Let's piss off every cybersecurity influencer, bootcamp, and certification body whose marketing strategy relies on the deception that there are "millions of unfilled cyber jobs," shall we?
I believed certifications mattered. Hell, I even got short-listed for the EC-Council Canada Hall of Fame and made YouTube videos promoting this stuff.
I didn't even get a CPE for that effort.
I got my CEH and I'm glad I did: building that home lab, staying up late figuring out how things broke, sharing war stories with other wannabe hackers. That part was genuinely valuable because it lit the spark.
But here's the uncomfortable truth someone needs to say, and I'd rather it come from someone who's been exactly where you are rather than you discovering this fact 8 months into your rejection journey.
The Marketing Bullshit
No, Security+ and Google Cybersecurity Certificate are not enough to land an entry-level role in the current market. Stop asking.
The entire certification industry is marketing on false premises. They keep pushing the narrative that there are "millions of unfilled cyber jobs," but that's straight-up deception built on the assumption that exponential growth from my era would continue forever. Spoiler alert: it didn't.
I started in 2015, when companies were literally plucking students off campus in their first year of university. I signed a full-time job in second year and only finished my degree because I wanted to, not because I had to. That world doesn't exist anymore.
Back then, it was Target, Yahoo, Ashley Madison breaches. Later, Equifax. Companies were moving to the cloud, building massive security teams that were finally breaking away from infrastructure and IT to become their own thing. You'd have auditors discovering Windows NT systems with LM hashes that a red team could crack in minutes.
Now the industry has matured. The problems are "higher hanging fruits" requiring more seniors: cloud security, AppSec, GRC engineering. The market has bifurcated completely: senior roles are safe with increasing demand, but entry-level is brutal.
My story is a success story from a different time. Problem is, everybody assumed this trend would continue forever. Every school in my province now has a cybersecurity degree! In 2015, there were none. Security wasn't even cool! All computer science students wanted to do was AI, video games and mobile.
We get 500+ applicants for a single intermediate role. Do you like those odds?
The Certification Bodies Didn't Keep Up
Here's what happened while everyone was getting sold the "cybersecurity gold rush" story: the certification curriculum stayed idle.
Certifications like CEH and Security+ still focus on foundational skills (think Kali Linux, Windows environments, switches and networks). But the real world has moved on. Today, the "foundations" should be Kubernetes security, cloud IAM, supply chain risks and AI governance on top of the existing ones. The bar needs to rise!
Everyone's doing the same path: YouTube/Udemy → Google Cyber → CompTIA → TryHackMe → Splunk. Then Tenable → CrowdStrike → ELK. It's hard to differentiate when everyone's following the same playbook, and certification bodies haven't caught up. They're still operating like it's 2015, including the curriculum.
Those vocational curriculums sound like a good start, but they won't get you hired in security right off the bat. They're the bare minimum, like someone doing their own taxes thinking that qualifies them to be a corporate accountant.
You're now competing with hundreds of thousands of people who were told the exact same thing about security being the path of the future. The bottom of the market is completely saturated with identical applicants who all have Security+, Google Cybersecurity, and some general IT knowledge. Demand is crushing supply. I call this "the slush pile".
What Actually Works (And What I Did)
You need to acquire the skills, meet people, get noticed. I did this too.
I landed an internship with a paper resume at a career fair simply because I was fascinated by "access management of documents" and, yes, Mr. Robot. Yes, it was an easier market. Even so, my strategy was still better than the "spray and pray" applications I see most of you using. I had attended a "Lunch and Learn" event on campus where a security analyst spoke about transitioning careers while raising toddlers (I had 2 myself at the time). I emailed him afterwards, visited the company premises weeks later, and spoke with a dozen people about the job. Four months later, when I applied for that internship, they remembered me. That's what I mean by "getting yourself out there"!
Your best bet at pivoting is becoming the job you want from within your current role. If you're currently employed, you have a much better shot at pivoting by actually speaking with people. What good is it if you just do a bunch of certs in your corner?
Make friends with the compliance team! Show how what you do enables compliance, how your work helps secure systems. Join the security champions program. Get noticed, and you'll get actual experts speaking with you. You'll learn much better talking with people than rummaging through textbooks.
Don't ask for mentorship. Ask for people's opinions on something you both care about. "Will you mentor me?" is like asking "Will you be my friend?" to a stranger.
We Need to Stop the Certification Narrative
We need to stop the "school narrative," wherein you acquire a credential and that credential "unlocks a new level" (a job). I'm seeing people plot their pathway to CISO, one certification at a time. It doesn't work like that!
Certifications teach you how to pass a multiple-choice exam. We need to stop pretending you can multiple-choice your way to companies' current problems.
Here's what works: you need to provide value for people to find you interesting. Stop thinking about HTB boxes and start thinking about inefficiencies in triaging techniques. Think about that PowerShell script you're running to get Azure events: make it compute faster while avoiding API rate limits. THM is fine, but how many times do you run BloodHound in day-to-day work versus finding a better way to document false positives?
Your manager needs efficient workers more than HTB champions.
The Uncomfortable Truth
I'm letting my CEH expire this year. I'm done. After close to a decade in this field, I've learned something painful: the certification treadmill doesn't take you where you think it's going. The "certification industry" needs to stop selling fantasies to entry and intermediate level people.
Getting into cyber nowadays means you have to be in it because this is what you want to do and can't imagine doing anything else. There's been huge marketing about cyber being an easy path toward six-figure salaries, but this is deceptive and objectively wrong. This isn't the convenient career path anymore.
In my city we need construction workers, nurses, and teachers. I imagine it's the same everywhere. These are the current easy-to-get jobs.
I'm grateful for my CEH because it got me started, but I've outgrown it, and so has the industry. The reality is harsh: no certification body is keeping up with the pace of change.
The careers are still being built. Just not the way the certification industry wants you to believe. And definitely not the way I used to promote in those YouTube videos.
Now that you know my story, what's yours going to be?