The Inner Circle

 View Only
  • 1.  Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 05, 2022 11:29:00 AM

    Almost every day, I read articles about more than 750,000 job openings within the #cybersecurity industry that are offering north of $86,000. For an entry-level professional like myself, this sounds almost too good to be true, but it continues to make weekly news headlines. When I search for jobs on LinkedIn with the keyword "cybersecurity" and filter the results to "Entry Level," I am bombarded with positions asking for five or more years of experience and that candidates hold a CISSP.

    Per Wikipedia, an entry-level job is defined as a job that is usually designed or designated for recent graduates of a given discipline and typically does not have prior experience in the field or profession. The CISSP certification typically requires five years of full-time work, demonstrating that this is not an entry-level certification. Many companies leverage applicant tracking systems to filter out certain candidates who don't have specific desired credentials like five years of experience or a CISSP meaning many quality candidates are eliminated from the decision-making process. 

    This continuous misrepresentation of what skills are required of entry-level candidates is incredibly frustrating and only deters quality people from entering this line of work and exacerbates this labor shortage. It makes me question, do realistic entry-level cybersecurity jobs even exist. Is there some secret website or message board with all of these so-called positions with high starting salaries that many other recent college graduates and I don't know about?



    ------------------------------
    Olivia Rempe
    ------------------------------


  • 2.  RE: Where did all the Entry-Level cybersecurity jobs go?

    This message was posted by a user wishing to remain anonymous
    Posted Dec 06, 2022 07:29:00 AM
    This message was posted by a user wishing to remain anonymous

    Most "entry level" jobs are not listed publicly to the world, which is why proper networking and personal branding are so critical. 

    An example is a person that networked with me and built her personal brand.  I felt comfortable stamping my brand on her based on those, so she got a job offer within 2 weeks of me reaching out on her behalf.

    Job postings are a wishlist anyways.  Nobody has all of the requirements for any of the job postings I see.  And even if they "require" CISSP, just ignore that and still apply.  The worst case scenario is they say no or you hear nothing back.

    If you are looking at publicly posted jobs on LinkedIn, Indeed, etc then I suggest looking for those that list 3-4 years of experience and less because they are usually more willing to take someone without formal cyber experience.  Another way to search for publicly posted jobs is to search the sponsor list of major conferences and then look at those company websites.  CyberSN is another potential resource.

    One thing to keep in mind is that you do have "experience" already from other jobs, so just highlight transferable skills on your resume/LinkedIn profile and how those apply to the cyber career path you are choosing.   This makes it easier for hiring managers/recruiters without cybersecurity experience to see the connection.

    And to your question on salary $86,000 starting for true entry level is unlikely to happen for you.  Probably more in the $65K-$75K range depending on the type of position you are going after.  If you want to hit $80K+, then I would suggest seeing if they can offer a sign-on bonus or (for smaller companies) if they will buy you a used car or something.  I've seen all sorts of things negotiated outside of base salary, including someone who got a 2 year old Rubicon as part of their offer because the smaller company couldn't compete on base salary.

    Everything is negotiable.


    P.S. - Sales and marketing roles at a cybersecurity produce or service company are often a hidden way to get your foot in the door.  You can then get free training on all of their solutions and get a big name (i.e.- Splunk) on your resume.  6-12 months of working a role like that and you can write your own ticket in just about any role in any company, simply because you know X solution very well and you worked at X company.

    Or you can try the way of everybody on social media that can't find work and spend your time doing "100 day challenges" that are worthless in the grand scheme of things.


  • 3.  RE: Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 06, 2022 07:30:00 AM

    This is a good observation. I had a short stint with security, but I had considerable experience in IT Industry. Though I did clear CISSP which was an enabler to get a Security Architect/Lead role, I would like to know more about entry level jobs and what companies would hire them as it is a bit of risk for the hiring company, but nevertheless a good investment for the company and the entry level graduates. I am interested to know as I mentor some would be soon graduates and guiding them will require this information.

    A cyber security internship opportunity is a good pathway for entry level jobs. But companies should be willing to invest and advertise for such positions.
    I would like to hear other's experience and thoughts on this.



    ------------------------------
    Pradeep Nambiar
    Director
    Pexus LLC
    ------------------------------



  • 4.  RE: Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 06, 2022 07:42:00 AM
    Olivia, I'm sorry to say that now that you've discovered the secret of the hidden web pages, ...  no, just kidding!

    You're quite right to be concerned about this. Assuming for a moment it's not a query problem - I have been noticing these last six months that keyword-sensitive searches that used to work just fine now fail to work as they should -- we still have a flawed understanding "out there" about this. 

    A friend of mine who's been teaching security for a donkey's years talks about the many students he gets who might have some experience in one small corner of one systems security domain. They might have been guards who'd walk a patrol beat, or administrators who worked security badging processes. Aren't these "entry level" tasks?

    (ISC)2 has a new certification that is positioned as the "entry level" one. I would love to hear employers' views on what they see as the value proposition on such a certification, especially with (ISC)2 aiming to have a million people "certified in cybersecurity" via that path (soon).  I'd be curious to hear what your thoughts are about that cert.

    Thanks,
    Mike

    ------------------------------
    Mike Wills
    ------------------------------



  • 5.  RE: Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 07, 2022 07:50:00 AM
    Olivia,

    As to the entry-level cybersecurity jobs at $86k+, I personally think that is a gross misrepresentation. In prior positions, I hired many cybersecurity professionals for various roles. The struggle was often trying to hire the lowest level possible with the highest skill set and certifications. You can see that your frustration is valid, and I felt it from the other end. I often was told by my directors to lower the level (let's say we had 1-5) from a 4 to a 3 or a 3 to 1 or 2 for a new hire requisition. Unfortunately, when we hired entry level persons without a cert (i.e. CISSP, Security+) and they did not complete them within a given timeframe (we usually gave 3-6 months), we often had to go back and hire someone else to meet the requirements (we rarely let anyone go, though). This led to pressure to only hire those with certs, even though you are completely right that is ridiculous to expect when you are yet to have any experience in the field.

    While that probably sounds negative, I only want to give a counterpoint to why it has become frustrating (for all parties; my recruiters also pulled their hair out). I do believe there are good entry-level cybersecurity jobs out there and hopefully better job requisitions will result in a better experience for everyone. In my time hiring, I did interview some amazing entry-level persons (with no certs!) and fought hard to get them hired. Many of them have now been promoted multiple times, are excelling in their roles and making cybersecurity a better profession.

    ------------------------------
    Ross Weatherford
    Solutions Architect
    Red Hat
    ------------------------------



  • 6.  RE: Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 08, 2022 08:01:00 AM
    I can agree on this. It is often hard to get your upper management to agree to a true entry level position. Often times InfoSec teams are extremely lean due to them being considered "an unfortunate necessity cost center" by upper management who doesnt understand the business InfoSec unlocks, as well as the cost savings from fines / customer trust loss. I see every day companies increasing their headcount (typically in revenue generation areas) by lets say 50 percent every year, while the size of their InfoSec stays stagnant. This led to things like 2 people running all of Amazon's AD infrastructure all the way till ~2015, for example.

    This is also why stress, etc. exist in the career field as often InfoSec types are doing the job of what would be 2-4 people in a revenue generating engineering org.

    Despite all this, I find most of the entry level jobs are in contracting and consulting. This allows the company to hire entry level people with almost no risk to themselves, though costing them more. I'd recommend checking into contracting for a year and then jump into the employee category of searches.

    ------------------------------
    ----
    Justin Bowen
    Uber Inc. - Senior Security Engineer
    Penguin Technologies Group LLC - CTO/CISO
    ------------------------------



  • 7.  RE: Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 09, 2022 06:38:00 AM
    @Justin B. Brings up an excellent point. The most uncertain hiring decision is the new hire because they do not have a history. Organizations would much rather rent before buying.

    Consulting also provides you the opportunity to see how multiple organizations perform similar activities while giving you the opportunity to see if this is a company you want to be part of long-term.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------



  • 8.  RE: Where did all the Entry-Level cybersecurity jobs go?

    Posted Dec 08, 2022 09:57:00 AM
    Hi @Olivia Rempe.

    Your observations are spot on. The other replies are very valid. Let me build on a couple of dimensions.

    Without walking through the machinations, the basic reality is except for some operational positions, entry-level cyber positions require a working knowledge of how business units operate and at least a working knowledge of the role of technology. This is why there is a 5-year experience requirement. Think of it more like an entry-level position we would see in areas like finance, medicine, and the law. All of these require a master's degree.

    In my experience, the true entry-level positions are more in the $60k range. These are operational positions that often require hands-on keyboards.

    If you dig into the metrics, you will see the higher-paid positions are almost always architects, systems engineers, and leadership positions.

    The simple fact is the world realizes the industry's strengths are technical defenses. The largest gap is the alignment of the security architecture with business objectives. Most incidents come from the exploitation of non-technical controls. Once penetrated, most organizations do not detect the exploit, and fewer know how to respond. All of which are more people and processes than technology.

    If I were earlier in my career, without a technical degree, I would target where the puck is going to be by focusing on the non-technical phases (e.g., detect, recover) in one of the related areas like risk management, audit, etc. Doing so will also give you the creds for the protection phase.

    ​Please let me know if you would like more specific suggestions.

    ------------------------------
    Alex Sharpe
    Principal
    Sharpe42
    [email protected]
    Co-Chair Philosophy & Guiding Principles Working Group
    Co-Chair Organizational Strategy & Governance Working Group
    ------------------------------