The Money Problem in Cybersecurity

You probably got into cybersecurity because it seemed like a smart, future-proof move. Maybe you saw the salary ranges on Glassdoor. Maybe someone on LinkedIn told you there are “1 million unfilled jobs.” The message was clear: learn the skills, get a few certs, and the doors will open. Life-changing money, remote work, purpose. The perfect tech career.
But you’re here now, probably with a few courses under your belt, maybe a few rejections, and it doesn’t feel that simple anymore.
🎯 Most of the advice you’re seeing is broken
Cybersecurity isn’t one job. It’s a whole ecosystem of overlapping roles that barely talk to each other. There’s red teaming and appsec and vuln management, yes. But there’s also cloud risk, data governance, vendor assurance, and regulatory compliance. These roles don’t share the same toolkits or speak the same language.
What that means is if you’re following advice meant for a bug bounty hunter but you’re trying to land a GRC or IAM role, you’re going to waste time. And you’ll probably start to think you’re not good enough, or not technical enough, when in reality, you were just never shown the full map.
🪤 The myth of bug bounty riches
Let’s talk about bug bounties for a second. I don’t deny that some people have made real money from them. This article showcases million-dollar hackers. It’s impressive. But it’s not the norm.
Most people in that world spend hours competing for scraps in over-reported programs with vague scope and inconsistent triage. Katie Moussouris, one of the people who helped build the bug bounty model, has been blunt about how it’s been twisted. She calls it “bug bounty Botox” when companies launch flashy programs while ignoring the fundamentals. Behind the scenes, a lot of these orgs can’t even handle the incoming reports.
So when a junior tells me they’re trying to get noticed through bug bounties, I tell them the truth. It’s valid, but it’s not a stable ladder. And it can burn you out fast.
Also, pro tip: everybody is in the TryHackMe 2%.
🎓 Not all paths to learning are equal
I personally went through university. It made sense for me. I had two kids, I needed structure, and I wasn’t in a rush to gamble on something vague. But I’m not here to tell you that university is the right way. In fact, it often moves too slow for the pace of tech.
What worries me more are the bootcamps and influencer-led programs that overpromise. “Land a $120k job in 12 months” is a wild claim to make, especially when it’s backed by a couple of outdated slides and a Discord server. Most of these sellers are marketers first, mentors second, if at all.
The problem isn’t bootcamps. It’s the expectation they create. A $2,000 training program can be helpful. But it won’t magically make you job-ready unless you understand where it fits in the broader ecosystem of hiring and capability-building.
✨ The most valuable work is often invisible
There’s a perception that unless you’re building exploits or doing pentests, you’re not in real security. That’s garbage. Some of the most impactful security work happens in Excel, Jira, or boring SharePoint documents. Asset governance. IAM lifecycle. Change advisory boards. These things aren’t sexy, but they’re what keep organizations resilient.
Helen Patton, a well-respected CISO, talks openly about hiring people who can translate risk, not just detect it. She looks for communicators, strategists, systems-thinkers. These folks rarely end up in flashy LinkedIn posts, but they’re the backbone of real-world cybersecurity teams.
If your strengths lie in organizing, translating, or connecting people, there’s a place for you here. You don’t have to code your way into the field to be valuable.
📉 Cybersecurity isn’t recession-proof
Let’s drop another myth while we’re at it. Cybersecurity is not immune to layoffs. Yes, the field is important. But from a finance lens, we’re a cost center, and cost centers get cut.
If you’re trying to break in right now and it feels like nobody’s hiring, that’s not on you. It’s the job market. There’s a difference between “jobs exist” and “entry-level roles that will sponsor you, onboard you properly, and teach you the ropes.” CyberSeek might show tons of openings, but many of them are reposts, recycled roles, or senior positions disguised as junior.
The hard truth is this. Unless you understand how a company makes security decisions, and unless you can position yourself in that story, you’ll keep getting passed over.
🛡️ Your brag doc is your safety net
Whether you’re in the field yet or not, start a brag document. Julia Evans wrote a great piece on it here, and I’ve used the same technique for years.
This is more than just a feel-good folder. It’s your career fire extinguisher. When layoffs hit, when you need to advocate for a raise, or when you’re applying for that stretch role, your brag doc is what saves you. It helps you tell your story clearly, with impact. What did you work on? What changed because of your work? How did your presence make the team better?
If you track it now, you won’t have to panic when it matters.
So what can you actually do?
Here’s the unsexy advice.
Stop chasing one-size-fits-all answers. Learn the ecosystem. Understand how your target role fits into the business. Say no to grifters promising dream jobs in a few months. Document what you learn, even if nobody’s paying you yet. Build relationships, not just credentials.
This field still has room for people who think deeply, work hard, and play the long game. But the hype machine has left a lot of folks feeling broken.
You’re not broken. You’re not behind. You’re just navigating a noisy industry while trying to build something real.
And that takes more than a bootcamp. But it’s still worth it.