Cybersecurity professionals will likely weather an economic downturn better than most other workers, as corporate executives worry that a recession could bring an increase in cyberattacks and acknowledge the difficulty in hiring knowledgeable workers, according to a new study by (ISC)2, a cybersecurity certification group.
The survey of 1,000 nontechnical C-level business leaders found that companies are more likely to cut employees in human resources, finance, and operations, and least likely to cut in cybersecurity, IT, and operations.
The reasons are pretty clear: 87% of executives thought a reduction in their cybersecurity team would increase their business risk, and 80% believed that economic troubles will lead to more cyber threats.
The results suggest that even nontechnical executives have increased the priority of cybersecurity, says Clar Rosso, CEO of (ISC)2.
"In the workforce study every year, we're talking to cybersecurity professionals, so we know what they think," she says. "Now we see that organizational leaders are saying that [cybersecurity professionals] are on the bottom of our list to cut, and they're on the top of our list if we need to hire back."
Economists still widely expect a recession in 2023, despite strong job data and the Federal Reserve's continued efforts to increase interest rates and reduce money supply. In December, a Bloomberg poll showed economists predicted a 70% chance of a recession, and in January, a Wall Street Journal poll of economists suggested a 61% chance of a recession.
Yet, with annual inflation remaining above 4% for the past 22 months, companies have already started taking steps to prepare for an economic downturn, including staff reductions. In the cybersecurity industry, for example, more than 55 vendors have already laid off workers, according to Layoffs.fyi.
Cybersecurity Gigs Are Resilient
The (ISC)2 survey suggests that most layoffs are not cybersecurity or IT jobs, but administration and support. In cybersecurity, only 31% of companies expect to reduce their cybersecurity workforce if the economy declines, while 51% will prioritize reinvestment in cybersecurity if the economy improves, according to the survey.
The spread between the two sentiments is the highest for cybersecurity among all business units, with IT teams coming in second place, facing a 35% expectation of a reduction in bad times and 49% expectation of reinvestment in good times. Human resources and sales are the most at risk, with 44% and 41% of executives indicating they will lay off HR and sales staff in bad times, respectively, while 29% and 30% will prioritize reinvestment in those departments if the economy improves.
Highlighting the pent-up demand in cybersecurity, three-quarters of executives (74%) would consider hiring cybersecurity workers laid off from other companies, the (ISC)2 survey found.
"With reports of job cuts at organizations including Twitter, Meta, Microsoft, Amazon and Google, cybersecurity staff could benefit from proactive hiring targeted towards those recent layoffs," the report stated. "With so many tech jobs impacted by recent layoffs, it is possible that many of those individuals may find opportunity in pursuing a career in cybersecurity, where they can apply related skills and expertise."
The resilience in demand for cybersecurity professionals comes as many workers burned out and resigned, part of the Great Resignation in 2022.
Organizations that lost valuable specialists did so for three main reasons, Rosso says. Cybersecurity teams have traditionally not had great career advancement opportunities, so their ability to gain promotions and increased salaries at their current company is often limited. In addition, the culture surrounding many security teams has often led to burnout and mental stress, she says.
"We know, for example, that at the end of 2021 and beginning of 2022, the Log4j issue was causing people to clock a lot of hours, and that led to some burnout," she says. "Not that cybersecurity professionals aren't always working long hours and hard, but it's just kind of a spike above and beyond."
Finally, the push to bring workers back to the office has often led people with in-demand specialties to look elsewhere.
Cyber Threats Abound
The resilience of cybersecurity jobs is buoyed by the constant reminders of business risks that come in the form of ransomware attacks, data breaches, and stolen intellectual property. The vast majority of executives (81%) believe that threats will increase in 2023.
The survey did not poll technical executives, such as chief technology officers (CTOs) or chief information security officers (CISOs), but gathered opinions from nontechnical executives, such as CEOs and chief financial officers (CFOs).
"It is likely this maturing view of cybersecurity has been shaped by a continuing series of high-profile and damaging breaches," the report stated. "Security incidents have left no doubt as to the lengths threat actors will go to steal data or disrupt operations, in some cases even putting lives at risk."
In the last (ISC)2 workforce survey, the gap between available cybersecurity workers and demand shrank to 2.7 million, from 3.1 million the prior year. Many companies had closed out positions as the economy became unpredictable, leading to decelerating demand, Rosso says.
"When we were heading into 2021, our predictions were that we would see the workforce gap go up incredibly, and it actually contracted," she says. "The reason it contracted was because there was economic uncertainty, and what organizations did was they froze, or they eliminated, their open positions."
With economic growth, however, the need for cybersecurity workers will continue, she says.