What does the entry-level cybersecurity job market look like?

(Well, I initially wrote this at midnight after spending two hours looking through job postings, and it shows!  So I’ve cleaned it up a little throughout, but I’ve also added another section at the bottom, so if you’ve already read this you can skip to the last section for new info.)

In December I wrote a blog post breaking down the cyber security job market in the Salt Lake Valley, but ultimately put off publicizing it because December can be a weird month for hiring.  Now it’s January and big tech is laying off tens of thousands of people, so let’s look at the market and see how it’s changed.

I did a very simple search — I looked up “‘Cybersecurity’ or ‘cyber security’” on Indeed for the Salt Lake metropolitan area and then went through all of the almost 250 jobs that came up.  I defined three levels for jobs:

  • Entry — 1 year of experience or less, bachelor’s degree or less required
    • You can argue that requiring a bachelor’s degree isn’t really entry level, but if we only went with jobs that didn’t require “bachelor’s degree or above” we would not have many entry level jobs at all.
    • I also think a lot of the “bachelor’s or above” jobs would accept someone if they had the right certs and no degree — assuming you got through the automated filters.
  • Mid — 2-5 years of experience, bachelor’s degree
  • Senior — 6+ years of experience (cybersecurity specific) and advanced degree or certifications

Keep in mind, this is a VERY small sample size.  I looked for jobs within 25 miles of Salt Lake City, Utah.  The Salt Lake Metropolitan Area has right around a million people, so the area is fairly small, and there are a decent number of technology organizations.  I also excluded remote jobs because, if I didn’t, I’d end up looking through job postings all night!

Let’s look at how the numbers compared from December to the end of January, and then we’ll dig into what they mean a little bit:

  • December 2022
    • Entry – 7 positions 
    • Mid – 36 positions 
    • Senior – 51 positions 
    • TOTAL – 95 positions
  • January 2023
    • Entry – 9 positions
    • Mid – 28 positions
    • Senior – 60 positions
    • TOTAL – 96 positions

A few interesting things to note that we’ll dig into — first, the total number of available positions stayed about the same.  Second, entry level positions make up less than 10% of open cyber security positions, whereas senior level positions are over half.  Anecdotally, the type of positions changed between the two months (more SOC and analyst positions in December, way more sales positions now).  If we break down entry level positions we get:

  • 5 sales positions (three of them were identical positions for the same company, not sure if they posted multiple times or are hiring multiple people)
  • 2 “SOC” positions (working in a call center for lots of clients)
  • 2 “Analyst” positions (working on a traditional team for one organization)

So let’s dig a little deeper into some of these findings.

The same number of positions?  I thought layoffs were happening

Layoffs ARE happening, but I’d argue that they’re primarily an indicator that some larger organizations made some bad decisions.

Here in the US, we value agility above almost all other qualities in our technology companies (move fast and break things).  When the pandemic hit, technology usage shot through the roof and many major companies assumed the future of all tech all the time was here and, to capitalize on the opportunity, they hired WAY more people than normal — tens of thousands of extra employees.

(Side note — I’ve recently been reading “The Fifth Discipline” and they talk about “the beer game” — a game where three people act as the owner of a convenience store, a beer distributor and a brewery, and they try to respond to demand doubling for a niche beer.  These three only communicate with a number — the number of cases of beer they want to order (or produce).  The end result of the beer game is always chaos as the brewer ramps up production, the distributor orders hundreds of cases of beer, and the convenience stores end up with a six-month supply of beer sitting in the back, gathering dust as it continues to sell at a higher, though still modest, rate.  The whole game is a warning about overreacting to market conditions and causing further chaos.)

The pandemic did not, actually, change the way we work forever and now those same companies have significantly more people than they need.  Companies that didn’t give in to the temptation to staff up (Apple is a prime example — hiring only went up 20%, compared to 100% for some of their competitors) haven’t had the same massive layoffs.  That explains the majority of layoffs, but others are more … opportunistic — a way to pacify investors while larger companies are taking the majority of the heat.

My point is, the market in Utah didn’t change drastically, especially around cyber security, because the effects of the larger organizations’ hiring decisions are more muted here.  Utah has had some layoffs, but not nearly as many.

The only downside of all this is that these huge hirings and layoffs are leading to genuine instability in both the job market and the overall economy.  When hiring shot up, wages in the tech sector did too, contributing to inflation.  And now layoffs are contributing to economic uncertainty — creating a sort of self-fulfilling prophecy.  But at least they did move fast and they also broke things so you know … mission accomplished.

My point is, the job market in Utah is roughly the same as it has been.  It will likely contract over the coming months, but not dramatically so — unless a lot of people buy into the self-fulfilling prophecy.

Not that many entry level positions

In the past I’ve posited that cyber security generally isn’t really an “entry level” job in IT — that the true entry level position is on a helpdesk and then most people move to cybersecurity after a few years.  The results of this survey seem to confirm that — most companies are looking for more senior cyber security candidates.

That doesn’t mean there aren’t any positions out there, though.  Sales seems like a good way to get into it, especially if you have sales experience in other fields.  And working in a SOC is still a valid option (though likely one that will require working some night shifts to start).

If I were trying to get into cybersecurity right now, I would probably try to get a job on a helpdesk first, and continue doing certs as I gain that baseline experience through the helpdesk.

That’s almost exactly what I did, actually, although my initial specialization wasn’t cyber security, it was SharePoint.  I worked on a helpdesk for roughly three years and, while I was doing that, I studied SharePoint and gained a reputation as someone who knew the product and liked working on it.  When a position opened for a SharePoint administrator, I was able to make the jump from Helpdesk to Operations — within that same organization.

I still think that’s a good way to approach it, although making the jump directly into cyber security isn’t out of the question.

I thought there were 3.5 million unfilled cyber security jobs!  Where did those go?

I’ve seen this number floating around and I’m not sure where it comes from, but I think it’s a misunderstanding of the market.

In both December and January my search for jobs that mentioned cybersecurity turned up almost 250 positions — but only about 90 positions were actually dedicated cyber security roles — the rest were things like Developer postings, asking that they have a “familiarity with cyber security” or something along those lines.

There may be 3.5 million jobs that list cybersecurity somewhere in the job description, but I would guess the real number of cyber security positions is much less than that (if my numbers are anything to go by, maybe a third of that).

There are two main takeaways from this:

  1. Cybersecurity is a great skill to have no matter what field in IT you wish to ultimately end up in
  2. Cybersecurity demand is probably overstated in popular media, but it is still there, and it’s very steady

To add to number 2, I look at cybersecurity as the dentists of the IT world.  You won’t ever find a town full of dentists, but you will find a few dentists in every town, and everyone needs one eventually.

Where is the job market heading?

I’m going to speculate here, so take this with a grain of salt.

The entire IT world has seen a gradual shift from products to services.  What I mean is, back in the day Microsoft sold a product (like Active Directory or Exchange) and you hired a bunch of people to run that service for you.

Now Microsoft has transitioned to selling services — Azure AD or Microsoft 365 (doesn’t Microsoft just have a way with words?  It’s poetry).  This means IT staff has shifted from the enterprise to the service — now you can run a fairly complicated IT stack with a much leaner department because your servers and websites and business products are all “in the cloud.”

Cybersecurity is going through the same transition — you used to buy Norton and your IT department ran it on your machines and watched them night and day, but now you buy Managed Detection and Response and someone watches your machines for you.  Again, the staff is shifting from the enterprise to the service providers.

It’s already apparent that most of the job openings aren’t for individual orgs, they are for service providers.  This isn’t necessarily a bad thing, it’s just a different type of organization.  Instead of being a lone cyber security voice in a business, you work in a business that is entirely cybersecurity.

Businesses still need some cybersecurity expertise but, more and more, they’re only hiring senior candidates because they don’t need the cyber basics (those are covered by a service provider) — they need something specialized.  They need an expert on cryptography to work with their app developers, or they need a GRC pro to work in their audit department.

This is all pretty obvious, so let’s get to the EXTREMELY speculative part.  I think these trends will naturally lead to a few outcomes:

  • Those service providers that get really good at bringing on new, entry level talent and training them up will have WAY more success than those that need to hire more senior candidates — but other organizations will just burn through entry level candidates in SOCs and will be always hiring.  From the outside they’ll look pretty similar (both consistently hire more entry level candidates than senior ones), but one is toxic and the other is a dream — candidates will need to check with current (or former) employees to figure out which is which.
  • Enterprises will continue to reduce IT staff, relying more on service providers, which leads the service providers to hire more staff, leading to a reinforcing cycle.  I don’t think we’ve found the appropriate equilibrium yet.

The second point is, in my opinion, a mistake — especially when it comes to cybersecurity, but also much of IT in general.

That’s because these trends are all symptomatic of an attitude about IT that is endemic: IT is a service provider to the business, and not a part of the business.  When IT is a service provider it doesn’t matter if you’re doing it in-house or not, so the businesses will gravitate towards the cheapest way to do something — frequently outsourced.

That makes sense from a short-term ROI standpoint, but long term you lose out on the innovation an IT department can bring.  If an IT department is part of the business (and not a service provider), then they understand the business, they work with them, and they can provide unique and meaningful solutions to business problems — solutions that are impossible when IT is outsourced and all you get from a service provider is, well, a service.  A menu of options that can’t easily be deviated from.

Similarly, the best Cybersecurity departments aren’t about “securing the machines” — they are about creating a culture of cybersecurity throughout the organization — they are collaborative.  And just like IT, good cybersecurity should be about finding solutions, not putting up barriers.  If someone wants to do something with sensitive data then cybersecurity will help them figure out how to do that safely.

Again, that can’t happen if cybersecurity is handled by a service provider — when cybersecurity is done by service providers all they can offer are barriers.

It’s still about finding balance — using service providers where they make sense, but also having dedicated cyber security staff where they make sense, working with, understanding, and ultimately providing solutions for the business.

This blog post has already gone on too long, but I do think there is a basic structure for enterprise cyber security that makes more sense and, coincidentally, involves hiring more entry-level cyber security staff.  But that’s for another blog post.
