Packed. Crowded. Bursting. Crammed. Glutted. Jammed. Teeming. Saturated. Chock-full. Jam-packed. Brimming. Overflowing.

There has been a lot of hype for a while now about cybersecurity careers. Cybersecurity careers are hot, they say. Allow me to throw some cold water on that.

Schools, universities, certificate programs, and bootcamps have all been pushing cybersecurity. Why? Because they have stuff to sell you. They have now sold so many people on the idea of getting into cybersecurity that the field is now totally saturated. Particularly at the entry level. So getting a job is HARD.

"Just take our six week cybersecurity bootcamp, no IT experience required! Go from zero to hero with a six figure salary in just six weeks!" It's madness. It's totally unrealistic. It takes years.

"But I saw an article saying there were nearly 600,000 unfilled cybersecurity jobs in the US right now!"

And that there is a gap of four million worldwide!

Yeah, and who was the source for that article? Probably a school or someone with something to sell you or some vested interest. Google is loving seeing cybersecurity flooded and keeping salaries down. The ISC2 are loving selling certifications and collecting annual maintenance fees.

Note how that second article linked above mentions security people getting laid off. That would ease pressure on the need for hiring, not exacerbate it as the article claims.

I recently exchanged messages with a Google security exec on LinkedIn. Guess what? He's not hiring.

I heard from a recruiter who saw a company post security jobs on their /careers page so he contacted the CISO to get the external recruiter contract to fill those jobs. The CISO had to admit that they weren't actually hiring. Those jobs were just there to make it look like the company is growing for the sake of potential investors! All the applications they receive are sent to the bit bucket.

The reality? Security is always optional. Always. It shouldn't be, but it is. Barring some major compliance requirement imposed by force of law and jailtime for failure to comply, the big corpos will always cut cybersecurity when things get tough before anything else. So cybersecurity isn't even a very stable job. You are going to get laid off at some point. In fact, there have been quite a few cybersecurity layoffs in the last year.

Companies are typically happy to roll the dice on getting hacked in order to hit this quarter's numbers and look good for wallstreet. And they usually get away with it. Usually.

Yes, maybe there should be 600,000 jobs filled to protect our businesses, infrastructure, and nation. But those jobs aren't actually funded so they aren't there.

No, you aren't likely to go from being a 45 year old warehouse forklift driver to having a "6-figure" (which isn't nearly as much as it used to be and 7 figures is but a dream) cybersecurity career. Particularly if you've never built your own PC or installed your own OS or otherwise shown some sort of interest before now. But those with something to sell want you to think that you can pull it off.

They will tell you that there are some "non-tech" jobs in cybersecurity. Yeah, sure, sort of, but not really. Having deep technical knowledge will always be very helpful and give you an advantage in competing for those very competitive jobs. Those GRC and security-awareness or whatever positions which they claim to be non-tech are few and far between. They are but a very tiny percentage of the cybersecurity workforce. Most of us are writing code, reviewing code, deploying configs to harden environments, reading CVEs to know just how bad that vulnerability in our environment is and where it prioritize it in patching and what it could affect, trying to make sense of logs to determine if that oddity is an indicator of compromise or not, etc. You know, tech stuff.

There are a lot of "cybersecurity career coaches" out there claiming to be able to help you out. They keep talking about the money. They will tell you that you don't have to know how to program (you do if you want to be competitive). They are "influencers" with slickly produced youtube channels. They are often physically attractive people. They talk to you in language you can understand. And they keep using those words: "six-figure". Is this starting to sound like a salesperson yet?

There are lots of people out there pushing the penetration-test red-team offensive-security use-more-hyphens angle because it's cool and that's what we see hackers in the movies doing. The reality is that only a very tiny percentage of the cybersecurity jobs out there are pentest jobs. And what jobs there are out there are extremely competitive. You need to be good to make a living at it. Like NBA good. Burnout is rife in all of cybersecurity but particularly in pen-test. It's an arms race. You are constantly learning new things. Where's the career path there? If you think you are going to spend your 40 year career keeping up with that and popping shells until retirement, I'm very skeptical. The vast majority of us work in blue team.

Nobody cares how well you did on hackthebox or tryhackme.

Finally, cybersecurity is stressful. On call. Incident response. Compliance deadlines. Like any IT job, stuff breaks. Long unpaid hours keeping up on tech to remain competitive. Dealing with the politics of your management not sincerely wanting to spend the money required to do things right and having your advice ignored. Maybe even getting hacked and having to work days without sleep! Only to be canned for your efforts because, hey, you got hacked! Sure, management accepted the risk and they are ultimately responsible but something has to be done and firing you and your whole team is something. This worst-case scenario is somewhat rare but not unheard of.

Look into goat farming instead.

links