Amid considerable positivity around job security, earnings and opportunities, global economic pressures caught up with cybersecurity employers in 2023.

Cybersecurity professionals are used to dealing with stressful environments, so the regular ups and downs of cybersecurity do not necessarily pose a problem for professionals who are used to finding solutions to problems, often on-the-fly.

However, the reality is that the world is in a particularly fractious state, with macroeconomic issues exacerbated by geopolitical volatility. Even the robust and in-demand world of cybersecurity is not entirely sheltered from what’s happening elsewhere in the global economy.

This year’s ISC2 Cybersecurity Workforce Study highlights the extent to which cybersecurity teams are being impacted by organizational pressures, not just from a morale or resources point of view, but in terms of impacting the effectiveness of cybersecurity activities and, ultimately, impacting business resilience. It highlights what senior management should be doing to maintain resilience, regardless of staffing levels.

While 50% of respondents have not experienced any layoffs at all, and a further 28% have only seen cutbacks in other departments, just over one in five (22%) of respondents said they had experienced layoffs in cybersecurity teams. Similarly, the study revealed that while just over a quarter (26%) said they had experienced a freeze on promotions and/or raises, more than half (52%) have not and a further 22% have only seen this happening in other departments, not in cybersecurity.

Spending cuts also impacted teams, with roughly a third saying they experienced budget cuts, with a further third (32%) saying budget cuts had affected other departments only. Even though cybersecurity was not affected directly in the majority of respondent cases, 28% said there had been layoffs in their broader organization, with frozen promotions/raises and budget cuts hitting 22% and 32% respectively.

Even Possible Cutbacks Have an Effect

Half of respondents had not experienced layoffs, and slightly more said they had not experienced freezes on promotions/raises, while 38% had not experienced budget cuts. These are further encouraging signs for the cybersecurity community and likely reflect the fact that supply continues to outstrip demand, prompting companies to prioritize retaining skilled cybersecurity staff, even when faced with tougher economic conditions.

When it comes to cyber layoffs, there were clear sectoral differences, with less than one in 10 military or government respondents – including contractors – reporting cyber layoffs. By contrast, a third of respondents in entertainment/media had seen layoffs, dropping to 31% in the construction and security software/hardware development sectors.

Likewise, while just 11% of Hong Kong respondents, and 18% of US respondents reported cybersecurity layoffs, the rates in Brazil and Mexico were substantially higher, at 38% and 37% respectively.

Layoffs are never easy. Like other cutbacks, they create a ripple effect that can unsettle the remaining organization.

Data suggests that where budgets are under pressure, some organizations are seeking new efficiencies through restructuring and slowing other investments. Over half of respondents reported delays in purchasing or implementing technology, while 40% said the security team had been restructured, or moved within the organization. A quarter said some cybersecurity software licenses had not been renewed.

Individual team members also felt the effect, with over a third saying training had been cut, and 29% noting that spending on certifications or professional development reimbursements had been reduced.

Employers Relying More on Existing Staff

Security professionals are rarely underemployed at the best of times. But on an individual or team level, 71% reported an increase in workload with 57% saying the ability to respond to threats had been impacted, and 52% citing an increase in inside risk related incidents.

When cutbacks are in the air, employees become more sensitive about employment risks. Almost a third expect further cutbacks in their organizations, with over two thirds expecting these to include layoffs. Those who know someone who was laid off, even from another organization, are far more likely to expect further cuts.

There can be a pronounced difference between perception and reality. There were key differences in how senior executives saw the outlook for cybersecurity teams and how workers at the sharp end did. Asked whether they expected their organization to employ more cybersecurity staff, 32% of C-level executives, 30% of directors/middle managers and 30% of executive management said they did. Less than half in each category expected to cut staff. However, 65% of junior staff and 56% of managers said they expected cuts. The outlook might not always be as negative as junior staff think, but that message is not reaching them.

If reductions in staff and tooling have an undeniable effect, things are compounded when skills shortages are also considered. Two thirds of respondents said their organization had skills shortages that affect their ability to prevent and troubleshoot cybersecurity issues.

The most cited reason for skills gaps is that the organization just can’t find enough qualified talent (41%). However, a range of other issues also emerged with 34% citing budget – up five points on the previous year. Pay, a lack of career progress, reduced training and sheer lack of planning were all issues.

The Pernicious Impact of Skills Gaps

These are all individual headaches, but they add up. In fact, just 8% of respondents said there were no skills gaps in their organization, while 17% said they had one or more critical gaps. And the problem was more pronounced in those companies that had layoffs – 23% reported one or more critical skills gaps.

Even when organizations have an apparent surplus of people, this can be negated by skills deficits. When 59% agree that “skills gaps can be worse than total worker shortages” while a similar amount agree that efficient distribution of skills across the team can mitigate worker shortages, we should assume this is informed by real-world experience.

Which makes it even more shocking that a quarter of respondents reported that the reason for skills gaps was “people with these skills recently were laid off and we haven’t replaced them.”

A more mundane cause for skills gaps is an overfocus on degrees, and a lack of focus on entry level staff. Meanwhile, companies often neglect the potential for training non-security IT staff as cyber specialists.

Perhaps unsurprisingly, shortages are most acute in areas such as cloud computing security, artificial intelligence (AI) and machine learning (ML) and zero trust implementation – areas which are going to become even more important in the next few years.

These gaps translate into increased risk for organizations, both in how they anticipate and respond to cyberattacks. Staffing shortages put organizations at risk of attack, said 57% of respondents. Half said shortages leave them without sufficient time for adequate risk assessment and management, 45% say it leads to oversights in process and procedure, 38% said it leads to misconfigured systems, and a similar amount said it slows down patching of critical systems.

But it also cripples teams during an attack. Over a third said shortages mean they are unable to “remain aware” of all active threats, while 30% said it led to slowness in responding to incidents.

What It Means for Organizations

It’s clear that staff shortages, and even more so skills shortages, have an undeniable impact on companies’ resilience and safety. The latter can be the more crippling.

Companies can go a long way to addressing these concerns by being realistic about where they’re falling short. They can then concentrate on upskilling their existing workers, including non-cybersecurity specialists, along with taking a broader approach to hiring. As we’ve seen elsewhere in the report, this broadening of hiring practices should go hand in hand with DEI initiatives.

Leaders need to own this problem and not look for quick fixes. It’s worth noting that the study found “outsourcing services had little to no effect on mitigating staffing shortages.” Sending the issue off-site or off-shore may provide access to more people, but it simply does not guarantee access to the skills and aptitude needed to address the shortfall. You may well end up with the same unresolved problem, combined with a much higher wage bill.

Senior leaders should also take workers’ concerns into account. That includes understanding the effect of expected or real-world layoffs on morale and resilience. It also includes simply being aware of their worries. Senior management might not have cybersecurity team layoffs on their to-do list, but many junior staffers haven’t received the memo and they need to. Simply keeping people up-to-date must be one of the least resource intensive ways to steady the ship and bolster a positive working environment.

- The full report for 2023 can be downloaded at https://www.isc2.org/research, along with the Cybersecurity Workforce Study reports from previous years for further comparison.
- A preview session on the Cybersecurity Workforce Study findings took place at ISC2 Security Congress in October 2023. This is now available for on-demand replay at https://events.isc2.org/
- Join the conversation – let us know your thoughts on the findings over in the ISC2 Community