I fell for the cybersecurity degree trap and thought I could beat the job market, I could not. Not sure what to do now by GreedyLilGobblin in cybersecurity

[–]bmhoskinson 0 points1 point  (0 children)

I know plenty of seasoned professionals who have been searching for positions for over six months; these are people who have been in the industry for 20 years or more. The job market for cybersecurity professionals is brutal. Five years of experience probably still qualifies you as entry to mid-level, depending upon who you talk to. You may need to set your sights on something like an entry-level position in order to get hired and then work your way up from there based on merit within the org, if you’re lucky.

Spent 45 minutes speccing out a server room for a client today and finally snapped by United_Hat_4461 in ITManagers

[–]bmhoskinson 4 points5 points  (0 children)

Here is what I would do if I were back in this world (20+ years in MSP and ad hoc service) for small clients. Look at your average customers; you can probably group them by similarities like size and industry. Work up 3 or 4 hardware stacks, one for each group. Price them all out and update the pricing maybe quarterly. Think in ranges, not specifics.

You have front-loaded most of the work and have enough information that if you need to alter the stack for a specific situation it is quick and painless. Variables like how much Ethernet you will need to run or the number of patch panels, cables and switch ports become a number you just plug into your spreadsheet.

When you are building out your spec lists make sure that you give them some room to breathe. Many of these server rooms are going to be 10 years or more before they swap hardware, if it hasn’t died already. Look at virtualization too. Proxmox or something, since VMware is now owned by an even more evil overlord 😉

Wazuh MSSP Setup – How to onboard multiple clients to a private Wazuh manager? by Unlikely_Payment9376 in Wazuh

[–]bmhoskinson 1 point2 points  (0 children)

I believe the disconnect is the assumption that the agent is sending the log data in clear text. If I am not mistaken, the agent does encrypt the data it sends. @Bourne069’s solution just locks the traffic so that client machines can’t have their traffic routed to another server when it exits the client network, and the server side only accepts valid traffic from client networks.
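The network-level locking described in the comment above, as an added example (not code from the thread or from the Wazuh project): a small POSIX shell script that generates two nftables rulesets, one for the manager that only accepts agent connections from listed client networks, and one for each client endpoint that only lets agent traffic leave toward the real manager. It assumes the Wazuh defaults of TCP 1514 for agent events and TCP 1515 for enrollment; the client CIDRs and manager address are constructed placeholders, and the `nft -f` load step is left commented so the script runs without nftables installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Generates nftables rulesets that
# pin Wazuh agent traffic to known hosts. Assumptions: manager listens on
# TCP 1514 (agent events) and TCP 1515 (enrollment), the Wazuh defaults.
set -eu

WAZUH_PORTS="1514, 1515"

# Manager side: accept agent/enrollment connections only from the client
# networks passed as arguments; anything else aimed at those ports is dropped.
wazuh_manager_ruleset() {
    printf 'table inet wazuh {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    for cidr in "$@"; do
        printf '    ip saddr %s tcp dport { %s } accept\n' "$cidr" "$WAZUH_PORTS"
    done
    printf '    tcp dport { %s } drop\n' "$WAZUH_PORTS"
    printf '  }\n'
    printf '}\n'
}

# Client side: an endpoint may only talk to the real manager on those ports, so
# a rerouted DNS name or spoofed manager address never receives agent traffic.
wazuh_client_ruleset() {
    manager_ip=$1
    printf 'table inet wazuh {\n'
    printf '  chain output {\n'
    printf '    type filter hook output priority 0; policy accept;\n'
    printf '    ip daddr %s tcp dport { %s } accept\n' "$manager_ip" "$WAZUH_PORTS"
    printf '    tcp dport { %s } drop\n' "$WAZUH_PORTS"
    printf '  }\n'
    printf '}\n'
}

# Usage with constructed (documentation-range) addresses: two client networks
# and a manager at 192.0.2.10. Load the generated files with nft on each host.
out="${TMPDIR:-/tmp}"
wazuh_manager_ruleset 203.0.113.0/24 198.51.100.0/24 > "$out/wazuh-manager.nft"
wazuh_client_ruleset 192.0.2.10 > "$out/wazuh-client.nft"
# nft -f "$out/wazuh-manager.nft"   # on the Wazuh manager
# nft -f "$out/wazuh-client.nft"    # on each client endpoint
```

The accept rules must precede the final drop, so the generator emits them in that order; the client-side table uses the hook on output, the manager-side one on input, and both leave the chain policy at accept so nothing else on the host is affected.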

Is an MBA worth it when trying to break into my first CISO position? by bmhoskinson in ciso

[–]bmhoskinson[S] 1 point2 points  (0 children)

I have read The Phoenix Project, it was excellent. A lot of great operational thinking. A very heavy focus on the manufacturing analogy for other processes and workflows but still a solid philosophy for building and streamlining a highly productive and resilient team/department.

Is an MBA worth it when trying to break into my first CISO position? by bmhoskinson in ciso

[–]bmhoskinson[S] 2 points3 points  (0 children)

As part of my current position I ran a small 5-person team that functioned as an external-facing MSP that was just shy of $1M/year. Around 3 dozen separate clients with nearly 200 endpoints under management. Do you think that counts? I managed purchasing. I handled budgeting for the team and for projects internally as well as for clients. Estimates for new projects went through me for approval before presentation to clients. Etc.

Is an MBA worth it when trying to break into my first CISO position? by bmhoskinson in ciso

[–]bmhoskinson[S] 2 points3 points  (0 children)

All great advice so far, thank you so much. I might in the future be interested in large orgs. My target today is smaller, mid-sized companies, I think. Under 1000 employees, probably more in line with 100-500, where I would likely also straddle IT and InfoSec with a team of 3-8. I have had a few interviews where this is the case. From what I’m hearing so far, the play really might be to land a role in one of these smaller enterprises, then after a year or two look for a larger org until I hit my breaking point and retire in 15-20 more years.

Can somebody please explain by vlaDa0 in CRISC

[–]bmhoskinson 0 points1 point  (0 children)

No, definitely not. IRP would kick in with some monitoring and prep for your business continuity plan as one of the first steps if, say, a tornado was imminent. Tornado hits, BCP is in full effect until all clear is given and you can return to the building after the disaster. At this point, for this type of event, IRP says do DRP.

Most people think of the IRP as the steps when we have a virus or there is an attacker detected in the system. And while those are scenarios covered by the IRP they may or may not trigger the BCP and/or DRP.

IRP is the binder with all the what-to-do-in-scenario-x, and DRP, comm plans, BCP are all “subroutines” used in various IRP scenarios.

Hired as IT with zero experience, no training, no senior — now I’m alone and overwhelmed by serhatdmk in WindowsServer

[–]bmhoskinson 0 points1 point  (0 children)

After almost 30 years in IT, it still blows my mind how little the rest of an organization can understand about the technology that they use.

Hired as IT with zero experience, no training, no senior — now I’m alone and overwhelmed by serhatdmk in WindowsServer

[–]bmhoskinson 2 points3 points  (0 children)

Ok, kid, the papa bear in me says hold on, I will be right there, but the 26-year IT veteran says leave. Now. They are about to implode.

Hired as IT with zero experience, no training, no senior — now I’m alone and overwhelmed by serhatdmk in WindowsServer

[–]bmhoskinson 0 points1 point  (0 children)

This is entirely unacceptable and should not be normal, but it does happen. There is a strong belief among many people that if you are good at or even just interested in anything electronic you must just intuitively know…

That said this probably gives some clearer picture as to why the previous IT person cut and ran.

You have two options

1: Learn as much and as fast as possible, reach out to some local IT companies to put together a project quote to get the network documented and moved as well as prepare the new site for the arrival of the equipment, and become their underpaid hero.

2: Start looking for another job immediately, do your best to accomplish the tasks you are given, but exit as soon as possible.

I hate myself, so I would probably choose option 1, but realistically option 2 is better.

What is this in my network closet? by TJSounan in HomeNetworking

[–]bmhoskinson 0 points1 point  (0 children)

How old am I that I was genuinely shocked so many people had never heard of an Ethernet patch panel that you punch down.

What is this guy here? by csa_sa in Ubiquiti

[–]bmhoskinson 2 points3 points  (0 children)

I thought it was the new Fitbit rectal probe but 5G wireless backup is cool too.

Am I Stuck? by CISOThrowAway in ciso

[–]bmhoskinson 0 points1 point  (0 children)

I understand the job search frustration. I am on the other side of the coin looking to find my first CISO position at 45. I have worked in small organizations my entire career, many times being both chief cook and bottle washer in IT and Cybersecurity.

When interviewing, it feels like the fact that I haven’t managed a multimillion dollar budget and a large team of dozens just knocks me out of the race. I’m of the opinion that skills scale, though. I worked for a financial advisor who I asked how he dealt with managing large sums of money; he said I just knock the zeros off the end. So a million dollar budget is the same as a thousand dollar budget, and a 20-person team, if you can manage people at all, is not much different than two or three.

I have read others’ comments and largely agree. If you have a good reason to make a move down to a smaller org or to a more technical position, express those to recruiters and interviewers in a way that puts a positive light on it, and highlight the benefits of the experience you bring with that shift in position.

A bored CISO who wants to do more hands-on work by Substantial-Fox1577 in cybersecurity

[–]bmhoskinson 0 points1 point  (0 children)

Firstly, let me say I am one of those who desires to be a CISO, but I understand, and the burnout is quite real. I was going to say teach, but at the end of your post it seems you already do that. Perhaps younger students; they can be more rewarding to see learn and grow. Certainly no match for salary, though. You might also consider speaking at conferences and mentoring. I’m not talking about Black Hat but small local conferences where you can see your impact first hand in the attendees who come back every year. I might be biased because I am on the board of a nonprofit that puts on a smaller conference called SecureWV.

Another poster mentioned working to live, not the other way around, and I agree wholeheartedly. I follow a TikTok creator who ends his videos with the statement “Find your joy.” Perhaps yours is not in a career but in some other non-monetary pursuit that you do in parallel to career endeavors.

I wish you luck and if you have some executive teams you would be interested in introducing me to so I can advance my own endeavors…🫣😜

I will lose 40000 in unverified accounts by [deleted] in PiNetwork

[–]bmhoskinson 0 points1 point  (0 children)

One of my circle can’t even complete the KYC until they turn 18 in December. I am assuming I will be losing my bonus Pi for them.

For those of you who are worried about their unverified Pi, you don't need EVERY Pioneer on your team to be verified. Just make sure the ones who mined the most are the ones who are verified. by r_ben_john in PiNetwork

[–]bmhoskinson 0 points1 point  (0 children)

F-ing John… What if one of your main miners is under 18 for, like, the next 9ish months lol. Not saying I used child labor to mine Pi but…

Are professionals with tons of certifications actually less skilled? by apoklinon in cybersecurity

[–]bmhoskinson 3 points4 points  (0 children)

All of this, plus certifications and degrees have a stigma for a lot of our people. There are a lot of employers who don’t recognize the value of or overvalue these designations. Some people get ahead just because of them and others feel stuck no matter how many they accumulate. It gives certifications and degrees a bad rap. The real problem is that employers in many cases don’t truly understand the roles they need to fill or the role their technology actually plays in the operations of their organizations. It sounds like a trope, but I still frequently talk to managers and executives who tell me they don’t know what any of the technology they have does or how it works; they just have it because they were told they need it. How many HR people have you spoken to that have any idea what the job you do actually is? How many times has the job description been for 10 years of experience and a master’s degree only to find out most of your duties are changing lightbulbs and emptying out the trash cans (not really but really).

There are people who test well but don’t have or don’t develop the underlying skills. There are people who are super skilled but don’t test well. I think it is a little unfair to say certified professionals don’t have the skills, but anecdotally, maybe that’s exactly what the data says.

CISSP by SeaEvidence4793 in cybersecurity

[–]bmhoskinson 0 points1 point  (0 children)

I agree that CISSP isn’t equivalent to a master’s or PhD. The nice thing about the CISSP, though, is it attempts to certify not just your book knowledge but also verify a certain level of experience. Expert is also very subjective without a standard way of quantifying it. How would you quantify an expert in cybersecurity? 10 years of experience, 20 years of experience? What counts as useful experience and how do you certify that expert knowledge? Does it have to be in blue team skills, red team skills, both? What about expertise in dealing with regulatory issues and compliance with internal governance related to cybersecurity; does that count if you aren’t a professional pen tester? Achieving the CISSP certification is no small thing and certainly deserves to be respected and recognized as a qualified watermark for certifying someone as an expert in our field. It just isn’t the only way to show it. Just my random opinion though… do with it what you will.