As chief information officer of (ISC)2, Bruce Beam is usually thinking about how his IT team's efforts can advance the mission of the organization, which is focused on educating and certifying security professionals for work in the field. But lately, like many organizations, the (ISC)2 workforce has shifted largely to remote work, and Beam is thinking more about his team's internal security efforts.
"My help desk and my basic security team right now, they are really on the front lines," Beam says. "Attacks are up all over globe, and we are as prime of a target as you can get."
Beam pointed to the criticality of what his security team was doing amid the COVID-19 pandemic as exactly the reason why security roles remain essential, despite what might be happening with the economy.
"In general, security needs are going to increase because of a growth in the attack surface," Beam says. "I don't see a company backing off on it. I think security is going to not only maintain but grow as we move through this.
But contrast Beam's outlook against the fact that in the United States alone, 17 million people filed for unemployment benefits in the three-week period ending April 4, according to the US Department of Labor. In many states, that's well over 10% of the workforce (11.2% in California, 12.6% in Washington, and 16.6% in Michigan, for example).
Several months ago, compensation software and data company PayScale called cybersecurity a career that could weather a recession. In September, long before "pandemic" was a word used daily, a Grant Thornton survey of more than 250 business owners and C-suite executives found that more than half of C-suite officials (55%) planned on increasing cybersecurity investments, even as a recession loomed as a concern.
But now that the rubber has hit the road, and the coronavirus has made a mess of the economy in multiple sectors, we wanted to know what might change for security professionals in an environment where purse strings must be tightened.
'Nothing Is Off the Table'
Despite the overall blue-sky forecasts for security, the future is not so clearly bright.
Last week, for example, Israeli cybersecurity company Aqua Security laid off just under 10% of its workforce – covering sales, marketing and engineering positions in Israel, North America and Europe. A glance through Twitter turns up scattered announcements of individual cybersecurity professionals being laid off or furloughed.
The confidence that infosec people will be immune to job loss is misplaced, according to Jeff Pollard, vice president and principal analyst at Forrester.
"If customers disappear, then the company disappears. There's a massive amount of 'status quo fetishism' going on, and it seems like lots of security practitioners out there forget that when major downturns happen, everything gets cut, and security won't be an exception to that," Pollard says. "When a company is struggling to survive, nothing is off the table. We often discuss how there's a disconnect between security and 'the business.' This belief confirms that the gap still exists."
Small businesses have already been hit particularly hard, and, according to the latest (ISC)2 Cybersecurity Workforce report, 19% of the infosec workforce is employed by businesses of under 100 employees. A recent survey of small businesses by the US Department of Commerce and Met Life revealed that about one-quarter think they're less than two months away from closing up shop for good, and 43% said their doors will shut within six months if the situation doesn't improve.
At CyberSN, a staffing firm specializing in connecting hiring firms and security professionals, Deidre Diamond notes how the state of the security job market has changed in recent weeks.
"So far we have seen very little to no layoffs for security professionals … [but] 70% of our clients put all hiring on hold," she says. "About 10 percent of those started hiring again [the week of March 30th]. We expect another 10% will do so this week and each week after providing the health crisis stays under control."
But Diamond also notes that CyberSN does not service sectors that have been harder hit by the pandemic, such as travel and hospitality. "Our clients are financial organizations, healthcare, software companies, energy and power, of all sizes," she says. "We mostly place hands-on cybersecurity engineers of all types to include experienced [cyber incident response and security analysts]. I would expect that any industry that was directly affected by the health crisis will lay off a portion of all roles."
But the recent Department of Labor statistics show that even the healthcare sector has seen some cuts already. And in the coming months when governments make budgetary changes to try to repair their ravaged economies, the many security jobs in the government sector may be disrupted.
Regardless of sector, Pollard thinks change will be essential for almost all types of organizations in the coming months – even for their security teams and professionals at all levels.
"In early interviews with leaders that are already making cuts, numbers range from somewhere between 10% to 30% of staff," Pollard says. "This could mean shifting security from a 24x7 support model to 8x5, but overall it will require security teams to accept much slower response times."
In addition, Pollard says, there is often "a moratorium on new projects and investments – especially those not related to remote access technologies. Freezes on promotions and annual increases could happen, and new hiring freezes are already in effect for many organizations. Lean teams will get leaner."
Pollard worries about CISOs losing their jobs. "Many CISOs report to CIOs," he says. "This is a time when those CIOs could look across the expenses within their organization and decide absorbing a senior executive role [like a CISO] pays for and preserves a number of practitioner jobs. I don't think that will be common, but it could happen."
(Continued on next page: The skills in
highest - and lowest - demand)
While security will still be essential, organizations may be forced to cut what they can while preserving as much security posture and maturity as possible. Theresa Lanowitz, director of cybersecurity communications with AT&T Cybersecurity, thinks the move to a managed security services (MSS) provider might make sense for some organizations that need to build a program within their budget and can't afford an internal team.
"Organizations of all types want and need to be able to innovate safely and deliver value for its customers," she says. "As business models shift and change, this need for innovation of core competencies will become a mandate. Another mandate will be the need to reduce the complexity and cost of fighting cybercrime. Marrying these two mandates means that security practices and functions will move to an MSS model."
The Skills in Highest (and Lowest) Demand
But even amid cost-cutting, Beam says he can’t imagine how difficult it will be to hire infosec pros once the economy normalizes if companies lay off in that division now.
"If we can keep them, I will have a team that’s more loyal in the future,” Beam says. “And I am not hunting like the rest of the world. I know it’s a difficult balance if a company doesn’t have liquidity, but it will come out stronger on other side.”
And amid digital transformation and other technology investments, he thinks security professionals with cloud security expertise will be particularly hard to find. John Dickson, a principal with The Denim Group, an application security firm, echoes Beam’s statement.
"Below the surface, I see an acceleration of the trend favoring more technical security expertise, particularly involving cloud and DevOps, at the expense of softer security skills like security policy and compliance,” Dickson says.
Valmiki Mukherjee, chairman and founder of Cyber Future Foundation, a nonprofit focused on collaboration among industry, public agencies, and academia in cybersecurity.
"With so many in the industry going through digital transformation, someone well-versed in cloud security fundamentals will do very well," he says. "Every organization is now going into full-swing digital transformation. COVID-19 accelerated that. How can we secure the journey? How can we enable the journey? With cloud security platforms."
Whatever the immediate future brings, those in security who are motivated to stay relevant or, if laid off, be rehired quickly may be well-served to make the best of their downtime with education, Dickson says.
"I see companies making decisions more on performance at this point – getting rid of their 'C players,'" he says. "On an individual basis, this is an ideal time to knock out a certification or plus-up on a technical skill that you’ve been meaning to address for a long time."
While security is seen as a cost center in many organizations, it will still be a people issue when it comes down to deciding where to cut costs, Mukherjee says.
"When somebody gets fired or laid off, who goes? Those who are not trainable. They are not essential workers because they cannot flexible," he says. "If you are not a team player, you will be vulnerable."
(Continued on final page: Is infosec
more important than ever?)
Now is definitely not the time to cut costs on security with an increasing number of threat actors trying to take advantage of the chaos amid the pandemic, says Grant McCracken, senior director of program and security operations at BugCrowd.
"Malicious or nefarious actors don't slow down just because there’s a recession. In fact, they become more active," he says. "In downturns, there may be a temptation by leadership to cut security budgets because the value of security can often be hard to see for those not familiar with the inner workings of a security team — which is to say it's easy to feel security is always excessive, that is, right up until it isn't."
"When a pandemic or crisis strike, attackers and bad actors always try to take advantage; therefore we expect an& increase in phishing attempts and other scams," adds David Stuart, senior director at social media security firm ZeroFOX. "Pile on economic calamity and forced remote working, and we may have the perfect storm of events leading to unprecedented opportunity for cybercriminals to profit. ith increasing threats and work process disruption, information security needs will likely increase. This will most likely translate to increased infosec skill demand, but it will also likely manifest as increased workloads for already burdened infosec teams."
And from the lessons learned during the massive shift to remote work, Laurence Pitt, global security strategy director at Juniper Networks, thinks security will not only remain as an essential part of business but be called on to help with future growth initiatives.
"In the coming months, we will see a lot of learning emerge from the current situation," Pitt says. "Not just the obvious of failed disaster recovery, or lack in remote access scaling, but also requirements for user behavior monitoring and analytics that will be introduced as users work with corporate devices on their home networks. The infosec team will be at the center of any new strategy discussions to look at how changes introduced today become corporate security strategy in the future."
Related Content:
- COVID-19 Latest Security News and Commentary
- Beyond Burnout: What is Cybersecurity Doing to Us?
- Keys to Hiring Cybersecurity Pros When Certification Can't Help
- State of Cybersecurity Incident Response
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.