First of all, many people say that the shortage of cybersecurity jobs is much, much bigger, but many students majoring in cybersecurity are not willing to do cybersecurity. So why don't companies raise their salaries to attract these people to come? The answer is that the market has decided it's not worth it.
In other words, the current market is underpricing cybersecurity, and not just in China, but globally, which is why the so-called giants of cybersecurity are baby-sized in the eyes of the real IT giants. (If internet vendors don't have to compensate their users for security incidents then why would they pay for security services?) You can go to quora on this topic, there are a lot of answers. Also, I think I remember the global security market market capitalization in 2018 was something like $80+ billion or a little over $100 billion out of the gate, how much do you think that is compared to the total global IT market capitalization?
Also, always remember: security is a cost item that doesn't directly bring in revenue, so it's in the same incredibly awkward (and low) position as the risk control departments of financial firms.
Additionally, from the learning curve, security is extremely difficult, you just need to choose a programming language to dry 1-3 years can become familiar with, while security is different, the operating system kernel, the browser kernel, x86 hardware characteristics, software debugging (0 ring +3 ring), mainstream programming languages, etc. You need to be proficient in a number of items in order to really get out of the "rookie" level. You can't really get out of the "rookie" level until you are proficient in several things, and you don't even know how the system and the main software (browsers, web containers, all kinds of middleware, etc., etc., etc.) work, so how can you talk about security? Come back and think about this in graduate school.
Despite the difficulty of getting started in the security industry, the fact is that a large number of practitioners of network security (especially security services) and even many of the basic computer knowledge have not even hit the ground running (will not be the basis of programming, scripts will not write, etc.), began to mix in the security company, so much so that a certain boss drunk spit out the truth: "the security industry is shallow and more than a king of water! ". How are you going to improve if you hang out with these watery bastards more? (I'm not going to beat security service people to death with a stick, many of the big boys, including the one who led me through the door, are security service people, but there's still no denying the fact that security services are watery).
The problem with the demand for high quality personnel, and the low quality of the actual personnel, is that many security companies don't actually solve problems for their customers; talk to the A-side more often, and you'll hear a lot of vitriol.
And with the current situation in China, security company customers are mainly non-commercial organizations and large companies within the system, so this is essentially a license business, not fully market-oriented, and not completely innovation/technology-driven, so the company's operational efficiency than the 2C Internet company is a notch worse (although the value of what they are doing may be higher than a lot of Internet companies, but the inefficiencies are just that: inefficiencies). So you get tons of stupid product design, arrogant products, angry but undermanned ansers, nepotism, mid-level infighting, etc.
All that nonsense is to say: don't do cybersecurity unless it's true love! And especially don't do it as an undergraduate major! (Even if it's true love, like me, I'm now having second thoughts about switching careers)