For years, cybersecurity appeared largely immune from the ups and downs of the tech job market. With cyber threats such as ransomware increasing, and adversaries targeting not only private businesses but also critical sections of U.S. infrastructure and networks, spending on cybersecurity seemed poised for limitless growth.
In a recent forecast, Gartner predicted security spending will reach $187 billion in 2023, an increase of about 11 percent from 2022. And as another report noted, there are still an estimated 600,000 open security positions throughout the U.S.
Over the last month, however, market forces have clouded this picture of seemingly endless growth. Concerns about inflation and a bear market, coupled with chatter about a possible recession, have some rethinking their long-term forecasts for tech spending of all kinds.
Some cybersecurity-focused companies have begun to cut staff. Security vendor Cybereason, which had a market valuation of about $3 billion and was poised for a significant IPO later this year, instead announced it would lay off about 10 percent of its staff (about 100 employees) and focus on reducing costs, according to CNBC. At around the same time, cloud security firm Lacework announced a round of layoffs as part of a broader focus on profitability.
As experts note, these developments show that cybersecurity is likely prone to the same fiscal pressures as other industries, although the long-term effects aren’t clear just yet.
“The layoffs are likely not due to an individual or team performance but, rather, related to financial performance targets not being met or the expectation that they will not be met without staff reductions,” Andrew Hay, chief operating officer at LARES Consulting, a Denver-based information security consulting firm, recently told Dice. “We see a lot of vendors claiming new funding round and ‘unicorn status’ only to reevaluate their financial position after the round.”
For many industry observers of cybersecurity vendors, the recent layoffs are most likely a reaction to short-term market changes and not indicative of a prolonged downturn in this particular industry.
“I've seen and heard quite a few companies retract offers and issue temporary holds on new hires due to the current economic climate,” Hay added. “This is likely because they don't want to adversely impact their financial targets for the fiscal quarter, half or year. I don't anticipate this lasting, however, as the need for these individuals remains and will only become more important over time.”
And while some security vendors are cutting back on hiring as stock prices drop and access to capital tightens, cyber threats remain a rising issue. Organizations still need skilled cybersecurity experts to counter internal and external attacks, said Karlin Clayton, vice president at security consulting firm Coalfire.
“Cybersecurity is a growth industry and prospects look good for the job market. While some companies may be facing layoffs, many of us in cybersecurity are still growing,” Clayton told Dice. “Organizations should hire for the cyber talent they need today and also build a plan to help employees learn and develop new skills as the threat landscape changes. By attracting outside talent and also focusing on culture, engagement, and the career development of existing employees, organizations will continue to make cybersecurity a sought-after career destination.”
One area that continues to see the need for skilled technologists is cloud computing, especially given the rise of remote work and increasingly sophisticated cloud-based apps and services. But companies that rely on the cloud have not kept up with security, and the need for cybersecurity workers with cloud expertise will continue, said Jasmine Henry, field security director at JupiterOne.
“The rush to the cloud has outpaced the maturation of cloud security, and the security skills gap has continued to grow,” Henry told Dice. “Organizations have yet to define secure-by-design means in the cloud, understand the full scope of their evolving security risks, or determine which policies should be applied across cloud assets.”
With cloud computing, Henry noted, organizations will continue to have open positions and will look to fill those with recent college grads. There are also openings for technologists who have followed non-traditional paths such as vocational training. The challenge, he added, is ensuring that companies follow what cybersecurity experts are telling them.
“In a cloud-native world, businesses need to prioritize collaboration between security and IT teams to ensure essential security measures are implemented in this new normal,” Henry said. “Few security professionals have the cloud security expertise to provide the right guidance. And even if they provide guidance, they lack the authority to make it an order—and time-pressed engineers have little incentive to slow deployment for the sake of security.”
A Word of Caution
While many experts see the cybersecurity industry's long-term trajectory as supporting bigger budgets and more careers, some industry watchers are noting caveats to these outlooks.
Shawn Melito, chief revenue officer at BreachQuest, pointed to a recent report that found when it comes to ransomware attacks, there has been a marked decrease in the number of claims cyber insurers have seen over the past year. If organizations see payouts from ransomware dropping, it might lead to budget cuts and reduced spending on cybersecurity.
“Furthermore, many of the claims professionals and breach coaches I speak to regularly are seeing a similar decrease, with some not having paid a ransom in months,” Melito told Dice. “So, I don’t think it is surprising to see layoffs if organizations are perceiving less of a threat.”
And while there could be both short- and long-term cuts in cyber spending, John Bambenek, principal threat Hunter at Netenrich, noted that security professionals can bounce back and find new homes for their skills.
“Cybersecurity professionals also have rallied around those laid off to help get them placed quickly, which is unique among other professionals that I have seen,” Bambenek told Dice. “We are not immune to economic cycles. However, the reality is that thievery and other criminal behavior continue regardless of economic cycles. Like other professions who deal with the less-than-upright aspects of humanity, there will always be a need for people to protect digital assets.”