Cybersecurity professionals are used to stressful environments, so the regular ups and downs of cybersecurity do not necessarily pose a problem for people accustomed to finding solutions, often on the fly.
However, the reality is that the world is in a particularly fractious state, with macroeconomic issues exacerbated by geopolitical volatility. Even the robust and in-demand world of cybersecurity is not entirely sheltered from what’s happening elsewhere in the global economy.
This year’s ISC2 Cybersecurity Workforce Study highlights the extent to which organizational pressures are affecting cybersecurity teams, not just in morale or resources, but in the effectiveness of cybersecurity activities and, ultimately, business resilience. It also highlights what senior management should be doing to maintain resilience, regardless of staffing levels.
While 50% of respondents have not experienced any layoffs at all, and a further 28% have only seen cutbacks in other departments, just over one in five (22%) of respondents said they had experienced layoffs in cybersecurity teams. Similarly, the study revealed that while just over a quarter (26%) said they had experienced a freeze on promotions and/or raises, more than half (52%) have not and a further 22% have only seen this happening in other departments, not in cybersecurity.
Spending cuts also impacted teams: roughly a third said they had experienced budget cuts, and a further third (32%) said budget cuts had affected other departments only. Even though cybersecurity was not affected directly in the majority of respondent cases, 28% said there had been layoffs in their broader organization, with frozen promotions/raises and budget cuts hitting 22% and 32% respectively.
Half of respondents had not experienced layoffs, slightly more had not experienced freezes on promotions/raises, and 38% had not experienced budget cuts. These are further encouraging signs for the cybersecurity community and are likely reflective of the fact that supply continues to outstrip demand, prompting companies to prioritize retaining skilled cybersecurity staff, even when faced with tougher economic conditions.
When it comes to cyber layoffs, there were clear sectoral differences, with fewer than one in 10 military or government respondents – including contractors – reporting cyber layoffs. By contrast, a third of respondents in entertainment/media had seen layoffs, dropping to 31% in the construction and security software/hardware development sectors.
Likewise, while just 11% of Hong Kong respondents and 18% of US respondents reported cybersecurity layoffs, the rates in Brazil and Mexico were substantially higher, at 38% and 37% respectively.
Layoffs are never easy. Like other cutbacks, they create a ripple effect that can unsettle the remaining organization.
Data suggests that where budgets are under pressure, some organizations are seeking new efficiencies through restructuring and slowing other investments. Over half of respondents reported delays in purchasing or implementing technology, while 40% said the security team had been restructured, or moved within the organization. A quarter said some cybersecurity software licenses had not been renewed.
Individual team members also felt the effect, with over a third saying training had been cut and 29% noting that spending on certifications or professional development reimbursements had been reduced.
Security professionals are rarely underemployed at the best of times. But on an individual or team level, 71% reported an increase in workload, with 57% saying the ability to respond to threats had been impacted and 52% citing an increase in insider risk-related incidents.
When cutbacks are in the air, employees become more sensitive about employment risks. Almost a third expect further cutbacks in their organizations, with over two thirds expecting these to include layoffs. Those who know someone who was laid off, even from another organization, are far more likely to expect further cuts.
There can be a pronounced difference between perception and reality. There were key differences between how senior executives saw the outlook for cybersecurity teams and how workers at the sharp end saw it. Asked whether they expected their organization to employ more cybersecurity staff, 32% of C-level executives, 30% of directors/middle managers and 30% of executive management said they did. Fewer than half in each category expected to cut staff. However, 65% of junior staff and 56% of managers said they expected cuts. The outlook might not always be as negative as junior staff think, but that message is not reaching them.
Reductions in staff and tooling have an undeniable effect, and things are compounded when skills shortages are also considered. Two thirds of respondents said their organization had skills shortages that affect their ability to prevent and troubleshoot cybersecurity issues.
The most cited reason for skills gaps is that the organization just can’t find enough qualified talent (41%). However, a range of other issues also emerged, with 34% citing budget – up five points on the previous year. Pay, a lack of career progress, reduced training and sheer lack of planning were all issues.
These are all individual headaches, but they add up. In fact, just 8% of respondents said there were no skills gaps in their organization, while 17% said they had one or more critical gaps. And the problem was more pronounced in those companies that had layoffs – 23% reported one or more critical skills gaps.
Even when organizations have an apparent surplus of people, this can be negated by skills deficits. When 59% agree that “skills gaps can be worse than total worker shortages” and a similar proportion agree that efficient distribution of skills across the team can mitigate worker shortages, we should assume this is informed by real-world experience.
This makes it even more shocking that a quarter of respondents reported that the reason for skills gaps was “people with these skills recently were laid off and we haven’t replaced them.”
A more mundane cause of skills gaps is an overfocus on degrees and a lack of focus on entry-level staff. Meanwhile, companies often neglect the potential for training non-security IT staff as cyber specialists.
Perhaps unsurprisingly, shortages are most acute in areas such as cloud computing security, artificial intelligence (AI) and machine learning (ML), and zero trust implementation – areas which are going to become even more important in the next few years.
These gaps translate into increased risk for organizations, both in how they anticipate and in how they respond to cyberattacks. Staffing shortages put organizations at risk of attack, said 57% of respondents. Half said shortages leave them without sufficient time for adequate risk assessment and management, 45% said they lead to oversights in process and procedure, 38% said they lead to misconfigured systems, and a similar proportion said they slow down patching of critical systems.
But shortages also cripple teams during an attack. Over a third said shortages mean they are unable to “remain aware” of all active threats, while 30% said they led to slowness in responding to incidents.
It’s clear that staff shortages, and even more so skills shortages, have an undeniable impact on companies’ resilience and safety. The latter can be the more crippling.
Companies can go a long way to addressing these concerns by being realistic about where they’re falling short. They can then concentrate on upskilling their existing workers, including non-cybersecurity specialists, along with taking a broader approach to hiring. As we’ve seen elsewhere in the report, this broadening of hiring practices should go hand in hand with DEI initiatives.
Leaders need to own this problem and not look for quick fixes. It’s worth noting that the study found “outsourcing services had little to no effect on mitigating staffing shortages.” Sending the issue off-site or off-shore may provide access to more people, but it simply does not guarantee access to the skills and aptitude needed to address the shortfall. You may well end up with the same unresolved problem, combined with a much higher wage bill.
Senior leaders should also take workers’ concerns into account. That includes understanding the effect of expected or real-world layoffs on morale and resilience. It also includes simply being aware of their worries. Senior management might not have cybersecurity team layoffs on their to-do list, but many junior staffers haven’t received the memo and they need to. Simply keeping people up to date must be one of the least resource-intensive ways to steady the ship and bolster a positive working environment.