As chief information officer for (ISC)2, Bruce Beam is usually thinking about how his IT team’s efforts can advance the mission of the organization, which is focused on educating and certifying security professionals for work in the field. But lately, like many organizations, the (ISC)2 workforce has shifted largely to remote work, and Beam is thinking more about his team’s internal security efforts.
“My help desk and my basic security team right now, they are really on the front lines,” Beam says. “Attacks are up all over the globe, and we are as prime of a target as you can get.”
Beam pointed to the criticality of what his security team was doing amid the COVID-19 pandemic as exactly the reason why security roles remain essential, despite what might be happening with the economy.
“In general, security needs are going to increase because of a growth in the attack surface,” Beam says. “I don’t see a company backing off on it. I think security is going to not only maintain but grow as we move through this.”
But contrast Beam’s outlook against the fact that in the United States alone, 17 million people filed for unemployment benefits in the three-week period ending April 4, according to the US Department of Labor. In many states, that’s well over 10% of the workforce (11.2% in California, 12.6% in Washington, and 16.6% in Michigan, for example).
Several months ago, compensation software and data company PayScale called cybersecurity a career that could weather a recession. In September, long before “pandemic” was a word used daily, a Grant Thornton survey of more than 250 business owners and C-suite executives found that more than half of C-suite officials (55%) planned on increasing cybersecurity investments, even as a recession loomed as a concern.
But now that the rubber has hit the road, and the coronavirus has made a mess of the economy in multiple sectors, we wanted to know what might change for security professionals in an environment where purse strings must be tightened.
‘Nothing Is Off the Table’
Despite the overall blue-sky forecasts for security, the future is not so clearly bright.
Last week, for example, Israeli cybersecurity company Aqua Security laid off just under 10% of its workforce – covering sales, marketing and engineering positions in Israel, North America and Europe. A glance through Twitter turns up scattered announcements of individual cybersecurity professionals being laid off or furloughed.
The confidence that infosec people will be immune to job loss is misplaced, according to Jeff Pollard, vice president and principal analyst at Forrester.
“If customers disappear, then the company disappears. There’s a massive amount of ‘status quo fetishism’ going on, and it seems like lots of security practitioners out there forget that when major downturns happen, everything gets cut, and security won’t be an exception to that,” Pollard says. “When a company is struggling to survive, nothing is off the table. We often discuss how there’s a disconnect between security and ‘the business.’ This belief confirms that the gap still exists.”
Small businesses have already been hit particularly hard, and, according to the latest (ISC)2 Cybersecurity Workforce report, 19% of the infosec workforce is employed by businesses of under 100 employees. A recent survey of small businesses by the US Department of Commerce and Met Life revealed that about one-quarter think they’re less than two months away from closing up shop for good, and 43% said their doors will shut within six months if the situation doesn’t improve.
At CyberSN, a staffing firm specializing in connecting hiring firms and security professionals, Deidre Diamond notes how the state of the security job market has changed in recent weeks.
“So far we have seen very little to no layoffs for security professionals … [but] 70% of our clients put all hiring on hold,” she says. “About 10 percent of those started hiring again [the week of March 30th]. We expect another 10% will do so this week and each week after providing the health crisis stays under control.”
But Diamond also notes that CyberSN does not service sectors that have been harder hit by the pandemic, such as travel and hospitality. “Our clients are financial organizations, healthcare, software companies, energy and power, of all sizes,” she says. “We mostly place hands-on cybersecurity engineers of all types to include experienced [cyber incident response and security analysts]. I would expect that any industry that was directly affected by the health crisis will lay off a portion of all roles.”
But the recent Department of Labor statistics show that even the healthcare sector has seen some cuts already. And in the coming months when governments make budgetary changes to try to repair their ravaged economies, the many security jobs in the government sector may be disrupted.
Regardless of sector, Pollard thinks change will be essential for almost all types of organizations in the coming months – even for their security teams and professionals at all levels.
“In early interviews with leaders that are already making cuts, numbers range from somewhere between 10% to 30% of staff,” Pollard says. “This could mean shifting security from a 24×7 support model to 8×5, but overall it will require security teams to accept much slower response times.”
In addition, Pollard says, there is often “a moratorium on new projects and investments – especially those not related to remote access technologies. Freezes on promotions and annual increases could happen, and new hiring freezes are already in effect for many organizations. Lean teams will get leaner.”
Pollard worries about CISOs losing their jobs. “Many CISOs report to CIOs,” he says. “This is a time when those CIOs could look across the expenses within their organization and decide absorbing a senior executive role [like a CISO] pays for and preserves a number of practitioner jobs. I don’t think that will be common, but it could happen.”
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.