“Brutal” cybersecurity job market: pros can’t land roles despite massive worker shortage

The cybersecurity industry is desperately short on talent, with studies estimating a global shortfall of four million professionals. Yet many job seekers have been struggling for months to land roles, describing the market as 'brutal.' So what's really going on?
Cybersecurity has been promoted as one of the hottest career paths, with a high demand for professionals, competitive salaries, and plenty of options.
Not if you ask the jobseekers, though. The cybersecurity community on Reddit is full of frustration and disappointment.
“Just got bricked from an interview I had a few weeks ago. The first interview in three months,” one user said.
“I barely bother applying anymore. It's a complete waste of time. The best-case scenario is you get a rejection email a month later.”
The feeling resonates. The community is angry about fake offerings, the so-called ‘ghost’ jobs. One job seeker described receiving a “sorry email,” only to see the job reposted on LinkedIn a few hours later.
“I got laid off last October after 16 years at a company. I spent the last eight years doing Technical compliance, risk management, and cybersecurity stuff (I was a Director level). Started looking in earnest in January for mid/senior level roles. 250+ applications. Over half never respond. I've had about six interviews in the private sector and five for state work. I was even offered a position with NYS, but I am still waiting,” another user posted.
“It freaking sucks.”
Similar posts appear periodically and attract a lot of attention. Here are some other examples:
“LinkedIn has been so useless it's soul-crushing. Most of the postings are fake,” one user said, asking for help.
“We all have seen it, from university promotions to YouTube influencers claiming you can start an entry-level cybersecurity job with sec+ (certification) and no XP. Biggest load of crap I’ve heard in my lifetime. Cybersecurity is NOT an entry-level. Even for GRC (Governance, Risk, and Compliance), you need compliance, analyst, or risk management XP,” one of the most popular community posts in a month said.
It’s similar on LinkedIn. Security strategist and innovator Rafal Los said he sees “cybersecurity people all over out of work for months and months with jobs drying up or worse – never there to begin with.”
Meanwhile, various studies paint the opposite picture – the shortage of cybersecurity pros is ever-widening and reaching a headcount of 4 million. The US alone had more than 750,000 unfilled cybersecurity jobs.
So what gives? I couldn’t sum it up better than Gadi Eron, CEO at Knostic, who has more than 25 years of experience in the field.
“It’s very difficult to enter the industry as a junior. We hire experienced people, and it is becoming an aging industry. There is a talent gap to some degree, but there is also a willingness to pay gap and a willingness to train gap,” Gadi told Cybernews.
Businesses hesitant to spend
Around one-third (37%) of cybersecurity roles are reported as ‘hard-to-fill,’ according to VIQU IT Recruitment agency in the UK. Businesses are now also hesitant to spend, but they want to have options in the future.
“We do not post ghost jobs. However, we know a number of businesses do,” Matt Collingwood, Managing Director of VIQU, observes.
“Organisations want to keep a good talent pool available for when they do need someone.”
According to him, the pandemic increased the demand for cybersecurity expertise. However, the market has remained relatively flat over the past two years, as recessions and elections have made businesses less likely to start new projects or recruitment campaigns.
“Many businesses are hesitant to spend their budget on hiring professionals,” Collingwood said.
“I also see that companies have high requirements for cybersecurity professionals, including a certain number of years of experience.”
While some niche skills and specific experiences remain in very high demand, many organizations also allow remote work, putting local professionals in competition with cybersecurity experts worldwide for the same jobs.
“This can make junior-level job seekers' searches that much harder.”
Cache Merrill, founder of Zibtek, a software development firm, also suggests tempering enthusiasm surrounding the “shortage of cybersecurity professionals.” Companies now focus on particular skills, such as cloud security and AI predictive analyses, and they embrace automation tools such as security orchestration, automation, and response (SOAR) platforms.
“Due to ongoing layoffs and subdued hiring in the tech sector, entry and medium-level cybersecurity professionals are undergoing stiff competition,” Merrill said.
“While there is still a high demand for top-level employees such as CISOs and security architects, fresh graduates may suffer from wage strategies that are out of place.”
The perceived increase in ghost jobs may be due to some recruiters' failure to keep up with certain budget and structure changes.
Recruiters may rely on AI too heavily
Some also believe that AI applications in recruitment fail to recognize true talents in cybersecurity.
“I have some suspicion that more companies are using AI to filter job applications. This has inherent risks and biases and could lead to unintended exclusion of qualified candidates,” said Jackie McGuire, Senior Security Strategist at Cribl, a platform for IT and security.
Social media is abuzz with jokes about CEOs who sent resumes that didn’t pass the initial screening.
Some experts noted that companies post job openings as a formality to show attempts to hire American workers while intending to hire foreign employees on work visas. These listings are not genuine and waste job seekers’ time, as applications won’t be accepted.
Hope is not lost
While entry positions may be more difficult to find, the changing market rewards the highest qualifications.
“It’s not as black and white as it might seem from a few Reddit threads. Yes, there are challenges right now, but it's important to dig into why that might be happening before calling it ‘brutal’ across the board,” said Brandon Dock, Managing Director of TGC Search, a recruitment agency.
“While the market may have its ups and downs, the need for cybersecurity talent is real.”
He sees more demand for highly specialized skills in cloud security, threat hunting, and compliance expertise.
Dinesh Besiahgari, an Amazon Web Services (AWS) engineer, argues that migration to the cloud and adoption of hybrid work models increase demand for special roles in cloud security.
“There will unquestionably still be a need for highly specialized cybersecurity professionals, specifically those in cloud security, AI-driven security tools, and DevSecOps. From what I have seen within AWS, these are very important roles. Most organizations want to ensure their cloud environments are secure and automate security protocols,” Besiahgari said.
Another driver is surging demand for zero-trust architectures, which are replacing traditional perimeter-based approaches to security. This creates demand for specialized roles focused on securing cloud-native applications, managing identity and access controls, and detecting advanced threats across distributed environments.
“We have seen the rise of attacks against remote workforce tools such as collaboration platforms and VPNs. The need for more protection and monitoring solutions with respect to ‘endpoint protection,’ thus scalable for distributed teams, has increased radically at AWS,” Besiahgari said.
A recent IAPP (International Association of Privacy Professionals) survey, conducted between April and May 2024, revealed that 18 percent of the members were looking to hire a cybersecurity professional. Eighty percent of respondents indicated that their privacy teams have acquired responsibilities beyond privacy, and 40 percent of those have added cybersecurity as a regulatory compliance matter.
“Organizations’ increased focus on cybersecurity compliance is driven not only by new legal requirements in the US and Europe, but also by enforcement actions, insurance requirements, class-action lawsuits, and new regulatory requirements, such as the SEC’s rules mandating disclosures of material cybersecurity incidents as well as cybersecurity risk management and governance,” Caitlin Fennessy, VP & Chief Knowledge Officer at the IAPP, said.