Navigating the Cybersecurity Hiring Trenches: Challenges, Realities, and Paths Forward

14 Jun 2024

Our [Cybersecurity/Infosec/Hacking] industry presents a paradox as intriguing as it is exasperating. On one hand, it's vital and dynamic, promising the bleeding edge of technology and security. On the other, it's marred by widespread layoffs, entry-level roles adorned with 'CISSP Required', and a mix of burnout, substance abuse, and low salaries.

Ample opportunity, yet ever increasingly competitive. Niche requirements alongside expectations of broad and far-reaching knowledge. Academic institutions, training providers, and educational personalities hawking their warez as get-rich-quick schemes.

The only ones getting rich are them, and it's off the back of your wallet.

For the many aspiring to join the industry, this brings significant challenges and frustration. Having polled LinkedIn, Twitter, Mastodon, and Discord, these were the sentiments and overarching themes I identified.

Job Market & Industry Challenges

Fiercely competitive, with frequent layoffs and less-than-expected compensation, except for those wielding niche skills

The job market, while appearing rich with opportunity, is extremely competitive and marked by frequent layoffs, poor compensation, under-appreciation, and long hours. It's no longer adequate to have just a degree, certification, or hands-on experience. Human Resource departments seek their unicorns, i.e., an individual with degree(s), certification(s), hands-on experience(s), conference/speaking attendance, GitHub project(s), Network/Development/Windows/Linux/Reverse Engineering experience, Threat Intelligence, and Blue-Red-Purple Team knowledge, etc. Do you have knowledge of everything? I certainly don't.

Many feel let down, having pursued degree(s) and certification(s) with high hopes, only to be met by a lack of job offers.

Venturing into the industry, many carry with them a sense of disillusionment. Whether they arrive after pursuing advanced degrees and certifications or under the false pretense that cybersecurity is an 'easy' industry to enter with only foundational computing knowledge, both groups have hopes of highly lucrative job offers. Disappointment stems from the stark contrast between corporate and academia's promise of opportunity and the reality that specific credentials don't always guarantee a role. The gap between expectation and reality leads to a crisis of faith, with many questioning the perceived value of the money and time they've dedicated to education, certification, and skills development.

Despite proclamations of talent shortage, entry-level positions seem scarce.

Despite far-reaching reports of a 'talent shortage', many early job seekers find themselves caught between an abundance of open positions and layoffs that don't translate into accessible entry-level opportunities. This gap raises questions about the alignment of educational training programs with the actual needs of the industry. Do realistic entry-level cybersecurity positions exist, or is that simply a misnomer for more advanced computing roles that have a security element attached? NIST suggests a 3.4 million person global shortage of cybersecurity professionals and 600K+ open roles. Examining how roles are defined, identifying the necessary skills and knowledge, and understanding how these positions are filled is essential. Despite the critical importance of cybersecurity, many people find it paradoxically challenging to enter the field.

It isn't what many expected...for better or worse.

Individuals often bring an initial set of expectations that may not align with reality. For some, expectations are exceeded with thrilling and fulfilling careers filled with constant learning and problem-solving. To the dismay of others, the reality falls short, with unanticipated facets of the job leading to disappointment. Many speak to the dual nature of their experiences, highlighting satisfaction in learning and applying their skills while acknowledging the pressure of staying ahead of the pack - technically, competitively, and in terms of knowledge. For those already in the industry, the pressure to prioritize profits and shareholder satisfaction over adequate staffing and training can undermine team effectiveness, leading to gaps, burnout, and under-appreciation.

Journey & Motivation

Deep passion for technology and problem-solving is common, often sparked by media portrayals

A significant number of individuals cite a deep passion for technology, problem-solving, or a fascination with 'hacker culture' as their initial draw to the industry. What role does the media play in romanticizing the art of hacking? How many of us joined after being inspired by The Matrix, Sneakers, Mr. Robot, Office Space, WarGames, or even the DEF CON documentary from over a decade ago? Face it, a lot has changed in the years since then. When the reality of the day-to-day 24x7 9-5 work doesn't match the movies, what sustains one's engagement and success? The complexity multiplies alongside the inability to obtain practical hands-on experience until after they've invested significant amounts of money and hours into education.

Navigating the field necessitates overcoming hurdles, with each advancement both a challenge and thrill.

The journey, while daunting, is often characterized by the excitement of engaging with a constantly evolving field at the forefront of tech. Each step forward, whether mastering new technology, winning a capture the flag (CTF), or succeeding in an engagement, brings with it a sense of achievement and progress. However, each advancement isn't without its own barriers. Financial costs, time commitments, and the ever-present need to prevent stagnation all contribute to an industry that's as challenging as it can be rewarding. The challenge is always guaranteed, but the reward is never. Success in the field often requires a combination of relentless curiosity, dedication, and resilience.

Individuals transitioning from other careers often face numerous obstacles but achieve success through commitment to learning.

Many professionals come from diverse backgrounds, bringing with them a variety of skills and perspectives gained from tenures in industries such as psychology, child care, the military, and even medicine. One of the best architects I've known began his career in such a field. Whether transitioning from law enforcement, marketing, forensics, or an entirely different sector, these individuals often face steep learning curves and the need to quickly acquire relevant knowledge. For those with a family and financial obligations, taking an aggressive pay cut to gain foundational skills presents extreme difficulty. However, success stories abound of those who, through sheer determination and force of will, have carved out successful careers. These transitions are often supported by communities and mentorship networks that provide guidance and encouragement.

Shared stories of resilience and success offer beacons of hope.

Tales of perseverance and triumph over adversity are common. Discord servers, forums, conferences, and social media platforms have become the spaces where individuals share their journeys, advice, support, and motivation with others. These narratives not only inspire newcomers but reinforce our sense of community and shared purpose. Personally, I'd have been lost without the community, and I deeply miss regularly attending hacker cons. There's a sense of family among us, with offers of guidance when someone sees another similar to themselves. By highlighting these stories, a culture of encouragement is fostered, emphasizing that while the path is challenging, success is attainable through persistence and collaboration.

The Culture

Opinions vary widely, from exhilaration to dismay

The work environment can be a mixed bag. Some thrive in high-pressure, dynamic settings that offer meaningful intellectual work and satisfaction. Others, however, find the relentless pace, long hours, and high stakes to be sources of stress and burnout. Conversely, some roles are low-key and relaxed yet lack the necessary challenge and opportunity. Company culture plays a significant role in shaping these experiences. Organizations that prioritize employee well-being, offer opportunities for professional development, and maintain reasonable expectations can foster a positive atmosphere. This only works, however, when the opportunities presented align with the personal goals of an individual. An engineer with no interest in management will never make a good people leader, and vice versa. In contrast, companies focused solely on profit results, often at the expense of their workforce, contribute to a toxic culture that drives talent away.

Unrealistic requirements and flawed processes mar the landscape

One of the most significant challenges facing job seekers is the inconsistency and often unrealistic nature of job requirements. Many postings list an exhaustive array of skills, certifications, and degrees, creating a barrier to entry-level applicants and those looking to transition careers. Additionally, hiring processes can be lengthy and opaque, leaving candidates in the dark about their status. Hiring software may algorithmically remove candidates based on missing criteria, resumes are fed into artificial intelligence systems, and candidates often face requests for interviews only to be ghosted. These practices contribute to the disillusionment of many aspiring professionals, highlighting the need for more transparent and inclusive hiring practices. A more humane approach leads to a more accessible field that attracts more diverse talent.

The value of formal education versus hands-on experience is split, with no consensus on the best path

There is ongoing debate about the merit of formal education versus hands-on experience. Traditional academic programs provide a structured learning environment and a theoretical foundation but may not always align with the demands of the industry. Often, students find themselves taught outdated tools and techniques that are no longer applicable, with no connection to the community that they're supposedly being prepared to join. How many professors consider themselves subject matter experts on hacking despite never having stepped foot inside a conference? Conversely, hands-on experience gained through self-study, online learning, and real-world projects offers practical skills and adaptability yet is not as highly valued as academic qualifications. Not that boot camps, cyber ranges, and certifications are without their own flaws. How many certifications are little more than vocabulary exams, while the quality of online training steadily creeps into the territory of money-grabbing? To say the least, each approach has its positives and negatives. Many advocate for a balanced approach, combining formal education with continuous, self-directed learning and practical engagement to develop a holistic skill set. However, accomplishing this requires a significant investment of time, energy, and finances.

Skills, Education, & Training

Success is often attributed to hard-fought practical experience beyond theoretical knowledge

While formal education and self-guided learning provide a foundational understanding of the principles, practical experience truly sets the successful apart. Engaging in hands-on projects, participating in Capture the Flag (CTF), contributing to open-source, and seeking apprenticeships, internships, and contract work can demonstrate one's skill. Real-world experience allows for the application of theoretical knowledge, creating a deeper appreciation and ability to adapt to evolving scenarios. Employers value the candidates who can showcase their expertise through tangible achievements and contributions. However, many find it challenging to access paid and appropriately challenging entry-level opportunities. The number of internships has been far outpaced by the number of applicants, and not all are paid or lead to the learning and experiences one hopes for. Nobody wants to be stuck fetching coffee and filing paperwork.

Diverse skills are crucial, and that includes [EVERYTHING?]

The path to expertise is augmented by self-directed learning through online resources like TCM Security Academy, Udemy, Pluralsight, and YouTube. In a rapidly evolving industry, self-directed learning is a critical skill to develop. Accessible platforms like TryHackMe, Hack The Box, and CTFtime allow individuals to develop necessary skills at their own pace. However, not all content is created equally, and the sheer number of options creates a deluge to sift through before finding quality. A quantity versus quality problem has developed, with much of the content out there being of poor quality, lacking in expertise or care in effectively communicating what it aims to teach.

Certifications are often seen as benchmarks of knowledge and skill, particularly those such as the Offensive Security Certified Professional (OSCP), which emphasizes hands-on experience and practicality. However, the process of becoming certified can be demanding and costly, leading to frustration for many who find themselves certified yet unknowing and unemployed. A great number of certifications, while being cost-affordable and accessible, are nothing more than vocabulary exams and checkbox bylines for resumes. This has led to the phenomenon of Pokémon Trainer-esque individuals trying to "Catch Them All!" but with certifications. Despite these challenges, certs remain a key component of professional development and are required by employers, whether it be the Security+ or the CISSP. As with online training, the vast number of options makes it difficult to know if the money and time invested will prove of value. Balancing the pursuit of certification with practical experience is crucial.

"Launch a successful cybersecurity career and embrace the latest trends" CompTIA.

Between self-paced learning and academia are boot camps and accelerated learning programs, which promise to fast-track individuals into cybersecurity careers. The effectiveness and credibility of boot camps is debated, with critics arguing that these programs offer only a superficial understanding of the field, lacking the depth and rigor required for long-term success - as wide as an ocean and as deep as a puddle. Proponents, however, highlight their practical focus and ability to quickly equip individuals with job-ready skills. As the industry continues to develop, it's becoming clear that the value of these programs largely depends on the quality of the instruction and the commitment of the learner.

Lastly, there are two and four-year academic programs. Many of these have emerged due to the recent exponential growth of the industry and are increasingly necessary for continuing to develop a skilled workforce. Previously, individuals had to seek degrees in tangential industries and then acquire the necessary niche skills on their own. These newly developed academic 'cybersecurity' programs promise to equip students with the skills needed to "track down hackers intent on breaching." They emphasize their adherence to "industry standards," suggesting that their curriculum is aligned with best practices, standards, and current trends. However, despite these claims, programs are often led by individuals actively avoiding engaging with the community out of fear of being "surrounded by criminals." Ironically, these same programs are consistently ranked among the top in the nation, reflecting a paradox between their reputation and the real-world experience of their faculty.

Recommendations for Newbies

Networking (IRL or online), skill niches, and the value of experience and knowledge — whether from academia, self-paced study, boot camps, or certification — are essential. For those new to the field, building a network can open doors to opportunities and provide valuable insight. That same network can offer support when times get tough. Within the community, it often feels like friends and family. Focusing on specific areas of interest or emerging technologies can set you apart. A genuine passion for the subject matter goes further than pursuing something simply because someone said it was lucrative and easy. The number of individuals pursuing cybersecurity because they heard it was 'easy' and that there were jobs and high salaries is truly worrisome. Those same individuals are often unwilling to put in even the smallest modicum of effort because they lack genuine fascination. That's not to say you should toil away in an industry that doesn't pay, but passion is crucial for sustained success.

I'm often asked about my story, so I'll take a moment to outline it. This isn't to brag and boast but to set expectations and demonstrate what worked for me. If you follow these exact steps, that's not to say that it'll work for you since we're all different, but it did at least work for me.

¯\_(ツ)_/¯

GENERAL INTEREST

I was terrified of computers as a kid, and our first computer was a Gateway with Windows 98 SE that frequently blue-screened and died. Eventually, though, I wanted to play games and rip CDs, so I figured out how to do it. I spent a lot of time at our library playing Kid Pix, Roller Coaster Tycoon, and Sim City.

MYSPACE

When I added a playlist and background to a MySpace page, I didn't realize I was editing HTML. When I wanted it to display a specific banner, I either found the code or combined parts of others' to make it happen. Hacking was far past the days of phreaking, but I like to imagine that for a large part of the community, MySpace was their introduction.

LOST KEYS

We got locked out often growing up. Sometimes, it was because I locked the shed with the keys still in the bike bag, but other times, it was because the latch was loose and flipped itself locked as we went out. More than once, I remember my dad or I prying open a window or sliding door with a butter knife someone found in the sandbox. While not the best example of physical security, it was definitely a demonstration of how to defeat one!

K-12

In elementary and especially middle through high school, I took every keyboarding, animation, graphic design, computing, coding, broadcasting, and related class I could. I didn't particularly love all of them, especially the coding courses, since I'm not much of a developer. Still, it was a good introduction to HTML and Java. A distinct memory is of a computer in the lab dying and the teacher opening it up to replace a component. This was the first time I'd seen the inside of a computer, and I was ENAMORED! I'd never considered what made computers 'tick'; I was just happy that they continued working! He pulled out the motherboard, hard drive, RAM, and graphics card, listing off the function of each. I'm not confident, but I want to believe that resetting the RAM fixed whatever the problem was. Regardless, he turned it off and on again, and the problem was fixed as it usually is.


CAREER PREP

In my senior year, I attended a Career Prep Academy tailored for those interested in pursuing trades such as welding, early education, automotive repair, and construction. Truthfully, this got me out of class in the afternoons and was an improvement over study hall. Their information technology program was built upon the CompTIA A+ and covered computer repair and some basic system administration. While the material wasn't advanced, it explored how and why computers compute and what to do when they inevitably stop. Just a few years prior, I'd seen the guts of a computer for the first time, and now I was operating on them like a surgeon! Looking back, I can confidently say that this course significantly impacted my trajectory by providing me with a foundation and hands-on experience that proved invaluable. I later built my first computer based on the specs I'd chosen during that class, and we'd have Halo LAN parties. Before that, I didn't even know what a local network was. In my experience teaching a few 100-level university courses, many students had never seen the inside of a computer. I think this shift is attributable to the increase in laptops and tablets, which has reduced the need and ability to perform physical repairs. Defend the Right to Repair! How fortunate I was to have had those early experiences. The exposure sparked my passion for technology and problem-solving. Eventually, I sat for the first half of the A+ and passed. Six months later, I failed the second half. I've never gone back to get it, but I sometimes consider doing it just for kicks.

LOCAL INTERNSHIPS

At some point, I was hooked up with two local internships: one with a community college and the other at a local government office. Neither of these was glamorous, but I learned how to image machines and provide end-user support — both being tasks I'd spend a lot of time doing later in my career. The community college used GHOST to install Windows, and while at the government office, we'd take calls and then drive out to whichever building across the city was having an issue to try and resolve it. I'd try sushi for the first time during one of these internships.


UNDERGRAD

A teacher, I believe the one who had opened the computer, recommended that I go to university for a degree in [COMPUTERS]. I visited exactly one and decided that was what I'd do. I didn't really know the difference between 'Computer Science' and 'Computer and Information Technology,' but I sat through their presentations and decided to apply for Computer Science, still not fully understanding the distinction between the two. I wasn't the most thorough in my application because I confused the two and applied to Computer and Information Technology by mistake. I'd have never graduated from computer science; I'm a terrible developer and a worse student at that time. After five and a half years, I graduated with a four-year degree. Along the way, I joined a cyber forensics group and took a course in cyber-criminology. I wasn't convinced that hacking was what I wanted to do, and I needed money (not that I'd make any), so I left for a gig at a managed service provider (MSP).

MANAGED SERVICE PROVIDER

I interned with the Managed Service Provider (MSP), and for those fortunate enough to have never worked at one, they're essentially glorified and outsourced IT help desks with some system administration on the side. I returned from the internship, graduated, and went back to work full-time. This experience royally sucked, but it convinced me that I wanted to pursue security — or at least convinced me that I didn't want to be a Help-Desk-Sys-Admin-Network-Engineer. After a year and numerous conversations about how 'VNC is a HAcKeR TOoL' and 'HAcKeRs are CRIMINAL SCUM,' I made my exit. Before my final departure, though, I became Sec+ certified.

GRAD SCHOOL

At the very tail end of my undergrad program, the university had just introduced a bachelor’s in cybersecurity. This was likely a turning point for both me and the industry. Once I was free from the MSP life, I came back and started a graduate degree with a concentration in security. I'd bounce around topics, exploring physical security, forensics, psychology, Internet of Things (IoT), biometrics, wireless security, and more cyber-psychology-criminology, but eventually land on biohacking and augmentation. I proposed my thesis research, never conducted or defended it, but graduated with a two-year degree after four years. I did a lot of 'teaching,' which mostly amounted to configuring infrastructure for undergrads, grading, and making sure nothing caught on fire. I hated much of it since I was never involved in security courses or assisting in the subjects I was more well-versed in. However, there were moments I enjoyed with other passionate students and professors.

CONS & CTF

By this point, I was attending as many conferences as I could and absorbing anything and everything hacking-related. Textbooks, CTFs, 2600, talks, documentaries, meetups, it didn't matter! I won my first CTF and black badge at one of these cons, and I volunteered for five years at another. I met individuals who made planes fly sideways and discovered biohacking. I'd collect badges, challenge coins, and stickers. We'd cram ten people in a hotel room, carpool, and eat cheap to afford the discount student tickets. I experienced some of the lowest and highest moments on trips like these. I miss this period sometimes — there was a sense of camaraderie, and I was surrounded by others who wanted to be hackers. Some of those individuals drifted off into other careers, some disappeared altogether, and a few did, in fact, make it in their pursuit. I don't attend as many cons as I did then. The conference circuit lost a few, others became bi-annual, travel became more cost-prohibitive, and my time became less available. I'll be at GrrCON as always, though!

HELP DESK

During grad school, I worked far more help desk and system administration jobs than I'd care to. I don't think of these entirely negatively, as they gave me a wealth of experience across a number of verticals — farming, veterinary, agriculture, electrical engineering, etc. However, they contributed to my being typecast as a System Administrator rather than a Security Professional. I had too many positions in one subset of Information Technology, and most HR departments struggled to look past that. Bills need to be paid, though.

CONTRACTING

I was introduced to a small cybersecurity contractor a friend had been doing work for. This individual introduced me to the community and many cons, friends, and opportunities — they were on the scene long before I was. I began assisting with some of the contract work, which included vulnerability scans, business continuity plans, infrastructure reviews, personnel evaluations, training, incident mitigation protocols, and data loss prevention. Most companies would provide us with an overview of their infrastructure; we'd perform a gap analysis, and then return with our recommendations. I spent time writing reports and presenting findings, but I was getting hands-on experience outside of a help desk, and I was getting paid.

CURRENTLY

Having done a bunch of teaching, mentorship, and community involvement over the years, I now find myself in the niche of creating cybersecurity education and training materials, which includes cyber ranges and content development. I spend my time designing exercises, creating virtual environments, and delivering training. I despised the cliques and bureaucracy of academia, even though I loved teaching, learning, and designing. At one point, I'd hoped to be a professor of cybersecurity. Building training for the industry still lets me have an impact on learning, tap into my experience, offer mentorship, and get paid to do it. I've been able to attend conferences and become certified on my employer's dime while still working with students. I don't always love it; I'm often at the will of clients regarding the training materials I create, and I don't carry the social media presence to build a 'learning empire' — not that I want to. However, when I get to build stuff I'm passionate about, I love it!

Recommendations for the Industry

TRAINING, CERTIFICATIONS, DEGREES, & EXPERIENCE

Encourage hands-on practice in safe, virtual environments such as cyber ranges and take individuals in under the tutelage of internships, apprenticeships, and mentorship. Make learning accessible to all, regardless of financial status, e.g., pay-what-you-can training. Move away from rote memorization towards practical assessments, i.e., kill multi-choice 'vocab exam' certs. Emphasize learning through real-world experience, supported by practical engagements, on-the-job training, and entry-level roles. Shifting away from costly and time-consuming boot camps and memorization in favor of practical assessments and experience reflects true competency and bridges the gap between education and employment.

ELITISM

Address and dismantle the gatekeeping that hinders new talent from entering the industry. Confront unrealistic job requirements, exclusionary hiring practices, and the absence of transparency. Inflated promises and lack of diversity contribute to an unwelcoming environment. This isn't only applicable to human resource departments but to the community as a whole. Just because someone hasn't phreaked, is 18 years old, has a college degree, is self-taught, or is attempting what you consider a child's level of difficulty challenge doesn't mean they don't deserve respect and admiration for stepping outside their comfort zone and learning! It's easy to become jaded when you're constantly pestered by people who are unwilling to put in the smallest modicum of effort and just stare blankly, waiting for answers to be handed to them on silver platters. When people ask questions, I often ask Google before regurgitating info. Knowing how and what to search to find the info you need is a skill unto itself. Eventually, telling them to "Google it" themselves becomes the de facto response because that's exactly what I'm doing. Try not to let your heart become hardened. We were all kids once, and most of us probably still are in some way, haha. This is a space for anyone and everyone who is willing to put forth effort to make the world a better place, no matter how they go about it. Fostering an inclusive space that values diverse backgrounds and experiences taps into a broader pool of individuals and helps break down the barriers to creating a more equitable workforce and community.

HIRING CRITERIA & JOB DESCRIPTIONS

Create accurate and realistic job descriptions that accurately reflect the necessary skills and responsibilities. Overly broad and unrealistic expectations discourage qualified and motivated candidates and contribute to the overall perception of a talent shortage. By clearly defining competencies, differentiating between entry-level and advanced roles, and truthfully communicating the day-to-day tasks, a more suitable and diverse spectrum of candidates becomes available. Transparent and expeditious hiring processes improve overall experiences and rates of retention.

PRACTICAL ADVICE

Clearer pathways to success, guidance on certifications versus degrees, and tangible training opportunities like internships, apprenticeships, and mentorship are being sought out! Providing guidance on the relative value of degrees, boot camps, and self-directed learning creates tangible pathways to success. Individuals can make informed decisions, navigating the complexities of the industry more effectively. Aspiring professionals and the cybersecurity workforce as a whole become more robust with accessible and realistic guidance. It doesn't have to be an introduction by drudgery.

Conclusion

Navigating the [Cybersecurity/Infosec/Hacking] industry can feel like a labyrinth of contradiction and gatekeeping. While opportunities in the field offer the allure of a thrilling career, they're also fraught with fierce competition, unrealistic expectations, and a sometimes unforgiving job market. The journey demands more than credentials or certifications; it requires hands-on learning, due diligence, a network of supportive peers, leg work, and a relentless passion for learning and problem-solving. Professionals must balance education with practical engagement while the industry itself strives to become more inclusive, transparent, and realistic. A culture of mentorship, diverse pathways to success, and an emphasis on real-world skills over rote memorization can bridge the gap between promise and reality. As the field continues to evolve, so must the approach to education, training, community, and careers, ensuring the next generation is prepared to meet the opportunities that lie ahead.

I'm excited to see what the next ten years bring.

Are you?