I mentor a lot of junior people and something y’all need to be cognizant of in the crummy job market is that SOC analyst jobs have gotten way more competitive. It used to be a pretty direct path into cybersecurity (and it’s still way better than SWE) but it’s not an in demand job anymore.
Everyone who decided to get in four or five years ago is graduating now and the market is saturated. Candidates that would have been unbelievably perfect then are now struggling because they are in the wrong location or need visa sponsors. I mean ones with certs, masters degrees, and volunteer work.
This isn’t doom and gloom outside the market suck, I just need young people to know this isn’t a golden ticket you can just get a degree and walk into anymore. You are competing with people who network as a default. Have credentials or experience as a default. Clearances. Volunteer. Have home labs.
You can’t be lazy and get a red team or blue team role anymore. I’m not being a LinkedIn asshole, and I definitely don’t think people should have to have degrees or experience. I’m just telling it like it is. You can’t skate into cybersecurity anymore. Don’t imply that to your kids or mentees.
For us as seniors it makes mentoring and community development that much more vital. We need to be out there helping genuinely engaged newcomers, because it’s incredibly scary out there for them right now.
@hacks4pancakes Speaking of jobs. I’m looking for a person with federal compliance program experience who either knows or wants to learn networking.
I’m sorry, “lazy” was harsh. I’m not using that liberally, it was more parents pushing kids who didn’t want to work into cyber into it because it was a “good job” and letting them do the bare minimum.
I yell because of despair, because I’m booked out for mentees and seeing so many very scared job hunters who got promised the moon by skeevy universities and boot camps. Cybersecurity is a great job but you have to be proactive!

@hacks4pancakes We see that every time a hype cycle ends. I still remember a time when being able to write HTML was an in-demand property 😀.

P.S. Everyone starting a degree related to #ai now: that will also be your fate.

@masek the world needs plumbers and janitors. Literally and figuratively. The jobs that will stay in demand in IT and cyber are less flashy and more practical.

@hacks4pancakes @masek There's a reason I build network infrastructure for a living. It's not flashy. I haven't broken 200K yet. But I've been out of work once in 25 years and it was a bad situation at that gig as it was, so I wasn't sticking around anyway.

I and others have been telling people with a security concentration to pick up any skills other than just cyber crap, because they're massively more valuable that way because they actually might understand what they're supposed to secure, and they have an employable alternate skillset when the infosec market falls out, which is what appears to be happening.

I have been laughed at for that.

I'm not laughing at them now, I just worry for those that chose to ignore that advice.

@Stormgren the reason the market is tanking is because the business model of most cybersecurity outfits is a grift. Selling blinky boxes that have more security holes than they protect against. Mad race of minimum-pay outsourcees punching up dashboards of false alarms. Phishing awareness programs. Compliance reports.

If you really want to do something solid and actually want to learn then OT security is a good place to be. But you need to think as an engineer.

@hacks4pancakes @masek

@fedops @Stormgren @masek concur. We can’t fill jobs. But the problem is there’s a lot of people without critical thinking skills or basic computing fundamentals in cybersecurity we just have no luck training.

@hacks4pancakes yes, been in the exact same position and had to let one go.

Typing up generic reports without any technical skills and most importantly without the drive to learn and improve yourself just doesn't cut it.
@Stormgren @masek

@hacks4pancakes @fedops @masek We have the same problem in network engineering. Too many cert-punchers, not enough curiosity.

I've been advising leaders all over the place to hire for the thinking skills and fundamentals, they can train the rest into them, that's just additional skills.

@Stormgren

I feel like this is sound advice for _so_ many disciplines.

@hacks4pancakes @fedops @masek

@Stormgren thinking skills, curiosity, willingness to learn, team spirit. Everything else they can learn/be trained on.
@hacks4pancakes @masek
@Stormgren @hacks4pancakes @fedops @masek that’s infrastructure and ops in general these days. My consulting partner calls them charlatans.
@Stormgren @hacks4pancakes @fedops @masek Somebody with an English degree who has thinking and problem solving skills is much, much better than somebody with a CS degree who learned by rote something that's probably already obsolete.
@Stormgren @hacks4pancakes @fedops @masek I had a rash of senior pentesters apply for jobs as a staff engineer and they all considered this a step down but none of them had a clue how to build software and ship it, or even how to do active reconnaissance. All they had done was source code reviews. None got even close to a job and we were pretty desperate.
@Stormgren @hacks4pancakes @fedops @masek this resonates so much. I have been doing this for years whenever I get the opportunity to be involved in hiring.
They are also so much more enjoyable to work with, as they will want to learn and not just show off their certs.
@Stormgren @hacks4pancakes @fedops @masek Absolutely 100% agree. And that's why I think it's a huge problem when universities now offer "security" degrees when what they should really offer is CS degrees with a security specialisation on top. Or even just a really good, solid CS degree without any specialisation. That can come later.

@sten @hacks4pancakes @fedops @masek I really want to see CS / CE and IT programs bake security into every single course they teach that's degree oriented.

It's been taught and continues to be taught as a separate topic and this has been and will always be a gigantic mistake. If we're not teaching, from day one, good security practices, bad habits will be baked in, and then it's very difficult to undo later.

The ticky-box compliance people do not get that, the academics feel like it's getting in the way of solving interesting problems, the vendors and pet language people think their particular product solves the problems despite probably being built on sand, and around and around and around we go with history repeating.

@Stormgren @hacks4pancakes @fedops @masek Yep. My institution has taken a step in the right direction by making a basic security module mandatory, but has stopped there. From talking with my non-security colleagues, I know that most are not interested in teaching security. And I can understand why because they're not experts, they're afraid of teaching something wrong, and they would have to cut something.

@hacks4pancakes Yep, doing janitorial work (figuratively mostly) for decades.

What I wanted to say is: don't try to chase the hype cycle. Use it wherever you can, but don't plan on it to be around forever.

Hope that came across.

@masek @hacks4pancakes This is part of why I work in the backend of [redacted]. Everyone needs [redacted], so my position's pretty safe.

And it's also why I have a backup career of "electrician". Even if the "less glamorous IT positions" are crowded out, as long as we have electricity, we'll need people that understand how to safely pipe the angry pixies around without setting things on fire. So it's a pretty safe bet there will always be openings, especially since it's a job that can't really be done remotely like a significant chunk of IT can.

@masek @hacks4pancakes When I was an undergraduate many moons ago I realized the half life of skills in some fields is short. At that time I guessed it to be on the order of three to five years for CS. I went on to get a PhD in physics. I teach E&M. It hasn't changed since Maxwell. Who still uses Pascal?
@schamschula @masek @hacks4pancakes I chose cyber because it does change so much. I started as a math major for a couple years but it was too easy. My friend got me into comp sci. It was challenging and the ever evolving world of cyber intrigued me. I will be forever a student and I will forever learn whatever the world has to offer me.
One final plea to senior folks to please mentor at least one young person in a structured, formal way. Please, don’t pull the ladder up behind us.
@hacks4pancakes for us seniors new to mentoring outside of an employing organization, do you have a suggested resource on structured, formal mentoring?
@craigbro @hacks4pancakes Would be interested in this, too....
@hacks4pancakes one of my old mentors taught me to always mentor my mentees to take my job. If your folks can replace you, you know you can rely on them as you move up the ladder. The more they excel, the better it makes you look too if you need the extra motivation. You are building the next generation.
@hacks4pancakes This becomes more important by the day. AI and cloud are threatening to eliminate the fields where we were trained. AI will eat up easy tasks first and cloud kills ops experience.
@hacks4pancakes this. They won’t be the only ones getting something out of that experience.
I have found it so rewarding to mentor my junior colleagues and see them grow and develop.
They have brought some views to problems I would have never thought of myself and thus made me better at my job in the process as well.
@hacks4pancakes
I struggle with this *because* the industry has changed so much. My way in is unrecognizable today, and I genuinely don't understand a lot of the traps that junior folks are dealing with because I've never seen them. I worry about steering folks the wrong way, sometimes even just by telling my story.
@dymaxion your story will not be representative, but you can still offer huge help in building skills.

@hacks4pancakes
Oh yeah, sorry — not implying that I think I can't help or shouldn't try because of this!

That said, right now all my spare time is going to local community capacity building/advise and assist work or analysis and doctrine writing. It would be nice to feel like I could think about the security community again.

@hacks4pancakes I’ve seen a fair few number of people who just do 9 to 5 in cyber or aren’t really interested in it outside of work and then get upset when not moving up.
This may have been possible in the past, but the field is so competitive now, that to stand out you need to put in extra effort.
I think this is where working in a field you enjoy and are interested in is so important. You won’t necessarily feel like the extra effort is extra effort as you enjoy it.

Don’t get me wrong, 9 to 5 is fine, but you need to have the right expectations on what that means for your career.