Let’s talk about something that’s been bugging me for years: the cybersecurity job market. It’s a complete mess. And if you’ve spent any time looking for a job in this industry—or trying to hire someone—you’ve probably felt it too.
We’re told there’s this massive talent shortage, that companies are desperate to fill cybersecurity roles. Yet, the reality for many job seekers is rejection after rejection, often for jobs they’re perfectly capable of doing. Meanwhile, employers complain they can’t find “qualified” candidates. So what’s going on? Why does the cybersecurity job market feel so broken?
Let’s cut through the corporate fluff and get real about what’s happening.
The “Unicorn” Problem
One of the biggest problems in this industry is what I call the “unicorn syndrome.” Employers are out here writing job descriptions for magical, mythical creatures who don’t exist. They want entry-level candidates with:
- Five years of experience.
- A CISSP (which requires five years of work to even qualify for).
- Expertise in every tool from Burp Suite to Kubernetes to whatever buzzword they picked up at last year’s RSA conference.
Let me translate this for you: we want someone cheap who can do the job of five people.
Newsflash: that’s not how this works. If you’re looking for a pentester, you don’t need them to also be a cloud security architect, a SOC analyst, and a digital forensics expert. Write clear, realistic job descriptions and maybe—just maybe—you’ll find someone who can actually fill the role.
Talent Shortage or Gatekeeping?
There’s no denying that the demand for cybersecurity professionals is high, but let’s not confuse a talent shortage with bad hiring practices. The truth is, we’ve built an industry full of unnecessary gatekeeping.
Take certifications, for example. I’ve got nothing against certs; they have their place. But when you’re requiring a CISSP for an entry-level SOC analyst role, you’re not filtering for talent—you’re just narrowing your pool to an elite few who can afford the time and money to jump through hoops.
And then there’s the infamous “entry-level” role that requires 2-3 years of experience. What the hell is that? Entry-level means no experience—or at most, internships. If you want experienced people, stop calling it entry-level.
The result of all this gatekeeping? Tons of qualified, passionate people get stuck on the sidelines, while companies claim they can’t fill jobs. It’s a self-inflicted wound.
The Burnout Problem
Let’s say you do land a job in cybersecurity. Congrats, right? Maybe. But here’s the ugly truth: many roles in this industry are set up to fail.
We expect people to work 24/7, chasing alerts, responding to incidents, and cleaning up after every bad decision their organization made before they were hired. Burnout isn’t a bug in our industry—it’s a feature.
Companies are often understaffed, and security teams are overworked. Meanwhile, leadership doesn’t prioritize security until something goes horribly wrong. And when it does, guess who takes the blame? It’s not the people who ignored your recommendations to patch critical systems.
Until we fix this toxic cycle—by hiring enough people, setting realistic expectations, and creating supportive environments—the best talent will keep burning out and leaving.
The Tool Fetish
Another problem: companies are obsessed with buying tools. Don’t get me wrong, tools are important. But tools are only as good as the people using them.
Here’s what happens way too often:
- A company buys some shiny new security tool because a vendor promised it would “solve” their security problems.
- They don’t hire or train anyone to actually use it effectively.
- The tool collects dust while attackers walk right through the front door.
Instead of throwing money at tools, invest in people. Train them, trust them, and give them the resources they need to succeed. A good team with average tools will always outperform a bad team with the best tools money can buy.
Teach the Right Sh*t and Do Sh*t
I don’t know what you’ve been told, but a “cybersecurity degree” does NOT guarantee you’ll get a job in the cybersecurity industry. Before you shell out $80,000 – $100,000 (average for in-state public institutions) for that bachelor’s degree in cybersecurity, you better make sure you’re going to recoup the investment, sooner rather than later!
NOTE: The average cost for a private institution can easily exceed $200,000.
In order to recoup the investment, you need to find a good-paying job. In order to find a good-paying job, you’ll need to convince an employer that you’ll provide real/tangible value to them. Employers will find value in what you know, but it’s what you can do with what you know that gets you hired.
In simple terms, it’s know sh*t, do sh*t.
The problem with too many cybersecurity degree programs is that they’re not teaching the right sh*t, and even if they are, they could be failing to teach how graduates can/should properly apply the sh*t in the real world. Academics and application (of the academics). In some instances, professors/instructors lack the practical experience themselves to produce the value employers demand.
Don’t get me wrong, there are some very good cybersecurity degree programs out there, but “some” isn’t good enough. Anyone who’s going to charge this kind of money better damn well produce a product (graduate) that’s worth every penny! In all honesty, we need a better standardized curriculum in and between post-secondary schools, more emphasis on foundational concepts (much less on tools), focus on practical skills, and a lot more people who can speak human.
Fixing the Sh*t Show
So how do we fix this mess? It’s not going to happen overnight, but here are a few ideas:
- Write Realistic Job Descriptions: Stop asking for the cybersecurity equivalent of a brain surgeon who also designs rocket ships. Be clear about what you need and what’s actually required to do the job.
- Create True Entry-Level Roles: If you’re not willing to train people, don’t complain about the “talent shortage.” Build pathways for new talent to enter the industry—apprenticeships, internships, and junior roles with reasonable expectations.
- Prioritize People Over Tools: A tool is only as good as the person using it. Invest in building strong teams, and the rest will follow.
- Address Burnout: Hire enough people, set realistic workloads, and foster a culture where employees feel supported. Burnout isn’t just bad for your team—it’s bad for your bottom line.
- Standardize Roles and Career Paths: The industry desperately needs consistency. A “Security Analyst” role should mean roughly the same thing across organizations, and there should be clear paths for career growth.
A Call to Action
The cybersecurity job market is broken, but it doesn’t have to stay that way. Companies, hiring managers, and industry leaders: you have the power to change this. Start treating cybersecurity as a profession that requires long-term investment, not a band-aid for your compliance checklist.
And to those trying to break into the field: don’t give up. This industry needs you—desperately. The system is flawed, but there are people out here who care, who are fighting to make it better.
Glitches are everywhere in this industry, and the job market is one of the biggest. But like any glitch, it’s also an opportunity to do better. Let’s fix it—together.
People need jobs and we need people.
-Evan