This makes it hard to obtain positions in the field and mid-level industry certifications with work requirements due to the lack of directly related experience.
Security is a hot field, so there is no shortage of players in the market looking to capitalize on this by getting into the certification space. Be careful what you sign up for.
- SANS stuff is expensive but always respected. (This doesn't mean it's good, just that it's a useful credential)
- OSCP is supposedly brutal and separates the men from the boys, but nobody in a position to hire you will have ever heard of it.
- CEH/Security+ is a joke (see above warning; both are beneath you and exist only to siphon DoD 8570 money).
The insult to people like yourself is that you went to the trouble of getting a Master's, yet the implication is that you're not qualified unless you also go out and buy an overpriced certificate and pay to maintain it.
How does one break into the cybersecurity industry given this scenario?
Start by being more specific and focus on that. There is no job title of "cybersecurity." But there is application security, network security, malware analysis, digital forensics, penetration testing, security engineering, security analysis, etc.
Then, relocate. Are you in middle America? Get out. Go where the financial and defense industries are, typically on either coast. Many of the security vendors who sell to them are located in California (San Jose, Sacramento, mostly northern). Go where the market is.
With a degree in something as broad as "cybersecurity," you've aligned yourself with the management track. Pursue that. You'll probably need a SANS cert. If you don't want to be management, pick a particular niche of security and beef up your technical skills in that domain (e.g., for network, go the CCNP/CCIE route).
Not that it's impossible, but most people who end up in mid-level security-related positions did not start there. They tend to cut their teeth in a more technical domain first and build from it-- networking experts who've seen enough threats in the field to know something about it, developers who know how to break applications because they've spent enough time building them, etc. Myself, I cut my teeth as a sysadmin dealing with threats to infrastructure as a matter of course-- trial by fire.
I don't have any certifications. It hasn't stopped me from progressing in my career on either coast. The only qualification I don't have that has actually impacted me is lack of a security clearance-- it makes it very hard to get anywhere in the defense industry.