There is a growing demand for workers in the cyber security industry – analysts have predicted 30,000 unfilled jobs in Australia by 2026, with a global projection of 3.5 million jobs unfulfilled by 2025.

But, if it’s that big of a deal, why is it so hard for me to get my foot in the door?

I left my radio production and journalism careers and joined programming school 42 Adelaide in mid-2021, shortly after writing about the organisation.

At the school I learned C by reprogramming many parts of the C library, and, at some point, I got bitten by the cyber security bug.

In my spare time I dabbled in Python and Javascript, read IT books, beefed up my cyber security knowledge through TryHackMe, Hacker101 and a couple of Capture The Flags, listened to tech podcasts, took several courses on Udemy, started some dedicated Twitter and Discord accounts to immerse myself in the latest conversations in the industry, and tried to network with my peers.

Over this period, I applied for multiple entry level tech jobs through LinkedIn, my school’s paid internship program, and other job portals while being supported by the last of my savings, my breadwinning partner, and my very kind parents, without whom none of this would be possible.

In that time, I heard a lot of promises from publications and peers alike: there are more tech jobs than ever, it’s good money, you can find work anywhere, cyber security is booming, qualifications aren’t necessary if you demonstrate your potential, you can easily pivot from your previous career – it’s even encouraged, those soft skills are highly sought after!

Or maybe not.

I never got my foot in the door.

So, now what?

At the end of 2022 I was feeling hopeless and lost in my failed attempt to find work, and the itching financial pressure had me applying for jobs outside of tech.

The whole thing didn’t make sense.

How was it this hard to break into an industry begging for a new generation of workers?

And, more puzzling, how was I supposed to apply as an entry level security analyst if a lot of those entry level positions required 1-5 years’ experience, with certs to boot?

It took some thinking, but I arrived at the all-too-simple answer: the industry is desperate for workers, but it sure as hell is not desperate enough to train them.

I was gloomy and needed advice, so, on New Year’s Eve, I went through the random connections that I’d accumulated on LinkedIn to try and find someone in the industry who could give me some advice.

I got in touch with Craig Ford, a cyber security professional of ten years, who not only writes for multiple publications but has also published his own sci-fi novel.

I vented my frustrations with him: If the skills shortage is so dire, why are employers not training people at the entry-level?

“I think it’s an experience shortage – the industry needs to stop with all the ridiculous qualifications and certifications requirements and, as you said, start to put time in to train people who have the interest and aptitude for the job,” he said.

“As a man with two masters: uni is not going to fix the issue, you need experience – qualifications are important and good to have but won’t guarantee you a role.

“Show you are trying to learn, show you are hungry and then tell people you are doing it. Someone will notice and you will get a shot.

“It won’t be easy or fast but I have seen it work over and over. It worked for me as well. I didn’t get my first cyber job from an ad or almost none of them since.”

It was validating to hear this coming from Craig, and it gave me that mental boost to want to give it another go in 2023.

Still, why does it have to come down to networking and luck – why am I rolling a pair of dice and waiting for it to come up with sixes before I can get employed?

How does a worker-starved industry opt for a perfect, ready-made employee instead of training their own in such a desperate worker crisis?

Peeling back the Silicon Onion

I had a call with one of my friends, Tess O’Brien, a masters student in biology at the UNSW, a statistician and podcaster about statistics, who has a finger on the pulse of hiring stats.

She explained to me that while the problem isn’t unique to tech, it’s incredibly common in the industry.

“The tech sector has a lot of short-term, “casualised”, precarious workers which are financially advantageous to a company, but that loss of long-term employment means there’s less incentive for employees to be loyal, and when they don’t stick around, training them becomes wasted money,” she said.

“Investment and training looks like an expense to anyone in charge of business – why are you training these people who leave, when you can just hire someone who is modularised for the job?

“It is putting the pressure on other educational systems to fill the gap, and as remote work gets more possible, and more education systems can get entry level underpaid programmers, those jobs disappear from places like Australia.

“You have inadvertently stumbled upon something much bigger, and it has layers, like some kind of Silicon Onion.”

Sure, a rational business keeps a close eye on the bottom line, but if the tech industry tries to correct the worker shortfall with as little investment as possible, the gap may only widen.

It’s irrational to challenge the profit-at-all-costs mentality and to take a risk in training up cyber security professionals, but that might be a necessary cost when it comes to getting enough workers to shore up Australia’s cyber immune system.

In the meantime, I’ll keep rolling the dice, and wait for the sixes to come up.