Hi
@Olivia Rempe.
Your observations are spot on. The other replies are very valid. Let me build on a couple of dimensions.
Without walking through the machinations, the basic reality is except for some operational positions, entry-level cyber positions require a working knowledge of how business units operate and at least a working knowledge of the role of technology. This is why there is a 5-year experience requirement. Think of it more like an entry-level position we would see in areas like finance, medicine, and the law. All of these require a master's degree.
In my experience, the true entry-level positions are more in the $60k range. These are operational positions that often require hands-on keyboards.
If you dig into the metrics, you will see the higher-paid positions are almost always architects, systems engineers, and leadership positions.
The simple fact is the world realizes the industry's strengths are technical defenses. The largest gap is the alignment of the security architecture with business objectives. Most incidents come from the exploitation of non-technical controls. Once penetrated, most organizations do not detect the exploit, and fewer know how to respond. All of which are more people and processes than technology.
If I were earlier in my career, without a technical degree, I would target where the puck is going to be by focusing on the non-technical phases (e.g., detect, recover) in one of the related areas like risk management, audit, etc. Doing so will also give you the creds for the protection phase.
Please let me know if you would like more specific suggestions.
------------------------------
Alex Sharpe
Principal
Sharpe42
[email protected]Co-Chair Philosophy & Guiding Principles Working Group
Co-Chair Organizational Strategy & Governance Working Group
------------------------------
Original Message:
Sent: Dec 07, 2022 07:50:19 AM
From: Ross Weatherford
Subject: Where did all the Entry-Level cybersecurity jobs go?
Olivia,
As to the entry-level cybersecurity jobs at $86k+, I personally think that is a gross misrepresentation. In prior positions, I hired many cybersecurity professionals for various roles. The struggle was often trying to hire the lowest level possible with the highest skill set and certifications. You can see that your frustration is valid, and I felt it from the other end. I often was told by my directors to lower the level (let's say we had 1-5) from a 4 to a 3 or a 3 to 1 or 2 for a new hire requisition. Unfortunately, when we hired entry level persons without a cert (i.e. CISSP, Security+) and they did not complete them within a given timeframe (we usually gave 3-6 months), we often had to go back and hire someone else to meet the requirements (we rarely let anyone go, though). This led to pressure to only hire those with certs, even though you are completely right that is ridiculous to expect when you are yet to have any experience in the field.
While that probably sounds negative, I only want to give a counterpoint to why it has become frustrating (for all parties; my recruiters also pulled their hair out). I do believe there are good entry-level cybersecurity jobs out there and hopefully better job requisitions will result in a better experience for everyone. In my time hiring, I did interview some amazing entry-level persons (with no certs!) and fought hard to get them hired. Many of them have now been promoted multiple times, are excelling in their roles and making cybersecurity a better profession.
------------------------------
Ross Weatherford
Solutions Architect
Red Hat
Original Message:
Sent: Dec 05, 2022 11:29:29 AM
From: Olivia Rempe
Subject: Where did all the Entry-Level cybersecurity jobs go?
Almost every day, I read articles about more than 750,000 job openings within the #cybersecurity industry that are offering north of $86,000. For an entry-level professional like myself, this sounds almost too good to be true, but it continues to make weekly news headlines. When I search for jobs on LinkedIn with the keyword "cybersecurity" and filter the results to "Entry Level," I am bombarded with positions asking for five or more years of experience and that candidates hold a CISSP.
Per Wikipedia, an entry-level job is defined as a job that is usually designed or designated for recent graduates of a given discipline and typically does not have prior experience in the field or profession. The CISSP certification typically requires five years of full-time work, demonstrating that this is not an entry-level certification. Many companies leverage applicant tracking systems to filter out certain candidates who don't have specific desired credentials like five years of experience or a CISSP meaning many quality candidates are eliminated from the decision-making process.
This continuous misrepresentation of what skills are required of entry-level candidates is incredibly frustrating and only deters quality people from entering this line of work and exacerbates this labor shortage. It makes me question, do realistic entry-level cybersecurity jobs even exist. Is there some secret website or message board with all of these so-called positions with high starting salaries that many other recent college graduates and I don't know about?
------------------------------
Olivia Rempe
------------------------------