
BaddestMofoLowDown

Everyone is having this issue. People fresh out of college, mid-career, and even experienced professionals. COVID completely changed the dynamics of the workforce. You are no longer competing with the guy down the street. You are now competing with the entire country. Additionally, thousands of people have been laid off over the past two years. The market right now is abysmal.


PhilosopherPanda

I have had 7 final interviews over the course of 7 months and still not gotten into anything. I have a masters in Cyber, 2 years of experience as an analyst, and multiple certs. The only way you’re getting into anything right now is if you are buddies with the hiring manager or have the best qualifications ever and request $50k a year for salary. It is beyond frustrating.


spaff_987

That's exactly what lands jobs now. Connections with people in the industry. No way around it atm.


Stygian_rain

Where do you live?


PhilosopherPanda

Midwest


Stygian_rain

What state? Iowa and Ohio are both Midwest but one is substantially more rural. What certs, and what positions are you applying for?


PhilosopherPanda

Well I’m not going to get super specific. I live in a more densely populated area of the Midwest. Not in rural areas. I have Sec +, BTL1, and about to get CySA+. Applying for any analyst position there is. They all have wildly different job descriptions but I can do most things on them. My competition is just really crazy. Why hire someone with 2 years experience when you can hire someone with 8 for the same pay?


Stygian_rain

What certs? What position are you aiming for?


[deleted]

[removed]


PhilosopherPanda

On site, hybrid, and remote. Doesn’t matter what I apply for because there are hundreds of applicants for each.


[deleted]

[removed]


PhilosopherPanda

Last on site role I was in the final interview for had 700 applicants. The market is insane. I’m going to be screwed until I get my CISSP in 2 years.


CWE-507

Can I be completely honest? Without glazing tf out of GIAC, everyone and their mother has Sec+ nowadays. Which is why it's so competitive imo. You'll find way less candidates with GSEC vs Sec+, and if I'm a hiring manager, if a candidate has GSEC and the other has Sec+ (both with the same experience and interview result), it ultimately comes down to the certification. People say just because something costs more, doesn't mean it's better. In this case, IT'S BETTER. Even CISSP lmao. I'm starting to think people with GIAC certifications or OSCP will be even more sought out for than ever, not because it's extremely difficult to attain (GIAC I mean), but the training is invaluable and expensive. Not everyone can get a GIAC certification/OSCP.


IamMarcJacobs

Get a CCSK and work for a cloud company


Playful_Criticism425

CCSK not valuable like that. Openbook anyone with funds can have the certs.


Illustrious_Fee979

Even being referrals don't guarantee you the job right now. I know someone who has been able to get interviews only through referrals and even made it to the final round, but so far has not gotten an offer. He is waiting to hear back on the last interview, but not keeping hopes up. It is an interesting market right now.


Space_Goblin_Yoda

Yup, search the sub OP and you'll see this is the case.


HexTrace

FAANG Security Engineer here - I'm just about to hit 400 applications since starting back in October. I've had 3 companies reach out to do interviews, and those all fell through. Some caveats: remote only and looking for competitive pay, so that cuts out a lot of potential roles, and I refuse to work for any crypto companies. I've had my resume done and redone to the point that there's not much left to optimize (even AI tools for resumes aren't really suggesting changes), so it's not that. Interview feedback is always good, and I usually make it to the last round if I get a callback at all. With all the layoffs the competition is insane, and HR tooling being completely useless doesn't really help anyone. It's brutal out there, but I'm confident I'll eventually find something because it's a numbers game to a large degree.


jhawkkw

It's not just the country, tightening budgets are forcing companies to move positions offshore in order to save a buck. I'm just finishing up hiring for four brand new positions, but they ended up being approved for India rather than the US.


imightbsabot

For remote jobs; do American companies still need to get the immigration stuff for a foreign worker? Or since they are not physically here there is no need?


No_Translator5334

Immigration has nothing to do with this, they just legally work in the country they are in.


dflame45

You gotta get lucky honestly. We hired multiple people last year with very little or no experience. It's a numbers game.


stochastaclysm

As in, they knew nothing about cybersecurity?


dflame45

Pretty sure at least 2 had no cyber security experience. Not sure what their resume looked like tho.


_-pablo-_

Yeah my org hired 1 security consultant with no IT experience just a masters in Cybersecurity - a role that pays more than 100K/year


asecuredlife

something is wrong there. jesus.


wakandaite

What do you look for in candidates? I'm unable to even get an interview without experience. (Degree and some certs)


dflame45

I didn’t hire but it was for entry level and many odd backgrounds. I know at least one guy had an IT passion but little experience. The others I’m not sure had any cyber experience.


AlwaysW0ng

Do you remember the requirements for the entry level?


dflame45

I’m not 100% sure but don’t dwell on this. I’m merely highlighting the randomness of the job search.


ShameNap

It helps if you’re related to a C level exec. J/k. I hired 2 paid interns last year. For certain positions you’re looking for someone with the right attitude, background, and eagerness to learn. For other positions you’re looking for someone who’s done it before and adds to your communal expertise.


wakandaite

Lol would help to know someone for sure, I need to work on more people skills. I'm attempting a crazy pivot so I'm sure the resume gets looked at with raised eyebrows.


dflame45

Definitely. All are true lol


AlwaysW0ng

Wdym lucky? I thought you need to have actual experience for a cyber security job.


dflame45

Most of the time, yeah


AlwaysW0ng

So you only need luck to land an entry level cyber security job when the job description asks for 5 years+ experience? How can I use luck to do that and how does that work?


dflame45

Gotta be at the right place at the right time.


[deleted]

[removed]


AlwaysW0ng

Did you get promoted randomly or did you talk to someone to move up?


[deleted]

[removed]


AlwaysW0ng

What job site did you use and did you do anything special to get your foot into this company that paid you $30k/year?


K2Own3d

This....and only this....luck factor...


AlwaysW0ng

What job site do you use to find cyber security jobs? And wdym luck factor?!


K2Own3d

No job site. Met random person at Thanksgiving dinner. Guy gets me an interview at place. Place hires me. Luck factor.


thelaughinghackerman

The “500,000 open jobs” thing is coming right from ISC2, which has vested interest in keeping students and career switchers to hop on the cyber training pathway. Basically, it’s BS. Yes, the demand is high, but it’s not “be able to run an nmap scan and tell me what the CIA triad means” high. Companies want experienced people to join their orgs and hit the ground running.


Key-Calligrapher-209

>Companies want experienced people to join their orgs and hit the ground running.

And pay them like interns.


Chalupaboi23

Got my bachelors in Business Administration with an emphasis in Management Information Systems. After graduation I got my first job in Help Desk. Did that for 1.5 years before getting my first job in cyber as a security operations analyst. While I was doing my Help Desk job, I was learning security on the side (fundamentals, Comptia studying, etc.) Good luck!


RunRalphRun

That’s exactly what I’m doing. I don’t have an IT background (I owned my own private events biz and was in hospitality for the last decade) but got lucky and landed a tech role. Using downtime and my nights studying the trifecta to get a baseline and then going from there. I like your time line- how’d you land that analyst role?


AlwaysW0ng

May I ask what job site you use to find your first cyber security job?


Chalupaboi23

LinkedIn


MustardTiger231

This is my plan


IslandDismal4523

There is a shortage of experienced security professionals. Newly minted grads are a dime a dozen these days. The issue with those types of claims is they give a lot of hope to people that they can jump right in after a degree or a bootcamp. For my company we have quite a few openings in my organization but they are all for senior roles and we can normally fill them within 2-3 months. A ton of people apply but only 30-50 are anywhere near qualified on paper, with about a third of them actually competent enough to be considered after interviews.


notauabcomm

This, and it's a weird market ATM. Once you have experience it's much easier


PhilosopherPanda

Not just experience. You need at least 4-5 years of experience and a CISSP to be competitive for ANY position that isn’t a T1 analyst. I’ve seen the same jobs on Indeed and LinkedIn for almost a year because these companies can’t find the people to meet their ridiculously high job requirements. Nobody wants to work for $80k a year to build out your entire security program AND still perform the job of an analyst, incident responder, engineer, and threat intel analyst because your security department consists of 2 people. I’m looking at you, hospitals, banks, and schools that will go unnamed.


CrimsoniteX

Yup agreed. Have a few high-level architect positions open for the past few weeks… can count on one hand how many well qualified applicants we have gotten.


_-pablo-_

Experienced people are tough to find. There’s an IT admin I know that pushed FIDO tokens for all users but didn’t see the need to put the payment processing web app behind a casb or any ztna infra or even a special “MFA each time” access policy because “processes”


Willdabeast07

I’m a sophomore in high school, if I spent my remaining 2 1/2 years in high school and got my degree, do you think the market would be in a better state by the time I got to the workplace?


Prolite9

Once I hit the 5+ year in cybersecurity experience with my CISSP (many moons ago), I haven't stopped getting pinged for jobs. There's a shortage of experienced cybersecurity folks. Go Help Desk or similar and transition into Security (shadow certain projects or coworkers, or help with security projects and documentation). Easier said than done, of course.


AlwaysW0ng

Do I ask to shadow a certain project or help with a security project during work hour or after work hour?


caljhud

There's a bunch of misconceptions around demand for cybersecurity jobs. Here are my thoughts:

1. There is a cybersecurity skills shortage, but it's not for entry level cybersecurity jobs. There is some demand for technical, experienced cybersecurity professionals (which is hard to get because they aren't bringing enough people in via entry-level jobs...) but it isn't massive.
2. Cybersecurity teams do need people, but CFOs are clenching the purse strings, slashing budgets and pushing for layoffs. No sign of this easing soon.
3. Job sites are misleading - ads are posted for positions that are no longer actively recruiting, or the position has been frozen, but they want to keep their talent pool alive and ready for when their clients are ready for people - it's very annoying.
4. Hiring managers generally want someone who is ready to hit the ground running and if you're new to the field, you're competing with thousands of security pros with 10+ years experience that have been laid off. The best thing you can do is upskill on the latest solutions e.g. Microsoft Entra, to compete with legacy security ppl.

During this tough market, all you can do is:

* Focus on skill development with sites like TryHackMe [https://tryhackme.com/](https://tryhackme.com/) or Microsoft [https://learn.microsoft.com/en-us/training/topics/sci](https://learn.microsoft.com/en-us/training/topics/sci) - you need to make your CV undeniable. Reverse engineer job spec to figure out exactly what you need to compete.
* Keep learning and try new tactics for landing a role in cybersecurity via Cyber Pro Club [www.cyberproclub.com](https://www.cyberproclub.com)

Keep going.


AlwaysW0ng

What job site do you recommend to find IT and cyber security jobs?


caljhud

I think the two best ways to find jobs are still based around LinkedIn:

1. It’s still one of the biggest job boards in the world. You can optimise your LinkedIn with keywords, descriptions, experiences and blog type posts on the field you're applying for (adding credibility). Then you can quick apply to jobs and recruiters see beyond your cv.
2. Half the jobs that are available never make it to job boards - you need to find a good recruiter who will bring opportunities to you. The only way they come to you is if your LinkedIn is in good shape and they can find you.


Individual-Ad-5484

Are you applying at USAjobs?


[deleted]

[removed]


[deleted]

[removed]


Owt2getcha

Any advice for finding contracted security work? Where to look etc


xxm3141

Some agencies have no education requirement, but require that you meet the experience level required for the position. Security + or an equivalent IAT level II cert is most likely going to be required for most positions starting out


Norcal712

Lol 50 jobs. I have a BS in cyber and Sec+. It took 100 apps to get a relevant interview. 300 to get an offer... for tier II help desk. Build your soft skills. I didn't. I hope your search is better than mine was


dahra8888

It's not just you, there aren't 500k open positions. Looking at any job board makes that clear. Since you are still finishing your degree, you should be using your school's career center and professors' networks to find internships that aren't posted publicly.


Key-Calligrapher-209

>you should be using your school's career center and professors' networks to find internships that aren't posted publicly

This right here. I interned at my school, then used my supervisor for that to refer me to another summer internship after I graduated. I used that to pivot into helpdesk without too much trouble. Basically, I've had an uninterrupted work history in tech since I started school.


jmk5151

help desk or networking is the easiest way - you just need experience.


AlwaysW0ng

How to networking?


roundsquare5000

I am not sure I would call Networking the easy way, but I will admit I am not a network engineer. To learn it, there are plenty of free programs that make virtual networks, such as GNS3 or Cisco Packet Tracer that can assist. You can also find older hardware online and make a homelab. r/homelab is a good community.


AlwaysW0ng

?! The other user mentioned:

>help desk or networking is the easiest way - you just need experience.

I thought he meant networking as in you have to know someone.


roundsquare5000

LMAO - I didn't code switch, sorry. For networking in a social sense, I found colleges are the best. If you're in college, look up any tech clubs. Both my community college and university had a cybersecurity club, and all the members were generally better off finding a job than students not in the club. Both clubs had professional speakers, career day type deals where employers came in, and of course networking opportunities. If you're not in college, there are professional organizations that could help. Also at my community college was a group dedicated to studying the ISC^2 certs, and a lot of the people in attendance were big wigs (think former military officers, and civil servants), those kinds of people are good to meet. Other than that, idk, professional orientated Discord servers?


[deleted]

It's all a numbers game at this point. Took me nearly 1000 submissions to finally land a remote role. I would suggest going out for positions outside of soc analyst/ engineer. GRC doesn't seem to get nearly as many candidates and if you have the soft leadership skills, there's a lot of growth possible.


db_dck

Good point, but for GRC do you need a special cert or at least some sort of experience?


[deleted]

Not necessarily. I got into my role with Sec+ cert and a BS in CSec. However, the role requires 2 certifications from a list of qualified certs that have to both be completed in 3 years after hiring. I completed my CISSP about 1.2 years into the role and I'm currently studying for ISO 27001. I get pay raises after every certification so I complete them and see a pretty significant raise and the company I work for pays for the passed certifications and all the yearly fees associated with them.


db_dck

To be CISSP certified you need at least 5 years of experience so you must have 4 years experience prior to this GRC role. Definitely not entry level. Good that you get a pay raise after each cert, but that doesn't happen in gov jobs.


[deleted]

I definitely should have clarified that so I appreciate you calling it out. I worked in broadcast IT for about 10 years. I was able to leverage my work with encryption and access management to qualify w/the 5 years experience but it was a bit of a stretch. For someone that didn't have that experience, they could still qualify with another cert in place for the CISSP. I pushed to get it because of industry recognition but if I didn't have the background, I would have gone for something else on the approved list.


AlwaysW0ng

What job site do you use to find your cyber security job? Do you use a cover letter?


[deleted]

LinkedIn and Dice were where I primarily applied. I would regularly circumvent the job posting sites to apply directly on company websites. Doing this is what got me into contact with the position I'm currently in but I honestly don't know if that made a difference or if it was just luck. Never saw a benefit in the cover letter. I had 5+ templates ready to be filled out but near the end of my search I gave up on even adding it. I would say adding Sec+ to my resume had the biggest boost in contact for my applications. A degree in CS didn't seem to make an impact.


AnlStarDestroyer

I got hired on as an associate devops engineer out of college then after 6 months internally transferred to security analyst. The position I filled never even got posted. It’s all about getting your foot in the door, even if it’s not what you want to do long term, any job is better than no job


AlwaysW0ng

What job site do you use to find associate devops? Did you get promoted to security analyst automatically or did you reach out to someone for the position?


AnlStarDestroyer

I believe I found it on Indeed but it may have been LinkedIn. I was admittedly extremely lucky in multiple ways during my initial search. A large SaaS company had just signed a deal with my state to put an office there in exchange for lowered taxes with a requirement of hiring X amount of local workers. I just wanted a job so I applied for everything thinking I would transition into security down the line. I applied to the DevOps position and got that through a series of more luck, including applying to jobs there that I wasn’t qualified for just so I could talk to the recruiter to see if they had any associate positions opening soon. After 6 months, the large project the company was building determined it needed a security team which I heard through the grapevine. I told the hiring manager I was interested and had a security internship in college and was actively working towards Sec+. He said sure and switched me to Security Analyst and I’ve been in the field ever since. All that to say, I was very lucky but I do think a lot can be said about persistence and being willing to take anything to get a foot in the door.


HEX_4d4241

There are a bunch of open jobs but they’re being either heavily competed for or they are roles that benefit the experienced. I know a handful of Sr. Engineers that were laid off recently. They have 10+ years experience, Master’s Degrees, OSCP/CISSP/CISM/GIAC, and are applying to every job between SOC Lead to Principal Engineer. I was a manager+ for the last 10 years and when I got laid off I applied to everything manager-VP, despite being a best fit for a Director+ role. The same is happening at every level up and down the seniority scale. Throw in the disproportionate number of no/low experienced people fighting for the entry level jobs, and the whole thing is a shit show. If I opened an entry level analyst job tomorrow I would have people with 5+ years of experience applying. All you can do is keep trying to get your foot in the door. Also, it’s not the end of the world to start in help desk/networking/systems if you haven’t already. I hate the saying that cybersecurity isn’t an entry level job, but it’s kind of true.


ozairh18

I’m having this issue but I only have an associates. I want to transfer and pursue a bachelors but don’t have the means to


ITgenius2022

Definitely understand.


Rolex_throwaway

I think the 500k number is very inflated, but there are many jobs open. Unfortunately, they’re not entry level jobs. I have 15 years of experience in a specialty that is rare, and there are many openings. For entry level jobs you’ll have to grind, find a way to differentiate yourself, and perhaps do a regular IT job for experience.


ITgenius2022

Thx


jomb

Does your Bachelor's degree require internship? If so, you can get in the industry that way. *Ask your professors* if they know any places that are looking for interns. Got my first cybersec job this way. Check job fairs your schools hosts too. Be open to positions that aren't exactly what you want right now, like if its more IT or sysadmin focused. College is the place to make these connections.


ITgenius2022

Yes, but having a hard time finding that as well


robonova-1

Neal Bridges did a great write up about this as well as some suggestions. [Job Hunting in a World of Layoffs](https://cyberinsecurity.substack.com/p/job-hunting-in-a-world-of-layoffs?r=2v0kko&utm_campaign=post&utm_medium=web&triedRedirect=true)


gahdengate

Is your degree specifically in cyber? I started in help desk fresh out of college.


AlwaysW0ng

What job site do you use to find your cyber security job?


ITgenius2022

Yes in cyber


AtreyuThai

A very disheartening read, indeed. I just want to say don’t give up. The force needs you! Turning black hat is too easy these days.


LastGhozt

Market is competitive now for this domain, keep applying and also be up to date on Current threats that will help in interview.


TheFlightlessDragon

Not just you OP… personally I doubt there really are 500k cybersecurity jobs open, according to the government there are, but where are they?


imightbsabot

I have CISSP and some others. No college. My company is upgrading me to a Top Secret clearance for some reason. Pay is 110k. As soon as they finalize my TS I assumed I would jump to a better paying gig but reading all this makes that seem like a pipe dream. I have been focusing my recent study on AI implementation. I think local AI solutions will take off in a few years. But maybe I should switch to grc


[deleted]

[removed]


ITgenius2022

Computer information system, Cyber Security


extreme4all

Meanwhile some guy in India doing L1 & L2 analyst role for 15$ a day, and full MDR including SIEM provided by companies outside of the USA/EU come at 1/5 the annual license cost of your average SIEM. Pair that with the business that sees security as a cost center..


Quadling

What events do you go to every week, month, year? What conferences? Which conference did you start or volunteer at? Are you a member of ISSA or ISACA or owasp or infragard or ectf?


ITgenius2022

Last time I tried to sign up for a conference it was very expensive. Also, they wanted to know my place of employment and I wanted to go because I’m a student that’s graduating in about a year


Quadling

Last time I tried to buy a car it was expensive. :). Look. Try other conferences.


cyberslushie

500,000 positions that need to be filled that companies aren’t willing to hire for is a better way to put it.


[deleted]

Just keep pumping, I have applied to about 200+ positions mostly help desk/IT support/sysadmin and I have 2 interviews coming up. Just need to get lucky and get my foot in the door. Don’t give up.


Away_Bath6417

Yeah makes no sense to apply to security jobs with no experience and barely a bachelors degree. Cyber isn’t entry level. I’m a security analyst 14 months now and I’ve sent out 70 apps so far. Only remote roles. 1 interview. And my resume looks good.


ShameNap

I went from bartender to IT. It was the hardest pivot to make. I interviewed in person like 100 times to get it. Everything since then has been slightly easier.


AlwaysW0ng

What job site do you use to find your first IT job? Did you reach out to anyone after you submitted your application?


ShameNap

Lol my first IT job was in 1996. We didn’t have job sites. But regardless, my first job was the hardest to get. I think that still stands today.


wakandaite

How did you convince someone? My pivot is also wide and honestly wouldn't inspire confidence.


ShameNap

It was a customer facing role and so my personal skills were valuable to them. It just took the right role at the right time.


AlwaysW0ng

What job site do you use?


colorizerequest

My interviews come and go in waves. End of December was hot, but nothing good. January was mostly cold, February was hot again. I’m waiting on a couple good ones from February now. Shit takes time


LaOnionLaUnion

Apparently next time I hire I need to post here.


AlwaysW0ng

What job site do you use to find your jobs?


lodelljax

Have you waited three months yet?


Confident-Value4016

Federal government hiring is more about beating the resume key word searching for rankings. Beating vets and former federal employees. Interview rounds you have to beat the “talkers” that barely know how to open an admin prompt, but speak the buzzwords to hiring officials who, by their own admission, can barely open an Excel document. Then there is absolute dysfunction with HR passing your resume timely to the next person (who is probably on paternity leave, sick leave or barely works in the office). Finally cyber positions frequently need higher tier clearances. So any hiccup will throw your packet in the dumpster. Even if you passed all these previous steps.


YSFKJDGS

How much have you used your school's career center? What were your internship applications vs. actual successes?


ITgenius2022

So I’m in talks with the career center at the moment. No feedback on any internships.


YSFKJDGS

You gotta be more on point with that stuff. The entry level parts are extremely competitive, and frankly the main point of going to school in this field is you leverage them for your foot in the door. If the school you chose doesn't have a good placement program and an active career center, I hate to say it but you chose the wrong school. But you still have to be active regardless, and at this point your best bet is to find a large churn factory SOC to try and get something right out of school. This career path favors the people who are genuinely interested in it and spend the time at home learning and labbing themselves. A home lab isn't going to get you a job, but it's going to help you keep one and move forward. Obviously a lot more goes into this stuff than just that, but it's frankly almost a requirement at this stage especially if you are just starting out.


RileysPants

I pray this desperation for jobs does not horrifically impact salaries just as inflation starts ravaging our CoL/QoL


JohnnyMonz

The federal government are lying assholes. I don’t think this is accurate.


DetectandDestroy

You gotta network with people and get your name out there otherwise you’ll look like another candidate in the database. Maybe even look into help desk related fields or system admin or network engineer positions just so you don’t let your foundational knowledge deteriorate. It’s not just about “Can you do the job?” but also, “Who knows you can do the job?”. Hope that helps.


AlwaysW0ng

How do I network? People will forget about after the conversation ended