The Cybersecurity Job Market's Convenient Fictions
Why an industry that says it's desperate for talent keeps cutting people loose.
The Paradox
Cybersecurity has a jobs problem, and it isn’t the one the industry keeps telling you about.
Open LinkedIn on any given week and you’ll see two stories running side by side, as if they have nothing to do with each other. One says the field is short 4.8 million people and begging for talent. The other is a layoff announcement. Sometimes they’re posted by the same company, in the same quarter. I’ve stopped being surprised by it. I’ve started being angry about it.
I do this research because I think the people trying to build a career in this field deserve better than what they’re currently getting, which is a mix of recycled statistics, vendor talking points, and advice from people who have something to sell them. I have no course to sell. No certification bootcamp, no “10x your resume in 30 days” program, no affiliate link waiting at the bottom of this piece. What I have is a degree I paid for, a research background I actually enjoy using, and a low tolerance for organizations that say one thing publicly while their own numbers say another. If that makes this piece less comfortable for a few well-known names in this industry, so be it. I’d rather be useful to the person reading this than popular with the people I’m writing about.
Here’s the paradox in the numbers everyone already cites. Indeed’s Hiring Lab has security postings sitting at 113% of their pre-pandemic baseline. It’s the only major tech category still above where it was in February 2020 [1]. CyberSeek tracks over half a million open cybersecurity roles in the U.S. alone [2]. The Bureau of Labor Statistics projects 29% growth for information security analysts through 2034, with a median salary north of $124,000 [3]. Read those three numbers on their own, and cybersecurity looks like the last stable island in a tech industry that’s otherwise cutting headcount everywhere you look.
Now read the same industry’s own workforce data. ISC2’s 2025 Cybersecurity Workforce Study surveyed over 16,000 practitioners. It found that 32% of large organizations reported layoffs in the past year. 46% reported budget cuts. 49% reported hiring freezes. 41% froze promotions [4]. That’s nearly half the field’s largest employers pulling back at the exact moment the industry’s own marketing insists they’re desperate to hire.
Both of those pictures can’t true at the same time. I get that the answer is more nuanced and complicated than cherry-picked stats. But complicated isn’t the same thing as unknowable. I think a lot of the confusion here originates with the people who benefit from it staying confusing. I’m here to call out who has spent years telling us a version of the trutyh that happens to boost their bottom line, ie. the organizations who profit off the fantasy.
None of this is a case against working in cybersecurity. It’s a case against believing what you’re told about working in cybersecurity without asking who’s telling you, and what they get out of it if you believe them.
The Number That Wasn’t What It Said It Was
Every cybersecurity recruitment page you’ve seen probably cites the same number: “4.8 million unfilled jobs, global, and growing.” It comes from ISC2’s Cybersecurity Workforce Study, the largest and most frequently cited survey of the profession. It’s also a gross misrepresentation of reality.
That number is the result of ISC2 researchers asking survey respondents, mostly hiring managers and security leaders, how many additional people their organization would need to feel fully secure. The response gets aggregated against an estimate of the existing workforce, and the difference becomes “the gap.” It’s a measure of aspiration, not a count of open job requisitions. ISC2’s own CISO, Jon France, said as much on the record in Dark Reading: “For clarity, that doesn’t mean there is 4.8 million jobs out there” [5]. He described it instead as an estimate of how much the profession would need to grow to reach the security level respondents believe is necessary.
That distinction sat mostly unchallenged for years. It started to crack in October 2024, when Ira Winkler, CISO at CYE, wrote an open letter to ISC2’s board. Winkler had spent time talking with unemployed cybersecurity professionals frustrated by headlines promising abundant work they couldn’t find. His letter accused ISC2 of knowingly pushing a false narrative of a plentiful job market [6]. Ben Rothke, a senior information security manager at Experian, made a related point publicly. He tied the criticism directly to the marketing that fuels get-rich-in-cybersecurity training programs [7]. Jon Brandt at ISACA added the practical rebuttal. People can respond to any survey and say they need twenty more people, he said, but unless an organization is actively hiring, that isn’t a data point worth weighing [8].
ISC2 heard the criticism. The 2025 Cybersecurity Workforce Study, based on a record 16,029 respondents, dropped the workforce gap estimate entirely. The organization reframed the conversation around critical skills needs instead of headcount [9]. Read plainly, that’s a walk-back. A body with real influence over how tens of thousands of career decisions get made quietly retired its most quoted statistic after practitioners called it out in public.
This doesn’t mean cybersecurity teams are fully staffed, or that hiring is easy. StationX’s breakdown of the available data separates what’s actually being measured into three different problems that keep getting collapsed into one number. A skills gap exists in specific technical areas. A staffing gap is driven mostly by budget rather than a lack of candidates. And a hiring gap shows up wherever employers demand years of experience for roles labeled entry-level [10]. Those are three distinct issues with three distinct solutions. None of them get solved by more people earning a degree or a cert on the promise of a shortage that isn’t quite what it claims to be.
The Center for Strategic and International Studies raised a version of this same concern years before Winkler’s letter went public. Their analysis questioned whether cybersecurity workforce development programs and education pipelines were preparing people for the roles the field claims to need [11]. The pattern isn’t new. What changed is that practitioners finally pushed back enough that the organization behind the number had to answer for it.
“AI Did It,” Cybersecurity’s Version of a Bigger Story
Cybersecurity isn’t running its own show here. It’s playing a smaller part in a much bigger production, and the script was written well before anyone in this industry picked up a copy.
Between January and June 2026, Challenger, Gray & Christmas tracked U.S. tech employers announcing 139,156 job cuts, an 83% jump over the same period in 2025. AI was named as the reason for four consecutive months, a streak the outplacement firm says has no precedent in its data [12]. Read those layoff announcements and you’d think artificial intelligence had suddenly become capable of doing the work of six-figure engineers and analysts overnight. Read the people who study labor markets for a living, and a different story shows up.
Sam Altman called it “AI washing.” He’s acknowledged that almost every company doing layoffs blames AI whether AI is actually the reason or not [14]. Marc Andreessen was more blunt about the mechanism. He argued companies are using AI as a “silver bullet excuse” for correcting pandemic-era overhiring, staffing he estimates left large tech firms 25 to 75 percent overstaffed [13]. Wharton’s Peter Cappelli explained that companies say AI will cover the work, but most of them haven’t confirmed that it will. They’re hoping it does [15]. Deutsche Bank saw this coming in January 2026, predicting that “AI redundancy washing” would define the year [16].
The receipts back up the skeptics more than the headlines do. Gartner surveyed 350 executives at companies actively deploying AI in May 2026 and found that the firms cutting headcount the most showed no better financial returns than the firms cutting the least. Some of the companies that cut the least actually outperformed the heaviest cutters [17]. Meta is a clean example of the underlying math. The company grew from 48,000 employees in the first quarter of 2020 to more than 87,000 by the third quarter of 2022, hiring aggressively through the zero-interest-rate years before the cuts started. That overhiring needed correcting whether or not a single AI model ever entered the building [18].
None of this is abstract for the people losing their footing in cybersecurity specifically. Marketplace’s reporting followed Megan Osteen, a career-changer who did the coursework, earned a certification, and still couldn’t find an opening. It also followed JVS, a Bay Area job training nonprofit that pivoted into cybersecurity training when entry-level IT work dried up and is now questioning whether to keep the program running at all [19].
Go back to what ISC2’s own 2025 workforce data showed. Budget cuts overtook talent scarcity as the leading cause of staffing shortages for the first time the study has tracked it [4]. That’s the same story playing out inside cybersecurity’s own numbers, just with a security badge pinned to it instead of a general tech one. Companies aren’t cutting security analysts because a model learned to do their job. They’re cutting them because the same budget pressure hitting every other tech function is hitting this one too, and “AI” is a more comfortable line to put in a press release than “we hired too many people and now we’re fixing it.”
The On-Ramp Is What’s Actually Collapsing
Here’s where I think a lot of the panic gets aimed at the wrong target. The question people keep asking is whether AI will replace cybersecurity. That claim doesn’t hold up. The better question is what happens to the bottom rung of the ladder once AI can do most of what used to live there.
Let’s start with what’s shrinking. Entry-level cybersecurity postings, the ones asking for under a year of experience, fell from 25% of listings in 2022 to 17% today. Only 15% of new cybersecurity hires are people starting their careers for the first time. More than half, 52%, come from inside the existing talent pool, people already working in cybersecurity moving to a new role. Another 28% convert in from adjacent, non-cyber jobs [20]. Add those together and new entrants are competing for a sliver of a sliver.
Practitioners see it happening too. In one survey, 52% of cybersecurity professionals said they expect AI to reduce demand specifically for entry-level roles like Tier 1 SOC analysts, the job most people use as their first foothold in the field. Only 2% think AI will eliminate the cybersecurity profession outright [21]. That gap is the difference between a field contracting and a field reshaping itself at the bottom while staying intact everywhere else.
There’s a more optimistic read of the same data. An ISC2-linked workforce survey found that 44% of organizations are reconsidering roles and skill requirements because of AI tool adoption, but 31% think AI adoption could create new entry-level roles rather than eliminate them, work adjacent to monitoring and validating AI tools that didn’t exist before those tools did [22]. This shift is happening in real time and the dust has not settled. No one can be certain right now what the AI-powered workforce will look like, let alone how it will be reflected in job titles.
Job postings are a harder thing to argue with than survey sentiment, though. InterviewStack analyzed 5,379 active cybersecurity engineer postings in June 2026 and found that AI-skill requirements show up in 17% of senior and staff-level postings, compared to 9.3% of entry-level ones [23]. If AI skills were genuinely opening a new front door for beginners, you’d expect that ratio to run the other way. Instead, the people being asked to bring AI fluency to the job are mostly the people who already have the job.
Cybersecurity isn’t disappearing. The on-ramp into it is.
Nobody Is Tracking Whether the Pipeline Actually Works
The “on-ramp” to a career in cyber is often linked to achieving a degree in the discipline. Which begs the question, of everyone who’s earned a cybersecurity degree in the last several years, how many are actually working in cybersecurity? I went looking for a real answer. What I found instead is that nobody appears to have built the instrumentation to know.
The closest thing to an authoritative source is a federal report from NCSES, the National Center for Science and Engineering Statistics, produced through RTI International. It’s the kind of unglamorous government research that doesn’t get cited in recruitment marketing, and reading it, it’s easy to see why. The report states plainly that only 46% of people working in cybersecurity core occupations hold a degree closely related to their field of work [24]. More than half of the people currently doing this job didn’t get there through a cybersecurity degree at all.
The same report goes further. Its authors warn that counting cybersecurity graduates as a measure of workforce supply likely overestimates the actual pipeline, because completing a cybersecurity degree doesn’t mean that person ever works in cybersecurity [24]. The federal government’s own researchers are telling us that the numbers schools and certification bodies use to justify the shortage narrative don’t hold up under their own methodology.
Meanwhile, more people are enrolling than ever. Program completions across all cybersecurity award levels grew from 10,013 in 2016 to 23,746 in 2021, a roughly 19% average annual growth rate that outpaces general degree program growth by a wide margin [25]. More students are walking in the front door of these programs every year. Nobody is tracking, in any rigorous public way, how many of them walk out the other side into an actual cybersecurity job.
I’ll put myself in this data, because I have a cybersecurity degree circa 2022, but I never became a SOC analyst, a penetration tester, or an incident responder. Instead I landed in technical marketing for a cybersecurity vendor, work I genuinely love and I’m good at, but not what most people enrolling in these programs picture when they sign up. I got lucky, and I found a lane that used what I learned without requiring me to compete for the shrinking entry-level technical roles. Most people don’t get that lane handed to them. What they get instead is a degree, a stack of student loans, and a job search that never quite lands where the brochure said it would.
This is structural failure in a broken system, and it’s the missing piece in every conversation about the cybersecurity shortage. The industry has spent years measuring how many people it needs. It has never bothered measuring what happens to the people who show up.
The Schools Selling the Credential Won’t Publish Their Own Results
There are a handful of schools that show up constantly in cybersecurity career search results and ads when someone searches “cybersecurity degree online.” Top of my mind are University of Maryland Global Campus, University of Phoenix, Southern New Hampshire University, and Western Governors University. UMGC is my alma mater. I paid for that degree, and I still believe it was worth doing. But, I’m not willing to look away from what these schools do and don’t tell prospective students about what their money actually buys them. Spoiler: it’s not likely an entry-level role in cybersecurity.
Three of the four use nearly identical language to avoid saying anything specific. University of Phoenix’s cybersecurity careers page states that its cited salary ranges are not specific to students or graduates, and that the university offers no guarantee of “employment, salary level or career advancement” [27]. UMGC doesn’t publish a placement rate or a starting-salary figure for its cybersecurity programs at all. Its marketing leans instead on its NSA-designated Center of Academic Excellence status and an EC-Council partner-of-the-year award [28]. SNHU repeats a nearly identical line across at least four separate program pages, stating that its cited projections aren’t based on SNHU graduate outcomes and don’t guarantee actual salary or job growth [29]. That kind of identical, boilerplate language across a school’s entire site usually isn’t a voluntary transparency choice. It reads like standardized compliance language, the minimum a school has to say to satisfy federal disclosure rules, dressed up next to national growth statistics that have nothing to do with anyone who actually attended.
WGU is the more interesting case, because WGU does publish something. Its retention and graduation page cites a 2024 Harris Poll finding that 87% of graduates report being employed in their degree field, along with a 94% employer satisfaction figure and a 97% rehire-willingness figure [30]. On the surface, that looks like real disclosure, more than the other three schools combined. Then you find the footnote on WGU’s own cybersecurity program page, sitting right next to that same statistic. It cites a 2024 Harris Poll of 1,655 WGU graduates, and specifies that the survey was sent to “a representative sample of WGU graduates from all colleges” [35]. WGU is telling you, in its own words, on the cybersecurity page itself, that the number wasn’t measured for cybersecurity students. It’s an institution-wide figure covering business, nursing, teaching, and IT alike, borrowed and placed under a cybersecurity headline as if it belonged there.
The federal earnings data that does exist tells a partial story. College Scorecard-derived figures put UMGC’s Computer Information Systems bachelor’s graduates at a median of $75,619, above the $61,300 national median for that major. SNHU’s come in lower, $61,322 for a bachelor’s and $76,081 for a master’s. WGU’s sit highest of the four at $84,242 for the same bachelor’s category. University of Phoenix’s numbers vary so much by campus that some of them are built on cohorts of two graduates, which makes “median” a technically true but practically meaningless word here [31]. None of these figures isolate cybersecurity specifically. They’re Computer Information Systems numbers, a broader category that cybersecurity sits inside, because the federal government’s own data doesn’t cleanly separate out cybersecurity outcomes any better than these schools do.
The bottom line here is that four of the most heavily marketed cybersecurity degree programs in the country cannot show you verified data on what happens to their cybersecurity graduates specifically. Three hide behind a disclaimer. One borrows a number that was never about cybersecurity in the first place and lets you assume otherwise. My own degree came from one of these four schools, and even I can’t tell you, from anything they’ve published, how many people who sat in my classes ended up doing this work.
Who’s Selling the Gap
The schools aren’t the only ones with a stake in keeping the shortage story alive. I want to widen the lens here, because I’ve been citing one particular data source throughout this piece without saying who’s actually behind it. CyberSeek, the tool that tracks over half a million open U.S. cybersecurity jobs, the number I used back in Section 1, is a collaboration between Lightcast, NIST, and CompTIA [36]. CompTIA is a certification-selling trade association. The same organization co-producing the “neutral” job-opening count everyone cites, including me, also sells Security+, the certification most frequently recommended as the fix for that opening count. It’s worth knowing before you treat any single number in this space as disinterested.
EC-Council runs the same play from the education side. The organization named UMGC its Academic Partner of the Year in 2023 [37], the same year it was selling the Certified Ethical Hacker exam that UMGC’s curriculum is partly built around. ISC2, already covered in Section 2, deserves a second mention here. The organization that had to walk back its own 4.8 million figure is also the body behind the CISSP, the single most requested certification in cybersecurity job postings [38]. It’s diagnosing the shortage and selling the credential meant to fix it, twice over, from the same source.
Bootcamps follow the university playbook almost exactly, just with shorter timelines and better marketing copy. Industry-wide figures circulated by Course Report and the NACE Early Career Salary Survey claim 70 to 80 percent job placement within six months, with median starting salaries between $50,000 and $65,000 [39]. Those numbers come from the bootcamps themselves. Nobody outside the industry audits them. It’s the identical structural problem from Section 6, just wearing a hoodie instead of a cap and gown.
That pattern shows up at the individual level too. Evan Lutz built a following in the early 2020s teaching people a specific roadmap: get a Security+ certification in a couple of months, walk in with zero experience, land sixty thousand dollars a year. He’s said publicly that the roadmap he built his name on no longer works [40]. I respect that he corrected course when faced with current reality. Most of the people still selling variations of that same roadmap haven’t.
Search “how to break into cybersecurity” and most of what comes back reads like career advice. Read it closely and a lot of it is course marketing wearing blog post clothing [41]. The incentive is the same one running through every section of this piece so far. Convince someone the door is narrower than it is, or wider than it is, whichever version sells more seats.
The most expensive bet in the industry.
One of these certification factories has been pawning courses at outrageous prices and getting away with it for a very long time. I’m looking at you, SANS.
A single SANS course bundled with its matching GIAC certification runs roughly $9,779, before renewals [42]. SANS’s own institute arm, SANS.edu, charges $41,650 for a two-year bachelor’s degree and up to $22,800 for a graduate certificate [43]. A full year of in-state tuition at most public universities costs less than a single SANS course. Plus, SANS doesn’t discount the way most training vendors do. One analysis of the pricing pointed out that this training is realistically priced for the person whose company pays for it, not the person paying for it themselves [44]. That’s a telling admission. This isn’t a product built for the job seeker paying out of pocket. It’s a product built for corporate training budgets, marketed as though an individual could reasonably afford it.
In 2026, SANS’s own workforce report named skills gaps, not headcount, as the industry’s biggest challenge for the first time in the report’s three-year history [45]. Read that next to the price tag. The organization sounding the loudest alarm about a widening skills gap sells one of the most expensive fixes for it in the entire industry.
None of this means certifications are worthless or that bootcamps never work. Some of them do, for some people. What it means is that almost every voice telling you how urgent this shortage is, and how fast you need to move to close it, has a seat to sell you. That makes them a source you should read the same way you’d read a car salesman’s opinion on whether you need a new car.
Still Want a Job in Cyber? Here’s How.
If you’ve read this far, you might reasonably ask whether I think anyone should still try to break into cybersecurity right now. My honest answer is, not without a backup plan. Don’t treat it as your only bet. The entry-level door is narrower than the marketing says, and pretending otherwise doesn’t help anyone walk through it faster. What I can tell you is what actually seems to move the needle for the people who are getting hired in this market, based on who’s saying it and how they’re saying it.
Start with the bar itself, because it moved. Matthew Hartman at Merlin Group put it well when he told Dice that the bar for entry has risen. Employers now want candidates who can show hands-on experience and apply AI tools in practical ways, not just recite what a certification taught them [46]. That’s a real shift, and it’s a fair one to be frustrated by. It’s also not optional to ignore.
Evan Lutz, the coach I mentioned earlier who’s walked back his own old roadmap, is proof that the people closest to this market are recalibrating in public. Take that as a signal, not a discouragement.
Dr. Gerald Auger, who’s spent over twenty years in this field, gives advice that I wholly agree with based on my own experience. Hands-on work and genuine community presence beat chasing another certification. Common mistakes he warns against are relying too heavily on job boards, and underinvesting in personal brand and networking [47]. I’d add one more, based on everything I’ve learned. Don’t assume a degree alone is the credential that opens doors. It’s one input among several, not the whole plan.
There’s a portfolio argument worth taking seriously too. The strongest candidates aren’t the ones with the most certifications stacked on a resume. They’re the ones who can produce bounded, specific technical work that another practitioner could review and trust: a documented detection, a real authorization test, a clean technical write-up [48]. That’s harder to fake than a cert, and it’s harder to automate away than a checklist.
Here’s where I’ll say something as a marketer, because it’s the truth and I live it every day. The job search method that works right now isn’t throwing applications into an AI-flooded hiring pipeline and hoping volume wins. You have to show up consistently in the rooms where people in this field talk to each other, online and off, and let your work speak before you ever ask anyone for anything. Warm introductions get read. Cold applications get filtered by a system built to filter them. What we marketers call “personal brand” is really your professional reputation and you build that by engaging with people in the community, contributing to the conversations, and yes, once in a while giving yourself a public pat on the back for your achievements. It’s the mechanism that still works when everything else in this market is working against you.
None of that is a guarantee. Nothing in this piece has been. But if you’re going to bet real time and real money on breaking into this field, bet on the things that are still true. Hands-on proof over credentials. Relationships over resumes. A backup income plan while you build both.
The Morale of The Story
Every organization named in this piece would tell you they value evidence over hype. That’s the entire professional identity cybersecurity has built for itself. Read the data, follow the threat, don’t trust a claim you can’t verify. I’m holding them to their own standard.
I’m not the first person to say any of this out loud. Ira Winkler wrote an open letter to ISC2’s board, and the organization walked back its own headline number within a year. Ben Rothke put his name on a public critique of the training-marketing machine and kept his job at Experian. Neither of them got run out of the industry for saying what a lot of people were already thinking.
I know some people reading this are afraid to say any of it themselves. Their employer might be a partner of one of the organizations named here. Their own credentials might come from the certification body they’d be criticizing. The conference that pays their travel budget every year might stop inviting them to speak. Cybersecurity is a smaller industry than it looks from the outside, and burning a bridge with a group like ISC2 or SANS can follow you for years.
I get it. I’m just not going to let that fear be the reason nobody writes this down, with the sources attached.
If you’re building a career in cybersecurity, or thinking about starting one, you deserve the real picture and not the one that happens to be good for enrollment numbers or certification revenue. Now you have a fuller view and can make informed career decisions of your own.
References
[1] StationX, “Cybersecurity Job Market Statistics and Trends [2026],” StationX, 2026. [Online]. Available: https://app.stationx.net/articles/cybersecurity-job-market-statistics
[2] CyberSeek data, cited in Programs.com, “How Many Cybersecurity Job Openings Are There? (2026),” 2026. [Online]. Available: https://programs.com/resources/open-cybersecurity-jobs/
[3] U.S. Bureau of Labor Statistics, “Information Security Analysts,” Occupational Outlook Handbook, 2026. [Online]. Available: https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm
[4] ISC2, “2025 Cybersecurity Workforce Study,” Dec. 2025. [Online]. Available: https://www.isc2.org/Insights/2025/12/2025-ISC2-Cybersecurity-Workforce-Study
[5] Dark Reading, “Has the Cybersecurity Workforce Peaked?” Nov. 2024. [Online]. Available: https://www.darkreading.com/vulnerabilities-threats/cybersecurity-workforce-peaked
[6] Infosecurity Magazine, “ISC2 Survey Reveals Critical Gaps in Cybersecurity Leadership Skills,” Dec. 2025. [Online]. Available: https://www.infosecurity-magazine.com/news/isc2-gaps-cybersecurity-leadership/
[7] Dark Reading, op. cit. [5] (B. Rothke commentary).
[8] Dark Reading, op. cit. [5] (J. Brandt, ISACA, commentary).
[9] ISC2, op. cit. [4].
[10] StationX, “Cybersecurity Skills Gap Statistics [2026]: The Real Data,” 2026. [Online]. Available: https://app.stationx.net/articles/cybersecurity-skills-gap-statistics
[11] Center for Strategic and International Studies, “The Cybersecurity Workforce Gap.” [Online]. Available: https://www.csis.org/analysis/cybersecurity-workforce-gap
[12] TechTimes, “AI Leads US Job Cuts for Record 4th Month as Tech Claims 31% of H1 Layoffs,” Jul. 2026. [Online]. Available: https://www.techtimes.com/articles/319588/20260703/ai-leads-us-job-cuts-record-4th-month-tech-claims-31-h1-layoffs.htm
[13] TechTimes, op. cit. [12] (M. Andreessen commentary).
[14] TechTimes, op. cit. [12] (S. Altman commentary).
[15] TechTimes, op. cit. [12] (P. Cappelli commentary).
[16] TechTimes, op. cit. [12] (Deutsche Bank analyst commentary).
[17] TechTimes, “Tech Layoffs Hit 1,115 a Day in 2026: Companies Cite AI but Cuts Fail to Boost Returns,” Jun. 2026. [Online]. Available: https://www.techtimes.com/articles/318466/20260616/tech-layoffs-hit-1115-day-2026-companies-cite-ai-cuts-fail-boost-returns.htm
[18] TechTimes, op. cit. [17] (Meta headcount data).
[19] Marketplace, “It’s a tough time to break into cybersecurity,” May 2026. [Online]. Available: https://www.marketplace.org/story/2026/05/18/ai-is-making-it-harder-to-get-a-cybersecurity-job
[20] Programs.com, “Cybersecurity Graduate Unemployment & Skills Mismatch Statistics (2026),” 2026. [Online]. Available: https://programs.com/resources/cybersecurity-graduate-unemployment/
[21] AnalyticsInsight, “How AI is Transforming Cybersecurity Hiring in 2026,” May 2026. [Online]. Available: https://www.analyticsinsight.net/artificial-intelligence/how-ai-is-transforming-cybersecurity-hiring-in-2026
[22] Dark Reading, “AI Won’t Wipe-Out Entry-Level Cybersecurity Jobs,” Jun. 2026. [Online]. Available: https://www.darkreading.com/cybersecurity-operations/ai-wont-wipe-out-entry-level-cybersecurity-jobs
[23] InterviewStack, “Cybersecurity Engineer AI Skills in 2026: Agents Lead, Defense Lags,” Jun. 2026. [Online]. Available: https://interviewstack.io/blog/how-ai-is-changing-cybersecurity-engineer-2026
[24] National Center for Science and Engineering Statistics / RTI International, “Cybersecurity Workforce Supply and Demand Report.” [Online]. Available: https://ncses.nsf.gov/760/assets/0/files/ncses-cwdi-supply-demand-report.pdf
[25] Gray DI, “Cyber Breaches Drive Demand For Cybersecurity,” Dec. 2024. [Online]. Available: https://www.graydi.us/blog/graydata/when-bad-news-is-good-news-cyber-breaches-drive-demand-for-cybersecurity-programs
[27] University of Phoenix, “The Complete Guide to Careers in Cybersecurity and Information Systems.” [Online]. Available: https://www.phoenix.edu/blog/the-complete-guide-to-careers-in-cybersecurity-and-information-systems.html
[28] University of Maryland Global Campus, “Cybersecurity” program page. [Online]. Available: https://www.umgc.edu/cybersecurity
[29] Southern New Hampshire University, “Cybersecurity Degree Online Bachelor of Science (BS)” and “Is a Cybersecurity Degree Worth It?” [Online]. Available: https://www.snhu.edu/online-degrees/bachelors/cyber-security ; https://www.snhu.edu/about-us/newsroom/stem/is-a-cybersecurity-degree-worth-it
[30] Western Governors University, “Retention and Graduation Rates at WGU.” [Online]. Available: https://www.wgu.edu/about/measuring-impact/retention-graduation-rates.html
[31] College Factual (College Scorecard-derived earnings data), Computer Information Systems program pages for University of Maryland Global Campus, Southern New Hampshire University, Western Governors University, and University of Phoenix. [Online]. Available: https://www.collegefactual.com/colleges/university-of-maryland-university-college/academic-life/academic-majors/computer-information-sciences/computer-information-systems-cis/ ; https://www.collegefactual.com/colleges/southern-new-hampshire-university/academic-life/academic-majors/computer-information-sciences/computer-information-systems-cis/ ; https://collegefactual.com/colleges/western-governors-university/academic-life/academic-majors/computer-information-sciences/computer-information-systems-cis/bachelors/chart-average-salary.html ; https://www.collegefactual.com/colleges/university-of-phoenix-florida/academic-life/academic-majors/computer-information-sciences/computer-information-systems-cis/
[35] Western Governors University, “Cybersecurity Courses Online – Bachelor’s Degree,” program page footnote citing 2024 Harris Poll methodology. [Online]. Available: https://www.wgu.edu/online-it-degrees/cybersecurity-information-assurance-bachelors-program.html
[36] Dark Reading, op. cit. [5] (CyberSeek / CompTIA / Lightcast / NIST collaboration).
[37] University of Maryland Global Campus, op. cit. [28] (EC-Council Academic Partner of the Year, 2023).
[38] ISC2, op. cit. [4] (CISSP certification data), cross-referenced with StationX, op. cit. [1] (CISSP as most-requested certification in postings).
[39] Research.com, “Cybersecurity Degree vs Bootcamp vs Certificate: Which Path Leads to Better Career Outcomes?” May 2026. [Online]. Available: https://research.com/advice/cybersecurity-degree-vs-bootcamp-vs-certificate-which-path-leads-to-better-career-outcomes
[40] Marketplace, op. cit. [19] (E. Lutz commentary).
[41] Pattern observed across vendor “how to break in” content, representative examples: FusionCyber (fusioncyber.co) and ITU Online (ituonline.com).
[42] Netguardia, “SANS GIAC Certifications: Which Ones Are Worth the $8K Price Tag?” Apr. 2026. [Online]. Available: https://netguardia.com/learning-development/certifications/sans-giac-certifications-which-ones-are-worth-the-8k-price-tag/
[43] SANS Technology Institute, “Tuition.” [Online]. Available: https://www.sans.edu/admissions/tuition
[44] Netguardia, op. cit. [42].
[45] Industrial Cyber, “SANS 2026 report flags cybersecurity skills crisis, putting critical infrastructure and OT sectors at measurable breach risk,” Apr. 2026. [Online]. Available: https://industrialcyber.co/reports/sans-2026-report-flags-cybersecurity-skills-crisis-putting-critical-infrastructure-and-ot-sectors-at-measurable-breach-risk/
[46] Dice.com, “Cybersecurity Careers: Advice for Grads Navigating an AI-Driven Job Market,” May 2026. [Online]. Available: https://www.dice.com/career-advice/cybersecurity-careers-advice-for-grads-navigating-an-ai-driven-job-market
[47] ClearanceJobs, “Breaking Into Cybersecurity and AI: Career Advice from the Expert,” Feb. 2026. [Online]. Available: https://news.clearancejobs.com/2026/02/09/breaking-into-cybersecurity-and-ai-career-advice-from-the-expert/
[48] Penligent, “Cybersecurity Jobs in 2026,” Apr. 2026. [Online]. Available: https://www.penligent.ai/hackinglabs/cybersecurity-jobs-in-2026/



