Wanted: Junior cybersecurity staff with 10 years' experience and a PhD

Cybersecurity hiring managers need a reality check when it comes to hiring junior staff, with job adverts littered with unfair expectations that are hampering recruitment efforts, says industry training and cert issuer ISC2. According to the organization's latest hiring trends study, entry-level and junior job descriptions …

  1. Throatwarbler Mangrove Silver badge
    Alert

    Security+

    On a lark, I decided to do a CompTIA Security+ prep course and found it so basic that I skipped right through several modules. Not that I'm particularly interested in security work, per se, but perhaps I should scoop up the certification if it's in such high demand.

    1. elsergiovolador Silver badge

      Re: Security+

      If a job description fixates on certificates, it's usually a sign that no one in the hiring pipeline actually understands the role. Expect to work alongside people who bought their certs, memorised multiple-choice answers, or got waved through because HR needed a checkbox ticked.

      And if they clock that you’re actually competent? Brace yourself - you’ll get all the work, none of the credit, and probably be told you’re “not a team player” when you burn out from carrying dead weight.

      1. ecofeco Silver badge
        Flame

        Re: Security+

        ...or eventually fired because you're a threat to the favored son and making them look bad.

        My philosophy these days is sod it all and let them burn.

      2. MachDiamond Silver badge

        Re: Security+

        "Expect to work alongside people who bought their certs, memorised multiple-choice answers, or got waved through because HR needed a checkbox ticked."

        I put the effort into getting good at taking tests. I find that most of the time, the certification doesn't have much to do with what the job is about and can often ramble off into edge cases. Having a stack of certs is nice decoration on a resume and it impresses the HR types. Get a few, lie about having a few more, get to the interview with the supervisor if it's a job you feel qualified for.

    2. BartyFartsLast Silver badge

      Re: Security+

      I did the prerequisite CompTIA certs for some manufacturer training by skimming the index of the books, they're basically gatekeeping and I tend to skip jobs which list CompTIA as a requirement because it signals they're pretty clueless.

      I do find it wryly amusing when I see the whining of recruiters and managers that they can't find qualified candidates but then refuse to train or try to hire people with years of experience for an intern level wage.

      The main shortage is one of employers who are prepared to invest in and pay staff as well as create a work environment and culture that people want to be part of.

  2. Pascal Monett Silver badge
    Facepalm

    Let's be clear

    Recruitment offer that demands you to be young and highly qualified and experienced at the same time? What a surprise.

    This has been going on for decades already. Companies want to put you to work and pay you peanuts for the privilege. Everybody knows the stupidity of this, but somehow it keeps on happening.

    1. Doctor Syntax Silver badge

      Re: Let's be clear

      I suspect that some of these problems can often be laid at the door of ISO 9000 and its friends and relations.

      Scene: Quality manual is being written

      Wallah 1. We come to minimum experience need for any job.

      Wallah 2. It can't be just anybody. All jobs must be done with somebody with good experience.

      Wallah 3. How about 5 years?

      Wallah 2. Sounds good to me. Should that be the current version of whatever it is they're using?

      Wallah 3. That must be right. In fact current versions of anything should always be used.

      Wallah 2. I'll go along with that.

      Wallah 1. And me. I'll put that down.

      And hence we have a requirement to use stuff which is never more than 2 years old and those needing it need to have been using it for at least 5 years.

      1. Eclectic Man Silver badge
        Unhappy

        Re: Let's be clear

        I was a security consultant to an organisation that had an ISO 9000 'quality' system. I was told the external consultant just sat in a corner and wrote it for them. Which is why it was completely useless and ignored.

      2. HMcG

        Re: Let's be clear

        And this is why people lie about their experience on their CVs, and employers don’t bother checking up on claimed former employers.

    2. Groo The Wanderer - A Canuck

      Re: Let's be clear

      Yes, this has been "industry practice" since the early 2000's for all IT positions. The kicker is they call a decade of experience a "junior" when in any trades those are experienced journeymen.

      Why? So they can screw you over right royally on compensation.

      1. martinusher Silver badge

        Re: Let's be clear

        It's not just IT positions. It's been a bit of a joke in engineering for a couple of decades or more that job descriptions were written that the only possible candidate could be someone employed in a key role in a competitor (who's hardly likely to want a junior position!). It got so bad at one time that there was even a comprehensive article in the Wall Street Journal back in the 2000s about this.

        But as everyone has noted, it says more about the company than the candidate. What they're actually likely to end up with is a first class blagger -- someone who knows how to talk the talk. Ideal Marketing material, in fact.

        1. mcswell

          Re: Let's be clear

          "It's not just IT positions." Agreed. A relative was trying to find an intel analyst job a couple years ago, and many of the ads were for so-called "entry level" positions with 5-10 years of experience. Any HR person should have known that this much experience is not entry level.

        2. MachDiamond Silver badge

          Re: Let's be clear

          "It's been a bit of a joke in engineering for a couple of decades or more that job descriptions were written that the only possible candidate could be someone employed in a key role in a competitor (who's hardly likely to want a junior position!)."

          That's who those postings are written to attract. Acme widgets can't just put in the ad that they want the head of engineering from Spacely Sprockets straight out. If they write the ad for that and go on to say that it's a junior position with a salary bracket that is far too low, they've shot themselves in the foot and what might have happened is that once the posting was crafted, some other nob with approval authority didn't get the memo on why the position was being advertised. Hint: it wasn't to bring in a junior anything.

          Another reason you will see these types of ads with odd qualifications is the company needs to advertise the position in-country and not get any "qualified" candidates so they can hire somebody foreign who will have the necessary qualifications for the job and will work for half the wage (that they send home).

  3. Boris the Cockroach Silver badge
    Unhappy

    It's always

    been this way.

    Technology X is released to the public.

    5 minutes later the job ads start appearing. Senior roles: must have 5 years+ in technology X, junior roles: 2 years experience in technology X (plus a master's degree in comp science and 5-10 years in a developer's role, ideally aged 21 or less).

    Cynical? And there's me thinking that was my middle name.

    1. b0llchit Silver badge
      Childcatcher

      Re: It's always

      The real kicker is that questioning or commenting on the contradictions and impossibilities makes you ineligible for the job. You are marked as "person questions authority" and that disqualifies you immediately.

      1. DJV Silver badge

        Re: and that disqualifies you immediately

        Then again, do you really want to work for a company that prides itself in the employment of people who constantly generate such contradictions?

        Of course, if the company also has a BOFH with more than 10 years of lift-shaft maintenance, a qualification in applied quicklime along with a sideline in rolled-up carpetry, there may still be hope for the place!

    2. Anonymous Coward

      Re: It's always

      Indeed. I remember a User Friendly cartoon mentioning a job advert that required 10+ years experience in Java, with a character pointing out that Java was only 5 years old. (Exact years may not be right, but the point is.)

      The cartoon itself has been defunct since 2010.

      1. Gene Cash Silver badge

        Re: It's always

        What? Surely, all the commentards here read UF! It's a perfect reflection of working in IT! It's a must-read!

        Oh wait, it's actually been dead since 2010 and deleted from the internet in 2022.

        God damn it. RIP Illiad. I hope he's doing ok, wherever he is.

        1. Peter Gathercole Silver badge

          Re: It's always

          Comics are still visible on Archive.org, I believe.

          One of the problems with long term web comics like this is trying to remain original without repetition. I think it's axiomatic that unless you're writing about something current, and thus allow repetition when life repeats, web comics will always have a limited life conditioned by the imagination and life experiences of the author.

          At least Randall Munroe is still going with xkcd.

      2. This post has been deleted by its author

    3. MachDiamond Silver badge

      Re: It's always

      "ideally aged 21 or less"

      Unless there is some legal requirement for a minimum age, you couldn't put that in. What you can put in is the job requires occasional or frequent travel at the last minute. Somebody with a spouse or young family would have a hard time with that. You would likely get more fresh-outs that are single and don't have after-work responsibilities.

  4. abend0c4 Silver badge

    Unfair expectations

    Potential employers seem to try it on all the time. But if they're failing to recruit, presumably all those highly-paid HR "professionals" are there to align their candidate requirements with market reality. Or is that an unfair expectation too?

    1. steelpillow Silver badge
      Devil

      Re: Unfair expectations

      Definitely unfair to expect HR staff to do a good job of HR. By failing to recruit, they make the case for more HR staff - an empire under them and a comfortable pension. Oh, and guess who wrote the ticksheet? HR!

  5. Tron Silver badge

    Time was...

    ...techies were not known primarily for their 'interpersonal skills'. This used to be a sector where you would treasure your ever-so-slightly aspie Linux geeks, even if they want to work at home, in glorious isolation, communicating only with the mothership in Klingon.

    But now (outside India) they are seeking clubbable folk with interpersonal skills who yearn to work in teams, excavating the nether regions of server code in a spirit of caring, sharing togetherness. Oh brave new world!

    1. Doctor Syntax Silver badge

      Re: Time was...

      Interface layer needed.

    2. cookieMonster

      Re: Time was...

      Oh god, the horror.

      So glad I’m no longer in this field.

    3. elsergiovolador Silver badge

      Re: Time was...

      Under UK law, autism is a protected disability - so rejecting someone with ASD for lacking vague “interpersonal skills” that aren’t essential to the job can be grounds for disability discrimination under the Equality Act 2010.

      But let’s be honest: corporations don’t want the best minds - they want compliant personalities who smile in meetings, nod through nonsense, and tick HR’s “team player” box. It’s not about ability, it’s about cultural obedience. If you’re brilliant but don’t perform the corporate social ritual, you're out. Because nothing threatens mediocrity like competence without deference.

      1. Anonymous Coward

        Re: Time was...

        Yup, I'm working in a project where they demanded it be written in [new technology].

        However, our 2 experts in [new technology] are rather abrasive, because a) they're somewhat autistic, b) quite direct and forthright, calling a spade a spade, and c) they're run ragged because they're experts in several new technologies.

        Guess who got kicked off the team?

        And guess how surprised management is, now that the project is completely stalled?

        Anon for obv reasons.

        1. Anonymous Coward

          Re: Time was...

          they demanded it be written in [new technology]

          Not the dreaded Fe2O3?

          1. Peter Gathercole Silver badge

            Re: Time was...

            I read that and thought Iron Oxide. Then it clicked....

      2. MachDiamond Silver badge

        Re: Time was...

        "Under UK law, autism is a protected disability - so rejecting someone with ASD for lacking vague “interpersonal skills” that aren’t essential to the job can be grounds for disability discrimination under the Equality Act 2010."

        That just means the company can't come straight out and tell an applicant they aren't a candidate for that reason. That could be a reason why there can be odd requirements that are listed in the job posting. While they might accept somebody that doesn't tick all the boxes (but was smart enough to claim they did), they can down check anybody they don't like for not being suitable based on one of them.

    4. GoneFission
      Devil

      Re: Time was...

      There used to be a time where you could write your own salary if you had full-stack experience with a side of web dev. Now you need to be a sysadmin, network admin, cybersecurity expert, fluent programmer in at least C++, Python, Rust and Assembly, authored major contributions to a minimum of 4 popular open-source repositories and have received several laureate awards for public speaking on top of at least 2 TedTalks (no TedX please) to even begin the application phase for a $15 an hour part-time role.

      Then you get turned down because they hired the owner's nephew instead, who once looked at a computer, but they're paying him $90k a year to start.

      1. MachDiamond Silver badge

        Re: Time was...

        "Then you get turned down because they hired the owner's nephew instead, who once looked at a computer, but they're paying him $90k a year to start"

        The last one I had like that, the manager of the program retired as he kept getting lumbered with dead weight. He really wanted to hire me for an aircraft support position and got some exec's wife's sister or something that would show up in heels and couldn't marshal aircraft on the apron. The core of the job being hired for was data entry, but the boss really wanted me since I could be used all over the hangar as the job didn't take much time every day, but needed to be done every day. When I interviewed, we went out for a nice dinner (he was a friend of a friend), and talked about the job and how it would morph into more of a mechanic's assistant and test tech for the aircraft but he couldn't hire for that and getting me in via the data entry gig would give me a lot of on-the-job training doing that role. Mind you, this is a huge government contracting corporation, not some mom/pop store. Initially, the money was ok and after changing title, it would be quite nice.

  6. Ashentaine

    I have to wonder

    ...if at least some of those jobs are ones that were already filled internally but due to regulations they're required to post a public listing, and so set ridiculous or conflicting requirements to keep anyone but the pre-chosen individual from applying.

    1. ecofeco Silver badge

      Re: I have to wonder

      You bet a fair percentage are, for sure.

      Compliance theater.

    2. Anonymous Coward

      Re: I have to wonder

      I've also seen where corporate HR put boilerplate requirements into all job requirements, whether they were appropriate or not. The requirement to be able to calculate real estate commissions, for an HVAC tech, comes to mind.

    3. Sudosu Silver badge

      Re: I have to wonder

      Ah, the ole publish the current guy's resume as the job posting trick.

      Blah, blah, blah and you must look exactly like this fellow and be married to his wife.

      1. John Brown (no body) Silver badge

        Re: I have to wonder

        "Blah, blah, blah and you must look exactly like this fellow and be married to his wife."

        ..and now my twin brother no longer speaks to me :-(

      2. Caver_Dave Silver badge

        Re: I have to wonder

        I've been on the positive side of that, with my CV being used as the template, via a manager I used to work with who really wanted me at this newish company he worked for.

        Submitted my CV to the HR dept. who also it turned out was the owner of the SME.

        Rang after a week and was told I was rejected as I had no profile on "flavour of the week" social media and so they didn't know what sort of person I was.

        I didn't complain as that told me enough about the company to know that I did not want to work there!

        1. MachDiamond Silver badge

          Re: I have to wonder

          "Rang after a week and was told I was rejected as I had no profile on "flavour of the week" social media and so they didn't know what sort of person I was."

          They actually contacted you? Amazing. It was rare that I'd ever get as much as a "we received your application" form letter.

    4. Anonymous Coward

      Re: I have to wonder

      That happened to me (posting anonymously for obvious reasons). I had been contracting and had to be let go due to a company rule that contractors weren’t allowed more than 2 years. They wanted me back and wrote a job spec that matched me and I have been working as a permanent member for 2 years now.

    5. Anonymous Coward

      Re: I have to wonder

      That and H1-Bs.

  7. elsergiovolador Silver badge

    Crisis

    The cybersecurity hiring crisis - where companies want junior staff with senior certs, five years of experience, a spotless record, and the willingness to work for public-sector wages because "pensions". Newsflash: pensions are a 1980s relic. By the time most people cash them out, they'll be half-crippled from stress, redundant by automation, or dead. What exactly is the personal upside here?

    Cybersecurity isn’t just a job - it’s a constant arms race. To stay sharp, you pay out of pocket for certs, run your own infrastructure, rent boxes for testing, keep up with threat intel, toolchains, legislation, and whatever AI-generated malware just dropped. Meanwhile, companies treat talent like disposable assets, with layoffs every quarter and HR still wondering why no one’s loyal.

    The only reason you still get applicants is because some people genuinely love the work - and they have to eat. But don't mistake desperation for pipeline health. If you’re not paying for training, stability, or respect, don’t be shocked when your “junior hire” ghosts after six months or couldn’t spot a backdoor in a broom closet. You built this problem. You're just mad it's costing you now.

    1. Pascal Monett Silver badge
      Thumb Up

      Re: Crisis

      I have to say that I agree with absolutely everything in your post.

      Although I am getting close to pensionable age, so I'd rather it wait a bit longer to become a true relic.

    2. MachDiamond Silver badge

      Re: Crisis

      "Newsflash: pensions are a 1980s relic."

      They used to be a way for people that weren't all that responsible to have retirement savings done for them. The money would come out of each check with/without matching money and be invested in a steady fund that returns a reasonable interest over time. These days, the managers of the pensions are trying to make a killing when somebody isn't raiding the pension fund to pay for something at the company.

      When I was young, I signed up for an annuity/life insurance that was paid from my semi-weekly payroll. It's still ticking away many years later. The company I was with when that was started is long gone and I haven't paid in for ages. I've instead put money into buying a home (paid) and not carrying long term debt. There's no point in earning 5% and paying 22%. Even with today's home loan rates, it makes sense to buy, if possible. The retirement savings interest and the mortgage interest might be a wash (if lucky), but the home/land appreciates in value over time for a net win.

      After seeing how many pension funds are in lots of trouble, I'm glad I don't have money sunk in one that may not be there when I am eligible to collect.

  8. Anonymous Coward

    It's no better at senior levels

    I spent a few years as security lead for a product that I'd worked on as a developer. I knew the product, the team (dev & QA), had a good idea of where security issues might turn up. It was an interesting and fun job, even the visit to the SVP's staff meeting for a mea culpa after I (and fortunately not a customer) found a serious security issue in a new version that required a stop-ship & new release.

    Then came promotion to security head for the wider organisation. I was a sort of policeman for products and teams that I barely knew, and who didn't like an outsider telling them how to 'do' security. I had the experience, but not the formal qualifications, and getting those was tedious and uninteresting. Some of the products were appalling, some were very solid and secure, but neither liked an 'outsider' supervising them. Soul-destroying work, even with the teams I knew and liked. I stuck it for a couple of years & then left for something that allowed me to look forward to going to work again.

    1. ecofeco Silver badge

      Re: It's no better at senior levels

      Yep, once the silos form, it's all over but the shouting.

  9. ecofeco Silver badge
    Facepalm

    Competitive pay for experience

    Offering 60K US and wondering why they got hacked, but for sure they know who to scapegoat.

    80K if you're lucky. And no, that is still NOT a lot of money these days.

    1. elsergiovolador Silver badge

      Re: Competitive pay for experience

      You could make much more as a sparkie. No CVEs, no threat intel feeds, no 3am breach notifications - just stay vaguely up to date on building regs and show up with tools. Can’t work from home, sure, but you also don’t get blamed when a FTSE 100 gets popped because someone reused "Analbeads2023!” as a password.

      1. ecofeco Silver badge

        Re: Competitive pay for experience

        Yeah, in theory and for sure less stress, but wages are not keeping up in the USA, but actively going down across ALL professions.

        1. Anonymous Coward

          Re: Competitive pay for experience

          ... unless you are CEO.

      2. Sudosu Silver badge

        Re: Competitive pay for experience

        I've done both and reflecting on it, I should have stayed a working electrician.

        My conduit work was beautiful, functional art. I was really good at it and proud of what I built. Much of it will be around long after I'm gone.

        Computers used to be fun, and I have a great affinity for them, but it turned into a career of meetings...I got fat :) and cynical because work was rarely about goals, just politics. Who can care about that for any length of time?

        Every manager, PM and BA are all IT legends in their own minds, I never saw that as an electrician.

        Once you get a trade ticket you can start your own company and make very good money, just like IT.

        1. elsergiovolador Silver badge

          Re: Competitive pay for experience

          just like IT.

          Just be aware that in the UK, worker owned companies are heavily restricted when it comes to making profit. It is all stacked in favour of big corporations exempt from the legislation (IR35).

          1. Giles C Silver badge

            Re: Competitive pay for experience

            That is only if you are contracting.

            The previous poster was talking about a trade as I read it: plumber, electrician, gas engineer etc. Most of those I know are self-employed doing domestic work, no IR35 there, mind you if you don’t have the customers you won’t earn much. But there are other ways of working besides contracting for big companies.

          2. Sudosu Silver badge

            Re: Competitive pay for experience

            Yeah, this is in Canada, so it is somewhat less restrictive.

            Our last prime minister intimated that all small business owners were tax cheats, which was concerning after seeing what happened in the UK with your IR35 problems, but nothing really changed.

            You can pretty much stick a magnet with your brand on the side of your vehicle or put an ad in the classifieds, and POOF! you are a business.

            You have to file the additional stuff with your taxes and collect GST\PST\HST (our sales taxes) as required so there is some gov paperwork to be done but it can be pretty minimal for a one person show.

            If you represent as a trade you have to have a Journeyman ticket though or you can get in trouble and/or sued.

      3. MachDiamond Silver badge

        Re: Competitive pay for experience

        "You could make much more as a sparkie."

        You can make twice that unblocking people's loos after hours. Tell them you charge $200/hr plus they have to make you a meal and the only question asked will be how fast you can be over. People will light a candle and pay $100/hr for an electrician to come over between 9-5.

        1. Sudosu Silver badge

          Re: Competitive pay for experience

          You are not wrong!

          Had a friend who had to get an emergency call from a plumber: 3 hour minimum charge $120 an hour...and it took them 1/2 hour to fix the issue.

          Someone made some $$$.

  10. Neil Barnes Silver badge

    When I started work, back in the dawn of prehistory

    Companies provided training. They had enough smarts to realise that engineers didn't hatch from the egg knowing all they would ever need to know, and that if they provided training not only would they get competent engineers (or weed out the incompetent early) but they would be trained in the way that the company did things and so could be reasonably expected to work in the same way as their colleagues.

    The company I chose basically did a three-year on-the-job degree level education with both workplace and formal classroom work; the other companies that offered me work had similar schemes. Even thirty years later, they still offered training although by then it had mutated to the level that if you left within a certain time period, there was a compensatory financial penalty.

    Expecting someone else to provide the training for your staff is just plain foolish.

    1. ecofeco Silver badge

      Re: When I started work, back in the dawn of prehistory

      Are you saying 28 year old CEOs might not have a clue about things in general?

      Someone should tell Meta they might have recently overpaid for one.

      Nah, on second thought, let them burn their money.

    2. Terry 6 Silver badge

      Re: When I started work, back in the dawn of prehistory

      This is a problem half a century in the making. When I was at high school (that long ago) most of the older kids who left would go to one of the local big companies (e.g. ICI or Ferranti) and be given training, or put through engineering courses, even degrees. By the time my year group got to that stage this had started to dry up. For a pair of reasons. One group of companies decided to stop that investment and poach time served engineers from The Place Down The Road. Then, inevitably, The Places Down The Road stopped training people because it was pointless. They didn't stay.

      Underlying this was the Beancounter mentality of circa 1975. On the one hand not wanting to pay the training costs to grow their own people, because it was cheaper to pay a little extra to poach experienced trained staff. On the other hand not wanting to pay enough to retain them once they'd been trained.

    3. Giles C Silver badge

      Re: When I started work, back in the dawn of prehistory

      The idea that because we (the employer) paid for a one day course in prehistory demands the right to force you into servitude for a millennium needs to be killed off completely.

      Where I work we get training (sometimes too much) on new products, and if you want to get trained on an item it will be granted as long as it is relevant - they won’t pay network engineers to do underwater basket weaving for example.

      They understand that we need to use new products and more importantly know how to use it properly. We are installing a new monitoring solution and everyone using the product did a two day course to make setting it up easier and we knew how to get it running.

  11. Groo The Wanderer - A Canuck

    I'm one poor SOB in retirement, but I don't regret leaving the industry behind one little bit. The fun got replaced by irritating and irrelevant demands two decades ago.

    1. Anonymous Coward

      They haven't stopped, either...

  12. JLV Silver badge

    Among other requirements, the successful candidate will demonstrate 15+ years experience hardening LLM-based customer facing systems against hostile prompt injections.

    1. Neil Barnes Silver badge

      Sadly not new: I remember seeing adverts requiring ten years of W2k experience four or five years after its release...

  13. Persona Silver badge

    Do they want to learn?

    When recruiting I would never place much value on the candidate holding any certifications. Security experience would be a plus but not necessary. Instead I wanted a technical background that was at the upper end of what could be expected for someone with their level of experience. Most importantly I wanted people who not only could learn a lot quickly, but wanted to learn. I found people with a burning desire to learn to be the most valuable hires.

  14. Anonymous Coward

    "even non-STEM fields"

    successful recruits were also sourced internally from departments such as finance and even non-STEM fields like communications, HR, customer service, and marketing to bring fresh ideas to the table.

    My experience of corporate ITSec would suggest RADA was the main recruiting ground for those security thespians. Don't suppose HR checked their Equity membership.

    The question is fundamentally "Do you want secure systems or just the appearance of security?"

    From the trail of increasingly unforgivable failures stretching back decades the answer is clearly the latter.

    If you want more on-the-job frustration than one life can reasonably bear then this is the gig for you. Late employees of CISA would likely hasten to concur.

    1. Giles C Silver badge
      Joke

      Re: "even non-STEM fields"

      Is that why we refer to them as bad actors - sorry.

  15. Sudosu Silver badge

    "security thespians"

    I'm going to use that one, have a beer.

  16. Winkypop Silver badge
    Alert

    The recruitment process

    It’s as much about you selecting them as it is about them selecting you.

  17. Anonymous Coward

    risk aversion

    This sentence 'However, the study noted that successful recruits were also sourced internally from departments such as finance and even non-STEM fields like communications, HR, customer service, and marketing to bring fresh ideas to the table.' is telling.

    Because the one thing that happens when hiring becomes a task in and of itself, is that risk management becomes a dominating criterion.

    Especially in cyber, because security is invisible to begin with.

    It's still better to hire someone who does not meaningfully contribute, but is 'safe', than it is to have 1-2 out of 10 of your good candidates fail.

    It's a sign the company in question has too much of a buffer to tolerate that kind of inefficiency.

    And let's be honest, very few companies care about security, nor do the vast majority of customers.

    This is the same mindset that pervaded engineering before major dam disasters made it mandatory that only certified, and critically, independent, engineers could design and oversee critical infrastructure.

    But that will not happen for software, because the damage is also mostly invisible, except to those whose lives are ruined, but they don't post anymore on social media, so even more invisible.

  18. Cerebus TA

    No longer even slightly amusing

    The industry is rapidly heading back into the 'joke' territory it has taken years to get our profession out of.

    For example my eldest has a Masters Degree in Cyber Security and has grown up around Cyber Security and IT in general, but he can't even get a job on a basic help desk!

  19. Electronics'R'Us
    Holmes

    Silly job descriptions

    As noted by others, this has been going on for a long time.

    I recall seeing a job advertised on LI (I know, I know) for an electronics engineer.

    They stated 'Typically 2 to 5 years of experience' so not quite entry level but not far above it.

    They wanted:

    Degree in electronics. [6]

    Expert in analog and digital design [1]

    Design for EMC [2]

    Experienced with high end CAD tools [3]

    Mixed signal design layout expertise [4]

    High speed digital design [5]

    among other things.

    1. I have yet to meet a graduate from any university with any real knowledge of analog design and that is true of at least the last 30 years. It takes typically a couple of years of solid mentoring (if it even exists) or the grad studying it for said amount of time (or more typically 4 to 5 years) and actually building the circuits because it can advance their career, so they would need their own at least basic lab equipment. There is also a whole lot more to digital design than it seems at first glance. Sometimes the person who did not go to university has a better grasp depending on the career path.

    2. This is still one of the darker arts although there is a lot of science but every design is different and has to be assessed with an experienced eye. To get good at this takes several years in its own right.

    3. Depends on where they were previously; these tools are expensive although there are open source alternatives; those alternatives don't come with support, though, which most companies need or want. Even the relatively low end of the market (Altium) runs to almost £10k per seat per year. They all do (roughly) the same thing but each has its quirks, so there is always a learning curve.

    4. Hahahahahahaha. This is possibly the most difficult of skills and can take literally decades to fully master.

    5. For this, one needs to understand a lot of things from all the above and transmission line theory at a minimum. I started in RF so it really wasn't that big a deal for me.

    6. Slight afterthought; some of the best engineers don't have one.

    The real applicant for such a position would be very senior (probably a principal level) and would laugh at the offered salary.

  20. BPontius

    You made your bed!

    To all companies that demand these unreasonable qualifications for "junior" positions, do the world a favor.

    STOP COMPLAINING ABOUT THE LACK OF IT STAFF!!!!

    You made your bed, you lie in it.

    1. MuleD

      Re: You made your bed!

      Amen....brother. and even though I have always been on the defender side of the fence I have little sympathy for those who get compromised. I (and those like me) can and have told you how not to become victims.. You made the choice to not listen to what the experts are telling you so enjoy that dumpster fire some crew just set ablaze in your network....I FUCKING TOLD YOU SO !!!!! --- Mule

  21. MuleD

    A word from the top

    I have been at this Cyber Security thing for 25+ years. Started on the help desk and am retiring as a CISO. I have all the CERTS, years of experience (technical and policy) and an advanced degree. This whole topic is BULLSHIT and I have been shouting it for years.... There are no "entry" level positions in defensive cyber security. To be a qualified cyber security engineer you need to have a deep understanding of an assload of IT. Would you go and see an "entry level" Cancer Doctor or take your billion dollar corporate merger to an "entry level" lawyer? The counter to all of this is that the COMPANY NEEDS TO BE WILLING TO PAY FOR WHAT THEY EXPECT.
