by Rotdhizon 7 days ago
This is the easiest niche to pick on but I am mid career for cybersecurity. I spend a decent amount of time trying to advise people away from this career field for college. So so so so so many people are going to college for cyber not realizing when they graduate, they are in totality unemployable. Really I'm not sure how new people to tech could even enter the industry, it seems like at the lower levels the entire industry is essentially closed.

However it happened, the absolute maniacal obsession with job experience has ruined the market. Yes the more involved jobs in information security do require widespread knowledge that can't necessarily be taught on site. A lot of the entry jobs in tech though are not complicated and can easily be taught on site but even then, companies have defaulted to requiring years of prior experience even for those positions.

10 comments

> I spend a decent amount of time trying to advise people away from this career field for college. So so so so so many people are going to college for cyber not realizing when they graduate, they are in totality unemployable.

My spouse knows a recent grad who took this path through an undergraduate program at the University of Maine (https://www.uma.edu/academics/programs/cybersecurity/cyberse...). As you said, he was unhirable in this field and now works in a completely unrelated job in a hospital.

Universities, local governments, local legislatures, the federal government, and whatever industry lobbying orgs pushed for this are at fault. The apocalyptic narrative warning of a dire skills shortage is still being pushed out by industry:

Cybersecurity workforce shortage reaches 4 million despite significant recruitment drive (2023) https://www.csoonline.com/article/657598/cybersecurity-workf...

It's led to an expensive, unforgivable mess for a lot of young people and their families.

> Universities, local governments, local legislatures, the federal government, and whatever industry lobbying orgs that pushed for this are at fault.

It’s an industrial complex that uses students as fuel and when the winds shift, they get left holding the bag. Schools want revenue from student loans, employers want the best talent at the lowest cost without expending any resources to train and develop talent. Colleges are also desperate for students due to structural demographics and an ever shrinking pool of potential student customers, so they’ll sell whatever dream students want to buy. Cybersecurity? Sure. AI? Sure. Whatever gets you into the pipeline. Give us your money and we’ll give you a piece of paper of little to no value.

Edit: If you need a sure thing, go into healthcare. The world is going to keep getting older, and the demand for care will not end in our lifetime.

(day job is cybersecurity and risk)

Anytime you see a lot of media claiming there is a shortage of some career it's a negative signal. The field will shortly be flooded
Same for the retiring COBOL programmer myth. All those jobs were offshored years ago.
Not being directly in cybersecurity, is the situation there different from, say, CS grads as a whole? That is, not sure if the point is that hiring for entry-level tech is a disaster across the board and cybersecurity is one particular manifestation of that dynamic, or if cybersecurity is for some reason specifically worse than overall new grad employment in tech.
Big tech companies use their influence to push the "shortage" narrative in the media, because it gives Congress political cover to increase the H-1(b) cap.

I had a tech career spanning from the late '80s until the 2020s, and I read articles in major media outlets about a shortage every single year. In all that time we had an actual, bona fide shortage for about two years in the late '90s.

I personally as a general rule don’t hire people who work in cybersecurity if they were not traditional developers first. The chances of you understanding “cybersecurity” without also understanding how general software works is extremely low.
This is broadly true for all concentrations in cyber. There is no entry level. Your first job should be learning how what you want to focus on works… be it networking, sysadmin, devops, vendor risk management, etc.

Unfortunately, cybersecurity was a hot topic in the education market and people got sold on the idea that they could get a six figure job with nothing but some theory and an entry level certification.

> Your first job should be learning how what you want to focus on works.

Then what was the purpose of sitting for a degree?

There is theory to learn and it is important, but it is all for naught if you don’t understand how what you are protecting works. You need both for an entry level position - there is a reason those positions pay as well as they do.
This is true for most sub-fields. The average person in them is either a failed dev or more of a pencil-pushing box checker. The quality employees are devs with extra specialized expertise.

Security, QA, devops, data engineering, the list goes on and on.

Infosec also adds the angle that you want someone with actual grey or black hat hands on experience

I'm actually pretty good at data emgonering, one time I accidentally wiped our production db.
You too?

That was one long ass day!

Absolutely. Cybersecurity is not a field you can (well of course you can, but not with legitimate effectiveness) approach as an isolated field of study. To be effective you must have a reasonable experience and skill in programming, and in operating system internals, and in the network stack from the highest to the lowest level. You'd do well to also have experience in hardware and QA and you really need aptitude and hands-on experience actually breaking into things, not just in making things work. The last one is often hardest, plenty of brilliant people know how to build things but lack the mindset to break them.

So in this sense it is true there is a significant shortage of qualified cybersecurity people to fill the roles.

The mistake is that institutions try to fill that shortage with some undergrad program (or worse, certification) which of course can't build expertise in all the above fields in a few years. So that graduate is nearly as unqualified after graduation as before.

Kind of funny, my cousin studied software development, then she pivoted to cyber security last minute because she was uncomfortable about finding work, she's been through a few different companies so far, so I guess it worked out for her.
100%. I started out in cybersecurity and was complete shit. I gave up and went into software engineering and devops instead. Now returning to cybersecurity again and things finally make sense
> A lot of the entry jobs in tech though are not complicated and can easily be taught on site but even then, companies have defaulted to requiring years of prior experience even for those positions.

I graduated with an AS in programming in the mid-to-late 1990s. I continually sent resumes for 18 months and got back 2 replies.

I had 2 major strikes against me. I was a new coder. I worked in a region that was reluctant to consider new hires (even for no-skill jobs) w/o an introduction.

My scholarship came with job placement but the entire program was axed by the Contract With America prior to me graduating. Apparently the animosity toward helping folks off the bottom rung outweighed any platitudes about jobs.

I eventually eked out a living doing local IT work but I never did reach a living wage.

The Contract On America as many of us called it. And Newt's legacy has metastasized into even more virulent forms.
Zoe Chace did a great background on Newt. It's from some years ago and she notes how he generated animosity on a national scale and leveraged it to raise Republican voting numbers.

It's quite good. Zoe is really interested in this stuff. The reporting isn't confrontational, it's just how things unrolled.

ref: https://www.thisamericanlife.org/662/transcript

> However it happened, the absolute maniacal obsession with job experience has ruined the market.

The problem isn't necessarily with job _experience_. It's the acronym. Most employers seem to believe that YOE stands for years of _employment_, which has effectively cut off anyone who wasn't previously employed at a relevant position. You can gain experience in almost anything by working hard at home (and 90% of that would absolutely carry over to a FT position), but you can't do the same for employment (unless you accept fabricating your job history). Cybersecurity is actually a field where hacking away at home, messing around with codebases, and doing CTFs can give you TONS of experience, but barring you coming up with major zero-days, no one cares.

> Yes the more involved jobs in information security do require widespread knowledge that can't necessarily be taught on site

It certainly can, companies just don't want to pay for that training. That's really where the "maniacal obsession" with job experience comes from. Companies just want to save money on training.

Have a friend who just graduated in cybersecurity. He’s going into the military with it.
Poverty to poverty + disability given time
The absolute wild opposite (for cybersecurity) to this is that higher level individuals are in such insane demand that if you are underpaid even during the current wage suppression, going to over market should be almost completely trivial.
Of course, people actually good at security are rare and in high demand. This is totally aligned with OP’s statement. IMO you shouldn’t even be thinking of going into cybersecurity straight out of college. There’s just too much you have to learn about how software works for it to be a reasonable first job out of university. There will always be exceptional people, of course, but as a general rule I’m not hiring new grad cyber folks. Seems dumb
Cybersecurity seems to be either working to fill out forms to satisfy some requirement of some company/government office, or being akin to an ex-hacker actually trying to improve security.

Colleges seem to be producing tons of the first, hardly any of the second.

Are the companies hiring fewer people than they need? If not then perhaps the fault is not with their standards but with an oversupply of applicants.
I’m just a swe, but I kinda thought cyber is a good place to be, since the proliferation of insecure vibecoded apps.
Companies have never cared about security, because there are almost no consequences to data breaches. A hospital network could get ransomwared for 48 hours, and no one cares. Critical data gets leaked? So what, pay a fine. You either pay a fine to the hackers, or you pay a fine to the government, or you pay a fine to customers, but no matter what it's substantially less than a fully staffed security team, not just because security professionals are expensive, but because security professionals slow everything else down; they'll spend all day telling everyone what they can't do, which == lost revenue growth.

The only thing keeping security companies in the business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But, sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, then think about it once a year when audit time comes around.

What is a cybersecurity professional going to do about a bunch of vulnerabilities in an app that someone else decided to deploy on a network they are responsible for?

99% of cybersecurity in the commercial sector is a box checking compliance exercise.

There would not be such a proliferation if cybersecurity were a well-respected field.
Most companies sadly don't care about security whatsoever.
Yep, I think my megacorp's cybersecurity department is just a bunch of checklist punchers that now just copy and paste any of our technical writeups into ChatGPT, and I am not even joking. Fucking infuriating.

They are doing the bare minimum for cybersecurity insurance requirements, that's it.

I know _for a fact_ that most companies don't care. There might be a select few out there that genuinely do, but most don't. I've literally reported numerous GLARING vulnerabilities to companies in various different industries, only for the vulnerabilities to remain unpatched for MONTHS. A few of the most comical examples: one major game studio was compiling their Linux binaries with FULL DEBUG SYMBOLS AND INFO, plus they were shipping a 600M .sym file with practically full paths and all source info. Literally all the paths and function signatures to every single one of their functions were in there. I had to submit FOUR bug reports before they patched it (didn't even receive a bug bounty). The second one was with a major multinational telecom that was distributing routers that _had an open telnet port to the wide internet_ ... with a default password. And there were countless more. The telecom one I had to BEG them to ship me a new router, or to at least do an over-the-air update, because "they didn't understand what the problem was".
Shipping debug symbols isn't a security vulnerability. It might be sloppy, but we all know that security through obscurity doesn't work. Especially not with modern analysis tools and access to the executable code.
That's what it means to be a cost center. Anything over the minimum translates to wasted effort and inefficiency.
What about OSCP certification?