Wanted: Junior cybersecurity staff with 10 years' experience and a PhD Cybersecurity hiring managers need a reality check when it comes to hiring junior staff, with job adverts littered with unfair expectations that are hampering recruitment efforts, says industry training and cert issuer ISC2. According to the organization's latest hiring trends study, entry-level and junior job descriptions …
If a job description fixates on certificates, it's usually a sign that no one in the hiring pipeline actually understands the role. Expect to work alongside people who bought their certs, memorised multiple-choice answers, or got waved through because HR needed a checkbox ticked.
And if they clock that you’re actually competent? Brace yourself - you’ll get all the work, none of the credit, and probably be told you’re “not a team player” when you burn out from carrying dead weight.
"Expect to work alongside people who bought their certs, memorised multiple-choice answers, or got waved through because HR needed a checkbox ticked."
I put the effort into getting good at taking tests. I find that most of the time, the certification doesn't have much to do with what the job is about and can often ramble off into edge cases. Having a stack of certs is nice decoration on a resume and it impresses the HR types. Get a few, lie about having a few more, get to the interview with the supervisor if it's a job you feel qualified for.
I did the pre requisite COMPTIA certs for some manufacturer training by skimming the index of the books, they're basically gatekeeping and I tend to skip jobs which list COMPTIA as a requirement because it signals they're pretty clueless.
I do find it wryly amusing when I see the whining of recruiters and managers that they can't find qualified candidates but then refuse to train or try to hire people with years of experience for an intern level wage.
The main shortage is one of employers who are prepared to invest in and pay staff as well as create a work environment and culture that people want to be part of
Recruitment offer that demands you to be young and highly qualified and experienced at the same time ? What a surprise.
This has been going on for decades already. Companies want to put you to work and pay you peanuts for the priviledge. Everybody knows the stupidity of this, but somehow it keeps on happening.
I suspect that some of these problems can often be laid at the door of ISO 9000 and its friends and relations.
Scene: Quality manual is being written
Wallah 1. We come to minimum experience need for any job.
Wallah 2. It can't be just anybody. All jobs must be done with somebody with good experience.
Wallay 3. How about 5 years?
Wallah 2. Sounds good to me. Should that be the current version of whatever it is they're using?
Wallah 3. That must be right. In fact current versions of anything should always be used.
Wallah 2. I'll go along with that.
Wallah 1. And me. I'll put that down.
And hence we have a requirement to use stuff which is never more than 2 years old and those needing it need to have been using it for at least 5 years.
Its not just IT positions. Its been a bit of a joke in engineering for a couple of decades or more that job descriptions were written that the only possible candidate could be someone employed in a key role in a competitor (who's hardly likely to want a junior position!). It got so bad at one time that there was even a comprehensive article in the Wall Street Journal back in the 2000s about this.
But as everyone has noted, it says more about the company than the candidate. What they're actually likely to end up with is a first class blagger -- someone who knows how to talk the talk. Ideal Marketing material,in fact.
"Its not just IT positions." Agreed. A relative was trying to find an intel analyst job a couple years ago, and many of the ads were for so-called "entry level" positions with 5--10 years of experience. Any HR person should have known that this much experience is not entry level.
" Its been a bit of a joke in engineering for a couple of decades or more that job descriptions were written that the only possible candidate could be someone employed in a key role in a competitor (who's hardly likely to want a junior position!). "
That's who those postings are written to attract. Acme widgets can't just put in the ad that they want the head of engineering from Spacely Sprockets straight out. If they write the ad for that and go one to say that it's a junior position with a salary bracket that is far too low, they've shot themselves in the foot and what might have happened is that once the posting was crafted, some other nob with approval authority didn't get the memo on why the position was being advertised. Hint: it wasn't to bring in a junior anything.
Another reason you will see these type of ads with odd qualifications is the company needs to advertise the position in-country and not get any "qualified" candidates so they can hire somebody foreign who will have the necessary qualifications for the job and will work for half the wage (that they send home).
been this way.
Technology X is released to the public.
5 minutes later the job ads start appearing Senior roles : must have 5 years+ in technology X, junior roles: 2 years experience in technolgy X (plus a master degree in comp science and 5-10 years in a developers role, ideally aged 21 or less)
Cynical? and there me thinking the was my middle name
Then again, do you really want to work for a company that prides itself in the employment of people who constantly generate such contradictions?
Of course, if the company also has a BOFH with more than 10 years of lift-shaft maintenance, a qualification in applied quicklime along with a sideline in rolled-up carpetry, there may still be hope for the place!
Comics are still visible on Archive.org, I believe.
One of the problems with long term web comics like this is trying to remain original without repetition. I think it's axiomatic that unless you're writing about something current, and thus allow repetition when life repeats, web comics will always have a limited life conditioned by the imagination and life experiences of the author.
At least Randall Munroe is still going with xkcd.
This post has been deleted by its author
" ideally aged 21 or less"
Unless there is some legal requirement for a minimum age, you couldn't put that in. What you can put in is the job requires occasional or frequent travel at the last minute. Somebody with a spouse or young family would have a hard time with that. You would likely get more fresh-outs that are single and don't have after-work responsibilities.
...techies were not known primarily for their 'interpersonal skills'. This used to be a sector where you would treasure your ever-so-slightly aspie Linux geeks, even if they want to work at home, in glorious isolation, communicating only with the mothership in Klingon.
But now (outside India) they are seeking clubbable folk with interpersonal skills who yearn to work in teams, excavating the nether regions of server code in a spirit of caring, sharing togetherness. Oh brave new world!
Under UK law, autism is a protected disability - so rejecting someone with ASD for lacking vague “interpersonal skills” that aren’t essential to the job can be grounds for disability discrimination under the Equality Act 2010.
But let’s be honest: corporations don’t want the best minds - they want compliant personalities who smile in meetings, nod through nonsense, and tick HR’s “team player” box. It’s not about ability, it’s about cultural obedience. If you’re brilliant but don’t perform the corporate social ritual, you're out. Because nothing threatens mediocrity like competence without deference.
Yup, I'm working in a project where they demanded it be written in [new technology]
However, our 2 experts in [new technology] are rather abrasive, because a) they're somewhat autistic, b) quite direct and forthright, calling a spade a spade, and c) they're run ragged because they're experts in several new technologies.
Guess who got kicked off the team?
And guess how surprised management is, now that the project is completely stalled?
Anon for obv reasons.
"Under UK law, autism is a protected disability - so rejecting someone with ASD for lacking vague “interpersonal skills” that aren’t essential to the job can be grounds for disability discrimination under the Equality Act 2010."
That just means the company can't come straight out and tell an applicant they aren't candidate for that reason. That could be a reason why there can be odd requirements that are listed in the job posting. While they might accept somebody that doesn't tick all the boxes (but was smart enough to claim they did), they can down check anybody they don't like for not being suitable based on one of them.
There used to be a time where you could write your own salary if you had full-stack experience with a side of web dev. Now you need to be a sysadmin, network admin, cybersecurity expert, fluent programmer in at least C++, Python, Rust and Assembly, authored major contributions to a minimum of 4 popular open-source repositories and have received several laureate awards for public speaking on top of at least 2 TedTalks (no TedX please) to even begin the application phase for a $15 an hour part-time role.
Then you get turned down because they hired the owner's nephew instead, who once looked at a computer, but they're paying him $90k a year to start
"Then you get turned down because they hired the owner's nephew instead, who once looked at a computer, but they're paying him $90k a year to start"
The last one I had like that, the manager of the program retired as he kept getting lumbered with dead weight. He really wanted to hire me for an aircraft support position and got some execs wife's sister or something that would show up in heels and couldn't marshal aircraft on the apron. The core of the job being hired for was data entry, but the boss really wanted me since I could be used all over the hanger as the job didn't take much time everyday, but needed to be done everyday. When I interviewed, we went out for a nice dinner (he was a friend of a friend), and talked about the job and how it would morph into more of an mechanic's assistant and test tech for the aircraft but he couldn't hire for that and getting me in via the data entry gig would give me a lot of on-the-job training doing that role. Mind you, this is a huge government contracting corporation, not some mom/pop store. Initially, the money was ok and after changing title, it would be quite nice.
I've been on the positive side of that, with my CV being used as the template, via a manager I used to work with who really wanted me at this newish company he worked for.
Submitted my CV to the HR dept. who also it turned out was the owner of the SME.
Rang after a week and was told I was rejected as I had no profile on "flavour of the week" social media and so they didn't know what sort of person I was.
I didn't complain as that told me enough about the company to know that I did not want to work there!
"Rang after a week and was told I was rejected as I had no profile on "flavour of the week" social media and so they didn't know what sort of person I was."
They actually contacted you? Amazing. It was rare that I'd ever get as much as a "we received your application" form letter.
That happened to me (posting anonymously for obvious reasons) I had been contracting and had to be let go due to company rule on contractors weren’t allowed to more than 2 years. They wanted me back and wrote a job spec that matched me and I have been working as a permanent member for 2 years now.
The cybersecurity hiring crisis - where companies want junior staff with senior certs, five years of experience, a spotless record, and the willingness to work for public-sector wages because "pensions". Newsflash: pensions are a 1980s relic. By the time most people cash them out, they'll be half-crippled from stress, redundant by automation, or dead. What exactly is the personal upside here?
Cybersecurity isn’t just a job - it’s a constant arms race. To stay sharp, you pay out of pocket for certs, run your own infrastructure, rent boxes for testing, keep up with threat intel, toolchains, legislation, and whatever AI-generated malware just dropped. Meanwhile, companies treat talent like disposable assets, with layoffs every quarter and HR still wondering why no one’s loyal.
The only reason you still get applicants is because some people genuinely love the work - and they have to eat. But don't mistake desperation for pipeline health. If you’re not paying for training, stability, or respect, don’t be shocked when your “junior hire” ghosts after six months or couldn’t spot a backdoor in a broom closet. You built this problem. You're just mad it's costing you now.
"Newsflash: pensions are a 1980s relic."
They used to be a way for people that weren't all that responsible to have retirement savings done for them. The money would come out of each check with/without matching money and be invested in a steady fund that returns a reasonable interest over time. These days, the managers of the pensions are trying to make a killing when somebody isn't raiding the pension fund to pay for something at the company.
When I was young, I signed up for an annuity/life insurance that was paid from my semi-weekly payroll. It's still ticking away many years later. The company I was with when that was started is long gone and I haven't paid in for ages. I've instead put money into buying a home (paid) and not carrying long term debt. There's no point in earning 5% and paying 22%. Even with today's home loan rates, it makes sense to buy, if possible. The retirement savings interest and the mortgage interest might be a wash (if lucky), but the home/land appreciates in value over time for a net win.
After seeing how many pension funds are in lots of trouble, I'm glad I don't have money sunk in one that may not be there when I am eligible to collect.
I spent a few years as security lead for a product that I'd worked on as a developer. I knew the product, the team (dev & QA), had a good idea of where security issues might turn up. It was an interesting and fun job, even the visit to the SVP's staff meeting for a mea culpa after I (and fortunately not a customer) found a serious security issue in a new version that required a stop-ship & new release.
Then came promotion to security head for the wider organisation. I was a sort of policeman for products and teams that I barely knew, and who didn't like an outsider telling them how to 'do' security. I had the experience, but nor the formal qualifications, and getting those was tedious and uninteresting. Some of the products were appalling, some were very solid and secure, but neither liked an 'outsider' supervising them. Soul-destroying work, even with the teams I knew and liked. I stuck it for a couple of years & then left for something that allowed me to look forward to going to work again.
You could make much more as a sparkie. No CVEs, no threat intel feeds, no 3am breach notifications - just stay vaguely up to date on building regs and show up with tools. Can’t work from home, sure, but you also don’t get blamed when a FTSE 100 gets popped because someone reused "Analbeads2023!” as a password.
I've done both and reflecting on it, I should have stayed a working electrician.
My conduit work was beautiful, functional art. I was really good at it and proud of what I built. Much of it will be around long after I'm gone.
Computers used to be fun, and I have a great affinity for them, but it turned into a career of meetings...I got fat :) and cynical because work was rarely about goals, just politics. Who can care about that for any length of time?
Every manager, PM and BA are all IT legends in their own minds, I never saw that as an electrician.
Once you get a trade ticket you can start your own company and make very good money, just like IT.
That is only if you are contracting.
The previous poster was talking about a trade as I read it plumber, electrician, gas engineer etc. most of the those I know are self employed doing domestic work, no IR35 there, mind you if you don’t have the customers you won’t earn much. But there are other ways of working besides contracting for big companies.
Yeah, this is in Canada, so it is somewhat less restrictive.
Our last prime minister intimated that all small business owners were tax cheats, which was concerning after seeing what happened in the UK with your IR35 problems, but nothing really changed.
You can pretty much stick a magnet with your brand on the side of your vehicle or put an add in the classifieds, and POOF! you are a business.
You have to file the additional stuff with your taxes and collect GST\PST\HST (our sales taxes) as required so there is some gov paperwork to be done but it can be pretty minimal for a one person show.
If you represent as a trade you have to have a Journeyman ticket though or you can get in trouble and/or sued.
"You could make much more as a sparkie."
You can make twice that unblocking people's loos after hours. Tell them you charge $200/hr plus they have to make you a meal and the only question asked will be how fast you can be over. People will light a candle and pay $100/hr for an electrician to come over between 9-5.
Companies provided training. They had enough smarts to realise that engineers didn't hatch from the egg knowing all they would ever need to know, and that if they provided training not only would they get competent engineers (or weed out the incompetent early) but they would be trained in the way that the company did things and so could be reasonably expected to work in the same way as their colleagues.
The company I chose basically did a three-year on-the-job degree level education with both workplace and formal classroom work; the other companies that offered me work had similar schemes. Even thirty years later, they still offered training although by then it had mutated to the level that if you left within a certain time period, there was a compensatory financial penalty.
Expecting someone else to provide the training for your staff is just plain foolish.
This is a problem half a century in the making. When I was at high school ( that long ago) most of the older kids who left would go to one of the local big companies ( e.g. ICI or Ferranti) and be given training, or put through engineering courses, even degrees. By the time my year group got to that stage this had started to dry up. For a pair of reasons. One group of companies decided to stop that investment and poach time served engineers from The Place Down The Road. Then, inevitably, The Places Down The Road stopped training people because it was pointless. They didn't stay.
Underlying this was the Beancounter mentality of circa 1975. On the one hand not wanting to pay the training costs to grow their own people, because it was cheaper to pay a little extra to poach experienced trained staff. On the other hand not wanting to pay enough to retain them once they'd been trained..
The idea that because we (the employer) paid for a one day course in prehistory demands the right to force you into servitude for a millennium needs to be killed off completely.
Where I work we get training (sometimes too much) on new products, and it you want to get trained on an item it will be granted as long as it is relevant - they won’t pay network engineers to do underwater basket weaving for example.
They understand that we need to use new products and more importantly know how to use it properly. We are installing a new monitoring solution and everyone using the product did a two day course to make setting it up easier and we knew how to get it running.
When recruiting I would never place much value on the candidate holding any certifications. Security experience would be a plus but not necessary. Instead I wanted a technical background that was at the upper end of what could be expected for someone with their level of experience. Most importantly I wanted people who not only could lean a lot quickly, but wanted to learn. I found people with a burning desire to learn to be the most valuable hires.
successful recruits were also sourced internally from departments such as finance and even non-STEM fields like communications, HR, customer service, and marketing to bring fresh ideas to the table.
My experience of corporate ITSec would suggest RADA was the main recruiting ground for those security thespians. Don't suppose HR checked their Equity membership.
The question is fundamentally "Do you want secure systems or just the appearance of security?"
From the trail of increasingly unforgivable failures stretching back decades the answer is clearly the latter.
If you want more on-the-job frustration than one life can reasonably bear then this is the gig for you. Late employees of CISA would likely hasten to concur.
This sentence 'However, the study noted that successful recruits were also sourced internally from departments such as finance and even non-STEM fields like communications, HR, customer service, and marketing to bring fresh ideas to the table.' is telling.
Because the one thing that happens when hiring becomes a task in and of itself, is that risk management becomes a dominating criterion.
Especially in cyber, because security is invisible to begin with.
It's still better to hire someone who does not meaningfully contribute, but is 'safe', than it is to have 1-2 out of 10 of your good candidates fail.
It's a sign the company in question has too much of a buffer to tolerate that kind of inefficiency.
And let's be honest, very few companies care about security, nor do the vast majority of customers.
This is the same mindset that pervaded engineering before major dam disasters made it mandatory that only certified, and critically, independent, engineers could desing and oversee critical infrastructure.
But that will not happen for software, because the damage is also mostly invisible, except to those whose lives are ruined, but they don't post anymore on social media, so even more invisible.
The industry is rapidly heading back into the 'joke' territory it has taken years to get our profession out of.
For example my eldest has a Masters Degree in Cyber Security and has grown up around Cyber Security and IT in general, but he can't even get a job on a basic help desk!
As noted by others, this has been going on for a long time.
I recall seeing a job advertised on LI (I know, I know) for an electronics engineer.
They stated 'Typically 2 to 5 years of experience' so not quite entry level but not far above it.
They wanted:
Degree in electronics. [6]
Expert in analog and digital design [1]
Design for EMC [2]
Experienced with high end CAD tools [3]
Mixed signal design layout expertise [4]
High speed digital design [5]
among other things.
1. I have yet to meet a graduate from any university with any real knowledge of analog design and that is true of at least the last 30 years. It takes typically a couple of years of solid mentoring (if it even exists) or the grad studying it for said amount of time (or more typically 4 to 5 years) and actually building the circuits because it can advance their career , so they would need their own at least basic lab equipment. There is also a whole lot more to digital design than it seems at first glance. Sometimes the person who did not go to university has a better grasp depending on the career path.
2. This is still one of the darker arts although there is a lot of science but every design is different and has to be assessed with an experienced eye. To get good at this takes several years in its own right.
3. Depends on where they were previously; these tools are expensive although there are open source alternatives; those alternatives don't come with support, though, which most companies need or want. Even the relatively low end of the market (Altium) runs to almost £10k per seat per year. They all do (roughly) the same thing but each has its quirks, so there is always a learning curve.
4. Hahahahahahaha. This is possibly the most difficult of skills and can take literally decades to fully master.
5. For this, one needs to understand a lot of things from all the above and transmission line theory at a minimum. I started in RF so it really wasn't that big a deal for me.
6. Slight afterthought; some of the best engineers don't have one.
The real applicant for such a position would be very senior (probably a principal level) and would laugh at the offered salary.
Amen....brother. and even though I have always been on the defender side of the fence I have little sympathy for those who get compromised. I (and those like me) can and have told you how not to become victims.. You made the choice to not listen to what the the experts are telling you so enjoy that dumpster fire some some crew just set ablaze in your network....I FUCKING TOLD YOU SO !!!!! --- Mule
I have been at this Cyber Security thing for 25+ years. Started on the help desk and am retiring as a CISO. I have all the CERTS, years of experience (technical and policy) and an advanced degree. This whole topic is BULLSHIT and I have been shouting it for years.... There are no "entry" level positions in defensive cyber security. To be a qualified cyber security engineer you need to have a deep understanding of an assload of IT. Would you go and see an "entry level" Cancer Doctor or take your billion dollar corporate merger to an "entry level" lawyer. The counter to all of this is that the COMPANY NEEDS TO BE WILLING TO PAY FOR WHAT THEY EXPECT.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
