CrankySec

When You Wish Upon a Star

I wasn't going to write about this at all. My plan was to sit down to bitch about the scam we call "bounty hunting", but, as usual, I got sidetracked.

My day job sometimes involves looking at job descriptions for cybersecurity positions, and friends... it's getting even worse. Just this week I was presented with a job description that a) was 3 pages long, and b) had 46 bullet points. These people want someone to do incident response, cybersecurity architecture, risk assessments, compliance, threat intel, policies and procedures, mentoring, auditing, application security, SDLC security, vulnerability management, cloud security, API security, IAM, security operations, and, of course, AI security. Add to that the usual ridiculous education, certification, and experience requirements.

Job descriptions like that are the norm, mind you. But, as you can imagine, filling positions like this one is getting harder. Not that hard, though. Not yet. The pipeline is still somewhat full, but that's about to change. Remember when the Anthropic guy went on the record to say his products would—and I quote—"wipe out half of all entry-level white-collar jobs."? Pepperidge Farm remembers.

People training to enter the workforce take those things into consideration when they pick their areas of study. And the smart ones know that spending hundreds of thousands of dollars for the privilege of applying for a fucked up job like this one is not the way to go. And that's without factoring in the time and money needed to keep those racketeers "professional associations" in business. Take all that into consideration, and you'll find yourself in a situation where young people would rather try their luck at becoming an influencer than enter this line of work. I guess you can go ask Claude to do all the things this job requires, eh?

Is Claude even a CISSP? No? Wait. Are you telling me that it is possible to perform cybersecurity without being one? Checkmate, liberals!

We all know that LinkedIn people used to bitch and moan about some "talent shortage" that was completely imaginary, and I am pleased to inform them that they might actually be right about that. Like, in the way a broken clock is right twice a day. There will be a talent shortage, all right. Because very few peeps will be dumb passionate enough about cybersecurity to subject themselves to the financial, mental, physical, societal, cultural, spatial, maritime, temporal, digital, and analog stresses of becoming qualified for this profession.

All these years of "Number One LinkedIn Thought Leader CISO" whining about the lack of people willing to subject themselves to exploitation are finally paying off. The problem right now is that they will be absolutely right about the shortage. Give it some 4-5 years, and I would bet (RemindMe! 4 years) the pipeline will be bone-dry.

So, congratulations on predicting a talent shortage? For the rest of us stuck with this because we put all our eggs in this one stupid basket and don't really have any other marketable skills, get used to your new coworker/intern/manager/CISO Grok, who'll fire your ass for not being nazi enough. And get used to doing five jobs for half the pay. What? No. Five additional jobs. On top of the five you're already doing. The prosperous future we all dreamed about.

I'll write about that other stuff next week, ok? In the meantime, join our Discord, will ya?