Why entry-level cybersecurity roles don’t exist – and how we can change that

We’ve all seen the ad: ‘Entry-level cybersecurity analyst – must have three years’ experience.’ It’s become a running joke in the industry, but for candidates trying to break in – and for companies desperate for talent – it’s anything but funny.

So why do so many ‘entry-level’ roles come with unrealistic requirements, and what can employers do differently?

Why this happens

Cybersecurity feels too high-risk to train on the job.
Unlike other IT functions, cyber is tied directly to risk. One misstep can expose sensitive data, trigger a breach or lead to regulatory fines. For many hiring managers, it feels safer to bring in someone battle-tested rather than invest in developing junior talent.

Rigid job specifications get inherited.
Job ads are often written by human resources or recruiters using outdated templates. If a role once required three years’ experience, that line might persist even when the role itself changes. Over time, specs balloon into laundry lists of certifications, tools and years served – none of which truly reflect what’s needed on day one.

Lack of structured junior programs.
Unlike fields such as accounting or law, cybersecurity doesn’t have widespread graduate pipelines. Without a framework to bring in and train juniors, companies default to expecting fully formed professionals who can ‘hit the ground running’.

The consequences

Talented juniors get locked out.
Capable graduates, career changers and self-taught technologists can’t get a foot in the door, no matter how much potential they have.

The industry reinforces its own shortage.
Australia alone is projected to face a shortfall of tens of thousands of cyber professionals over the next few years. By refusing to invest in entry-level talent, companies deepen the very skills gap they complain about.

Teams stay overstretched.
Senior analysts end up doing work that could be handled by juniors, such as triaging alerts, documenting processes or managing day-to-day monitoring. This leads to burnout and reduced retention.

How to fix it

The good news is this isn’t a talent problem, it’s a pipeline problem. Employers have the power to change it – here’s how.

  1. Define real entry points.
    Instead of ‘Three years’ experience’, decide what’s actually required to succeed at a junior level. Can someone with strong problem-solving skills, basic networking knowledge and a security certification contribute from day one? If yes, that’s your entry role.
  2. Invest in mentoring and upskilling.
    Every senior analyst was once a junior. Pairing new hires with experienced mentors not only accelerates learning but also strengthens culture and loyalty.
  3. Pilot internships and contract-to-permanent models.
    Structured short-term placements allow companies to test and train talent without the same risk as a permanent hire. Many successful cyber teams use internships or six-month contracts as feeders into full-time roles.
  4. Shift the mindset.
    Cybersecurity is critical, but not every task is high stakes. Alert triage, ticketing and documentation are perfect training grounds. By letting juniors take on these responsibilities, you free up seniors for the more strategic work.

The bottom line

If the industry keeps demanding ‘entry-level candidates with three years’ experience’, the skills shortage will only worsen. But with clear entry points, mentoring and structured junior pathways, companies can help build the pipeline they desperately need. Because the truth is simple: Tomorrow’s seniors won’t exist unless we train them today.
