john_strinlai 2 days ago

context: i teach at a local college in IT. some of my classes are part of the cybersec curriculum.

as far as i have been able to track (linkedin, email, etc.) roughly 3/4 of the previous graduating cybersec class has been unable to get a job in cybersec. probably 1/2 of those are struggling to find even basic sysadmin or password-resetter positions.

this is significantly different than when the program started (around 2015 or so), where roughly 4/5 of the graduating class had jobs (specifically in cybersec) lined up at the time of graduation.

cybersec is a bit of an outlier, but i see a similar trend with the networking program and game design program as well (the only other 2 i have first-hand knowledge of)

it's rough out there! (i am recommending to my kids that they avoid post-secondary)

brailsafe 2 days ago | parent | next [-]

Game design also seems like it'd be an outlier fwiw, since it's a niche that people desperately want to get into if they've participated in contemporary entertainment culture in the last 2 decades, and that schools are happy to take their money for, but realistically the competition's always seemed high. Networking is a pretty boring unglamorous pursuit though that's very behind the scenes as well as being difficult and niche.

flopsamjetsam 2 days ago | parent [-]

Game making is like film making in this regard: it's often a "passion job."

elevation 2 days ago | parent | prev | next [-]

None of the top cyber security talent I've worked with went to school for it, and I have been underwhelmed by what I see coming from college programs. These kinds of credentials themselves are not a signal of quality to me.

john_strinlai 2 days ago | parent [-]

>The kinds of credentials themselves are not a signal of quality to me.

i hear this online a lot but never from the companies and hiring managers that hired our cybersec students for the last decade.

keep in mind, this is not a 6-month "intro to cybersec" or bootcamp-style program.

elevation 2 days ago | parent [-]

Goodwill with hiring managers is good. But in a down economy it'd be helpful to boost your reputation more broadly.

If I were running your college's program, I would invest in a presence at Defcon. If just one of your students could use their skills to uncover and present something genuinely interesting, it would be worth covering their airfare and accommodations just to get your logo on the screen. If you could do this every other year, your program would have an unparalleled brand.

john_strinlai 2 days ago | parent [-]

>Goodwill with hiring managers is good. But in a down economy it'd be helpful to boost your reputation more broadly.

part of our success over the years has been due to our reputation building, presence at local/state/national conventions, etc. that is exactly why the sudden downturn in hiring has been eye-opening.

steve_adams_86 2 days ago | parent | prev | next [-]

This surprises and worries me, because it seems more important than ever to take cyber security seriously. Although bots are more sophisticated and capable than ever, people seem to feel much the same as they did ten years ago. It's as though security is eternally reactive.

zingababba a day ago | parent | prev [-]

Take a look at what is coming out of RSAC right now. All the big boys are starting to lean heavily into things like agentic SOCs, agentic threat Intel, agentic appsec. I've been in appsec for a decade now and honestly I get it, a lot of this bullshit can be broken down into agentic flows pretty easy, it's even more compelling when you have a program with uninspired security leadership (most places)

steve_adams_86 21 hours ago | parent [-]

I know I've worked with quite a few compliance/checkbox programs in which the people running things don't even seem to see their work as security-oriented anymore so much as... I don't know, generic criteria fulfillment. It made me trust code or systems that claim to be audited way less than I did before. The people I've seen auditing things are not critical, curious, serious people. They're like most other people, waiting for the day to end so they can do something else. I hate to say it but I can see agents being more effective in many cases.

We're kind of hosed, aren't we. The more I think about how complex and challenging security is getting, and will continue to get, the more I want to pull an Admiral Adama and pull everything offline. I need an air gap.

gedy 2 days ago | parent | prev | next [-]

> I am recommending to my kids that they avoid post-secondary

I think that's a mistake, unless you mean "and go into debt for college". Working with many people over the years the educated (in STEM) are noticeably better quality than high school or bootcamp folks on average. Work ethic or amount of code written is not an issue, just the general thinking through of problems.

john_strinlai 2 days ago | parent [-]

>unless you mean "and go into debt for college"

well, yes. i am not rich. they would need to take loans. and from what i am seeing, they would likely end up working in the exact same position as the 19 year old who decided to go directly into the workforce.

i will, of course, support them no matter what they decide. but when we discuss options, i emphasize skilled trades, or working for a few years before committing themselves to tens of thousands of dollars of debt to very possibly end up in a position that doesn't require the schooling.

MyHonestOpinon 2 days ago | parent | next [-]

For what it's worth, I am planning to save about 60k for each and encourage them to go to the State university that is 20 minutes from home. Hopefully they can go to college and stay debt free. But it will be really up to them.

gedy 2 days ago | parent | prev [-]

I don't mean to argue but living at home and community college + state school is a viable option. I was not wealthy but able to not borrow for school this way. Good luck

john_strinlai 2 days ago | parent [-]

it is absolutely viable!

i am just not recommending it as a first choice to my kids. i remember how it was presented to me: "go to post-secondary or be stuck burger-flipping forever."

this is also just one random teacher's opinion, where 99.9% of the context (e.g. academic history of my kids, aptitude, my experiences as a teacher, my location, etc.) is missing. so, mountain of salt and all that. my recommendation is specifically a recommendation for my kids.

bsder 2 days ago | parent | prev | next [-]

> i am recommending to my kids that they avoid post-secondary

Certainly I'd avoid an expensive standard university to start unless they have an obvious path. I'd recommend the local community college for 2 years to get an Associate's Degree of some form though with an eye on heading to a university for the last bits.

the_real_cher a day ago | parent | prev | next [-]

I don't understand these degree programs. Those were single courses or side specializations in my computer science curriculum. And then you could build on one of the other after your degree.

Cybersecurity is a subset of computer science.

alephnerd 2 days ago | parent | prev [-]

> some of my classes are part of the cybersec curriculum

> as far as i have been able to track (linkedin, email, etc.) roughly 3/4 of the previous graduating cybersec class has been unable to get a job in cybersec. probably 1/2 of those are struggling to find even basic sysadmin or password-resetter positions.

What is the curriculum that is being taught in your program?

If it's "how to be a Splunk or Crowdstrike" admin or "how to be an L1 SOC" I don't think that is a hireable skill at this point.

john_strinlai 2 days ago | parent [-]

>If it's "how to be a Splunk or Crowdstrike" admin or "how to be an L1 SOC" I don't think that is a hireable skill at this point.

it's not, and up until recently (~2 years or so), the majority of our graduates were instantly picked up.

alephnerd 2 days ago | parent [-]

What is the curriculum though - you don't need to send me the name of the institution but I've been a hiring manager in the space and a PM for some of the larger companies and I haven't been impressed by "Cybersecurity" bootcamps or degree holders unless they also had a tangible track record (e.g. HackerOne).

I feel a lot of hiring reflects that as well now - if I want a SWE to build a runtime agent I'm better off hiring a new grad from UC Berkeley who took CS162 and CS161 versus someone who took a summary course but doesn't understand how ld_preload works. Similarly, if I was doing AppSec for WebApps/OWASP I'd rather hire someone with an actual bounty track record on HackerOne instead of a bootcamp grad and potentially even a degree holder.

My best hiring pipelines have either been Vets who were in a Cyber MOS with a couple years of hands-on experience and then did a WGU type program (the WGU program was just a checkbox for HR) or successful bounty hunters with a strong track record on HackerOne or Cobalt.

john_strinlai 2 days ago | parent [-]

i have no arguments with anything you have said here. but none of it really explains how we went from most kids being hired directly into the industry a few years ago to only a few of them now. our curriculum has not changed enough in the last few years for the curriculum to be the culprit.

we understand the importance of meeting the employers where they are at, so once a year we meet with ~15 industry partners (people in your position) and ask them directly questions like: "of your recent hires, what are they missing?", "what specific skills do you think need more focus?", etc. that informs any changes we make for the following year. we have dropped entire courses and spun up new ones solely from industry input.

we also understand the importance of hands-on experience. it is probably the most common feedback we get from people in your position. we have a giant lab so kids get experience wiring up and configuring real physical appliances instead of doing it all in packet tracer or whatever. we have a bug bounty club, we attend and host hackathons, etc. courses are split roughly 50/50 between theory classes and practical classes. practical courses are mostly focused on "fix this shitty/vulnerable implementation of X" or "here is an existing environment, propose and then implement something that addresses X problem in the least-disruptive way" rather than "here is a fresh start, implement X in this perfect environment".

i don't want to give too much detail (e.g. course names and progression), as i would probably end up doxxing myself. but as someone who started off in the industry and then moved to a teaching position later in life, i am 100% with you. people who have real experience (e.g. a vet with cyber experience) are almost always going to be a better hire than a fresh graduate (i think this is true in any industry, and has always been true -- so it doesn't explain the change). but my job is to try and close that gap, and i think we have made good progress along that path. we are absolutely not a 6 month money-grab program.