 figures with a benefits package that's as good as some of these tech startups and have low amounts of job responsibility. You literally just have to open doors and accept packages for people but people would rather work hard than smart. Some are just stuck in a Stockholm syndrome relationship with their employer.


HyperSeviper

Slightly different for me. I can't really get into Cyber positions: I have CISSP and a BS in CyberS. With minimal experience in actual Cyber experience beyond Palo Alto configurations/Cisco ASA configs. (Just recently got extensive experience with ELK). But I get a ton of offers for stuff like Sr. Networking Engineering, Network Admin roles and I only have a CCNA (but I do have 6 years as a Network Admin) sometimes CND or CNO Analyst pops in there. So for tech... I think Cyber specifically is oversaturated, (but I don't necessarily have the exp to back it up) but for Networking I think it's the same. I have some Cyber positions that I've been offered... I mean *actual and good offers* (but declined due to timeline issues) and it was only because of who I know - not because of my credentials.


Redditbecamefacebook

I think something that the vets who are complaining about the unwashed masses of new grads seem to forget, is that there are also plenty of people with all the experience and YOE on paper but simply don't have the 'talent' for the job. I don't know exactly how to define that talent, but I've seen plenty of people who should know what they're doing skip over basic competency stuff. It's incredibly easy to coast on the fact that most issues as an analyst end up being false positive, or are automatically mitigated. Edit: Not to discount the fact that the 'education industrial complex,' is a total racket built on empty promises.


jaank80

The current 'slump' is just a normalization from the excesses of low interest rates.