The state of the cybersecurity job market can seem like a perplexing paradox. On one hand, you’ve got frothy statistics from the likes of ISC2 stating that cybersecurity workforce shortages total 4.8 million positions or more. On the other, you’ve got an ever-growing cadre of newly cyber-certified and -degreed candidates who can’t even seem to get a call back for an interview no matter how many resumes they send out.
So what gives?
Lesley Carhart, a security leader and industrial cybersecurity specialist, wrote in a no-nonsense polemic on the cybersecurity job market, “I cannot express how numerically and logistically dire things are."
“We need to have a talk about the terrible state of the cybersecurity jobs market. The universities, colleges, and boot camps sold the heck out of an entry level skills shortage that does not practically exist, and everybody in those programs just graduated, all at once."
—Lesley Carhart
Today, cybersecurity team leaders are flooded with candidates for every security operations center (SOC) role that opens up, Carhart wrote. And it's understandable that HR responded to the flood by jacking up requirements, she added. Her advice is that entry-level candidates respond by jacking up their qualifications beyond the "cookie-cutter Bachelors’ and Masters’ curriculum."
Here are three things your organization needs to know about the state of the cybersecurity job market.
1. There is no monolithic cybersecurity career path
Anecdotal evidence like this is stacking up to show that it is actually a tough cybersecurity job market out there right now for many — especially for those trying to break in via the junior SOC analyst and penetration tester roles that many veterans cut their teeth on a decade or more ago.
Derek Fisher, a longtime application security (AppSec) professional, said this is the problem for many jobseekers today. Fisher explained in a recent post on the topic that too many people think their “path to riches and fame” in cybersecurity is a linear one that starts with the pen testing role.
“While penetration testing is indeed a need in cybersecurity, we all can’t be penetration testers. Cybersecurity is not a monolith and has roles in all shapes, sizes, and talent levels. I often look for ways to challenge the person looking to get into the space to broaden what they believe cybersecurity actually is.”
—Derek Fisher
Fisher and Carhart said that while breaker-type roles and analyst roles are oversaturated — and likely to become even more scarce as AI takes hold — there’s room for newcomers in other areas.
“Think outside the box about cybersecurity jobs that need to be done but aren’t being oversold by schools as cool and sexy."
—Lesley Carhart
A former developer who found his way into cybersecurity by working “on loan” to help AppSec teams in his spare time, Fisher said he advocates for seeking experience and education around building secure systems, applications, and networks. He also suggests jobseekers broaden their horizons on roles by turning to the National Institute of Standards and Technology's NICE Framework for ideas. NICE is what a lot of enterprises and recruiters use to develop their career paths and define their roles.
“The roles that are in high demand right now are in the oversight and governance space. The runner-up? Secure design and development, which includes secure software development, software assessment, and requirements planning.”
—Derek Fisher
2. Nontraditional backgrounds are a win-win
Sidestepping the traditional route into security that usually goes through the SOC could put more wind in the sails of those coming from either a nontechnical background or a tangential, but not necessarily related, technical field. And that’s good not only for job hunters, but also for the vitality of a cybersecurity program, said Aaron Shaha, a longtime security leader with experience at the National Security Agency and multiple stints as CISO in different companies.
“The reason I think some of the nontraditional ways into cyber can help the industry is these candidates provide out-of-the-box thinking by default. One of the problems I’ve seen in cyber from my time at the NSA all the way through corporate America is people who start with a tech-first focus tend to approach the problems with a tech-first focus. And so much of cyber isn’t a tech problem.”
—Aaron Shaha
3. Soft skills matter more than ever
As a CISO, Shaha said, he wants to see a greater emphasis on soft skills in cybersecurity recruiting. “Soft skills is the big one right now because, right now, with AI I can kind of train up on demand on a lot of different [technical] things. But soft skills and critical thinking are just not easily taught,” he said.
He said that those with alternate backgrounds — be it finance or humanities or development — will still need to bone up on their security knowledge to get their foot in the door, but they can look for nontraditional starter support roles within a security team to start down their own particular path. He reiterated Fisher’s analysis, pointing to governance, risk, and compliance (GRC) as great areas to break in.
“There's some really important roles out there. GRC is a good starting point, and there's not a lot of good people there because it kind of takes in a lot of those soft skills — the critical thinking, the auditing; they’re all important there."
—Aaron Shaha
Other areas, such as identity and access management (IAM) and rights management generally, are big, as is anything having to do with data management, data analysis, and data engineering, Shaha said. And, finally, people with project management and other business training and experience should consider looking for roles that would support business information security officers (BISOs) and roles that can support software supply chain security on the programmatic side, he said.
Think big-picture to tackle modern cybersecurity problems
Shaha said that thinking big about your needs — and about what people bring to the table — is key. That's because the risk landscape is changing, and your organization needs to change with it.
“It takes big-picture understanding — an ability to carry out functions like contracts management. You’ve got to understand [things like], 'Hey, did legal sign something that makes it tough to even ask certain questions of vendors?'”
—Aaron Shaha
Shaha stressed that while those skills are completely nontechnical, they are essential to the highest priority areas of security like the software supply chain, which requires an interdisciplinary approach.
Keep learning
- Go big-picture on the software risk landscape with RL's 2025 Software Supply Chain Security Report. Plus: See our Webinar for discussion about the findings.
- Get up to speed on securing AI/ML with our white paper: AI Is the Supply Chain. Plus: See RL's research on nullifAI and replay our Webinar to learn how RL discovered the novel threat.
- Learn how commercial software risk is under-addressed: Download the white paper — and see our related Webinar for more insights.