Main image of article College Grads Looking for a Cybersecurity Career Face a Shifting Job Market

Summary

For years, cybersecurity hiring remained robust. Data showed that the industry’s most significant problem stemmed from a “talent gap,” with more open positions advertised than could be filled by the available candidate pool. Increasing budgets for security personnel also reflected growing concerns over ransomware and other large-scale threats organizations face.

Tech professionals interested in jump-starting a cybersecurity career could find entry-level positions, such as a security operations center (SOC) analyst, to help them learn security basics (as long as they could avoid burnout from chasing a never-ending series of alerts).

But the Class of 2025 (i.e., those students graduating from colleges and universities this month) now faces with fresh challenges in landing a cybersecurity job, given the career landscape shifts over the past few years. Across the U.S. tech sector, including cybersecurity, budgets have been slashed over the last several years, and layoffs are more prevalent as organizations continue to refocus resources in a post-pandemic market.

A recent SANS and GIAC survey of 3,400 cybersecurity professionals and decision makers shows how organizations are moving away from hiring scores of security professionals and focusing more on skilled workers. The researchers found that 52 percent of respondents identified “not having the right staff” as their primary challenge, compared to 48 percent citing “not having enough staff.”

“While the cybersecurity workforce shortage is real, organizations emphasize that the challenge lies more in finding the right skills than simply hiring for open jobs as quickly as possible,” according to the study. “Data shows that cybersecurity managers and HR professionals increasingly focus on developing comprehensive skills rather than just expanding headcount.”

To further that point: A 2024 study by ISACA reported that 57 percent of organizations surveyed were understaffed and hiring has slowed slightly from years past.

Adding to a reduction in cybersecurity positions are the recent moves by the Trump administration, which is reportedly preparing to cut security positions at the U.S. Cybersecurity and Infrastructure Security Agency and other federal agencies.

Finally, there is the role that artificial intelligence is playing in the cybersecurity industry. Many organizations are attempting to use generative AI platforms and other tools to automate parts of the cyber organization that require significant manpower and investment. In turn, lower-level jobs are at risk of being eliminated.

“Machine learning and automation have already had serious impacts regarding cybersecurity roles; they effectively take the place of entry-level resources who perform repetitive tasks,” Chris Gray, field CTO at security firm Deepwatch, recently told Dice. “Artificial intelligence capabilities continue to grow past these points, causing concerns in many areas that were, historically, for early-career resources. Like all times of significant upheaval—and this is exactly that—newcomers to the workforce need to fine-tune their capabilities to enhance the technological advances, not compete against them.”

For this year’s college graduates, finding a cybersecurity job and starting a security professional career requires more than a degree. Developing key skills and experience is crucial, and understanding how AI and other technologies are changing the industry is a must.

Cybersecurity experts and insiders note that while AI is bringing significant changes to the industry, the technology still needs human help and intervention, and those graduates who understand that part can thrive even as entry-level jobs become scarcer. Beyond AI, other areas of the security field offer career opportunities for those willing to look.

While AI has been the main buzzword in tech and cybersecurity over the last two years, the technology remains in its infancy as a commercial solution, and organizations are attempting to come to grips with how it can be used.

Still, recent graduates need to understand that more and more aspects of cybersecurity are ripe for automation, which means that jobs are shifting toward roles that require creative problem-solving, such as cybersecurity analysts, ethical hackers and cloud security engineers, said J Stephen Kowski, field CTO at SlashNext.

“College grads can stand out by learning how to spot and stop advanced threats, especially things like phishing and social engineering, and by getting hands-on practice through online labs, capture-the-flag events, and open-source projects,” Kowski told Dice. “The best way to get noticed is to show you can think like an attacker and use real tools to protect people and data, not just follow checklists. Tools that use AI and automation let new hires focus on the tricky stuff, so being comfortable with those technologies is a big plus.”

Deepwatch’s Gray noted that AI still needs human intervention. Cyber pros who can thrive in this world are those who understand how to integrate these tools into security operations.

“Humans will be needed to understand and continue to drive the adoption of AI-centered platforms and capabilities,” Gray added. “Designing, developing and integrating these systems into our legacy platforms will require significant effort. The latter piece will likely take longer to perform than the first two. Organizations will certainly jump to acquire these technologies, but, as we have seen time and again, adoption is always the lagging productivity factor.”

With automation and AI streamlining some of the more repetitive security tasks, the notion of the entry-level cybersecurity job is evolving. 

These opportunities are shifting toward roles that require analytical thinking, a working knowledge of threat actors and the ability to operationalize modern tools, including Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), Security Orchestration, Automation and Response (SOAR) and cloud-native security stacks, said Heath Renfrow, CISO and co-founder at Fenix24.

What are these jobs and career opportunities, then? Renfrow sees four areas that recent graduates can focus on:

  • Threat hunting and detection engineering: While AI tools can flag anomalies, humans are still needed to interpret intent.
  • Incident response and digital forensics: In areas such as ransomware recovery, understanding business impact is as critical as technical response.
  • Cloud and identity security: As enterprises mature, there's a rising need for professionals who can secure infrastructure-as-code, container workloads and federated identity systems.
  • Governance, Risk Compliance (GRC) and compliance automation: With frameworks like the Digital Operational Resilience Act (DORA), the NIST Cybersecurity Framework 2.0, and CISA’s expanded mandates, regulatory fluency becomes essential.

For this year’s graduating class, Renfrow pointed to five areas that these aspiring tech and cyber professionals can focus on:

  • Specialize early: Learn one key area deeply, such as cloud security, Microsoft Active Directory abuse paths, or threat intelligence.
  • Certifications matter: A solid entry-level cert (CompTIA Security+, AWS CCP, or Microsoft SC-900, for example) helps show commitment.
  • Follow real-world breaches: Analyze post-incident reports from knowledgeable sources such as CrowdStrike, CISA or Mandiant to understand tactics and tools.
  • Learn by doing: Get hands-on with platforms like TryHackMe, Hack The Box, or build a home lab with open-source SIEM, firewalls and Active Directory.
  • Internships still rule: Even unpaid roles in IT or managed service providers (MSPs) settings provide the kind of exposure recruiters value more than theory.

“Many organizations now offer virtual SOC analyst internships or red versus blue team simulations, ideal for grads trying to break in without a referral network,” Renfrow told Dice.

While technical skills remain the headliner when it comes to giving graduates advice, experts note that soft skills continue to matter as cybersecurity incidents affect more of the business and require attention from non-technical leaders within an organization.

“Mastery of operating systems and networking serves as the north star for anyone aspiring to excel in this industry, as it forms the foundation for understanding and mitigating security threats and understanding how threat actors think,” Jason Soroko, senior fellow at Sectigo, told Dice. “Strong communication skills are just as vital as technical skills for people who aspire to rise to the top. Being able to explain complex technical issues to non-technical stakeholders is invaluable. Problem-solving and critical thinking skills are crucial for identifying and addressing security challenges effectively.”

Even as AI and virtual chatbots give the appearance of human interaction, experts noted that human decision-making and the blending of hard and soft skills are still most important.

“Ethical considerations, business critical decisions that weigh in multiple complex and interwoven factors, and relationship management will all continue to require a person on the other end of the phone,” Gray added. “Machines execute what they are told to do.  For now, humans still need to define the ‘what.’"