{"id":16750,"date":"2023-01-30T13:32:07","date_gmt":"2023-01-30T12:32:07","guid":{"rendered":"https:\/\/www.show.it\/the-effect-of-cybersecurity-layoffs-on-cybersecurity-recruitment\/"},"modified":"2023-01-30T13:32:07","modified_gmt":"2023-01-30T12:32:07","slug":"the-effect-of-cybersecurity-layoffs-on-cybersecurity-recruitment","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/the-effect-of-cybersecurity-layoffs-on-cybersecurity-recruitment\/","title":{"rendered":"The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment"},"content":{"rendered":"<\/p>\n<p>On Friday, January 20, 2023, Google announced it would lay off 12,000 employees. Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000\u2026 This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy \u2013 and some will be cybersecurity professionals.<\/p>\n<p>Layoffs are not limited to the tech giants. 
Smaller cybersecurity vendor firms are <a href=\"https:\/\/www.securityweek.com\/tens-of-cybersecurity-companies-announced-layoffs-in-past-year\/\">also affected.<\/a> OneTrust has laid off 950 staff (25% of employees); <a href=\"https:\/\/www.securityweek.com\/sophos-joins-list-cybersecurity-companies-cutting-staff\/\">Sophos has laid off <\/a>450 (10%); <a href=\"https:\/\/www.securityweek.com\/cloud-security-firm-lacework-lays-20-workforce\/\">Lacework<\/a> (300, 20%); <a href=\"https:\/\/www.securityweek.com\/billion-dollar-valuations-cant-halt-layoffs-onetrust-cybereason\/\">Cybereason<\/a> (200, 17%); OwnBackup (170, 17%); <a href=\"https:\/\/www.securityweek.com\/billion-dollar-valuations-cant-halt-layoffs-onetrust-cybereason\/\">OneTrust<\/a> (950, 25%); and the list goes on.<\/p>\n<p><em>SecurityWeek<\/em> examined how this layoff-induced influx of experienced professionals into the job seeker market is affecting, or might affect, the skills gap and recruitment in cybersecurity.<\/p>\n<h1 class=\"has-medium-font-size\">The skills gap<\/h1>\n<p>The skills gap is a mismatch between the skills available in the workforce, and the skills required by employers. Required skills are continuously evolving with new technology and business transformation. People can learn how to use computers, and many staff currently being laid off will already have done so. But it is far easier to learn how to use computers than it is to learn how computers work. It is in the latter area that the skills gap becomes a talent gap for cybersecurity.<\/p>\n<p>So, the first observation is that current large-scale layoffs may slightly reduce the skills gap at the computer usage level but will likely have little effect on the cybersecurity-specific talent gap where employment requires a knowledge of how computers work. The talent gap is simply too large, and layoffs in these areas are likely to be readily absorbed by new security startups and expanding companies. 
Many of the companies involved in cybersecurity reductions will almost certainly need to rehire next year or soon after.<\/p>\n<p>Mark Sasson, managing partner and executive recruiter with the Pinpoint Search Group, agrees with this. \u201cMaybe it\u2019s going to be a little easier for organizations to recruit, because you\u2019re getting an influx of experience into the market. However, I don\u2019t think that\u2019s a fix for the talent gap \u2013 it\u2019s not going to have a mid to long term discernible impact. There are too few people that have the skills that organizations need today. And so, people are going to get scooped up and we\u2019re still going to have the same situation with the talent gap.\u201d<\/p>\n<p>Cyber threats are still increasing and the demand for cyber defenders is still growing. Criminals are recruiting, not contracting.\u00a0<\/p>\n<p>Reducing the talent gap in cybersecurity will more likely depend on changing attitudes with employers than adding numbers from those that have been laid off. You could almost say that the cybersecurity talent gap is a self-inflicted wound: employers want experience plus certifications plus new university degrees \u2013 which rarely exists in the real world.<\/p>\n<p>Michael Piacente, managing partner and co-founder at Hitch Partners recruitment firm, takes a similar view. \u201cThe internal definition on scope and goals often varies greatly resulting in shifts, time delays, and often rendering the position \u2018unfillable\u2019,\u201d he told <em>SecurityWeek<\/em>. \u201cPerhaps it is time to stop focusing so much on resumes and job descriptions. We see these tools as outdated and too often used as a crutch resulting in bad habits, and inconsistent behavior \u2013 and they are horribly unfair for under-experienced or diversity candidates.\u201d<\/p>\n<p>He takes this to the extreme and has never supplied resumes with his candidates. 
\u201cInstead, we build a storyboard about the candidate created as a result of multiple meetings, interactions, and back channels in order to focus on the candidate\u2019s journey, the human character elements as well as their matching and gaps for the particular role.\u201d In short, the talent gap will more likely be reduced by redefining the gap than by seeking to match unrealistic demands to the existing work pool.<\/p>\n<p>Dave Gerry, CEO of Bugcrowd, has a specific recommendation based on diversity candidates. He believes organizations need to be more open to the diversity pool \u2013 including neurodiversity (see <a href=\"https:\/\/www.securityweek.com\/harnessing-neurodiversity-within-cybersecurity-teams\/\"><em>Harnessing Neurodiversity Within Cybersecurity Teams<\/em><\/a>). \u201cOrganizations,\u201d he said, \u201cneed to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships and on-the-job training, to help create the next generation of cyber-talent.\u201d<\/p>\n<p>However, even if the influx of laid-off experience will have little overall or lasting effect on the macrocosm of the skills gap, it will almost certainly have an immediate effect on recruitment in the microcosm of the cybersecurity talent gap.<\/p>\n<h1 class=\"has-medium-font-size\">Recruitment in cybersecurity<\/h1>\n<p>Cybersecurity is not immune to the current round of staff trimming \u2013 and it includes security leaders as well as security engineers. Ultimately, it\u2019s a cost cutting exercise; and organizations can save as much money by cutting one leader\u2019s position as they can by cutting two engineers. \u201cOrganizations are asking themselves if they can survive letting one person go but still get the job done with the remaining team,\u201d explains Sasson. 
\u201cIf the answer is yes or even maybe, they\u2019re tending to let go of the more highly paid and highly skilled people because they think maybe they can do more with less.\u201d<\/p>\n<p>That\u2019s a top-down approach to staff reductions, but the same argument is used in a bottom-up approach. Joseph Thomssen is senior cybersecurity recruiter at NinjaJobs (a community-run job platform developed by information security professionals). \u201cA company that is not security focused may feel like they can rely on their senior employees to pick up lower-level responsibilities,\u201d he said, \u201cand this can be detrimental to a security team.\u201d<\/p>\n<p>The overall result is that we now have laid-off cybersecurity engineers looking for new employment, and we have employed cybersecurity leaders looking for alternative and safer positions. \u201cMany of these layoffs in cybersecurity seem to be short-term attempts to save money,\u201d adds Thomssen \u2013 but he fears it may backfire on companies reducing their security workforce. Expecting fewer staff to take on more responsibility will likely have a detrimental effect \u2013 it may cause burnout. \u201cI call it the layoff\/quit combination,\u201d he said.<\/p>\n<p>Piacente also notes the cuts are not simply targeted at weeding out underperforming employees. \u201cThere are great candidates impacted due to them being in the wrong place at the wrong time; and we are seeing this industry wide.\u201d<\/p>\n<p>Of course, there are many cybersecurity experts who believe this is a false and dangerous approach, and that cybersecurity is a necessity that should be expanded rather than cut. 
But that is an argument put forward by every business department in times of economic stress.<\/p>\n<p>One effect of the cybersecurity layoffs and the accompanying increase in the number of experienced people seeking employment is that the recruitment market is moving from a candidate market toward a hirer market \u2013 just like home buying fluctuates between a buyer and a seller market depending on supply (properties available) and demand (money to buy). For many years, experienced cybersecurity engineers have been able to pick and choose their employer, and demand somewhat inflated salaries and conditions; but that is no longer the case.\u00a0<\/p>\n<p>This is beginning to be apparent in the salaries offered. \u201cThey\u2019re leveling off,\u201d says Sasson, \u201cmaybe even going down. But this needs to be taken in the context of pretty dramatic increases from just a few quarters ago, during the candidate-driven market.\u201d Sasson thought at the time that these were unsustainable. But now, \u201cFolks that are looking for those massive compensation packages from just a year ago are going to have to adjust their expectations.\u201d<\/p>\n<p>Sam Del Toro, senior cybersecurity recruiter at Optomi, has seen a similar growing misalignment between compensation expectation and realization \u2013 especially in the more senior positions. Because of the layoffs, there are now more mid to senior level candidates looking for new opportunities.\u00a0<\/p>\n<p>\u201cOn the other hand,\u201d he said, \u201cover the past couple of years we have seen cybersecurity compensation rise significantly. Now, as organizations are tightening their budgets and being more fiscally aware, it is making it tough to align candidate and client compensation.\u201d<\/p>\n<p>Thomssen sees another and different effect of the evolving hirer\u2019s market. \u201cI have seen security staff recruitment switch from direct hires to roles based on shorter term project contracts. 
In the past you would not see security professionals entertain such contracts, but the security staff recruitment landscape has seen a shift that way.\u201d<\/p>\n<p>It\u2019s not clear whether this will develop into a common long term approach to cybersecurity recruitment or will just be a short-term solution to economic uncertainty. Is the gig economy coming to cybersecurity? It\u2019s been growing in many other segments of employment, and perhaps the current economic climate will boost an existing trend just as Covid-19 boosted remote working.<\/p>\n<p>One visible sign might come with an increase in the employment of virtual CISOs (vCISOs). This would retain access to high level expertise while reducing costs. Another might be an increased use of managed security service providers (MSSPs). \u201cWe\u2019re seeing more and more security operations outsourced to consultants and contractors, or to vCISOs and Global CISOs, or whatever you\u2019d like to call it,\u201d comments Mika Aalto, co-founder and CEO at Hoxhunt. But he adds, \u201cThis can work with smaller companies, but it\u2019s risky. Security should be looked at as a competitive advantage and a growth strategy, not a luxury.\u201d<\/p>\n<p>Piacente\u2019s firm has seen a 20% increase in the new candidate flow. While the primary cause is the economy, the detailed cause is difficult to isolate. Cybersecurity has always experienced rapid churn with staff from all levels regularly moving to a new company for promotion or improved remuneration. This churn continues, but is complicated by employed people just looking around \u2013 not because they are being laid off, but just in case they will be laid off.<\/p>\n<p>At the same time, some people who might normally be on the lookout for better opportunities are choosing to keep what they have until more stable conditions return. 
\u201cOne other observation in these cycles,\u201d adds Piacente, \u201cis that candidates who fall into the diversity category tend to be more resistant to making a change. Since there are already significantly less candidates in this category it makes it more difficult for companies to achieve their goals of creating a more diverse organization or program. This is when companies really need to place care, attention, and a dose of reality into their change initiatives.\u201d<\/p>\n<p>Bugcrowd is a firm that has actively sought to recruit from the \u2018diversity\u2019 pool. \u201cEmployers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high-potential,\u201d comments Gerry.<\/p>\n<p>It could be expected that with some companies laying off experienced staff and others simply not hiring new staff, breaking into cybersecurity for new, inexperienced or diverse people will become even more difficult. After all, companies reducing staff levels to save money are not likely to spend money on in-house training for new inexperienced staff.<\/p>\n<p>Del Toro doesn\u2019t see it quite like that \u2013 it has always been almost impossible. \u201cI do not think that the influx of [experienced] candidates on the market has much of an impact on newcomers finding opportunities because there are simply not enough entry level cybersecurity roles in general,\u201d he said. 
\u201cOrganizations are almost always looking for mid-level candidates and above rather than bringing on competent and excited newbies, because the latter takes much more than fiscal resources.\u201d<\/p>\n<h1 class=\"has-medium-font-size\">Recruitment going forward<\/h1>\n<p>It\u2019s difficult to determine the actual number of experienced cybersecurity professionals being laid off among the overall staff reductions, but it is likely to be substantial. Although boards have become more open to the idea that security is a business enabler, there is nevertheless no discernible line between security and profit. There is, however, a direct line between security and cost. It is almost a no-brainer for security to be heavily featured among staff reductions. But this may be bad thinking.<\/p>\n<p>For all layoffs, companies should proceed with caution. When large numbers of staff need to be cut for economic reasons, those same economic reasons may cause it to be done swiftly and perhaps brutally. These suddenly unemployed people will have inside knowledge of the company and its systems; and some will have thoughts of retaliation. At the same time, the company may have reduced the effectiveness of its cybersecurity team to counter a new threat from malicious recent insiders.<\/p>\n<p>\u201cLayoffs are affecting much of the tech industry and cybersecurity isn\u2019t immune,\u201d comments Mike Parkin, senior technical engineer at Vulcan Cyber. \u201cWhile no department should really be immune when companies have to tighten their belts, the threat from losing skilled personnel in security operations can have a disproportionate effect.\u201d<\/p>\n<p>Overall, we\u2019ve had a candidate market in cybersecurity recruitment but we\u2019re shifting toward an employer market. Del Toro offers this advice for security people laid off and looking for a new position: \u201cI would tell job seekers to be prepared for longer interview processes and longer time before offers are extended. 
Hiring managers are under more pressure to be diligent so candidates will need to be more cognizant of interview etiquette. Most importantly make sure you are keeping your skills sharp \u2013 use your time off to find passion projects and get better at your craft, not only to stay relevant in the security space but to renew your love for what you do!\u201d<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/the-effect-of-cybersecurity-layoffs-on-cybersecurity-recruitment\/\">The Effect of Cybersecurity Layoffs on Cybersecurity Recruitment<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On Friday, January 20, 2023, Google announced it would lay off 12,000 employees. 
Amazon and Microsoft have laid off a combined 28,000 people; Twitter has reportedly lost 5,200 people; Meta (Facebook, etcetera) is laying off 11,000\u2026 This is just the tech giants, and almost all the staff looking for new positions are, by definition, tech-savvy [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16751,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[69,127,128,36,129,126],"tags":[],"class_list":["post-16750","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-featured","category-jobs","category-layoffs","category-management-strategy","category-recruitment","category-training-awareness"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16750","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16750"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16750\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16751"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16750"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16750"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16750"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}