Does the cybersecurity job market suck?

A while back I wrote about the entry level cybersecurity job market in the Salt Lake Metropolitan Area. I did this because I had just started working as a cybersecurity mentor for tech-moms and wanted to be able to provide actual, informed advice. There were a lot of big numbers floating around out there and, unless I knew they were true, I didn’t want to convince a bunch of people to get into cyber just to leave them disappointed.

I’m pretty proud of that post, but to make it easier for you I’ll outline my conclusions here (from the post written March 2023):

  • Entry level positions make up less than 10% of all cybersecurity job postings (over half of job postings are for “senior” positions, which I defined as requiring 6+ years of cybersecurity experience and advanced degrees/certs)
  • Because of the lack of entry level jobs, you’re often better off getting a general entry level IT position, such as a helpdesk, to build some experience, then pivoting into cybersecurity
  • Cybersecurity is a great skill to have no matter what IT discipline you end up in as most of the positions that mentioned cybersecurity weren’t cybersecurity specific — they were for things like developers with a “familiarity with cybersecurity” or something like that.
  • “Cybersecurity demand is probably overstated in popular media, but it is still there, and it’s very steady” (I compared dedicated cybersecurity to dentistry — there aren’t a lot, but they’re always around, and everyone needs one eventually)

In the article I mentioned the quote floating around the internet saying there were 3.5 million unfilled cybersecurity positions, but I said I didn’t know where it came from, and thought it was overstated. What I didn’t realize was just HOW overstated it was.

Thank goodness someone did what I was too lazy to do

Ira Winkler wrote a great post on LinkedIn digging into where this number came from (or, at least, one version of this number). He talks about some ISC2 research that claimed there was a “Demand” for 4.8MM cybersecurity professionals.

Typically when you see “Demand” the assumption is that, well, someone is “demanding” something. In this case, Demand would generally imply that there are 4.8 million job postings out there, waiting to be filled.

Ira found, way down in the footnotes, what they actually meant by “demand.” It says:

The ISC2 Cybersecurity Workforce Gap is an estimate of the number of people needed globally to adequately secure organizations. The workforce gap is not an estimate of open positions or cybersecurity jobs available.

Wow. WOW! To clarify, what they’re saying here is that they did some back-of-the-napkin math and determined that, in a perfect world, to secure everything, there would be 4.8MM more cybersecurity jobs out there.

They specifically say that this number ISN’T an estimation of open positions. It is … a wish! This number, and numbers like it, have been reported all over and they aren’t based on anything other than someone’s idea of what a perfect world would look like.

Ira tracked down the actual statistics:

Worldwide cyber employment is flat. Their own numbers show a total increase of 4,442 cybersecurity professionals globally, which is a year over year increase of .08%. While there was roughly a 60,000 job growth in the Middle East and Asia, it was offset by 60,000 jobs lost in North America, Latin America, and Europe. This trend appears to be going on for at least 3 years. Again, there is not a “Demand” gap.

I highly recommend reading Ira’s entire post. He outlines some changes that ISC2 should undergo (which I wholeheartedly agree with), and he adds some additional context which I think is really useful.

But I try to make this blog useful for those entering the field. So let’s get to the big question.

What does this mean for people trying to break into cyber?

I hope Ira’s post dispels the harmful notion that, well, there are 4.8MM unfilled cybersecurity positions waiting for someone to jump into them. This gives false hope to people trying to enter the profession, and it harms those who have been in cyber for a while and can’t find a job and are assuming something is wrong with them. It’s not! There just aren’t 4.8MM jobs out there!

There ARE jobs out there, but, as previously mentioned, most are NOT entry level positions. What that means is that there’s a lot of competition for every single entry level position (we typically get several hundred applicants in a matter of hours to a couple days for ours). Trying to jump straight into cybersecurity in the entry level market is a huge gamble — it’s not impossible, but it’s very hard. It’s not the sure thing that some advertisements would have you believe.

But there are other ways in. Working in a related IT field and “specializing” in cybersecurity is a really good way to get into it. A few years of that with some cybersecurity related projects under your belt goes a long way towards qualifying you for one of the mid-level positions, skipping the entry-level cybersecurity rat race entirely. It’s not a bad strategy.

So I guess the takeaway for someone trying to break into cyber is this:

It’s not impossible to get into cybersecurity, but it’s not as easy as you may have been led to believe. Be prepared for a long road to get that first cybersecurity job. Looking for a side door, through another IT discipline, might be worth your while.

(As a side note, it’s always helpful to look at your career path from the “career capital theory” perspective. You may not get the exact job you want, but as long as you’re building that career capital it’s not a waste.)

I don’t want to be discouraging here, because the world needs more people with cybersecurity expertise, and I don’t want to be accidentally turning people away. If you’re passionate about cybersecurity, keep at it! There are opportunities out there — even if your title doesn’t yet have “cybersecurity” in it.

But I want you to go into it with eyes open, knowing that it could take a while, it could require detours, and it could require more education than you were initially told.

If you feel drawn to the unique challenges and opportunities of cybersecurity then hopefully those potential roadblocks don’t deter you. But it’s better to know that they’re on the road.

It was around five years between the time I first got my CISSP and my first dedicated cybersecurity role. But I had some really valuable experiences between those two things that helped qualify me for the role, so I’m not disappointed with that gap at all.
