
Is Cybersecurity a Good Career? An Honest Answer After 20 Years in the Field


May 2026


Cybersecurity is a good career. It is also a career where the labour market is broken in two opposite directions at the same time, and the conventional careers advice has not caught up.

According to CyberSeek's March 2026 data, US cybersecurity employers can fill only 74% of their open roles. The most recent breakdown by experience level, from Lightcast's Q3 2024 quarterly report prepared for the White House (the latest in the series), shows the gap is structurally split: a 10% worker surplus at entry-level alongside a 24% shortfall at mid-career.

Too many candidates for the easy roles. Not enough for the hard ones.

AI is making this gap worse rather than better. The bootcamp-driven entry-level pipeline produces candidates for the part of the market that is already saturated, while the contextual judgement-heavy work that mid-career and senior roles require remains structurally scarce. Only 7% of existing cybersecurity workers were hired directly out of education (Lightcast Q3 2024); the other 93% came through adjacent fields first, and that pattern matters more, not less, in 2026.

This piece is for the person considering entry, the early-career analyst wondering whether the choice still pays off, and the mid-career specialist asking whether the work will still matter in five years.

What the Cybersecurity Career Narrative Gets Wrong

Across the labour market data, four claims of conventional cybersecurity career advice no longer hold up at the decision point.

The first wrong claim is "always in demand." Some cybersecurity work is in demand, and the experienced end of the market is genuinely under-supplied. The entry-level end is not. The Lightcast 10% surplus at entry-level is not a temporary blip; the bootcamp-driven entry-level pipeline produces graduates faster than entry-level roles can absorb them.

The second wrong claim is "easy six figures." Some senior cybersecurity work pays well. Entry-level work pays at the level of any other technical role, and the path from one to the other is multi-year, not multi-month.

The work also burns people out at a rate the salary tables do not capture. Per the 2025 ISC2 Cybersecurity Workforce Study, 48% of cybersecurity professionals report feeling exhausted from trying to stay current on threats and emerging technologies. Burnout is not a personal failure; it is a structural feature of the work.

The third wrong claim is the hacker-in-hoodie image. Most cybersecurity work is governance, risk and compliance (GRC), incident response, security engineering, business roles at security companies, and many other variations. The vast majority is not red-team exploitation.

The image is wrong, and the wrong image attracts the wrong people.

The fourth wrong claim is "passion is enough." Passion gets you started. It does not get you through the doubt-and-difficulty pattern that the work produces, and it does not substitute for the discipline of methodical work under pressure. The career rewards formation through difficulty, not enthusiasm alone.

What a Cybersecurity Career Looks Like in 2026

The work is variety, not uniformity. The customers I have worked with across twenty years on the vendor side (working at companies that sell security products to other organisations) come from threat intelligence, security operations, risk, governance, vulnerability management, application security, identity and access, and detection engineering.

Each of those is a distinct discipline with its own daily rhythm, tools, and career trajectory. The same word, "cybersecurity," covers very different jobs.

Some of the work is on-call. Not all of it. The SOC analyst role (the entry-level role most career changers aim for, focused on monitoring security alerts and triaging incidents) carries shift work, alert fatigue, and the structural risk of burnout that the 48% exhaustion figure reflects.

GRC and security engineering roles tend to be less reactive, more project-based. Vendor-side and consulting roles involve customer time, travel, and stakeholder communication that some people thrive on and others find draining.

A significant amount of the work is solitary analytical work. Reading logs. Writing detection rules. Mapping attack paths through unfamiliar environments. Documentation. The conventional extrovert-in-a-hoodie image misses how much of the actual work suits people who like to think alone and concentrate for long periods.

The full breadth of cybersecurity roles, technical and non-technical, with role-by-role detail, is in the cybersecurity career paths article. The point for a decision-stage reader is simpler: the field is not one job. If one specific picture of cybersecurity work does not appeal, that does not necessarily mean the field as a whole does not.

How AI Is Recalibrating the Cybersecurity Career Question

The AI capability data of the past twelve months shows the same pattern: AI is the accelerant of the existing labour-market split, and the recalibration is ongoing. Each new generation of model capability extends the compression further, which means the picture in this section will look different in twelve months, and different again in twenty-four.

The specifics keep moving. The structural pattern does not.

Two recent data points illustrate where the capability sits today. In April 2026, Mozilla shipped Firefox 150 with fixes for 271 vulnerabilities found by Anthropic's Project Mythos, an AI model evaluated through the restricted Project Glasswing programme. In the same month, Palo Alto Networks reported that Mythos accomplished the equivalent of a year of pentesting work in less than three weeks (per SecurityWeek's coverage of Palo Alto's preliminary testing data).

Both are point-in-time observations. Both indicate that AI is now capable of finding and reasoning about vulnerabilities at a scale individual security researchers cannot match.

What does this mean for cybersecurity careers? AI capability compresses entry-level cybersecurity work: the routine alert triage, the first-pass log review, the standard vulnerability scan interpretation, the work that historically built foundational judgement. What AI does not replace is the contextual judgement built through years of exposure to attacks, environments, and stakeholder pressure.

Per the 2025 ISC2 Workforce Study, 59% of organisations report critical or significant skills gaps, up from 44% in 2024. The shortage is in the contextual end of the work. The entry-level surplus widens as AI compresses the easy work; the mid-career scarcity sharpens as the demand for contextual specialism grows.

CyberDesserts has tracked this evolution across multiple angles. The argument that AI amplifies expertise rather than replacing it sits at the core of our AI security analysis.

The OpenClaw malicious skills disclosure demonstrates that AI agent security is creating new specialist work rather than eliminating cybersecurity as a field. The Scattered Spider operations show that human-layer attacks remain the dominant breach vector, and human-layer defence is exactly the kind of contextual work AI does not touch.

The hiring market is already shifting. Lightcast Q3 2024 reports that the share of cybersecurity job postings requesting AI skills rose from 6.3% to 9.6% over the past year. AI fluency is becoming a core hiring requirement, observable in posting data right now, not a future-tense aspiration.

From the vendor side, I am seeing this shift faster than posting data shows.

The implication for careers is structural and ongoing. Tomorrow's models will compress more entry-level work; the same models will create new specialist work.

The candidate posture this calls for is AI fluency, not AI fear. Treat AI as a sparring partner, not an answer machine: build skills in using AI for security work, evaluate AI-generated code, write detection rules with AI assistance, understand AI-specific threats. AI security as a discipline is expanding precisely because AI capability is also the next attack surface.

The field grows alongside the threat. The 2025 ISC2 study found 70% of cybersecurity professionals are pursuing AI qualifications, evidence that the working-professional consensus is already aligned with this posture. Many specifics about the next two to three years remain genuinely unknown.

Two dispositions hold up regardless of how the trajectory evolves: a learning mindset, and critical thinking applied to whatever the next model can do. The specifics keep changing. The dispositions do not.

Already in a Cybersecurity Career? Guidance for Where You Are

If you are pre-entry, the rest of this section is targeted at people already in the field. Skip ahead to the next section if that is more useful. If you are in the field, the next two sub-sections are written for two distinct stages of the career.

Early-Career (12-36 Months Into a Cybersecurity Career)

You are likely in a SOC analyst role or similar entry-level position, watching AI tools encroach on the routine work that used to fill your day, and wondering whether you made the right call. The honest answer is that you are in the segment of the market most affected by the structural pressure described above, and the way out is not more of the same.

Your edge is the depth and judgement you build on top of the entry-level foundation. Deepen contextual judgement. Build AI fluency as a portfolio differentiator: use AI tools in security work, document the workflow, evaluate AI-generated code, demonstrate that you can do AI-augmented security work.

Work toward the in-demand skills (AI security, cloud security, GRC, application security, security engineering). Build adjacent foundations in the technical-IT-and-related space that 93% of cybersecurity workers entered through.

The next analysis worth reading is whether AI is going to replace SOC analysts, which addresses the worry directly. After that, the industry-side perspective on what SOC hiring managers actually look for is worth reading; the top criteria reported are largely nontechnical: learning mindset, critical thinking, communication.

The 2024 ISC2 hiring manager survey found 51% agreement that nontechnical skills will be more important in an AI-driven world. The longer-term direction is in the cybersecurity career playbook.

Mid-Career (5-15 Years Into a Cybersecurity Career)

You are likely watching the AI news cycle and asking whether your specialism will still matter in five years. The structural data says yes, more so than at entry-level. Mid-career scarcity is exactly where Lightcast reports the 24% shortfall, and it is the segment AI is least equipped to compress.

Your edge is years of context, pattern recognition across incidents, stakeholder relationships, judgement built through repeat exposure to ambiguity. AI tools are how that context scales: pair existing depth with AI fluency and the result is a defender capable of working at speeds and across surfaces a generalist cannot match.

Build AI security asymmetry into your specialism set. The compounding judgement you have already built is the moat. AI augmentation extends it rather than replacing it.

Who Struggles in a Cybersecurity Career

Across the customers and teams I have worked with on the vendor side, five profiles consistently struggle in this field. These are patterns, not gatekeeping. Each profile below is a real type the work tends not to suit, and the reason matters.

The passion-only entrant. Someone drawn to cybersecurity by image and interest, without the technical foundations or the willingness to build them. Passion alone gets you to the application stage. Without the foundations to do the work once hired, the role becomes punishing.

The person who cannot separate from the work. Cybersecurity carries genuine on-call burden, alert volume, incident pressure, and the cognitive load of staying current with threats. 88% of professionals report at least one cybersecurity incident in their organisation linked to a skills shortage (2025 ISC2 Workforce Study), which translates to ongoing pressure on under-resourced teams.

People who cannot mentally switch tasks at the end of the day burn out fast. The pattern is well-documented in occupational psychology: the inability to mentally detach from work during off-hours predicts emotional exhaustion and reduced well-being. Switching from operational work is not the same as switching off from the field, but both are disciplines.

The early-career-stuck pattern. Bootcamp-to-entry-level candidates who never build adjacent foundations or progress into specialism, and find themselves three years in, still applying for the same SOC tier-one roles, increasingly competing against AI-augmented entry-level work. The structural pressure described earlier hits this profile hardest.

The certainty-seeker. Most security work is comfort with not knowing. Most attacks present as ambiguity, partial signals, contradictory evidence. People who need a clean answer at the end of the day struggle, because the answer is often "we did our best and we will know more in twenty-four hours." I have watched this profile self-select out of the field within their first eighteen months.

The communication-averse. Some cybersecurity work is solitary analytical work. Most of it eventually involves explaining what happened, why it matters, and what to do, to people who do not share the technical vocabulary. People who want zero stakeholder communication find roles narrow over time.

These patterns do not mean the field is closed. They mean the field rewards specific dispositions, and recognising the dispositions in advance is more useful than discovering them three years in.

Who Finds a Cybersecurity Career Rewarding

Four operational dispositions tend to predict whether someone will find this work sustainable.

The first is being energised by learning. Continuous, non-optional, beyond the certifications. The disposition that holds up regardless of which generation of AI capability arrives next.

Specific tools change. The learning mindset does not.

The second is building discipline through difficulty. The work makes you methodical because methodical is the only thing that survives a high-pressure incident. People who find difficulty formative rather than draining tend to stay.

The third is being comfortable with not knowing. Most of the work happens in partial information. The signal is fragmentary, the timeline is unclear, the stakes are uncertain.

Comfort with sustained uncertainty is a real disposition, and the field rewards it.

The fourth is the ability to detach. This one filters more people out of the field than the other three, in my experience. The work is intense, sometimes around the clock during incidents, and the cumulative pressure adds up.

Genuine stepping away is non-negotiable, the kind that has nothing to do with security at all. The recovery research on this is unambiguous.

The other discipline is switching modalities to make thinking time, the kind operational work systematically denies. Reading long-form security write-ups, listening to a podcast on a walk, experimenting in a lab without consequences. Both disciplines are needed.

People who can mentally step away when the operational work is done last in this field.

What Twenty Years in a Cybersecurity Career Has Taught Me

I have lived through every major attack era since the late 1990s. Late 1990s in the sense that I was working in IT then, with the Y2K-era covered for Cybernews sitting just before security became its own discipline, which is part of the point. ILOVEYOU, fakeware and FBI scareware, Conficker, Sality32, WannaCry, and many others in between.

The Conficker malware outbreak of 2008 to 2009 infected millions of machines globally and evolved through multiple variants over weeks. I worked through the response live, building the playbook as the team went along, recovering systems through iterative clean-state strategies as new variants emerged.

Some incidents took hours. Some took many days. The work taught me the discipline of working calmly and methodically in new situations, and balancing high-stakes execution with stakeholder communication.

That kind of experience cannot be obtained from a course. It can only be built through living it.

The point of the story is not Conficker. Conficker was one node in a long career of similar nodes, going back to the helpdesk work I covered for ITBrew where the cybersecurity career effectively began before it had that name.

Across twenty years on the vendor side, I have struggled with this work many times, doubted whether I should keep going, made wrong turns and changed direction. Each time the reward of coming through has been the thing that keeps me in the field, and that is the honest answer to whether cybersecurity is a good career: it is, for the people who find that pattern rewarding, and it is not for the people who do not.

When I describe parts of my career as "lucky," what I mean is two habits compounded over time. Volunteering for tough projects, and getting picked for harder ones when those came along. Building relationships through years of customer work, webinars, and on-site enablement, not transactional networking.

The substance of those relationships was solving problems with people; that is where the actual learning happened.

What to Do Next If You're Considering a Cybersecurity Career

If you are still deciding whether to enter, start with the cybersecurity career guide, which covers the full decision-to-job-ready journey, then the cybersecurity skills roadmap for the technical foundations. If you are technically inclined and unsure how technical, the question of whether you need coding for cybersecurity covers the answer.

If you are a graduate, the cybersecurity graduate career guide is written for the transition from degree to first role.

For everyone, what is in demand right now is shifting. The 2025 ISC2 Cybersecurity Workforce Study currently identifies AI security (41%), cloud security (36%), risk assessment (29%), application security (28%), security engineering (27%), and GRC (27%) as the cybersecurity skills employers most want to develop on their teams. Twelve months from now this list will read differently, which is the point: the snapshot matters less than the habit of tracking it, and the in-demand skills and roles breakdown is the next read.

All of these are starting points. The path through them will not be linear, and it should not be.

Resilient careers in this field belong to people who stay through the hard problems, and the reward is the learning itself, compounding over time and sharpening how they work.

The cycles will keep coming. What has kept me here for twenty years is one truth: tomorrow is never the same as today.