| ▲ | Rotdhizon 3 hours ago |
| This is the easiest niche to pick on but I am mid career for cybersecurity. I spend a decent amount of time trying to advise people away from this career field for college. So so so so so many people are going to college for cyber not realizing when they graduate, they are in totality unemployable. Really I'm not sure how new people to tech could even enter the industry, it seems like at the lower levels the entire industry is essentially closed. However it happened, the absolute maniacal obsession with job experience has ruined the market. Yes the more involved jobs in information security do require widespread knowledge that can't necessarily be taught on site. A lot of the entry jobs in tech though are not complicated and can easily be taught on site but even then, companies have defaulted to requiring years of prior experience even for those positions. |
|
| ▲ | ilamont 2 hours ago | parent | next [-] |
| > I spend a decent amount of time trying to advise people away from this career field for college. So so so so so many people are going to college for cyber not realizing when they graduate, they are in totality unemployable. My spouse knows a recent grad who took this path through an undergraduate program at the University of Maine (https://www.uma.edu/academics/programs/cybersecurity/cyberse...). As you said, he was unhirable in this field and now works in a completely unrelated job in a hospital. Universities, local governments, local legislatures, the federal government, and whatever industry lobbying orgs that pushed for this are at fault. The apocalyptic narrative warning of a dire skills shortage is still being pushed out by industry: Cybersecurity workforce shortage reaches 4 million despite significant recruitment drive (2023)
https://www.csoonline.com/article/657598/cybersecurity-workf... It's led to an expensive, unforgivable mess for a lot of young people and their families. |
| |
| ▲ | lispisok 2 hours ago | parent | next [-] | | Anytime you see a lot of media claiming there is a shortage of some career it's a negative signal. The field will shortly be flooded | | |
| ▲ | le-mark 35 minutes ago | parent [-] | | Same for the retiring cobol programmer myth. All those jobs were offshored years ago. |
| |
| ▲ | toomuchtodo 2 hours ago | parent | prev [-] | | > Universities, local governments, local legislatures, the federal government, and whatever industry lobbying orgs that pushed for this are at fault. It’s an industrial complex that uses students as fuel and when the winds shift, they get left holding the bag. Schools want revenue from student loans, employers want the best talent at the lowest cost without expending any resources to train and develop talent. Colleges are also desperate for students due to structural demographics and an ever shrinking pool of potential student customers, so they’ll sell whatever dream students want to buy. Cybersecurity? Sure. AI? Sure. Whatever gets you into the pipeline. Give us your money and we’ll give you a piece of paper of little to no value. Edit: If you need a sure thing, go into healthcare. The world is going to keep getting older, and the demand for care will not end in our lifetime. (day job is cybersecurity and risk) |
|
|
| ▲ | SOLAR_FIELDS 2 hours ago | parent | prev | next [-] |
| I personally as a general rule don’t hire people who work in cybersecurity if they were not traditional developers first. The chances of you understanding “cybersecurity” without also understanding how general software works is extremely low. |
| |
| ▲ | jghn an hour ago | parent | next [-] | | This is true for most sub-fields. The average person in them is either a failed dev or more of a pencil pushing box checker. The quality employees are devs with extra specialized expertise. Security, qa, devops, data engineering, the list goes on and on. Infosec also adds the angle that you want someone with actual grey or black hat hands on experience | | | |
| ▲ | crims0n an hour ago | parent | prev | next [-] | | This is broadly true for all concentrations in cyber. There is no entry level. Your first job should be learning how what you want to focus on works… be it networking, sysadmin, devops, vendor risk management, etc. Unfortunately, cybersecurity was a hot topic in the education market and people got sold on the idea that they could get a six figure job with nothing but some theory and an entry level certification. | | |
| ▲ | jagged-chisel 37 minutes ago | parent [-] | | > Your first job should be learning how what you want to focus on works. Then what was the purpose of sitting for a degree? |
| |
| ▲ | giancarlostoro an hour ago | parent | prev | next [-] | | Kind of funny, my cousin studied software development, then she pivoted to cyber security last minute because she was uncomfortable about finding work, she's been through a few different companies so far, so I guess it worked out for her. | |
| ▲ | yogorenapan an hour ago | parent | prev [-] | | 100%. I started out in cybersecurity and was complete shit. I gave up and went into software engineering and devops instead. Now returning to cybersecurity again and things finally make sense |
|
|
| ▲ | WarOnPrivacy 2 hours ago | parent | prev | next [-] |
| > A lot of the entry jobs in tech though are not complicated and can easily be taught on site but even then, companies have defaulted to requiring years of prior experience even for those positions. I graduated with an AS in programming in the mid-late 1990s. I continually sent resumes for 18mos and got back 2 replies. I had 2 major strikes against me. I was a new coder. I worked in a region that was reluctant to consider new hires (even for no-skill jobs) w/o an introduction. My scholarship came with job placement but the entire program was axed by the Contract With America prior to me graduating. Apparently the animosity toward helping folks off the bottom rung outweighed any platitudes about jobs. I eventually eked out a living doing local IT work but I never did reach a living wage. |
| |
| ▲ | jibal 2 hours ago | parent [-] | | The Contract On America as many of us called it. And Newt's legacy has metastasized into even more virulent forms. |
|
|
| ▲ | rfgplk 2 hours ago | parent | prev | next [-] |
| > However it happened, the absolute maniacal obsession with job experience has ruined the market. The problem isn't necessarily with job _experience_. It's the acronym. Most employers seem to believe that YOE stands for years of _employment_, which has effectively cut off anyone who wasn't previously employed at a relevant position. You can gain experience in almost anything by working hard at home (and 90% of that would absolutely carry over to a FT position), but you can't do the same for employment (unless you accept fabricating your job history). Cybersecurity is actually a field where hacking away at home, messing around with codebases, doing CTFs can actually give you TONS of experience, but barring you coming up with major zerodays, no one cares. |
|
| ▲ | zwily 2 hours ago | parent | prev | next [-] |
| Have a friend just graduated in cybersecurity. He’s going into the military with it. |
|
| ▲ | chucky_z 2 hours ago | parent | prev | next [-] |
| The absolute wild opposite (for cybersecurity) to this is that higher level individuals are in such insane demand that if you are underpaid even during the current wage suppression, going to over market should be almost completely trivial. |
| |
| ▲ | SOLAR_FIELDS 2 hours ago | parent [-] | | Of course, people actually good at security are rare and in high demand. This is totally aligned with OP’s statement. IMO you shouldn’t even be thinking of going into cybersecurity straight out of college. There’s just too much you have to learn about how software works for it to be a reasonable first job out of university. There will always be exceptional people, of course, but as a general rule I’m not hiring new grad cyber folks. Seems dumb | | |
| ▲ | bombcar a few seconds ago | parent [-] | | Cybersecurity seems to be either working to fill out forms to satisfy some requirement of some company/government office, or being akin to an ex-hacker actually trying to improve security. Colleges seem to be producing tons of the first, hardly any of the second. |
|
|
|
| ▲ | singpolyma3 2 hours ago | parent | prev | next [-] |
| Are the companies hiring fewer people than they need? If not then perhaps the fault is not with their standards but with an oversupply of applicants. |
|
| ▲ | bluefirebrand 2 hours ago | parent | prev | next [-] |
| > Yes the more involved jobs in information security do require widespread knowledge that can't necessarily be taught on site It certainly can, companies just don't want to pay for that training. That's really where the "maniacal obsession" with job experience comes from. Companies just want to save money on training. |
|
| ▲ | spunker540 2 hours ago | parent | prev | next [-] |
| I’m just a swe, but I kinda thought cyber is a good place to be, since the proliferation of insecure vibecoded apps. |
| |
| ▲ | 827a 2 hours ago | parent | next [-] | | Companies have never cared about security, because there are almost no consequences to data breaches. A hospital network could get ransomwared for 48 hours, and no one cares. Critical data gets leaked? So what, pay a fine. You either pay a fine to the hackers, or you pay a fine to the government, or you pay a fine to customers, but no matter what it's substantially less than a fully staffed security team, not just because security professionals are expensive, but because security professionals slow everything else down, they'll spend all day telling everyone what they can't do, which == lost revenue growth. The only thing keeping security companies in the business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But, sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, then think about it once a year when audit time comes around. | |
| ▲ | bpt3 an hour ago | parent | prev | next [-] | | What is a cybersecurity professional going to do about a bunch of vulnerabilities in an app that someone else decided to deploy on a network they are responsible for? 99% of cybersecurity in the commercial sector is a box checking compliance exercise. | |
| ▲ | rfgplk 2 hours ago | parent | prev | next [-] | | Most companies sadly don't care about security whatsoever. | | |
| ▲ | delfinom 2 hours ago | parent [-] | | Yep, I think my megacorp's cybersecurity department is just a bunch of checklist punchers that now just copy and paste any of our technical writeups into ChatGPT, and I am not even joking. Fucking infuriating. They are doing the bare minimum for cybersecurity insurance requirements, that's it. | | |
| ▲ | rfgplk 2 hours ago | parent | next [-] | | I know _for a fact_ that most companies don't care. There might be a select few out there that genuinely do, but most don't. I've literally reported numerous GLARING vulnerabilities to companies in various different industries, only for the vulnerabilities to remain unpatched for MONTHS. A few of the most comical examples: one major game studio was compiling their Linux binaries with FULL DEBUG SYMBOLS AND INFO plus they were shipping a 600M .sym file with practically full paths and all source info. Literally all the paths and function signatures to every single one of their functions were in there. I had to submit FOUR bug reports before they patched it (didn't even receive a bug bounty). The second one was with a major multinational telecom that was distributing routers that _had an open telnet port to the wide internet_ ... with a default password. And there were countless more. The telecom one I had to BEG them to ship me a new router, or to at least do an over the air update, because "they didn't understand what the problem was". | | |
| ▲ | nradov 34 minutes ago | parent [-] | | Shipping debug symbols isn't a security vulnerability. It might be sloppy, but we all know that security through obscurity doesn't work. Especially not with modern analysis tools and access to the executable code. |
| |
| ▲ | zdragnar 2 hours ago | parent | prev [-] | | That's what it means to be a cost center. Anything over the minimum translates to wasted effort and inefficiency. |
|
| |
| ▲ | wizzwizz4 2 hours ago | parent | prev [-] | | There would not be such a proliferation if cybersecurity were a well-respected field. |
|
|
| ▲ | the_real_cher an hour ago | parent | prev [-] |
| What about OSCP certification?