For many people finishing their PhDs, the jump from academia to industry is a path riddled with doubts, unknowns, and a number of surprises. At least, that is what it felt like for me when my academic journey finished and I was met with the decision: What now?
Here is some wisdom about my journey, and some hard-learned lessons on the way to becoming part of the cybersecurity industry.
Misconceptions about the cybersecurity job market
I started my job-hunting journey with a pretty open mindset and a PhD title in my hands. Still, I had expectations and assumptions about how it would go.
1. The job market is looking for me
I expected lots of open job positions, companies desperately trying to fill them with a cybersecurity professional, and of course my PhD would make me the top choice for these companies. Why would I think that?
Since school days, I was told that IT is the emerging field that will conquer the world, and that society will need my IT expertise in every job imaginable. When I started to get interested in IT security, the message was even clearer: IT security professionals get paid a lot of money, more than software engineers, more than other IT professions. Cybersecurity is the field that will be the most profitable in the future, as more and more money will be needed to secure the growing number of IT systems.
The reality is very different:
- The job market is down, in general. In IT, the big companies are laying off a lot of people, and in cybersecurity, the number of positions has dropped drastically since my last job hunt in 2019.
- More open positions are targeted at “experienced professionals” with more than 3–5 years of hands-on experience.
- Job positions are left open intentionally, or not even publicly available.
- A huge number of people who started their cybersecurity journey for the same reasons I did (money, job security, a lower barrier to entry) entered the market 5 years ago. So, the supply increased while demand slowed down.
As a result, the job search is more tedious than I had been told for years.
2. A PhD is a good qualification (on the job market)
Of course, a PhD in cybersecurity is a great qualification, right? Not everyone has a PhD, it is a very demanding challenge, and you can be proud of yourself if you got one. But does this make it easier to get hired?
Well, it really depends. In my experience, very few people understand what a PhD means. They compare it to a regular study program. So technically, for some employers, you are fresh out of university, and you probably do not have any work experience!
My experience is: you need to explain it, you need to prove yourself, and you need to defend it. What I did was lay out exactly what I did and how I helped my partner companies achieve better security. You need to sell it well, and it might help you stand out in the sea of applications every company receives.
3. Industry certificates matter
This one is short and simple: During my last job hunt in 2019, industry certificates were requested in every non-entry-level position, for example:
- Certified Information Systems Security Professional (CISSP)
- Certified Ethical Hacker (CEH)
- Certified Information Security Manager (CISM)
- TeleTrusT Information Security Professional (T.I.S.P.)
- Certified Cloud Security Professional (CCSP) from (ISC)²
The good news (in my opinion) is: these are not as required as before; they fall more into the category of "nice-to-have". The bad news is: now significantly more people have these certifications, and to stand out, you might need to acquire them, too.
4. I will find a job in my PhD expertise
Of course, this depends on your PhD niche, but in most cases, your PhD work will differ greatly from your industry job. That is because your niche is only interesting to very few people and companies in general, and finding those relevant positions is like finding a needle in a haystack containing no needles. If you are really keen to continue working in your specific field, your job search will need to be more focused, more limited, and will take longer.
5. I can do anything
I'm convinced that after surviving a PhD, you can definitely do anything. In the cybersecurity space, though, you can only do so much. The field is big, and you need to find your niche and specialize in it.
I always wanted to be a generalist, a jack-of-all-trades, and in some way, I am. But cybersecurity requires that you focus on specific niches, because there is so much to learn, and you cannot reasonably learn it all in the depth to call yourself an expert.
As Lesley Carhart, a fellow cybersecurity expert, puts it in their blog:
There is just too much to know that changes far too fast. […]
However, eventually we all do have to make a choice in order to have a coherent career track and resume, focus on the right training and certifications, and just be able to manage it all.
This is 100 % spot on, but if this is your first cybersecurity job after the PhD, you can allow yourself to dabble in different niches until you find the one in which you really thrive.
In the end, you need to know what you want to do. Want more practical tasks, or do you want more conceptual work? Do you want to be a Security Engineer, working out the details of a system, or a Security Architect, working on the big picture? Or maybe you want to have a managerial role instead?
6. Companies know what they are looking for
This was also a hard lesson to learn. I expected that, if you apply for an IT Security Manager role, you will mostly manage, and work less on technical matters. This is not always the case.
The people working in companies that hire cybersecurity professionals, apart from very few exceptions, have no idea what they need or what the job title should be. So it is very probable that, by looking for "cybersecurity manager", you will find engineering roles, IT support roles, and Information Security Officer positions. The same goes for consulting: everyone can call themselves a consultant, so consultants are not just "the people who advise clients". I saw and applied to consulting positions that turned out to be pentesting gigs, GRC (Governance, Risk & Compliance) roles, or even application development positions. Very frustrating!
Do some research before you start applying, learn all the specific job titles that you might be interested in, and be ready for companies to misname the role in their job descriptions.
Advice and tips for the job hunt
This is only some general advice, because every job search is individual, and what is a very frustrating experience for one person can turn out to be really rewarding for another. So here are some tips, in no specific order:
Define your boundaries regarding the hiring process. The hiring situation has become crazy, and you do not need to accept it. Having more than 3 rounds of interviews has become more common, because companies think they get Google-level candidates if their hiring process mirrors the Google / FAANG ones.
Define beforehand what is acceptable for you. Hiring processes are tiresome and drain your energy faster than you think. Imagine being in 5 different hiring processes, and for each job you need to meet up to 3 times before you get any feedback. That is 15 meetings only to have progressed no further than "a company might be interested in me".
For me, I prefer a maximum of three rounds:
- A phone screening interview (or video call): you get to know each other, the company, and what the position actually is. The company can do simple checks to make sure you are not a crazy person.
- A meeting with the team lead / supervisor / manager, to get to know each other and already discuss details of the position.
- Optionally, a meeting with the team: I call this the "vibe check", to get to know what your coworkers will be like.
- Then the company makes you an offer, and you only meet to discuss the offer details (compensation, requirements, etc.) and shake hands (on-site or virtually).
If you have connections into the industry, use them. Hiring by applying is very broken right now, with AI becoming a roadblock for both sides of the interaction. If you know people in the field or the company you are interested in, do not be shy and contact them. Whenever you can get an advantage over normal job applications, do it.
Use an updated CV for every application. If your network is not strong enough to get you a job, you will need to play the hiring game. And in 2025, this game consists of finding the right combination of keywords such that AI-based HR software will not filter you out before a human gets to see the application. Use words from the job description, and keep it simple (e.g., a one-page CV) for when a human actually looks it over. Every company I have talked to tells me they have far more applications than open positions, so you really need to be concise and interesting to HR people with a very limited attention span.
Job requirements are wish lists. There is a saying that female applicants do not apply if they do not meet all requirements for a position, while male applicants do apply even if they do not meet them. This is probably not true, as this 2024 study shows.
I will let you in on a secret, something you either know or you don't: HR people create these job postings online, and they have no idea what is required for a role. Even managers sometimes do not know what is strictly required and what is "nice-to-have". Also, 99 % of job postings nowadays use generative AI, so they will sneak even more unrelated "requirements" in there. Therefore, apply nonetheless if the job description sounds remotely like something you might be interested in. I beg you, we need more diversity in cybersecurity!
Be visible on the internet. This is related to another tip above: build a network of people, and be visible enough that people might find you if they are looking for your expertise. This means:
- have a LinkedIn profile
- have a “professional” social media profile
- have a website
- have a blog / podcast / YouTube channel
- give public talks
- do stuff that makes people talk about you (public events, talks, join groups)
- talk about yourself on social media if you did something interesting (related to your job or profession)
I have had several professional opportunities come to me because someone saw a talk I gave or found reports about my work. The good thing is: the number of security professionals who are that public about their jobs is pretty limited, so you have a much better chance to stand out.
You can start today, even if you just finished your PhD. Start by talking about your research, or a presentation you gave three years ago. Everything counts to generate clout.
Work with HR professionals specialized in cybersecurity. Not every HR person is competent, but I noticed that many companies work with these HR agencies and professionals. These "hiring professionals" get a lot more open job positions, and can help you get an interview faster than trying to apply to a public posting. Just make sure that you know upfront what you are willing to do and accept as offers, because they will try to pitch you offers that may not be the right fit for you.
So, this is my take on the cybersecurity job market. This post was heavily inspired by Lesley Carhart's posts about mentoring, so please check those out, too.
Let me know what you think in the comments, and share it with your fellow PhD people that might need this.
Photo by Felipe Gregate on Unsplash