The Uncomfortable Truth About Breaking Into Cybersecurity
Why the industry avoids newcomers even when demand is high
There are millions of unfilled cybersecurity roles, yet capable entry-level candidates are rejected every day.
The industry publicly claims a severe skills shortage while quietly filtering out anyone who has not already been trusted elsewhere.
That is why “entry-level” roles demanding three to five years of experience are so common.
This is deliberate risk avoidance in a field where one bad hire can be catastrophic.
If you approach this market like a normal entry-level job hunt, you will keep failing for reasons no one is incentivized to explain. This post explains how security hiring actually works, and how to work within it.
At the end of this post, you will understand:
Why cybersecurity hiring behaves differently from software and IT
Why trust, not skill, determines who gets hired at the junior level
How elite hiring culture quietly shut the door on newcomers
Entry-level, 5 years required.
You may have heard the stat: 3.5 million unfilled cybersecurity jobs globally.
And yet you apply to dozens of roles, get ghosted by most, and rejected by the rest for “lack of experience.” This happens across tech, but it is far more pronounced in cybersecurity. That is not an accident.
Here’s what’s actually happening: cybersecurity hiring is not a talent market. It’s a risk market. That single reframe changes everything.
When I was a security manager at Amazon building out my team, I reviewed hundreds of resumes every week for a handful of critical roles. Even when the role demanded seniority, the bar was unforgiving. The more relevant the experience, at scale, in complex environments, the better. Not because junior candidates lacked ability, but because I could not afford the risk. The role did not allow for learning on the job.
That is how most security hiring works.
Hiring managers aren’t primarily optimizing for growing talent. They’re optimizing to avoid blame. If they hire a senior and something goes wrong, that’s bad luck. If they hire a junior and something goes wrong, that’s bad judgment.
Software engineering, arguably, tolerates iteration and mistakes better. In cybersecurity, being right 99% of the time can still be a failing grade, because an attacker only needs the 1% you missed.
The “skills gap” is not about skills. It is about risk tolerance. And as the stakes rise, risk tolerance collapses.
The system is not broken. It is working as designed.
But this still leaves an obvious question. If security hiring is about avoiding risk, who absorbs that risk?
The answer is predictable.
Juniors
In any risk-averse system, uncertainty gets pushed to the edges. In cybersecurity hiring, juniors are that uncertainty.
I’m not here to tell you the system should change. I’m here to tell you how to win within it. But first, you need to understand why you keep losing.
Training juniors is expensive in ways job descriptions never mention. Seniors lose hours to mentorship they can’t afford. Every new hire with access expands the attack surface security teams are supposed to shrink.
But the real killer is asymmetric consequences. The junior makes the mistake. The manager owns the fallout. No one gets promoted for taking a risk on a junior. People absolutely get fired when that risk goes wrong.
Many teams would rather stay understaffed than take on unknown risk. That open role might stay open for 18 months because “nobody qualified applied” is an easier conversation than “I hired someone junior and they caused an incident.”
This is not fair. But it is rational. And there’s another layer making it worse. One that has nothing to do with risk math and everything to do with culture.
Culture eats strategy for breakfast. And juniors for lunch.
I spent years at Amazon and served as a Bar Raiser. For those unfamiliar: Bar Raisers are trained interviewers who sit on hiring loops to ensure every new hire raises the functional bar (are they better than 50% of their would-be peers in similar roles?) and has long-term growth potential in the company through cultural fit. When everyone shares the same mental models, you move faster in a crisis.
I remember one candidate who was deep functionally and a strong coder. But across multiple interviews, he hadn’t shown the builder mindset. No ownership signals. No inherent leadership qualities. The hiring manager wanted to hire fast, focused only on technical skills, and made an argument to hire the candidate. I pushed back: amazing tech skills don’t automatically raise the bar on culture. We did not hire the candidate.
That system works at Amazon because Amazon invests on both sides. High bar plus high support. Rigorous interviews plus intensive onboarding, and a bazillion mechanisms (automated tooling, paved-road solutions, guardrails) that prevent mistakes from becoming real incidents.
Here’s the problem: many companies copied Amazon’s filter, but few copied Amazon’s investment. Smaller companies adopted elite hiring standards without the onboarding, mentorship, tooling, or safety nets that make them survivable. Risk aversion plus borrowed elite culture equals an industry hostile to beginners.
To Wrap It Up
The skills gap is real, but not how you’ve been told.
There’s no shortage of people who want security jobs. There’s a shortage of people whom hiring managers feel safe betting on.
Security hiring avoids risk by design. Juniors are excluded rationally. Elite culture tightened the gate without adding support.
This is not your fault. But it is your problem.
Here’s the one key insight from this post: In cybersecurity, trust is the entry-level requirement. You don’t convince security teams you’re smart. You convince them you’re safe. Every resume bullet, every interview answer, every portfolio piece should answer one question: why is hiring me lower risk than hiring nobody?
In Part 2, I’ll break this down into two practical paths. One for entering security from adjacent roles. One for borrowing credibility when you have none.
Your neighborhood security nerd,
Aditya :)