The Impact of Cyber Security Layoffs on Recruitment
Google has laid off 12,000 employees. Amazon and Microsoft have laid off a total of 28,000 employees. Twitter has apparently laid off 5,200 employees. Meta (Facebook, etc.) laid off 11,000. These are just the tech behemoths, and practically all of the employees searching for new jobs are, by definition, tech-savvy – and some will be cyber security experts.
Layoffs are not restricted to tech behemoths. Smaller cyber security vendor companies are also impacted. Lacework has laid off 300 people (20%); OneTrust (952, 25%); Sophos (450, 10%); Cybereason (200, 17%); OwnBackup (170, 17%); and the list goes on.
Cyber News Live examined how the inflow of experienced professionals into the job seeker market as a result of layoffs is influencing or may influence the cyber security skills gap and recruitment.
The Skills Gap
The skills gap refers to a mismatch between the skills available in the labor force and the skills demanded by employers. With new technologies and corporate innovation, required skills are always evolving. People can learn to use computers, and many of those who are being laid off have already done so. However, learning how to use computers is significantly easier than learning how computers function. In the latter case, the skills gap transforms into a talent gap for cyber security.
So, the first point is that current large-scale layoffs might reduce the skills gap at the level of computer usage but will likely have minimal influence on the cyber security-specific talent gap, where employment requires an understanding of how computers work. The talent gap is simply too great, and layoffs in these areas will almost certainly be easily absorbed by new security startups and expanding enterprises. Many of the organizations that have reduced their cyber security staff will probably need to reinstate them next year or soon after.
Mark Sasson, managing partner and executive recruiter of Pinpoint Search Group, concurs. “Perhaps it will be a little easier for organizations to recruit because there will be a rush of experience into the market. However, I do not believe that is an appropriate answer to the skills shortage; it will have no apparent influence in the medium to long run. There are far too few employees with the talents that organizations require today. As a result, people will be snatched up, and we will still have the same situation with the skill gap.”
Cyber threats continue to grow, as does the demand for cyber defenders. Criminals are recruiting rather than contracting.
Reducing the cyber security skill gap will most likely rely on altering company attitudes rather than increasing the number of individuals who have been laid off. The cyber security skills gap is largely self-inflicted: employers want experience plus certificates plus new university degrees – which rarely exist in the actual world.
Michael Piacente, managing partner and co-founder of the recruitment agency Hitch Partners, agrees. “The internal definition of scope and goals varies significantly, leading to shifts, delays in time, and often rendering the job ‘unfillable,’” he told Security Week. “Perhaps it’s time to quit obsessing over resumes and job descriptions. We consider these tools to be outdated and, all too frequently, utilized as a crutch, resulting in bad habits and inconsistent behavior – and they are brutally unfair to inexperienced or diverse candidates.”
He follows this to its logical conclusion and never shares resumes with his candidates. “Instead, based on multiple meetings, interactions, and back channels, we create a storyboard about the candidate that focuses on the candidate’s journey, personality factors, and matching and openings for the particular role.” In short, reframing the talent gap is more likely to close it than attempting to match excessive demands to the actual employment pool.
Bugcrowd CEO Dave Gerry offers a specific suggestion based on diverse applicants. He believes that organizations should be more open to a diverse candidate pool, including neurodiversity (see Harnessing Neurodiversity Within Cyber Security Teams). “Organisations,” he continues, “need to continue to expand their applicant pool, account for the bias that can currently exist in cyber-recruiting, and offer comprehensive instruction via training programs, internships, and job-specific instruction to help create the next wave of cyber-talent.”
Even if the infusion of laid-off experience has little overall or long-term impact on the macrocosm of the skills gap, it will almost certainly have an immediate impact on cyber security talent recruitment.
Recruitment In Cyber Security
Cyber security is not exempt from the current round of employee cuts, which includes both security leaders and security engineers. Ultimately, it’s a cost-cutting exercise, and organizations can save just as much money by eliminating one leader as they can by eliminating two engineers. “Institutions are unclear if they are able to lose a single individual while managing to get the work done with the existing team,” claims Sasson. If the answer is “yes” or even “maybe,” they might fire the highest-paid and most qualified workers because they believe they can get more done with fewer people.
That’s a top-down approach to staff cuts, but the same case may be made from the bottom up. Joseph Thomssen is a senior cyber security recruiter at NinjaJobs, a job board run by information security professionals. When a company that is not security-oriented assumes that higher-ranking individuals will take on lower-level duties, it can harm the security team, he argues.
As a result, we have laid-off cyber security engineers searching for new jobs and employed cyber security leaders looking for alternative and safer professions. “Many of these layoffs in cyber security appear to be short-term attempts to save money,” Thomssen adds, but he is concerned that they will backfire on organizations that reduce their security team. Expecting fewer employees to take on greater responsibility will almost certainly have a negative impact, possibly resulting in burnout.
Piacente also points out that the cuts aren’t just about getting rid of underperforming personnel. “There are excellent applicants who have been affected because they were in the wrong location at the incorrect moment, and this is something we are seeing across the industry.”
Of course, many cyber security professionals argue that this is a mistaken and hazardous strategy and that cyber security should be enhanced rather than decreased. However, in times of economic stress, every business department makes this case.
One effect of the cyber security layoffs and the resulting increase in the number of experienced people looking for work is that the recruitment market is shifting from a candidate market to a hirer market, just as home buying fluctuates between a buyer and a seller market depending on supply (available properties) and demand (money to buy). For many years, skilled cyber security experts could pick and choose their employer, demanding slightly inflated compensation and working conditions; however, this is no longer the case.
This is beginning to be reflected in the pay being provided. “They’re leveling off,” Sasson says, “and may even be declining. However, this must be viewed in the light of quite large increases just a few quarters ago, during the candidate-driven market.” Sasson thought they were unsustainable at the time. “Folks who are hoping for those massive salary increases from just a year ago will have to adjust their expectations,” he says.
Sam Del Toro, the senior cyber security recruiter at Optomi, has noticed a similar rising discrepancy between wage expectation and reality, particularly in higher-level positions. As a result of the layoffs, more mid to senior-level applicants are looking for new jobs.
“On the other hand,” he added, “we have seen significant increases in cyber security compensation over the last couple of years. As organizations reduce their budgets and become more financially conscious, it is becoming more difficult to connect candidate and client compensation.”
Thomssen sees a different effect of the changing hiring market. “I’ve seen security staff recruitment shift away from direct hires and towards roles with shorter-term project contracts. Previously, security professionals would not contemplate such contracts, but the security staff recruitment environment has shifted in that direction.”
It’s unclear whether this will become a prevalent long-term approach to cyber security recruitment or simply a temporary solution to economic uncertainties. Is the gig economy making its way into cyber security? It has been growing in many other areas of employment, and possibly the current economic climate will amplify an existing tendency, as Covid-19 did.
One apparent symptom could be an increase in the number of virtual CISOs (vCISOs). This would provide continued access to high-level expertise while lowering costs. Another possibility is a greater reliance on managed security service providers (MSSPs). “We’re seeing an increasing number of security operations being delegated to consultants and contractors, or to vCISOs and Global CISOs, or whatever you want to call it,” says Mika Aalto, co-founder and CEO of Hoxhunt. “This is possible with smaller businesses, but it’s risky,” he continues. “Security should be viewed as a competitive advantage and a growth strategy, not as an extravagance.”
The number of new candidates at Piacente’s firm has increased by 20%. While the economy is the fundamental driver, the specific explanation is difficult to pinpoint. Staff at all levels have frequently moved to a new organization for promotion or better remuneration in the cyber security industry. This turnover continues, but it is exacerbated by employed people shopping around – not because they are being laid off, but just in case.
At the same time, some people who would ordinarily be looking for greater opportunities are choosing to stay put until more stable conditions return. “One other observation in these cycles,” Piacente continues, “is that candidates who fall into the diversity category tend to be less willing to change. Because there are currently much fewer candidates in this group, organizations will find it more difficult to meet their aims of developing a more diverse organization or program. This is the time for businesses to put care, attention, and a dose of reality into their change programs.”
Bugcrowd is a company that actively seeks to hire from the ‘diversity’ pool. “Employers must take a more active approach to recruit from non-traditional backgrounds,” says Gerry, “which, in turn, significantly broadens the candidate pool from just those with formal degrees to particulars who, with the expert training, have probably high potential.”
With some organizations laying off experienced employees and others just not employing new employees, it is reasonable to predict that breaking into cyber security for new, inexperienced, or diverse individuals will become even more difficult. After all, organizations that cut workers to save money are unlikely to invest in in-house training for new, inexperienced employees.
Del Toro, on the other hand, believes it has always been nearly impossible. “There are simply not enough entry-level cyber security roles in general, so I don’t think the flood of [experienced] applicants on the job marketplace has much of an impact on beginners finding opportunities,” he added. “Organisations almost always seek mid-level applicants and above rather than bringing on skilled and enthusiastic newcomers, because the latter requires far more than financial resources.”
Recruitment Going Forward
The precise number of skilled cyber security specialists laid off among the overall personnel cutbacks is difficult to establish, but it is likely to be significant. Although boards are becoming increasingly open to the idea of security as a business enabler, there is no clear line between security and profit. However, there is a clear relationship between security and cost. Security is almost a foregone conclusion when it comes to personnel reductions.
Companies should use prudence in any layoffs. When significant numbers of employees must be laid off for economic reasons, the process may be hurried and, in some cases, harsh. These newly unemployed individuals will have intimate knowledge of the business and its processes, and some will consider retaliation. At the same time, the company’s cyber security team may have a diminished ability to combat a new threat from malevolent recent insiders.
“Layoffs are affecting much of the tech industry, and cyber security isn’t immune,” Mike Parkin, senior technical engineer at Vulcan Cyber, says. While no part of an organization should be exempted when expenses need to be cut, the fear of losing personnel who are knowledgeable about safety measures can give the wrong impression.
We’ve had an applicant market in cyber security recruitment overall, but we’re transitioning to an employer market. Del Toro advises security personnel who have been laid off and are looking for new opportunities: “I would tell job applicants to be prepared for longer rounds of interviews and more time before proposals are extended. Hiring managers are under increased pressure to be diligent, thus candidates must be more aware of interview etiquette. Most essential, make sure you’re sharpening your skills – use your time off to pursue passion projects and improve your craft, not only to stay relevant in the security sector but also to refresh your enthusiasm for what you do!”