Features 20.06.2023
How brutal are the cybersecurity cuts compared to attrition in the broader tech sector, and how much will the layoffs in cybersecurity jobs metastasise to the broader economy?
The last few months have not been kind to the tech industry. Layoffs have devastated big tech firms, and cybersecurity vendors haven’t been immune. The question is, how brutal are the cybersecurity cuts compared to attrition in the broader tech sector, and how much will the layoffs in cybersecurity jobs metastasise to the broader economy?
We’ve seen some significant layoffs in the cybersecurity category in the last few months. Secureworks let 9% of its workforce go in February, following cuts from Sophos and Okta earlier in the year. Most recently, Dragos laid off 50 employees representing almost one in ten workers.
The cuts have affected employees across the board, from techies through to more administrative roles, but those employed to drive corporate growth are especially susceptible, warns Mark Sasson. He is a managing partner at the recruitment company Pinpoint Search Group, which focuses on cybersecurity vendor recruitment.
“There was a lot of over-hiring because a glut of money came into this industry,” Sasson says. Venture capital companies expected big returns, pushing companies hard to hire. “They hired people everywhere, and we’re seeing a substantial pullback.”
“If you’re not fully vested and they let you go, then unless you’re an executive with some sort of change of control or trigger option associated with your contract, you’re out of luck” Mark Sasson
Customers suffering from their own financial pressures are limiting their IT purchases, which chokes vendor product growth plans. “Vendors are pulling back from expansion and focusing on their core product or service offerings,” he adds. That means hiring freezes for technical staff hired to improve or expand on product features.
Cybersecurity vendors can’t easily go to the market for more capital because the era of cheap cash is over for the foreseeable future. They, like many, have been struggling to raise money since at least 2021.
One company that snuck in under the wire was ten-year-old late-stage startup Exabeam. In 2021 it landed an F-series round for $200m. Matt Rider, VP of sales engineering, says that the company was also careful about growth, focusing on retooling its product for a SaaS model.
“I think we were a little bit lucky,” he says, adding that the funding landed before the deterioration in macroeconomic and geopolitical conditions. “That money bought a lot more engineering and post-sales. We didn’t actually grow the sales engine at all.”
For those vendors that are pulling back, layoffs could sting hardest for employees that took stock options as part of the package. They must work at a firm for a set period – typically a year – before those options become available. The stock options then trickle in, typically over a four-year vesting period.
“If you’re not fully vested and they let you go, then unless you’re an executive with some sort of change of control or trigger option associated with your contract, you’re out of luck,” Sasson warns.
Rider gets to speak with many customers who use, rather than sell, cybersecurity products. The devastating layoffs aren’t hitting the companies he sees because security teams are still relatively small.
“This is the first time we’ve seen a cut so deep that it’s affecting the CISO directly” Michael Piacente
“Cybersecurity had never grown that big, so it wasn’t bloated,” he says, arguing that the discipline is now important enough to board members that they worry about stripping it back. “The problem is still bigger than our ability to solve it. Otherwise, there would be no breaches,” he says. He sees a slowdown in new customer cybersecurity hires and a requirement to do more with less.
The numbers bear this out. In a December 2022 survey of 10,000 business executives from multiple regions, industry association (ISC)2 noted that 85% of companies predict layoffs in a slowing economy. However, it found that cybersecurity staff are most immune to the threat. Only 10% of companies planned to decrease cybersecurity staff, compared to 14% sharpening the knives for general IT staff. Pity the poor HR executives; at 30%, they’re the most likely for the chop.
Organisations told (ISC)2 that cybersecurity is a top priority. “As the economy gets worse, and more people are out of work, cybercrime will increase,” said one respondent. “We have to be prepared with cybersecurity to combat the threat.”
Michael Piacente, a managing partner at cybersecurity recruitment company Hitch Partners, concurs with (ISC)2‘s findings that mid-level management levels and below are relatively safe. However, in his specialist area of senior management and CISO recruitment, the picture is grim.
“We’ve seen multiple dips in the economic situation, but never anything like this,” he says. “This is the first time we’ve seen a cut so deep that it’s affecting the CISO directly.”
Hitch Partners maintains regular contact with a community of CISOs, but since the end of last summer, the company has been fielding far more calls from CISO-level candidates than ever before.
“They are not thinking about a change a year down the road,” he says. “They are calling us because they are looking for a change right now. We’re realising that the market is not so kind to them.”
One of the drivers for the ‘CISO-pocalypse’ is cost. Companies looking at a function analyse which role vacuums up the most cash, especially in relatively under-sponsored functions like cybersecurity, which tends to be the CISO. Even though they’re responsible for security strategy, their salaries make them an easy layoff choice.
“In times like this, companies are willing to give up on strategy,” Piacente says. “They think they might be able to supplement with MSSPs and other functions without fully understanding what happens.”
This strategic attrition couldn’t come at a worse time. Rider has concerns about laid-off staff being willing to venture to the dark side to help hackers. People fired after years of service and hurting in a bad economy might be disgruntled and broke. “That’s a genuine threat vector,” he says. “The vast majority of customers or prospects are saying they’re really worried about insider threats.”
“In times like this, companies are willing to give up on strategy” Michael Piacente
The potential damage of losing IT strategists could have longer-lasting effects warns Piacente. “Over the long term, it will affect our ability to protect a growing and complex attack surface,” he says.
He also worries about diversity issues. Homogeneity in the cybersecurity workforce is already a problem. Hitch Partners’ 2023 Cybersecurity Leadership survey found the implementation of diversity initiatives decreasing from 97% to 67% among privately held companies in the last year.
“What’s happening is they’re not even focusing on the diversity programmes to allow these individuals to enter into the organisation and be successful,” he says, adding that the downturn in diversity initiatives is economically driven.
“Diversity was a level of convenience for when things were good,” he continues. “When they aren’t good, they’re going to go ahead and decrease it, and that’s super disappointing.”
To misquote William Gibson, the cybersecurity belt-tightening is already here, it’s just unevenly distributed. There is some respite, however. Piacente notes a rise in virtual CISO or fractional CISO roles, where former full-timers pick up contract gigs from multiple clients. His stable of vCISOs has risen from around 20 to 90 during the downturn.
“CISOs have always been hit first and hit hard, and then they bounce back first,” he says. “We’re hoping to see that again, but we haven’t figured out where the bottom is yet.”
That bottom will arrive. After we hit it, experts like Piacente believe that the industry will bounce back stronger than before as companies continue to integrate cybersecurity more closely with the business. Until then, the key is to stay diligent, humble, and ultimately, stay employed.
Features 14.05.2024
Education was the most attacked sector in the UK in the last six months
Features 09.05.2024
Top security leaders share their three biggest cybersecurity concerns
Features 07.05.2024
We used AI to clone the voices of myself and our CEO to launch a targeted phishing attack on an Assured team member!