ByteSizedSecurity Cybersecurity Insights & Analysis
DevSecOps 5 min read Updated

Cybersecurity Hiring: Portfolios Trump Pedigree Now

Marc David
Marc David Senior Security Engineer · CISSP
cybersecurity careers hiring trends tech careers
Cybersecurity Hiring: Portfolios Trump Pedigree Now

Portfolios Over Pedigree: What Actually Gets You Hired in Cybersecurity Now

TL;DR: A new survey of 200+ engineering leaders found that side projects, GitHub portfolios, and internships are the top hiring signals… while school prestige and credentialing programs barely register. If you’re trying to break into cybersecurity, stop stacking credentials and start building proof. The market is tighter, but the opportunities have shifted to people who show up with evidence.


The Data Is In: Degrees Don’t Get You Hired Anymore

For years, the pitch was simple. Get a computer science degree. Maybe add a cybersecurity certification. Apply to jobs. Get hired.

That pipeline is broken.

A new survey of more than 200 engineering leaders, conducted by tech training nonprofit CodePath and shared exclusively with Fortune, paints a clear picture of where entry-level tech hiring stands right now… and what actually matters to the people making hiring decisions.

The headline numbers: 38% of respondents said their company reduced entry-level hiring over the past year. Nearly 1 in 7 reported pausing Gen Z hiring entirely.

But the more revealing data is about what signals matter when companies do hire.

What Engineering Leaders Actually Look For

When asked what matters most outside the interview process, engineering leaders overwhelmingly pointed to proof of real-world skills over formal credentials:

  • Side projects or portfolios: 38% (the #1 signal)
  • Internship experience: 35%
  • Public code portfolios like GitHub: 34%
  • Candidate’s degree or academic focus: 23%
  • School prestige: 17%
  • Credentialing programs: 4%

Read that last number again. Four percent of engineering leaders said credentialing programs were a top influence in hiring decisions.

This doesn’t mean certifications are worthless. They’re not. But it does mean that if your entire job search strategy is “get certs, apply, repeat,” you’re optimizing for the wrong signal.

What This Means for Cybersecurity

This data comes from engineering leaders broadly, but the pattern maps directly onto what I’ve seen in cybersecurity hiring for years.

The people getting hired aren’t the ones with the longest list of certifications on their resume. They’re the ones who can demonstrate they’ve actually done the work. Built something. Analyzed something. Solved a real problem and documented the process.

In cybersecurity specifically, here’s what “building proof” looks like:

  1. Build a home lab and document everything. Set up a virtualized environment. Configure firewalls, run vulnerability scans, practice incident response. Write up what you did, what you learned, and what you’d do differently. This is your portfolio.

  2. Analyze real breaches and write case studies. Pick a recent security incident. Research how it happened. Write up the attack chain, the root cause, and what the organization should have done differently. Post it on LinkedIn or a personal blog. This shows hiring managers how you think.

  3. Contribute to open-source security tools. Find a security project on GitHub and contribute. Even small contributions like documentation, bug reports, or minor fixes show you can work with real codebases and collaborate with other developers.

  4. Get an internship however you can. 35% of engineering leaders cited internships as a top hiring signal. If you can’t find a formal cybersecurity internship, look at IT help desk roles, small businesses that need security help, or nonprofit organizations that could use a security assessment. Any hands-on experience counts.

  5. Post your work publicly. The survey found that 34% of leaders value public code portfolios. In cybersecurity, this means making your work visible. Write-ups on LinkedIn. Projects on GitHub. Blog posts explaining what you’ve learned. If hiring managers can’t find evidence of your skills online, you’re invisible to them.

The AI Factor

The CodePath survey also highlighted a shift in what skills employers expect from early-career hires. Greater fluency with AI tools and frameworks was the most common expectation, followed by faster time to writing production-ready code and the ability to learn new tools quickly.

This tracks with broader labor market data. AI literacy topped LinkedIn’s list of skills companies are hiring for right now. And a Lightcast analysis of over 1.3 billion job postings found that roles requiring at least one AI or generative AI skill offered an average of $18,000 more in annual compensation.

For cybersecurity specifically, understanding how AI tools work isn’t optional anymore. AI is being used on both sides… by attackers to craft more convincing phishing campaigns and automate reconnaissance, and by defenders to improve threat detection and automate response. If you can demonstrate fluency with AI security tools, you have an edge.

The Opportunities Aren’t Gone… They’ve Shifted

Despite the slowdown, opportunities still exist. The U.S. federal government recently announced it would hire about 1,000 new engineers, data scientists, and AI specialists with salaries ranging from $150,000 to $200,000… no degree required.

CodePath CEO Michael Ellison put it well: “People are rewarded for being aggressive and for going after what they want. It’s surprising the opportunities that are hidden in plain sight.”

The market is genuinely tighter. That’s not fearmongering… it’s reality. But the response shouldn’t be to give up or wait for conditions to improve. The response should be to adapt.

Stop optimizing for credentials that carry less weight than they used to. Start building tangible proof that you can do the work. And make sure hiring managers can actually find that proof when they look for you.

The Bottom Line

The hiring market has shifted. Degrees and certifications still have value, but they’re no longer the primary signal employers use to evaluate candidates. What matters now is evidence: projects, portfolios, internships, and public proof that you can actually do the job.

If you’re trying to break into cybersecurity, the path forward isn’t more studying. It’s more building. More documenting. More showing your work.

Stop waiting for permission. Start building proof.

For a practical look at how broken the application pipeline has become and why networking now outperforms applying, read our deep dive on navigating the broken cybersecurity job market. And for the complete playbook — from landing your first role to beating automated hiring — see our Cybersecurity Career Guide.

Source: Fortune / CodePath survey of 200+ engineering leaders (https://fortune.com/2025/12/18/tech-hiring-slow-but-not-fully-stalled-exclusive-codepath-data-new-secret-to-land-tech-role/)

Share This Article

Comments