I’m a cybersecurity professional in the SF Bay Area (security engineering, architecture, compliance, platforms, etc.), and I can assert that despite the apparent demand, it isn’t yet strong enough because it’s a lousy career choice even now:
- If you do a great job nobody cares. Because nothing happens — people are focused on revenue growth. Why would somebody choose a job where the best thing that can happen to you is not getting fired?
- The pay isn’t that good and the required skills are high. Security is like earthquake insurance in CA: something you know you need but aren’t excited to pay for, so you avoid it. And when you finally do budget for it, you keep that as low as possible.
- And the low budgets mean you can’t do a decent job, as you don’t have enough resources and management wants each security person to do the job of three people…forcing managers for example to write code. And given #1, why bother?
- Pretty much all managers can’t tell the difference between good and bad security, so they pick the cheap and easy stuff; again, lower pay, and not enough resources and tools to integrate into a risk management set of best practices. And since the Board doesn’t understand it either and doesn’t care, proper deployment and management isn’t done.
- Many jobs are focused on compliance (paperwork) and security operations (identifying threats and incidents, which have so many confusing false positives that people ignore them). So for these kinds of jobs, you are thrown into a corner room with a bunch of tedious work so you can comply, but you are largely ignored unless something goes wrong, in which case you’re fired. Sounds like a great job…not. A shit job like that? I’d rather be a cocktail waitress.
- Many people think they understand security and want to learn more, but they are clueless about how to integrate security technology with business processes because that’s too complicated. So the experts are marginalized (too much hassle) and the newbies do the work in order to get this stuff on their resume, while everybody is essentially banking on a serious attack not happening.
So learn something complicated and abstract with low pay, something nobody (with money) really cares about?? No thanks. I manage to earn a decent living and have a flexible lifestyle doing mostly security engineering consulting, because there is always somebody who is too confused or screwed up on a project that involves this confusing technology, so they call me in to clean it up and finish it. But when it comes to doing security consistently and properly, nobody’s buying. I’ve had the best luck with Fintech, but even with them it’s not a good career move because they don’t understand it.
Even with medical device security, something you would think would be high priority, it’s been a very long road lobbying the FDA to augment compliance. They’re very slowly improving. Who has the time to talk with medical device companies ad nauseam over months and months, only to have them eventually limit the security budget and hire a bunch of paper pushers to just fill out the minimum compliance paperwork?
Sounds hard to believe? No harder to believe than how we are destroying our environment. Humans suck at managing risk.