We've recently seen substantial layoffs across the tech sector, to the tune of around 140,000 redundancies made by big names such as Amazon, Salesforce, Microsoft, and Tesla. As the recession bites, falling stock prices and further contraction in the market, together with merger and acquisition activity, are expected to force businesses to reduce head count further still. Yet the cybersecurity sector, thus far, has remained relatively unscathed with respect to cyber professionals (it’s a different story with vendors, which are subject to the mores of the market). The question is why, and will it continue to buck the trend?
Much of the reason why the security industry remains so buoyant is down to the fact that there simply isn't the fat to cut from security teams. Most businesses are struggling to recruit sufficient staff due to a widening skills gap — the ISC2 "2022 Cybersecurity Workforce Study" reports that while there is a global workforce of 4.7 million, the gap is almost as big at 3.4 million — and that means teams are often short-handed, leading to job creep, whereby staff have to take on extra responsibilities. "The State of Security 2022" report found that 76% of cybersecurity staff had to take on responsibilities they were not ready for in an attempt to fill the void.
Is My Job Safe?
Yet despite professionals being in demand, the wider cybersecurity sector is beginning to feel the pain. Budgets themselves remain robust, with analyst houses such as Gartner predicting strong investment in cloud security, application security, and other information security software. But even if cybersecurity spending increases in 2023, it's being eroded by rising inflation and increasing solution/licensing costs, and the majority (70%) believe budgets will be cut or frozen this year, according to ESG Research.
So, what are the implications for the year ahead? First, cybersecurity talent will remain in short supply, while the annual shortfall, together with an exodus of talent, will see the gap widen, increasing demand still further. Jobs will, therefore, largely be safe, although this doesn't apply across the board.
The shortages are focused. Those with three to four years or more of experience are most in demand, according to the Department for Digital, Culture, Media, and Sport, as are those with experience in emerging or nascent technologies and roles, such as cloud security, security operations center (SOC) analysts, security admins, and security architects, according to Fortinet's "2022 Cybersecurity Skills Gap" report. Those findings broadly tally with ISACA's "State of Cybersecurity 2022" report, which lists the top five skill sets as cloud computing, data protection, identity access management, incident response, and DevSecOps. However, positions further down the hierarchy are likely to prove less recession-proof.
Investment in Tech
Second, shrinking budgets could slow investment in automation, which many had hoped would alleviate the skills shortage and improve retention rates by providing security teams with some much-needed assistance. That's bad news for the industry, as it will stifle progress, but it could also see organizations become more exposed. The ISACA report found 69% of those businesses that suffered an attack last year were somewhat or significantly understaffed, and it's a problem that is turning out to be something of a self-fulfilling prophecy. Half of staff say they are much more likely to quit following a cyberattack, and job candidates are far less likely to want to work for a business that has suffered from cyberattacks, according to "The True Cost of Cyber."
However, the jury is still out on just how affected cyber spending will be. According to "The 2023 State of IT" report, cybersecurity is expected to increase its take out of IT budgets with respect to software (11%), hardware (7%), cloud (6%), and managed services (11%). Furthermore, the "2023 Global Tech Outlook" report found cybersecurity is now viewed as a higher-priority spend than innovation in digital transformation projects. IT security (44%) came out top as a spending priority for the next 12 months, followed by cloud infrastructure (36%) and IT/cloud management (35%).
Third, we're unlikely to see salaries continue to escalate as they did pre- and post-pandemic, when some salaries experienced double-digit percentage growth. The Harvey Nash Hot Skills & Salary Report found that certain cybersecurity roles have plateaued, with 67% not receiving a pay rise. Realistically, this will make retention more difficult, and businesses are going to have to work to hang on to their hard-won talent (60% of businesses have already had staff poached, according to ISACA). That said, with the market contracting, some cybersecurity professionals may opt for job security over salary.
It looks unlikely that the cybersecurity sector will escape entirely the ravages of the recession. Demand for skilled professionals will remain high, but with cyber budgets being eaten away, there will be less cash to go round, forcing businesses to prioritize. In a bid to do more with less, workloads are likely to go up, in turn increasing staff turnover, jeopardizing business continuity. That means the one certainty we do seem to have is that businesses will be understaffed — and overexposed.