Finding (and Filling) Cybersecurity Jobs in 2025

The cybersecurity sector continues to evolve rapidly, creating a job market poised for significant growth in 2025. Sam Grise, 4B Marketing Director of Strategy, recently sat down with Brad Rager, CEO and Founder of Crux, to discuss practical strategies for people trying to enter the cybersecurity job market in 2025.

Here are two critical takeaways from their conversation.

The demand for skilled cybersecurity professionals is surging as digital security becomes a cornerstone of business operations across industries. This growth necessitates a strategic approach to both job-seeking and talent recruitment. It’s not just about filling positions but ensuring a match that supports ongoing professional development and job satisfaction.

Bridging the talent gap requires more than traditional hiring tactics. It calls for a nuanced understanding of the market’s needs and the professional aspirations of potential candidates. Innovative talent matching and robust career development programs are crucial for adapting to the evolving demands of the cybersecurity industry.

Watch the webinar recording above, or read the complete transcript below to learn more.

Sam Grise, Director of Strategy, 4B Marketing

Brad Rager, CEO & Founder of Crux

______________________________________________

Sam Grise:
Welcome to today’s webinar. I’m Sam Grise, Director of Strategy with 4B Marketing, a marketing organization focused on business outcomes for the tech channel. Our central vision for the company is to be leaders who create a daily positive impact. So this topic is close to my heart. Finding and filling cybersecurity are essential topics in today’s world. 

To give you a bit of background on myself, my career was as a seller in the tech ecosystem. So, over the past eight years, I’ve bounced around from organization to organization. The one constant theme was the growth of cybersecurity. How do we attach cybersecurity to all the solutions we are selling? I know this has been a key piece of the industry’s growth. It’s time to introduce my panelist and co-sponsor, Brad Rager. Brad, thank you so much for joining us. Before we dive in too deep, I would love to hear your background and what you’re doing with Crux.

Brad Rager:
Thanks, Sam. It’s great to be here. I started Crux roughly two years ago. I ran marketing at a large security services organization, and I’d have conversations with CISOs about their challenges. I found people-related and talent-related issues to be number one on their list. And there wasn’t a lot of creativity and fresh thinking in how people were matching folks with job opportunities and thinking about fit and match. And so that’s what we’re building at Crux. It’s a talent marketplace for cybersecurity, and we work with candidates and companies to help find excellent people who are a good fit for the organization’s culture, the needs of the role, and the careers and aspirations of people themselves. So that’s what I do, and it’s been a fun journey.

I’m looking forward to the conversation.

Sam Grise:
Thank you so much for joining us again. I’m excited to pick your brain about the space, especially what you’ve been doing with Crux. Before we dive in too deep, we have the Q and A channels open for those listening, and I have the chat open. Sometimes, there’s a little bit of wonkiness with Zoom. So, if it’s not going through on chat, put it into the Q and A. Put it into the chat if it’s not going through Q and A. We’ll monitor it and would love to hear your feedback as we continue the discussion. The first piece I’d like to dive into is the trends in the marketplace. And so one of the things I mentioned earlier was how cybersecurity is becoming so prevalent in the market today. It’s continuing to grow. Every solution being sold has some form of cybersecurity attached to it. From a solutions perspective, that’s what the technology is. But one of the things that I’ve noticed is the trend of more jobs out there. There’s more talent out there. We need to fill those jobs from a success perspective to be able to implement those tools and use them properly. However, one of the statistics I found interesting was that there are around 1.2 million people employed in cybersecurity in the US today. And there are about 450,000 or so open jobs out there. And so, I wanted to pick your brain about what you have seen over the past couple of years of working at a cybersecurity organization. Those CISO conversations you were having from a job market perspective in the cyber security industry?

Brad Rager:
Yeah. You know, it’s funny. Those stats get thrown around a lot, Sam, and I’ll be direct. There’s a lot of BS to them. So, the headline for years has always been a cybersecurity talent shortage. You know, the sky is falling, the hackers are out there, the bad guys are out there, we don’t have enough frontline defenders. And it’s not an entirely untrue statement, but there’s a lot of nuance to it. The dynamic is a shortage of elite-level talent combined with a persistent gap in companies knowing what they need and having programs to develop talent. And so the market we’ve had for the past few years has been relatively lopsided. It looks like a relative shortage of high-end cybersecurity architects and engineers and, to some degree, application security kind of software engineers with a security lens to it and a relative oversupply of folks in less technical or more junior roles.

There is also an oversupply in cybersecurity leadership roles. So, folks that are trying to break into cybersecurity, it’s not an easy thing to do from the ground floor because, when you talk to employers, what they’re looking for, or at least what’s reflected on their job descriptions, and we’ll get into this, which isn’t always what, what, what they say when, when you talk to them, but most job postings have pretty, pretty healthy experience requirements. And so there’s a lot of wonkiness and weirdness in the market. At a high level, trend-wise, we’ve seen a significant softening in demand over the past couple of years. Arguably, the market is healthier and more balanced. Where we were in 2019, 2020, 2021 was not a sustainable market in terms of demand. You’d have people jumping jobs, cloud security architects, and engineers jumping jobs for $100,000 pay increases.

You don’t see that in the market today. It is becoming normalized, but there’s a lot of room to go in sorting out some of those imbalances. So, it has softened over the past couple of years. But we’re at a bit of an uptick. I’m seeing some good signs in the market that we’re starting to get to a better place between supply and demand. But in general, it’s been a weird market. And anybody in the earlier stage would tell you stories about the number of jobs they’ve applied to, the number of callbacks they’ve gotten, and the number of interviews they’ve had. You often see a big funnel to get to that one job opportunity. But, yeah, that’s what I see at a high level. 25 will be better than 24 and 23. But we shall see.

Sam Grise:
And that’s a great point you brought up at the beginning of your statement. Is it true that not all jobs are created equal? And so when we look at just the holistic numbers published on the Internet, which we all know, everything on the Internet is true. So you have to take it to heart. But not all jobs are created equal. And so there are differences between the entry-level and, you know, a lot of people trying to get into cybersecurity because of the trend of cybersecurity taking off, if you will, of that’s the career path that I want to get into versus a very experienced tenured, knows what they’re doing, tons of certification, so on for that job. There are differences here. And so it’s a little difficult to just look at it as a blanket statement of, yeah, there are tons of jobs, or there aren’t any jobs, or there’s a bunch of talent, or there isn’t talent and what that looks like because that’s just the holistic view if you will. But not all jobs are created equal. But yeah. So, from your perspective, the trend you’re saying in 2025 will get, and you think it will get to a more balanced state because of the past few years. I think so. I think so. And it’s probably worth talking just a bit about trends in cybersecurity overall because I think the job market echoes what’s going on in security. And I think there are probably a few things that I see. I’d love your thoughts, too. I mean, you’re also in this space, I think that again, back to that 2020 era, it was a land of very healthy and rising budgets. We live in this world where cybersecurity is an industry as a budget line item, and companies are growing at about 15 to 20% a year, both on the services and tech sides. That’s moderated over the past few years. I think that. And that’s partly driven by more normalized levels of ransomware and adversarial behavior. It’s been driven by the cyber insurance market starting to mature a bit, though there’s still a lot of crazy stuff happening in that space. It’s been driven by overall budgetary pressures and economic uncertainty over the past few years. As security grows as a company budget line item, it naturally gets more scrutinized. CISOs, in particular, are being called on to justify their spending. So they’re, they’re talking about business value, they’re talking about risk quantification, they’re talking about, you know, what, what are the must-haves, what are the nice to haves, they’re taking a stronger look at cost and making sure that they’re spending the money on the right tools and right places. They’re looking at what I do myself and what I outsource to an MSSP. And I think that all has had the effect of, on the vendor side, a lot of pressure on vendors to extend their Runway, to reduce their cash burn. On the vendor side of security, you’ve seen a lot of layoffs that happened maybe two years ago. There’s still a little bit out there, but it’s certainly, I think, going through the bulk of the cycle on the vendor side, particularly in go-to-market roles where there was a lot of churn and turnover. And then on the enterprise side, on the practitioner side of security, I think what you’ve seen is just folks kind of hunkering down and not as many layoffs that have hit security teams, but people saying, you know what, job market’s tough out there. I’m just going to stick this out for a couple of years. Maybe there’s not as much promotion in internal movement and things like that, but overall calming down has impacted the job market we’ve seen. And then, and then I think that going forward, it probably does put us in a healthier place. I mean, security should be viewed as an investment. It should be viewed as a means of mitigating and buying down risk. And it should be thought of in that type of an equation, unfortunately, because it is a cost center and because, ultimately, what drives the cybersecurity industry are companies that make other things and sell other things needing to adopt a cybersecurity posture that reaches the appropriate level of risk. There’s always going to be some degree of Cost scrutiny. One of the things that is hard to do in that environment is it becomes hard for the folks who build and run cybersecurity programs and companies to adopt a strategic posture on how they architect their talent pipeline. And you need to be of a certain size to say, hey, I’m going to have, you know, a couple of senior people, a couple of mid-level people, some junior people. This is what the career path looks like. Because of that, there are relatively few entry-level jobs in cybersecurity. And I don’t see that changing. When you talk to CISOs with a more strategic posture and the budget for a large security program, some have had phenomenal success building talent pipelines with relatively junior folks and giving them the experiences they need to learn on the job. But those are relatively few and far between. So, I think one of the other ways to think about cybersecurity is not as its market but as its own space where you can build a cybersecurity career. It is that. However, another way to think about it from a job market perspective is to say there is technology and information. Those assets are secured in the infrastructure adjacent to it. And you can think about a world, and this is actually on a de facto basis, how most people get their jobs in cybersecurity. Few start at a junior level, like a SOC analyst or a GRC analyst, and navigate their way up more. They start as experts or practitioners in something else in technology and then move over. And that’s been the traditional way that folks have gotten into security. And that’s a way of thinking about it that I advocate. Because I think there is this truth: you can’t secure what you don’t understand. And it makes sense to become an expert or go deep in a certain area and then put the security hat on and say, how do I harden that? What are the vulnerabilities? What are the risks? What could somebody exploit? And you can apply that to whatever. You can apply that to cloud architecture, software, networks, data, etc. And that’s another way that I think that folks when they’re thinking about an aspiration to be on the security side, can think about career paths in a way that doesn’t stop them at some low glass ceiling where they try and like like hack to get a SOC analyst job and can’t find one, you know?

Sam Grise:
You touched on so many good points I want to dive into, which will lead us to some of the following points. One is macroeconomics, which is the budget side of things. How will I drive revenue, reduce cost, reduce risk, optimize cash flow, and optimize my asset utilization? Those five drivers are something that we focus on internally when we’re speaking with clients and also how we’re portraying that to the market. But really, that’s what the business is looking at. And so when they’re looking at the cyber security side of the house, they’re trying to mitigate that risk. There will always be risk, but how do they mitigate it as much as possible? And so building that team. But also, money goes to it; there’s a cost associated with it. So how do you find that fine balance of where that gets into?

Another piece that you touched on that I loved is the backchanneling into security instead of the entry-level way, which makes sense. You know, perfect. I want to be in cybersecurity. Great. I’m going to look for cybersecurity jobs. But really, what are they protecting? Is the technology or the assets that they need to understand what they do and what the value is there because that’s helping drive the business forward? How do I mitigate risk with that? Which is a great way to get into the space. You bring value to the company. If I understand this technology, I know what’s going on. These are the vulnerabilities. Here’s how we can solve it. That helps you stand out in the job market. Like crazy, this is what I can do and how I can solve that problem and bring it back to the budget side. A question that I have for you is the timing.

I always hear this all the time. Well, the timing’s not right for the job market, or we’re coming into a spending freeze because of the holiday season and stuff like that. Another component of that is with the budgets of them saying, hey, we may want to outsource to an MSSP, or we want to do contract-to-hire or full-time hire. What is your perspective on that kind of heading into 2025? MSSPs will continue to grow but still need their internal security teams to augment and work with that MSSP. But what does that look like from your perspective as contract work versus full-time hire? With the macroeconomic craziness that we have going on, we just finished an election cycle. So where that’s going to bring an impact? But we’d love to hear your perspective on what that looks like moving forward.

Brad Rager:
Yeah, anybody forecasting confidently doesn’t know anything. There is more uncertainty in the world than we like to give credit. And concerning the point of folks trying to time the market, a healthier way to look at it is what’s in your control and what’s out of your control. And market timing is always out of your control. And market timing is also meaningful to your experience in the job market. But it isn’t everything, and it isn’t something you can control and probably not that you can forecast with much confidence. So rather than sweating timing, I think that. And we’ll get into, you know, advice on finding a job. But the TLDR on that is it’s all about networking. Networking is generally not something you want to flip on and off like you can. You can do that, but it’s much less effective if you always have it on at some level. And don’t sweat the market. That all being said, I’ll tell you my thoughts. But again, they’re not worth much. From a macro perspective, things are bullish now. There’s also a lot of uncertainty in the world, so that bullishness could flip. It is in a relatively fragile way. But we don’t know. Budgets will be better going into 25 than in 23 and 24. And when folks think about budgets on one level, they look at people process and technology altogether, and we’ll look at cybersecurity spending and say what we want to ramp up. What do we want to bring down? Security leaders are always looking for ways to automate work and ensure that their human talent can focus on the highest value things and fill in the gaps that technology can’t solve. So there’s always going to be that kind of trade-off. Generally, security leaders feel that the human capital is more scarce than the technology. When it’s like I need somebody that knows this tool that can do this job, again, it pushes many of those skills up to the higher order skills rather than the kind of entry-level and basic skills, which has its questions for how we shape cybersecurity talent. But let’s put that off to the side. That being said, budgetary dynamics can make alternative roles or entry besides a full-time job an interesting thing to pursue. So frequently in companies, you have lots of controls around hiring people, and bringing on an FTE often triggers different levels of approval and scrutiny than bringing on contractors. And I do think that over the past couple of years, you’ve seen a bit more use of contractors and a bit more fluid use of contractors and a bit more fluid use of MSSPs than then kind of FTEs, and that’s part of what’s caused that kind of freezing in the job market. That’s not going to change. And I advocate contracting to hire. Try before you buy, and make sure there’s a fit for both ways of philosophy. It’s suitable for candidates and companies to think that way because you never know 100% of the data you want in an interview process. I am long-term bullish on MSSPs and outsourcing. Companies don’t want to be in the cybersecurity game. That is not what they do; that is not what they make. It is a necessary evil, and the migration will happen to whatever is cheapest. Whatever’s at that frontier of what’s most affordable, most cost-efficient, and most straightforward to manage, and as security matures, if security can be done better on the outside looking in than on the inside, that’s a desirable proposition. And so for folks looking to build careers, building it on the services side, whether that’s a professional service and a project-based thing or a managed service and it’s continuous, I think those are great avenues for, for folks to explore and, and I think we will continue to see growth and interesting things happening in that, in that side of the market.

Sam Grise:
You led us to our next topic: tips and tricks to stand out and how you should enter the job market. And, you know, my favorite piece that you brought up, and as we were talking, getting ready for this, was the networking side of the house. That is important because we’ve all seen a job listing on LinkedIn. The description, you’re like, well, hang on, they need 15 years of experience. You’ve got 150 applicants. How do I stand out? LinkedIn does the thing where it’s like you have eight qualities they’re looking for. And so. Yeah, and so the networking side is so important to me. Who do you know? How are you building relationships? One of the biggest things about networking is bringing value into that relationship, even if it’s just grabbing a coffee or helping somebody else. Living that positive business outcome or impact daily for us in our business. How can you help people from a networking experience? I would love to pick your brain more about other tips and tricks. The networking side wants to get your opinion on it and some ideas there, but anything else that you have around, you know, how do you stand out? How do you make an impact? So people know I’m Sam Grise, and I’m the one you should hire.

Brad Rager:
Yeah, yeah, 100%. We’ll take that at a couple of different layers. So if you take it to the most basic thing, there’s a job to be done, and that job gets distilled in a job posting, and that posting gets put out into the world, and it describes a job to be done for a company. Then, a candidate has their equivalent, a resume, or a LinkedIn profile. And at its most basic level, the way it should work is you have this universe of potential applicants matching up against a job description. The reality is that it is super messed up and poorly functioning today, which matches that marketplace. And it’s because job descriptions are poorly written. Companies oftentimes don’t. They will cut and paste faster than they think through what they need. Then those job descriptions get sent to junior recruiters who don’t understand the job to be done, and they’re just going off matches between qualifications and requirements. That’s after it goes through an applicant tracking system, which will rank candidates based on keywords between those two things. And so there’s a lot on the Internet about how you can hack this matching that’s happening. How do you beat the AI? How do you beat the ATS? How do you, you know, and there’s all. You can fall into subreddits on this stuff. And, and that’s, that’s all fine. People find jobs that way. There is some clearing of the market that happens. You can think about how to optimize your resume. And you do want to have a good resume. You don’t want to have a, like, lousy one. You do want to make sure that you’re, you know, bringing your life accomplishments. Do you want to think that skills are now explicitly rendered through an ats, and how do you make sure they pop? But I always say, like, take that to the 8020 rule, you know, know where it’s good enough. But don’t waste your cycles on endless applications, endless gaming, and the refinement of your resume, which is particular to every job. Because it is the numbers in the numbers game that are not working in your favor. It’s that 150 applicants. It’s the fact that, you know, many of the jobs never actually get filled for one reason or another. So, that is not the. If people are thinking about where I put my energy, And we all have a discrete number of hours in the day, that is not where I advocate people put theirs. You’re most likely to find your job through your network, some human connection, and some human conversation. And part of that is a reaction to how badly that first thing we talked about is working today. So referrals matter a lot in the market we’re in today. And having somebody who can say, oh, hey, you should talk to so and so that bubbles you up to the top of the list. Suddenly, you’re not competing with the 150 people who drop their resumes on LinkedIn or the 500 people. You’re competing with one or two others who may have also been referred. Then, the question is, how do you get referred to a job opportunity? Well, one, you know, if, if you have a large network and people that know you and people that like you, naturally you’re going to get opportunities from that law of large numbers, and you’ll, and you’ll see things that way. The other way is to get yourself referred in and strategically network around certain companies and opportunities. So, the advice that I give to folks is to have a list of target companies. And that can seem a little bit unusual because outside looking in, you don’t, you don’t know that much about a company. Let’s say you want to be a SOC analyst. Like, does it matter what company it’s at? You know, a job is a job, but that is how you can run a process to find a job strategically because it gives you something to focus on and something discreet to build a network on. So, use the job boards to understand who’s hiring, and then use LinkedIn and your network to try and have conversations with folks who work there. Then, think about how you stand out not from the resume but from the human perspective. What’s the story that you’re telling? What’s the value you can bring to those people in those conversations? What’s the narrative you have around where you’ve been and where you want to go? And have that elevator pitch super tight. You should be able to say in 15 seconds what you’re all about and where you want to go. And you will find that people are open to help. But, having a warm introduction, having a human connection, having somebody say, yeah, this person seems pretty cool. They’re nice. They’re, you know, they’re smart, they’re, you know, they seem to be hardworking. That goes a long way. And I think those are the things that distinguish folks at the end of the day much more than, you know, fine-tuning the resume to the 50th degree or adding, you know, additional layers of certs. We will talk about good certifications, but certifications don’t equal jobs. The human stuff matters a lot more.

Sam Grise:
Yeah, great, great points there. One of the things that I always think about from a networking perspective is something that I did early in my career, trying to find a job and where I wanted to go next, even with people outside of my network. I asked for help, and it wasn’t; you helped get me into this company. It was, hey, Jimmy Smith, you have a job role that looks like something that I want to do. In the future, could you guide me on how you got to that role, what you studied, how you built that relationship, and so on? And nine times out of 10, people want to help. We’re human. We want to help people. And so if your network is small. Don’t be afraid to go on LinkedIn and find people with that role you’re looking for, message them, and ask them for help. They’re more than willing to help most of the time. And so that’s how I did it. And so your perspective on that’s the same: build those relationships, ask for help, be vulnerable, and say, hey, I’m looking for this kind of role. How did you get there? And so I had nodded. So we’re on the same page there. That’s. That’s, like, the digital realm. Like in the digital realm, talk to people who do what you want.

Talk to people who work for companies that you want to work for. Ask for advice, but think about how you could give back in those things. Be open, and don’t frame it as if I want a job from you because that’s like the equivalent of selling. But frame it as you know a lot about this space. I’d love to learn from you. And people like that and like to give back. That’s the strategy on the digital side. And then there’s the local in-person side, too. What’s the phrase? 90% of life is just showing up and attending meetups and meetings. There are many cybersecurity networking groups and meetups, both informal ones organized like meetups and ones that are more formal and part of chapters and organizations like Issa Cloud Security Alliance.

Go to those events and meet the people. There they are. These organizations are desperate for volunteers and help organizing events. Be that person who shows up, contributes, helps manage the events, lines up the speakers, and figures out who will cater for the happy hour. And you will meet people that are senior folks in your market, in your industry, and in places where you could go, yeah, it might be an in-person job, but you know what, 80% of the world is now, and they’re going to be the people that could be your employer. And if they see somebody hardworking and eager, that goes a tremendous way. So, it’s both LinkedIn and digital and remote and local conversations. Go to Denver Tech on Tap and meet folks there. Yeah, absolutely. Appreciate the plug there. That’s great. But yeah, that’s precisely why we started the happy hour connecting the community. And how I look at the IT community, not just cybersecurity in general, but we’re all working together in one facet or another. Whether we’re competing on selling a product or six months later, we’re continually being acquired and working together. That’s connecting the community and helping the network build those relationships. Relationships, which is fantastic. And now, onto the next point. I’m not a technical guy, so I’ve always heard about certifications, certifications, and certifications. And as a seller in the space, that was something that we always hung our hat on is we’ve got the best engineers with the certifications that can do X, Y, and Z. You know, it was like kind of the gold standard if you will. I would love to hear your perspective as somebody in the job market looking for, you know, a role. Either it’s a higher level or an entry-level. You know, you said it earlier: certs don’t equal jobs. I would love to hear your perspective on certifications and what they mean in the job market.

Brad Rager:
Nobody will hire you because you have a cert, but someone looking for a person with a particular set of skills may feel more confident that you can do the job if you have a cert. And so what I say to folks is that motivation matters here. If your motivation for getting assertive is to bolster your resume, that’s wrong. And it’s not going to work. If your motivation for getting assertive is born out of a genuine curiosity and desire to learn a space or deepen your skill set, it is the first learning, and the fact that you can put it on your resume second can drive impact. And. And there are, you know, certain certifications within specific disciplines that you can go to on our website and look at our quarterly reports. I publish a chart of the most in-demand certifications employers ask for in the cybersecurity segment. If you’re interested in going deep into cloud security, go to Cloud Security Alliance and get certified cloud security Products. If you’re interested in broad leadership and having a complete overview of cybersecurity and want to reach that kind of CISO and team leader, work towards your CISSP. That is the gold standard for a generalist security degree. There are some offensive security certs and ones that get very, very specialized. If you’re, if you’re in to offset, there are some great options, but do it because you’re in a space, you’re intrigued by it, and you want to learn things that you don’t already know. And goodness follows from that. It is not necessarily because it will, but because it will be inauthentic. Nobody looks for somebody who has 25 certifications. Somebody who has a lot of certifications. Maybe it’s because they love to learn, and that’s okay. And that says something about you. So that’s how I think about it. And, I don’t believe that when you look at where certs sit on job descriptions, they are usually in the preferred section rather than the required one. So don’t look at it as a barrier; look at it as an opportunity, and make sure it’s balanced in your time portfolio relative to other things.

Sam Grise:
It is essential to do it because you’re interested. As opposed to, hey, I need this certification because X, Y, and Z are a big difference. Value you’re going to be bringing to the organization as well. And it leads us to the next point, as you mentioned, on the job listing, which is the preferred section for some of those things. I’m on email lists. I see stuff about job listings all the time for opportunities, whether it’s LinkedIn or Indeed, and contract hires all over the place. But I would love to get your perspective on when those things are published. From my experience, once it was published on LinkedIn, I often felt behind the game. Like the networking side, I am creating opportunities for myself. I’m behind the game, but I’d like your perspective on a couple of different pieces because I’ve seen some outrageous job listings regarding salaries. It’s just super, super high. And I’m like, wait a second, you know, and not in the cyber security space, but in one, you know, $800,000 a year for a marketing director. And I’m like, that is not accurate. Like, yeah. But would love to get your perspective on, on that from a per, you know, those job listings that are going out, how to spot a good job listing if people are applying that way, you know, what are the goods and bads both from a, you know, a hiring perspective of how do I make my job listing stand out, but also from somebody that’s looking for a job of yes, that looks like a real job that they’re going to be hiring for. The description is accurate. I would love to get your perspective on those kinds of best practices.

Brad Rager:
Yeah. So maybe we’ll take it first from the employer side, and then we’ll look at it from the candidate side on the employer side. I have my kind of pet peeves, and you know, I can get on my soapbox around crappy job listings of which, which, you know, 80% of job postings probably in my mind fall, fall into that category. And you know, I think that the, the problem is that people kind of pencil whip this or they, they hand it to their HR team or they cut and paste from the last thing or they hop into chat GPT and they don’t spend the time to think through what are the outcomes I’m looking for, what is the work that needs to be done? What are the skills that are necessary to complete that work? Well, what can be taught, and what is innate? And then how do I reflect that on a job posting, and you end up getting kind of a mess of things where maybe there’s a lot of the work listed that doesn’t reflect the nature of the job? However, the biggest issue is long lists of required qualifications that aren’t necessarily great proxies for the needed skills. Part of that is because oftentimes, a lot of the needed skills are difficult to assess outside until you start talking to a candidate and getting to know them. You can write excellent communication skills. You can try to think of a proxy for how smart somebody is and how quick they are to learn. But you can’t cleanly codify that in a job description or resume. So, you get five years of experience working with this particular technology. You get entry-level jobs requiring a CISSP, which requires five years of working experience in cybersecurity to develop your CISSP. Like you get all these things that just don’t make sense. You get VP-level jobs, and that’s great. You see ones where the comp is high; I’ll often see ones where the comp is low. And you get analyst-level salaries on VP-level jobs. More than anything else, it speaks to a lack of thoughtfulness regarding what’s going on there. And so that’s it on the employer side. It is my encouragement to think through the outcomes you need. Think through what you need. Recognize that whatever you say is probably going to go through some literal interpretation layer when somebody is doing the screening for you, particularly if it’s an internal recruiter, and be mindful and thoughtful of that and treat your job description as a marketing tool in the sense that like you want to try and get somebody excited about, about it. So that would be the first thing I would say. And then on, on the candidate side, if you’re playing the game of, of applying and, and you know, paying attention to the market that way, the first thing I would say is to think about it first and foremost for intelligence rather than particular opportunities. So, look through the job descriptions. Look and see who’s hiring. Who has many job openings, seems to be active, and’s posting new ones and closing down old ones, implying that they’re filling jobs and hiring people. That is it. That’s a great proxy. Who’s writing good job descriptions? Who’s writing lousy job descriptions? That can inform the companies you want to work with and talk to, and then know that timing matters so that the most important one is the first day or two after a job is posted. And if the company is getting their candidates that way and a lot of them don’t, but if the company is, the people who drop their first applications will be in the best shape, particularly if there’s a lot of them. Because they’ll fill up, you know, some number of screening conversations, they’ll fill up interviews. You may not be in that batch when you’re two weeks late to the party, so pay attention. But again, I’d say it’s not probably going to be a winning game. I’m not saying it doesn’t work out for some people, but I just don’t think that’s the door that most people walk into their jobs through. And you know, as a recruiter, I will say oftentimes, you know, the best talent is not always the talent that is looking at a given moment. So there’s also that which happens, which is, you know, the tapping on the shoulder type of a thing. And that’s as true in this market as in other markets. However, I would also say that at the same time, there is great talent out there who are looking right now, and there is better talent than there was five years ago. For sure. For sure. I love that and the concept of using the listing as a job hunter more as a resource of who’s hiring. Are they closing down those job descriptions? Are they getting filled? Is it a solidly written job description based on the outcome you’re talking about? Because you’re learning more about the organization as a whole and somebody you work for. So, I am using it more as a resource, of course. The 8020 rule, as you mentioned. Of, you know, applying. But really, where should our time be spent? Probably to be the most effective to fill that role. But I’d never thought of using it more as a resource. What is the company’s trajectory? Are they closing down those job descriptions? Are they filling those roles? You know, what does that look like? So that’s a great insight there. And so we move on to our next topic, if you will, of resources, where people can go. And we’ve touched on a little bit of the networking groups that we’ve talked about, you know, the meetups, you know, being a part of the cloud security alliance, you know, those kinds of items. Denver Tech on Tap, as we’ve mentioned, but I would love to pick your brain as well as any other job boards or, you know, areas that people can be networking or thinking about. Additional resources for individuals who are looking for those jobs.

Brad Rager:
Yeah, it’s funny; I say all these semi-negative things about job boards, and I run one. So, at Crux, we have a job board for cybersecurity jobs. There’s at any given time about 2,000 job opportunities that are out there, and you can sort by the, you know, remote or on-site location domain of cybersecurity. It’s a great tool to see who’s hiring, find particular opportunities, check salary ranges and compensation, and look at what folks are asking for. It’s an excellent research tool and a good tool if you’re in the market and we curate them. We will eliminate a lot of the Ones that we feel are pretty junky. So yeah, there are so many resources and Discords for folks in the market looking to network. So discord, slack channels, local meetups, local resources, local communities. Think about where you want to specialize and what you’re interested in. In the market you’re in, there are some in-person opportunities, and, more broadly, there are sub-communities of practitioners, many of whom are just doing it because they like meeting people. They want to give back and provide advice. Go to those places and build relationships. It just starts with it, hey, how are you? You know, nice to meet you. You know, hop on a Zoom, chat, and who knows where things go from there? Who knows where things go?

Sam Grise:
You mentioned something I didn’t ask yet, but I have a question. And that’s remote work. We’re seeing companies return to the office or adopt a hybrid model. Is there any trend with cybersecurity for remote work versus in the office? They’re in the business of protecting data and so on. So, you can potentially get classified access, especially if you’re working towards the federal side of the business or the sled side of the company. Do you see any trends with that?

Brad Rager:
We track that closely, and the trends have uniformly been towards back in the office. As you’ve seen in my stacked bar charts, the pure remote has been shrinking, the hybrid’s been a bit stable, and the full-time in-office is growing. Part of that is a function where there are a lot of cybersecurity jobs, which is a function of a fair amount of cybersecurity budget. And you see, industries like financial services and healthcare spike on. Like they have large cybersecurity teams, and you have a lot of bosses in those areas that are like, we want butts and seats. And you know, I know a lot of people in, in the financial services world, and they’re sitting in offices, you know, even if they’re doing pen testing and they’re, you know, ostensibly trying to get into networks from the outside, they’re doing it from, from an office. That’s where the world is swung back to, and employers have generally had bargaining power over the past few years. It’s normalizing. But the other thing is you see it in compensation, too. Fully remote jobs pay less than hybrid and on-site jobs because more people want to do that work, and those can be competitive. So, these are just all things for folks to know.

Sam Grise:
I’m one of those psychopaths who loves being in the office. I’m remote today to have a good conversation without distraction. I love being in the office because you learn so much more sometimes. Yeah, hearing other conversations and so on. But yeah, great insight. So, I am wrapping it up here with my final thoughts. You know, I’ve got a ton here. You know, one is the networking side of it. Sell yourself. Build those relationships. Another significant aspect is that the circs aren’t necessarily going to get you a job. Those are components but have the value of why you will be doing that, not just doing it to do it.

Not all jobs are created equal. It depends when we look at some stats you will hear online or on the news. Those entry-level jobs that we’ve talked about. Being, you know, more saturated, if you will, the more experienced job being less saturated. Not all jobs are created equal. And network your way in. Network your way in. Build relationships and bring value to the business. One of my favorite things you said today that I enjoyed is, if you have a technology you love, how do you secure it? How do you get it to that security state? That’s a great pathway to break your teeth, if you will, into cyber security. So, we’d love to open it up to you for final thoughts.

Brad Rager:
Yeah, those are good ones. Get out there and be out in the world. And look, this industry skews more on the introverted side and can be challenging for folks. Sitting behind your computer and managing it entirely digitally can also be easy. And that is a difficult game to play out there. And, if you can put yourself in an uncomfortable position if it isn’t natural to do the networking, that’s not a bad thing because that will help you grow in ways that will benefit your career more broadly. You know, the more senior you get in any organization, the more whether you want to sell or not, everybody sells at some level. Learning how to market yourself to build relationships and trust is a good learning process. It’s not always an easy one, especially if that’s not your natural inclination, but that it’s. It’s a worthwhile thing to do, and it’s a necessary thing in this job market.

Sam Grise: 

Thanks for joining. I appreciate it. Feel free to connect with me on LinkedIn. Shoot me an email. I’d love to help. From a networking perspective, as you may be starting this journey—is there anything I can do to help? As I mentioned, our vision is to create a positive daily impact. So shoot me an email with the subject line cybersecurity, and I would love to connect with you. Grab a coffee and help out in any way we can. But a big thank you to Brad for joining us today and bringing insight into the space. But Brad, anything you would like to add?

Brad Rager:
Thanks for having me on, Sam.