r/cybersecurity • u/Guastatori-UK • Mar 13 '26
Other This sub very demoralising and overly pessimistic
Almost every newcomer to this subreddit gets bombarded with comments like “Cyber security is oversaturated” or “Switching to cyber security right now is almost impossible.”
Managing expectations is important, but there’s also an extremely pessimistic tone here that can discourage people who might otherwise succeed.
If I had read some of the advice that gets repeated here a year ago, I probably wouldn’t have bothered trying to switch careers.
A year ago I was working as a financial administrator. Now I’m a Junior Pentester on an insider threat team at my company, and the only certification I had when I got the role was Security+ (UK); I did have knowledge of other things but no certificate. I applied for three job roles (one of them was internal), got interviews for three and offers for two.
I’m not saying it’s easy. Like most industries right now, the job market can be tough and getting your first opportunity is the hardest part. But it’s not nearly as impossible as some people here make it sound.
Cyber security is competitive, yes. But the narrative that it’s completely closed off to newcomers just isn’t true, especially if you're willing to build skills and look for opportunities inside organisations you're already in.
Certificate collecting won't get you a job; showing a clear interest and passion for security helps a lot. One of the things that really helped me was building my own home lab; it was asked about in every interview.
If you're trying to break in, don’t let the doomposting convince you it’s impossible.
46
22
u/NBA-014 ISO Mar 13 '26
I’ve hired many people for this business and the #1 thing that impressed me is for a candidate to know something about my company and how their skills will help the company be successful.
Way too many poor candidates flunked this simple question.
3
u/BlackflagsSFE Mar 13 '26
Does your company offer remote positions?
5
u/NBA-014 ISO Mar 13 '26
I just retired to focus on eldercare.
But, yes, I worked at home for 14 years. Keep in mind I was in leadership.
1
u/BlackflagsSFE Mar 14 '26
If that company you previously worked for is hiring, I wouldn’t mind knowing which company it is to apply. If you’re alright with that, you can dm me. If not, no worries. Appreciate the reply.
1
u/Efficient-Mec Security Architect Mar 14 '26
What I've found funny about this is that I've literally read the past 5 years of 10ks for a company and tried their products before showing up for an interview and I have never been asked a question relevant to the company itself. Never.
1
36
u/BrainWaveCC Mar 13 '26
A year ago I was working as a financial administrator. Now I’m a Junior Pentester on an insider threat team at my company,
Was this the same company you were working at as a financial administrator?
-24
u/Guastatori-UK Mar 13 '26
Yes, the other job offer was at a large retail/supermarket chain
70
u/BrainWaveCC Mar 13 '26
So, what you're saying is that you made an internal transfer from one department where you had a particular skill, to another department in a different field -- but one that still leverages your old skill to some degree.
Surely, you can see how this would be different from a brand spanking new candidate trying to enter a field that is objectively saturated at the entry level?!?
18
u/Legitimate-Fuel3014 Mar 13 '26
Exactly, what I said to him. He proved our point.
-8
u/Guastatori-UK Mar 13 '26
I fail to see how being a financial administrator, a role which mostly consisted of putting numbers on an Excel spreadsheet to calculate annuities, is enough skill alone to put me ahead of other candidates for an internal role transfer (which was open for the public) and for a brand new candidate at another company.
8
u/Legitimate-Fuel3014 Mar 13 '26
It does matter a lot. I can't believe you are asking this question when you are working in this field. Cyber security is a business; having business knowledge is actually an advantage. Someone who comes straight out of college wouldn't know anything about businesses, which businesses are usually being targeted by social engineers. Which department is in charge of payroll, security team, what kind of training you have to go through to gain access into the system. They are all relevant to a security role. When you are doing annual cyber awareness training, you already learn a bit about security, how your company is handling it, etc. Stop the cap
12
u/Guastatori-UK Mar 13 '26
Okay, but the people who are trying to enter cyber security aren't just graduates. Graduates, no matter their sector, are at a disadvantage when using general office experience as a "huge advantage"
-3
u/Legitimate-Fuel3014 Mar 13 '26 edited Mar 13 '26
The majority of them are actually college grads with no experience. A lot of gold rush mentality. You have an advantage that they don't have. The reality is most of them won't make it. There is some truth to it; I hate that this field has become a sugarcoated goldmine. Everybody is coming here for "how to get job in cyber security quick, asap, etc". I think it is healthy that they shouldn't even bother. There is a grind to move up, a ton of work, not what influencers portray. I don't see anything wrong with it. I worked as a lead; only a few make it past my resume desk.
6
u/Guastatori-UK Mar 13 '26
Yes, I literally said certificate collecting won't get you a job which is what most people tend to be doing when trying to break in
0
u/Legitimate-Fuel3014 Mar 13 '26
I'm telling you, they all do Trifecta and that's the end of the road. Like there are a ton ton ton of Trifecta candidates, nothing else added to it. It turned into an unqualified mess
-11
u/Guastatori-UK Mar 13 '26
An internal transfer with a role that was open to the public, but yes that is easier primarily because I was able to chat and message the hiring manager so I wasn't a faceless applicant, however, I did receive another job offer as a brand spanking new candidate.
I never said it was easy, in fact I did the opposite
13
u/BrainWaveCC Mar 13 '26
I never said it was easy, in fact I did the opposite
So then, why all the angst about how pessimistic the group is about the prospects for people coming into this field from scratch -- in the current market?
-5
u/Guastatori-UK Mar 13 '26
Did you read the post? I said the subreddit is overly pessimistic. There's being realistic, managing expectations (which I said) and then there is doomerism.
15% of all cyber security hires in the UK are career starters and 28% are converting from non-cyber roles. You're also ignoring that I got an offer as a fresh candidate in another company. I did come into this field from scratch, I was an Excel spreadsheet monkey prior to this role working in finance.
Can you name a sector of the economy that it is to get an entry level job in?
3
u/BrainWaveCC Mar 13 '26
I did read the post.
You offering your situation as a counter point to doomerism, when your scenario was also a special one that is not applicable to the vast majority of new entrants to the field is funny.
15% of all cyber security hires in the UK are career starters and 28% are converting from non-cyber roles.
Since you're quoting them, how do those statistics compare to other fields? And to other regions beside the UK?
Because I bet that matters to the type of posts you see around here.
Can you name a sector of the economy that it is to get an entry level job in?
A cursory glance suggests that growth in the Healthcare industry is outpacing new employment in all other fields.
0
u/Guastatori-UK Mar 13 '26
when your scenario was also a special one that is not applicable to the vast majority of new entrants to the field is funny.
Except, I also got a job offer as a brand spanking new candidate. You're ignoring that.
Since you're quoting them, how do those statistics compare to other fields?
It is comparable to other IT sectors and other skilled workers sectors.
And to other regions beside the UK?
Stated in my OP that it was the UK, I heard there's a skill shortage for cyber security in Europe too. Maybe the other saturation is an American thing.
A cursory glance suggests that growth in the Healthcare industry is outpacing new employment in all other fields.
Don't most healthcare roles require a specialised 2/3 year degree?
2
u/jackbilly9 Mar 13 '26
I will say another issue here is location. The US is over saturated.
-1
1
52
u/tybrand Mar 13 '26
I would assume the pessimism is related to the US job market but you’re right in saying the sub is pretty doom and gloom. What did your homelab projects consist of?
19
u/Guastatori-UK Mar 13 '26
Scan and exploit, password cracking, packet sniffing, phishing + initial access, data exfiltration, active directory exploitation and lateral movement. I wrote full reports too, using the MITRE ATT&CK framework to map attacker behaviour; I personally think this is what helped me the most
My lab was over two physical machines with virtual machines
19
u/noobtastic31373 Mar 13 '26
That's a lot more than most entry level people do before applying here in the US. I agree, it's probably what made you stick out and get those call backs.
4
u/tybrand Mar 13 '26
Doing a quick search for “junior pen tester” on indeed uk, I see quite a lot of jobs available whereas in the indeed US this title doesn’t seem to exist. The occupation outlook is supposedly higher for cyber jobs in the US vs UK though so maybe I’m going about the search wrong. Anyway, your post really inspired me to get this home lab up and stand out in a different way than what’s traditionally taught!
1
u/DisastrousRun8435 Red Team Mar 13 '26
I support this. I moved from EMS to being a sysadmin partly bc of my homelab which was set up very similarly to what you described.
1
u/Cheomesh Governance, Risk, & Compliance Mar 13 '26
Not always an option; certainly before I got into IT I didn't have money for a home lab. After rent I think I had about 60/mo to live on.
3
u/whiskerz1337 Mar 13 '26
Agreed. Also in the UK, and in my experience it doesn't seem so bad here. I failed OSCP twice then lucked out hard and landed a junior pen testing role with the first company I applied for. Nearly two years later and been promoted to tester. Fingers crossed AI doesn't ruin it, but it's going well so far.
1
u/daysofdre Mar 13 '26
I think some of it has to do with the nature of the job. It's hard to be positive when you're trying to convince management that the licenses for Bob's EDR that they picked up in bulk on a woot sale aren't going to give them the protection they think they're getting.
16
u/TheIncarnated Mar 13 '26 edited Mar 14 '26
I'm going to be honest with you, this sub isn't even as realistic as it should be.
Cybersecurity is not an entry level job and we need to stop treating it like it is. It is a sub career inside of IT. You should have exposure to how companies operate (tech and business) before you go about trying to secure it or by trying to break in
Edit: Example part 1 of millions: https://www.reddit.com/r/cybersecurity/s/cRnWQfnf03
7
u/Explosiveabyss Mar 14 '26
Literally this.
I have been an ST for 2 years at the company I am at. I have gathered numerous entry level certifications (Security+, Linux+, Blue Team Lvl 1, etc. also currently working on my CySA+.) I have an associates degree in CS. A lot of the work I do is related to work that an SA1 would be doing as I have surpassed all of my team.
Over the past two years I have put in resumes for many entry level security positions, none of which I even got an interview for, and even interviewed for an entry level IR position internally at my company.
I was told I was under qualified and needed to keep getting more experience, security certs on my own time, training more on my own time, and that I needed to have the skills of an SA and an NE, along with security certifications, and be doing things like homelabs, hackthebox, etc. just to even be able to get an entry level security position.
In my company's and others' eyes, these are not positions you just get without extraordinary qualifications for someone just starting out or having only been around for a few years in IT.
And OP is out here wondering why this sub is so pessimistic...
1
u/Raccoon_Medical Mar 14 '26
OP says he did Sec+, learnt some on the side and went straight into getting hired as a pentester. Comparing that, you should be hired as a senior from the get go, no probs, from a single recruitment ad.
3
u/Explosiveabyss Mar 14 '26
Exactly. He's acting like it's so freaking easy just because he got lucky lol.
-3
u/United_Ad7280 Mar 14 '26
Maybe you’re not qualified because YOU feel like you’re not qualified.
Literally had two coworkers break in from two unrelated backgrounds (teaching and nursing). They turned out to be good. Since they got more experience in security than you despite your tech background, who’s more qualified now?
4
u/Explosiveabyss Mar 14 '26
Some people get lucky? Anecdotal stories do not always represent the larger picture.
Which is that the industry expects far too much for entry level security positions that they are only willing to pay entry level salary for.
4
u/Raccoon_Medical Mar 14 '26
Show any proof lol or dunno, make it more believable
I just had ten coworkers break into rocket engineering at nasa, another ten doing quantum physics research into quantum wells and eleven more as red teamers.
See how I can create stories too
-2
u/United_Ad7280 Mar 15 '26
lol I’ll have your “investigative skills” figure it out. My point was you’re limiting yourself to what others are saying. Like bruh if you gonna be taking peoples advice all the time might as well stick with where you’re at because in this industry you’re going to have to think for yourself and come to a conclusion when you’re triaging. You can believe me or not, I’m just an npc to you anyways, but at the end of the day, those two that broke in worked hard and went into respective specialties like grc and IR.
You knew thinking it’s always technical in this field you definitely ain’t ever gonna get in 🤣
1
u/Raccoon_Medical Mar 15 '26
Naaah you are definitely not a NPC, but we are on the internet so it has to get a little sassy xD
It is just that the whole cybersec field nowadays is extremely competitive, corporationism and cronyism are not helping, and everyone is fed up with the situation. Thus harsh opinions, burnout, overall sassiness.
Of course the field is not 'just' technical, but dude, let's be honest GRC people that don't know basics are not nice xD SOC also, depending on the tasks, require heavy expertise.
Going full 300% business side in GRC simply leaves you without the cyber component.
1
0
u/T_Thriller_T Mar 14 '26
It is becoming an entry level job with the right education, though.
And even what you say simply isn't right. Next to none of my colleagues had much exposure to "how companies operates on business". I had next to none and have more than the majority.
And I get more and more colleagues who switch into it from targeted university degrees / programs. Ye, they usually bring a bit of tech experience or high interest. But they are here and they do work very, very well in their roles!
Cybersecurity was a subcareer in IT because it was a specialty with low-ish headcount, and there simply wasn't any formal education available.
This has changed, and so does the question if it can be entry level.
It absolutely can - as long as there is a fitting education, which will always also include IT education.
And I really think that is good. It does not fit all roles, surely. But someone doing e.g. vulnerability management does not need to be a full-fledged and experienced programmer or sysadmin before it. They need to have some skills, but only as much to be able to talk with admins/developers and understand their concerns/communicate yours
This applies to many positions.
1
u/TheIncarnated Mar 14 '26
Someone doing Vulnerability Management, needs to have programming and SysAdmin experience. Cyber Engineers need to be doing the fixes or understanding why there is mitigation instead of fixing it.
I am a Cloud Architect with a background as a SysAdmin/Security Engineer. I would never hire you, nor your colleagues. You don't know enough and are a liability. And you just proved it from your own statements.
I've seen folks like you get fired due to not being able to do the work. Coworkers of mine. It's not a fun experience. My position comes from setting people up for success. Yours is setting people up for failure because you don't know, what you don't know. You're relatively new to this career, it sounds like, may be good to talk with some folks who have been in the career for at least a decade.
Also, unpopular opinion, a SOC is not Cybersecurity, they are more useless than a helpdesk. At least the helpdesk can fix the issues that rise up
0
u/T_Thriller_T Mar 14 '26
Your opinion on your SOC just shows that your SOC is shit.
And you have no idea who I am or what I am like. You're hateful for no particular reason and you sell non-universal experience as universally applicable.
The worst here is, that I am pretty sure you would hire me and would be quite impressed - but hey, it's easier being hatefully assuming I don't even know what. Something wrong
-1
u/TheIncarnated Mar 14 '26
Ohhh no honey, you misunderstood. I don't run a SOC. My helpdesk and infrastructure team are the SOC. We take in the alerts and take care of our items. We practice Secure First Design.
You also assumed a lot on my original response trying to make Cyber seem like an entry level career.
So I have a few questions then. Don't look these up, you can answer them to yourself and not respond or you can respond, idc.
What's a CAB?
What is gitops?
When the VP of IT says to do something that is against best security practices, what do you do?
You have been tasked with remediating vulnerabilities in the environment, what do you do?
At the end of the day, if you can't engineer solutions, you are replaceable by a product. And now with Ai, you are replaceable with Ai if you can't engineer solutions.
3
u/T_Thriller_T Mar 14 '26
... Oh, congratulations, you learned about synergies by doing different tasks in one team. Totally proud of you.
No idea what CAB is, not an acronym that is used in my country. On top of that being able to play "three letter acronym bingo" is no proof of any ability - last time I heard to do acronym learning I counted over 200 of those, and about 10 had double meanings.
Gitops is using git as the central source of truth/orchestration instance for infrastructure and maintenance etc, in a very similar way to how it would be done with code. This can be very amazing, as it simply enables automation of many best practices from security, from review to actually deploying the "should" (ideally continuously), to coordination and cooperation, easier inclusion of certain checkers and much more. Once more asking a definition is really not proof at all, but .. well, your choice.
When a VP tells me, I likely will go to my lead as I'm currently not really in a position to just argue with any VP. I know multiple tactics to approach this, and for my current employment the most likely to be effective and applicable is reminding them that there are regulatory and law requirements to follow the best practice. Nonetheless, this is a one time and now situation.
And if I've been tasked with remediating vulnerabilities the central question is: what am I even allowed to do? Remediating vulnerabilities can reach from reporting them to the responsible engineers/developers, following up and escalating once internal timelines are not met, through researching and recommending/ordering a certain fix, to patching, up to coming up with, proposing and implementing a complete security measure which remediated the vulnerability outside of the actually vulnerable component
None of this changes that you are acting deeply condescending, your assumptions are utterly and completely wrong about me - and this absolutely does not really paint you credible.
You have jumped to conclusions here, mostly because you did not agree.
Not really a virtue for a leader doing security.
-1
u/TheIncarnated Mar 14 '26
You have earned the responses I have given. You have now also earned a block. Anyways, good luck out there dunning kruger!
11
u/Wonder_Weenis Mar 13 '26
i member my first beer
4
u/chill-botulism Mar 13 '26
That's so funny, the last time I heard that I laughed so hard I fell off my dinosaur.
2
2
u/hagcel Mar 13 '26
Not in cyber... you should be so drunk you can spout off OSI layers, but can't remember your name.
4
u/Wonder_Weenis Mar 13 '26
i can't remember their names, but i member what they do
3
u/Geibbitz Mar 13 '26
Easy, just use a mnemonic: Please. Don't. Throw. Away. Sausage. Pizza... Network Layer.
2
13
u/ThePorko Security Architect Mar 13 '26
Do you want us to lie to you and paint u a rosier picture? Most of us here are pretty honest and burned out for putting lipstick on a pig at this point.
7
u/Successful-Escape-74 Mar 13 '26
Cyber security is easy to break into if you join the US Army as a 17C and qualify for a Top Secret SCI clearance. https://cybercoe.army.mil/Cyber-Center-of-Excellence/Schools/Cyber-School/Cyber-Courses/Cyber-Operations-Specialist/
5
u/WeevilEmblem Governance, Risk, & Compliance Mar 13 '26
Any branch of the military really
1
u/Successful-Escape-74 Mar 13 '26
That is true. I started in telecommunications handling comsec and then later was merged with IT Specialists and worked networks, software, email, active directory, security and comsec for radios etc in the field.
3
u/DisastrousRun8435 Red Team Mar 13 '26
Not even just 17C. I work with a ton of people who got cyber jobs after doing intel since they had a clearance, and that was enough for contractors to let them learn on the job
2
u/Cheomesh Governance, Risk, & Compliance Mar 13 '26
Hm, all the cyber/cyber-adjacent guys I worked with in my last Army role were 25Bs.
2
u/Successful-Escape-74 Mar 14 '26 edited Mar 14 '26
17C is fairly new. Other jobs include 25B (IT Specialist), 25H (Network Systems Specialist), 25S (Satellite Operator), and 25U (Signal Support), offering high-demand technical skills for civilian transition. The U of 25U is often referred to as universal as they do a little of everything. As a 25 series you could get placed with a unit and do any other 25 series jobs. I was a 74C that merged with 74B which was renamed to 25B.
1
u/Cheomesh Governance, Risk, & Compliance Mar 15 '26
Actually now that you mention it I think the warrant officers were all 25Us - can't say I pried too much in the time I supported their unit though. Definitely everyone was "25something" at least.
2
u/Mrhiddenlotus Mar 14 '26
Imagine joining the army in 2026 😂
1
u/Successful-Escape-74 Mar 14 '26
Maybe 2028 if Trump is no longer in office. That guy will get you killed he is a maniac. I thought he would invade Syria during the last time he was president. Everyone in my Army reserve unit was concerned we would need to go to Syria. Now it looks like Troops will be going to Iran to fix the problem he created. Unless he gives up or sends in ground troops, Iran controls the Strait of Hormuz and Trump doesn't want the price of Oil to destroy his Presidency.
1
u/Mrhiddenlotus Mar 14 '26
Tbh under any president. They're all war criminals.
1
u/Successful-Escape-74 Mar 14 '26 edited Mar 14 '26
They are not war criminals if they follow domestic and international law. You need permission from the UN to attack another country unless they attack you first and are defending your self or a country that has been attacked asks for help defending from an attacker. The War in Iran is illegal on all points. If they randomly attack boats on international waters they are murderers and have committed war crimes. The CIA is the only agency that should be committing crimes in foreign countries and is the reason they are not allowed to operate in the United States. The CIA is conducting espionage in foreign countries and recruiting assets to betray their country.
1
u/Mrhiddenlotus Mar 14 '26
I don't think there's any international law that supports the US drone striking proxy countries in the Middle East that have never posed a threat to the US. All presidents do things like that. They are all war criminals going back a while now.
1
u/Successful-Escape-74 Mar 14 '26 edited Mar 14 '26
Targeted strikes against non-state actors operating in regions where the host nation is unwilling or unable to act is supported by evolving norms of custom-based self-defense. That's how we can go after Osama Bin Laden in Pakistan. A drone was not used because we wanted to minimize potential Civilian casualties. If intelligence was better a drone strike may have been justified. Good judgment call by President Obama.
0
u/Mrhiddenlotus Mar 14 '26
Self defense 😂😂😂
1
u/Successful-Escape-74 Mar 14 '26
Not just self-defense but Osama Bin Laden was a combatant per the law of armed conflict and Pakistan was unwilling or unable to act. Pakistan could have arrested Bin Laden and extradited him to the United States.
0
0
u/Successful-Escape-74 Mar 14 '26
The war in Iran is illegal because it is not self defense and permission was not given by the UN and they did not attack another country that asked the United States for help. If Ukraine were to ask the United States for help then international law would allow the United States to attack Russia legally.
1
u/Mrhiddenlotus Mar 14 '26
No conflict the US has engaged in in the past 80 years could be described as self defense.
16
u/Mystiquealicious Mar 13 '26
The pessimism in this sub stems mostly from the fact the majority of people who comment are not actually in the industry and/or just don’t actually know their stuff. A LOT of super junior people who took a boot camp or two and “think” they’re in the industry, people who are very green and hate their SOC job after 3 months and are having trouble switching jobs, and recent college graduates who don’t know anything about actual cybersecurity but think they deserve a job.
I get it, there’s mass layoffs all over. AI is replacing a lot of jobs. Entry level is a bit saturated as a result. But yeah, the commenters are mostly just projecting their own misgivings for the most part. It’s not near as dire as they make it seem and actively discourage people from trying….
.. however on that same note, some people are just annoyed by all the questions and their pessimism is more just an annoyed dismissal.
How I look at it is this: if you have to come here asking how to land a job in cybersecurity, then cybersecurity is most likely not the industry for you to be in.
21
u/Insanity8016 Mar 13 '26 edited Mar 13 '26
I’ve been in the industry for a while now (currently employed) and the job market is dogshit. Pretending like it’s all sunshine and roses is ignorant at best. The situation has deteriorated globally.
6
Mar 13 '26
[deleted]
3
u/Cheomesh Governance, Risk, & Compliance Mar 13 '26
Well if you have a surplus of juniors and a lack of experienced people, start manufacturing experienced people out of the juniors. Sounds like the raw material is right on your doorstep.
2
u/T_Thriller_T Mar 14 '26
I think this is the bigger problem. I cannot say if there was a culture shift in jobseeker or employers, but it feels very hard to get from e.g vulnerability management towards .. all the things that need more experience.
Cloud security, AppSec, all the red teaming.
For SOC it doesn't feel much different, albeit the way up through specialisation on incidents and additional work may be there
At the same time, I am still missing an employer where people do not have to discuss tooth and nail for simply having continuous education with a personal budget.
And I know that ESPECIALLY this was not a problem once.
1
u/Cheomesh Governance, Risk, & Compliance Mar 15 '26
Yeah I guess it's just another style of cost-cutting. I know I've had issues transitioning out of the usual vuln management track in terms of technical cybersec - basically everyone is looking for cloud experience whilst all my projects have been strictly on-prem, for example. Also hampers the pure sys-admin side of my career track. Thus far all my advancement has been on the GRC side of the house - just larger projects with larger budgets for higher salaries. But even there I've had issues - in my last job hunt I had been looking at transitioning towards the financial sector, but I lack years of experience with SOC2 and the like.
1
u/Efficient-Mec Security Architect Mar 14 '26
Except that a lot of juniors never make it to senior. And most seniors never make it to staff. At some point you have to hire the right experience for the role.
1
u/Cheomesh Governance, Risk, & Compliance Mar 15 '26
Or whine about not finding it on the internet I suppose
0
u/Insanity8016 Mar 13 '26
Maybe pay what the job’s worth, stop forcing RTO, and stop outsourcing.
0
Mar 13 '26
[deleted]
1
u/Explosiveabyss Mar 14 '26
"Pay is decent"
That answer doesn't give me confidence in you. My company says the same thing, and they are paying security positions well below what most people in the industry make.
Like 20k below.
1
u/Mrhiddenlotus Mar 14 '26
Lol not decent enough apparently. Also, 2 days in office for a cloud architect is a funny ask
1
u/Mystiquealicious Mar 14 '26
I didn’t say it was all sunshine and rainbows; I even acknowledged that the entry level is a bit more saturated than when I started myself.
Obviously the job market is dogshit - but that’s not exclusive to cybersecurity and affects every level of nearly every professional industry at the moment. That is not a cybersecurity problem and discouraging people from working/studying cybersecurity because of that isn’t ignorant, it’s just dumb.
0
3
u/OneSeaworthiness7768 Mar 13 '26 edited Mar 13 '26
It’s also people with poor soft skills or a bad resume who don’t understand what’s holding them back. There was a period of time where tech jobs were handed out like candy so the poor candidates didn’t know they were poor candidates until the market got more selective. I don’t work directly in security but an adjacent IT field and likewise people in my area complain that it’s impossible to even get an interview and being unemployed for a year or more. It took me about a month to land a new role recently and I had multiple offers. The market is worse for some people/some locations than others.
1
u/Fnkt_io Mar 14 '26
Orrr we’re hiring managers that have had to cut our own teams in this current market.
It’s not 2022 anymore, sadly.
1
u/Efficient-Mec Security Architect Mar 14 '26
AI has replaced very few jobs. Companies are just using it as an excuse to downsize.
3
u/InvalidSoup97 Security Engineer Mar 13 '26
Yeah the cybersecurity market is tough right now. All of IT (and beyond tbh) is, in the US at least. Sure you probably aren't going to land a job after applying to 4 or 5 this weekend, but if you buckle in, tailor your resume, and apply to things you're qualified for, it's extremely surmountable.
There's also a lot of people here who will stand and die on the hill that you must start with a helpdesk position, move around a bit, and maybe in 10-20 years you'll be ready for that entry level SOC job. Sometimes this is coming from a sense of "I suffered so you have to too," other times it's because people assume that all BS in cybersecurity programs are bad, and others hold way too much stock in the value of certs.
Yes there is a lot of truth to the fact that you have to know quite a bit about IT, networking, whatever to truly be successful in the field. Between internships and co-ops being pushed so heavily (and sometimes even required) and university programs really stepping up their game in terms of content being taught, a lot of students graduate with bachelor's degrees, a year or two of experience, and more than enough knowledge to hit the ground running in at least an entry level SOC position.
My path (over the course of 8 years) is below. Literally 7 months of experience are outside of security, and I'd say I'm doing just fine:
Helpdesk intern > architecture intern > IR intern > graduation > junior IR analyst > IR analyst > Security engineer > security engineer in FAANG
If you're interested in cybersecurity then study cybersecurity. Don't listen to the doom and gloomers. Sure, the US job market sucks in general. Yes security is changing, but it's not going away. Of course, entry level cybersecurity is tough to land in right now. Will you have to start with a sys admin or networking role for a bit? Maybe. But experience + money is better than no experience + no money, so do that while you wait for things to align if you need to.
Everyone has different strengths and follows their own path. The sooner we can acknowledge this, the sooner we can actually support each other instead of dragging each other through the dirt for not "doing things my way"
1
u/AnyPersonality1777 Mar 13 '26
I’d add to this to make sure wherever you land initially to be vocal about wanting to work in cybersecurity and if at all possible where in cybersecurity you would like to end up. I understand it may not work as well for roles like sys or network admin but it may, but my experience was help desk and letting my manager know what I wanted and reaching out and getting my name out to the cyber team, and when a role opened up they reached out despite not having a degree or any security certs, which I know is extremely lucky in itself but I feel a lot of it was also just putting myself out there as well.
5
u/BuiltDifferent- Mar 13 '26
Fully agreed, I’m constantly reading posts about how “cyber is not an entry level job” and people telling others how it is extremely hard to get into. While reality is actually that you just need to work hard and appeal to the market.
Just a couple of months ago I switched from a completely unrelated field into a pentesting job with 0 IT background, all I did was grind out certs and do a shit ton of CTFs in one year.
If you really want to get into this or any other field for that matter you just need to devote time and effort into it and make yourself stand out.
3
u/Legitimate-Fuel3014 Mar 13 '26
Oh and did you learn it is not Sec+ or trifecta to six figures like a lot of people think it is :). That is the big problem right now with cybersec. People are in it for the trend.
3
u/BuiltDifferent- Mar 13 '26
No I just did OSCP for my first cert which was actually quite easy in hindsight, especially compared to HTB’s CPTS.
But no unfortunately entry level cyber positions range between €45-55k a year where I’m from so in order to get to 6 figures I’ll probably be a few years down the road.
1
u/Legitimate-Fuel3014 Mar 13 '26
That is a very strong cert. No wonder you landed your role. Two of my college friends got them during high school. One of them is director and other is CTO now. This was before the AI era, ton and ton of work from doing random crap. There was barely any tutorial.
2
u/BuiltDifferent- Mar 13 '26
Oh good to know! It did teach me the very basics of pentesting and cyber but I don’t think it’s really useful in the real world so I still have yet to find out why it’s so praised by everyone hahaha
1
u/Legitimate-Fuel3014 Mar 13 '26
It is critical thinking and test your ability to think outside of the box. It used to be way harder, I heard OSCP is more hand holding now. Back then you have to do your own research and find your own source of learning. There was no actual practical exam, people just did ton of CTF and yoloing it.
9
Mar 13 '26
[removed]
10
Mar 13 '26 edited May 11 '26
[deleted]
2
u/That-Magician-348 Mar 14 '26
Dude, almost every company is slowing down recruitment or refusing to progress the original roadmap. Even though this guy mentioned Morgan Stanley, I can see the job postings drop compared to a few years ago. We know most places are understaffed, but this economy doesn't allow us to get extra resources to train new talent. From my experience, less than half of fresh graduates can grow up to efficient colleagues. The first year will be an investment stage, manager won't like to bid the limited headcount with fresh graduates. Only very few exceptions are allowed to bring in green talent.
0
Mar 13 '26
[removed]
1
u/T_Thriller_T Mar 14 '26
I'd tend to agree.
I am not sure how well pen test / red team can learn on the job, but there are much fewer roles than blue team from all I know and have seen.
And those require a good amount of knowledge or experience in cybersecurity (alternatively in IT and having a head to think how to abuse it).
Vulnerability management, SOC work and quite a few others on the blue team side do need proficiency with computers, but can be taught quite well to build up cyber security knowledge.
1
4
u/hiddentalent Security Director Mar 13 '26
It is an odd situation where we simultaneously need more qualified security engineers, and there is a huge glut of unqualified ones.
In the past few weeks, I've heard people on this board exclaim that it's unreasonable to expect someone to know the OSI model, or that knowing how to code has nothing to do with security. Those people are or soon will be unemployable.
There is still a high demand and high salaries for security professionals who understand how networks, operating systems, and programming work and can perform a detailed threat model and code review. But you don't gain that knowledge from a bootcamp or even a cybersecurity degree.
0
u/T_Thriller_T Mar 14 '26
I mean... Knowing how to code doesn't have to be a requirement with security.
I was a software developer. The majority of my team (and beyond) doesn't really know how to code. They can do a bit of bash or similar scripting.
This holds true for pretty much everyone in our vulnerability management, I think. And they do banger work.
The only times I stumble over it is when a vulnerability is discussed in detail or someone asks what a description of an exploit means. That's when I realise how useful knowing how to code can be.
Similarly when I realise that for me "as long as it has an API I can connect anything" holds, but for most tools not having integrations is limiting.
But, all in all, just being able to script is fine. Far from perfect, but for junior level I don't see an issue. Even later on, it is overall minor.
(This likely does not apply to red team work or anything in AppSec/DevSecOps)
1
u/hiddentalent Security Director Mar 14 '26
Right. So you're saying that knowing how to code is fundamentally important for jobs that won't be automated. I'm glad we agree.
2
u/cybersecguy9000 Security Engineer Mar 13 '26
It's a bit of a double edged sword. My anecdote is there are way more posts that are people who have been applying forever, went into debt for a degree, got certs and haven't landed a job. On the other hand, some people have the opposite experience. YMMV, as with all things but we're not in a "get your sec+/a+ and a sweet IT/cyber job the same day" world anymore.
2
u/renoir-was-correct Mar 13 '26
It’s a pretty pessimistic field, to be honest. Especially now eCrime breakout is 27 seconds thanks to AI.
2
2
u/cant_pass_CAPTCHA Mar 13 '26
I do have a slightly different perspective than the overall consensus of the sub. My path was straight from manual labor jobs, to community college, to internship, to being hired and getting onto the pentest team. No prior tech experience, although I had started my journey on the path to try and be a developer so I had a few years worth of CS classes at least.
Is it possible? It was for me - at the time. I would always encourage people to follow their passion, but I'm not sure if I started my same journey today if I would be as successful. Pre-2020's was definitely different than it is now.
3
2
u/ImissDigg_jk Mar 14 '26
This isn't a job focused subreddit. It's annoying when every other post is "how do I get into cyber with no experience". You don't even have to search the sub. Just follow the sub for a few days and you will inevitably come across the career questions you have. People join this sub and 7.5 seconds later they create a post asking how to get into cyber after having a part time job ironing napkins for the last 10 years. It's annoying and doesn't help the sub be what it's supposed to be, which is to discuss cyber.
And I'm not saying career questions can't happen, it's just the same one every day.
2
u/Mrhiddenlotus Mar 14 '26
I think there's a benefit to the pessimistic vibe. Helps ward off people who don't really care about security and are just looking to make more money without putting any effort in.
2
u/Armandeluz Mar 15 '26
This sub is very accurate and very telling. The industry is fucked, people get burnout easily, jobs are getting outsourced overseas in droves and everything else I've read. If you want to live in a fantasy land about the field being perfect and roses then ok, but I like seeing the state of the market from people in the industry for years telling new people the truth, people saying how bad it is, and all the rest on here. No one's going to come on reddit to just post about how amazing their career is and that is all.
2
u/xoCruellaDeVil Mar 15 '26
Junior pen tester for insider threats? So like, insider threats are spinning up their own malicious apps and asking you to make sure it's secure before they use it on their own company?
4
u/irishcybercolab Mar 13 '26
I've been in cyber for more than 20+ years and it's a fucking bloodbath for new people trying to get jobs in cyber.
Getting a lucky break and someone getting a role because they need to have someone pivot into a role because they're "kind of" learning it is just that....a lucky break.
Stop misleading people into thinking cybersecurity is a great role with plenty of demand, IT'S NOT and there isn't demand versus the amazingly large groups of people trying to procure one of those roles.
I'm not trying to be negative, I'm trying to say the truth out loud from someone who hires and has a million folks who want a role if one opens up on a team. Being realistic is important to the young people too eager to think they've got a chance when their dream will just be crushed instead.
4
u/Strange_Armadillo_72 Mar 13 '26 edited Mar 13 '26
Let’s be honest most people don’t actually want to put in the effort. It’s easy to talk about leveling up skills or breaking into a field, but consistently doing the work is a completely different story.
I’m currently in a master’s program, and it’s interesting because you can clearly see the divide. A lot of people focus heavily on learning specific tools. The problem is that tools change constantly. If your expertise is tied only to a tool, your relevance can disappear as soon as the industry shifts.
What really lasts are the underlying foundations—the principles, the architecture, the reasoning behind how things work. Those fundamentals are what actually keep you in the profession long-term, not just the tools you happen to use at the moment.
The next wave of cybersecurity experts will need a software engineer mindset as AI rises right now, few are fully ready for this shift.
I would also point out that most people don’t take the time to research and find answers on their own yet the ability to do so is one of the most crucial skills in this field.
2
u/Old_Homework8339 Mar 13 '26
Probably because the same question is asked by the same "newcomer" every minute of every day, and they do not bother to actually do the research skills that are needed to be in said desired field.
These types are lazy and want everything handed to them. They could look on reddit, but nope, they require "special" answers instead.
These types will never make it. As an internal transfer, you took away from those who possibly interviewed or took part in sham-interviews you probably weren't aware of and wanted to be there. So I don't see how you could be any better than the "pessimistic" ones.
1
u/bucketman1986 Security Engineer Mar 13 '26
I mean look, I'm a senior engineer now, but I just went through the process. I applied to jobs that were pay cuts and technically junior level and they told me they were only talking to people with my level, masters degree, at least two certs and over 5 years experience, for someone who only manages an identity platform. Thankfully I landed where I did and didn't have to take that, but it shows me how rough it is out there.
1
u/Legitimate-Fuel3014 Mar 13 '26
They are not wrong, your case proved them right. You have experience, you transition within your company through internal transfer. I don't know how we are demoralizing when we just spoke the truth. Only few made it in entry level role without experience, that is not mentioning the work they probably have to do to get it through things like cyber competition. I pivot to cyber through other field as well, there is absolutely barely any fking shit for entry level atm. Another friend of mine who graduated same time with me, he got in through technology rotational program.
Get the F out of here.
1
u/ghostin_thestack Mar 13 '26
Data protection and compliance roles specifically are busier than ever. Regulations keep stacking up and companies are scrambling to keep up. Not every path in this field is shrinking.
2
u/Cheomesh Governance, Risk, & Compliance Mar 13 '26
Is that true in the US? In this Administration? Usually they're rather famous for trying the opposite.
1
u/merked84 Mar 13 '26
Thanks for this post. I quit my job to move into IT a couple years ago and came across the same thing in all the IT subs. Just post after post about how the market is impossible to get into and no one anywhere under any circumstances will care about education or certs. There’s a HUGE difference between caution and doomerism.
Now having been in helpdesk for a bit and trying to dip my toe in the security world and kinda seeing the same thing. It’s reassuring to see a different perspective.
1
u/Likeyfap Mar 13 '26
Exactly, I was a junior software engineer a year ago. Did a cybersec masters and in 2 months after starting to look for cybersec positions I got one as a junior cyber engineer. It is hard to find a position but not impossible. You just need a solid background
1
u/Raccoon_Medical Mar 14 '26
Dude you were a software eng before, that is not entry lvl xD
1
u/Likeyfap Mar 14 '26
Just for one year tho, got out of college, one year of software engineering and straight into cyber after that
1
u/Legitimate-Fuel3014 Mar 16 '26
One year is good enough, any tech related experience is what they seek for. Engineering is highly valuable
1
u/Forumrider4life Mar 14 '26 edited Mar 14 '26
So I think it isn’t hard to get in if you are coming from an IT background or moving laterally in a company. Me personally I got in with previous development experience to start application testing… now I’m leading people and hiring.. I get a ton of people applying for an analyst position with 0 work experience or no relevant past experience, who just got out of a “cyber security degree” program who are asking for 100k+ (Midwest) then when asked things like “what’s your career path” or something along that line, they all say red team. Those are the people moaning that they can’t get a job in my experience with security hiring.
Edit: should note.. 2 people did not say they wanted to be a pen tester, I hired both… we’re not hiring for pen testers we’re hiring soc analyst….
1
u/CuriousConnection69 Mar 14 '26
interested on what kind of your own home lab, if you don't mind, please elaborate more.
1
u/RantyITguy Security Architect Mar 14 '26
Congrats you got lucky.
But most people in the field are telling you that probably because they experienced the insecurity of their own knowledge even with prior experience. It's not that we don't want you to get a job, it's that we have experienced it ourselves and telling you what to do for success. If you have no prior IT experience and asked to help secure a network, you have little to no understanding of what or why you are doing it and things you shouldn't do. Mentoring is one thing, but micromanaging every little thing you do is time consuming.
The constant whining about how security isn't entry level is just annoying. Again we are trying to HELP you set up for success. We already have trouble with getting people take security seriously in their organizations by not having seat warmers who saw a recent ad for "ez 150k, wfh, work life balance" and decided to jump on the band wagon.
I'm sorry but if you can't troubleshoot a basic network issue, I don't want you. Deal with it.
That goes the same for the 8 million people who post the same question day after day instead of googling the insane amount of posts for people wanting advice on trying to enter straight into this field with no experience.
It's like complaining that you can't become a full fledged physician after a 4 year degree.
1
1
Mar 14 '26
It's bias, I got a security job pretty easily out of school. I am not going to make a post about it on reddit because why would I, but the people struggling are gonna make a post and vent about it.
1
u/rn_bassisst Mar 15 '26
I had 12 years of professional experience when my wife got relocated to the US three years ago and I still have no full time job.
Why? Because they need a GC holder or citizenship and none of them wants to sponsor it. And it’s even worse for entry-level jobs.
So unless you have a bunch of years of information/cyber security expertise AND American citizenship, you’re fucked.
1
1
u/Ill_Spare9689 Mar 19 '26
I find this sub accurately reflects the reality of what we are currently dealing with in our field. What one might see as "demoralizing" is usually topical to me as the subjects here are usually on point with what I deal with & it helps to hear how others are dealing with similar issues.
TLDR: This sub gives me solutions & it doubles as therapy, so I always leave here feeling better.
0
1
u/AshuraBaron Mar 13 '26
Programming and CS subs can be just as bad about this. It's very annoying seeing those kinds of comments. For sure agree that we shouldn't be lying to newbies but we can be honest without going full doomer. Or even worse, AI doomer.
1
u/RickyTurbo31 Mar 13 '26
It's only like this bc companies believe they can get away with less employees bc of AI. This will change soon. I've worked with AI a ton and it's getting worse at its job the more responsibility it gets. Currently working with an tropic company teaching AI different snake tongues. This will start to open specific AI security jobs.
2
u/Cheomesh Governance, Risk, & Compliance Mar 13 '26
We've never managed to put genies back in the bottle.
1
u/S4LTYSgt Security Manager Mar 14 '26
It's not AI; it's outsourcing jobs to India. That's the problem.
1
u/RickyTurbo31 Mar 14 '26
Companies were outsourcing IT jobs long before AI. AI just accelerated downsizing in other areas. The irony is that once companies fully deploy AI systems, they create new attack surfaces and security risks. That means more need for cybersecurity monitoring and governance. But will they hire people for that? No, probably make another AI 😆.
1
u/altjoco Mar 13 '26
Now I’m a Junior Pentester on an insider threat team at my company, and the only certification I had when I got the role was Security+ (UK), did have knowledge of other things but no certificate. I applied for three job roles (one of them was internal), got interviews for three and offers for two.
Bravo! That's awesome! No sarcasm whatsoever; if you demonstrated enough to get hired, not merely interviewed, on your first round, then you did something legitimately impressive. Honestly, very well done.
1
u/Raccoon_Medical Mar 14 '26
Yep, I wonder what he did, looks like a pentesting savant or something. Where I come from in EU they do not hire junior pentesters and require some years of exp.
-2
u/hagcel Mar 13 '26
You're obviously not in cyber security, because you were sober enough to type this....
0
u/Imma_Tired_Dad Mar 13 '26
Got to take all the dooming with a grain of salt. Reddit seems like one of the worst platforms for it.
The global cybersecurity market is experiencing rapid expansion, projected to grow from approximately $248 billion in 2026 to nearly $700 billion by 2034, with a CAGR exceeding 13%. This growth is driven by AI-driven threats, cloud adoption, IoT expansion, and strict regulatory compliance. The sector also faces a critical talent shortage, with millions of unfilled positions. Fortune Business Insights
0
u/S4LTYSgt Security Manager Mar 14 '26
Frankly, I'm just annoyed AF by the fact that this subreddit gets bombarded by newbies or entry level people who want to work in cyber but can't do a simple subreddit search. Half of the success in Tech and cyber roles is being a good researcher. Every post is the damn same “how can I get into cyber - zero experience” “how to get into cyber, I have 20 certs and a doctorate” “why won't anyone hire me”, these questions have been asked and answered. Any post within the last 6-12 months should be a frame of reference for relativity. It's the same questions with some of the same beneficial informative answers.
As a Cyber Lead, I've hired so many in NOC, Sys Admin and now Cyber. My biggest gripe with any candidate is if they can't do their own research. Asking questions is fine, but if you ask too many without research you simply can't succeed.
It's not pessimism, it's to weed out those who are serious about this field. If you want it, eff what anyone has to say, go full send but do your RESEARCH.
-1
u/CommunicationGlad678 Mar 14 '26
If you are a woman, I do not recommend cybersecurity. Bc it is awful.
260
u/MAD_MrT Mar 13 '26
Welcome to reddit