Arguably the worst strategy to take when you’re being attacked is to reduce your defenses. Still, this is precisely what some organizations are doing right now while trying to balance growing cyber threats in a now uncertain economy.
This shortsightedness may prove to be far worse for an organization than the costs associated with keeping its best guard up. Hardly a day goes by without another cybersecurity breach being reported, and even with well-known organizations being affected regularly, organizations are still looking at cyber teams as candidates for the chopping block.
A recent study, ISC2’s 2023 Cybersecurity Workforce Study (https://www.isc2.org/Research), gathered research from nearly 15,000 cyber professionals on the front line. The summary of the study is as follows: “…our study shows that a perfect storm of economic uncertainty, rapidly emerging technologies, fragmented regulations and ever-widening workforce and skills gaps, are creating huge uncertainty for a profession whose role it is to protect global infrastructure and systems from attack.”
Specifically, the study found that 67% of the group already reported a significant shortage of cybersecurity professionals to defend against and respond to online incidents. Still, layoffs are happening in an industry that is seeing a worldwide shortage of 4 million cyber professionals. This is happening despite cybersecurity hiring growth of 8.7% in the US and 12.6% worldwide since 2022. There is an almost “schizophrenic” hiring – and firing – of cybersecurity professionals, depending on the organization and its individual risk management. As for the laid-off cybersecurity professionals, they will have a far greater chance of finding a soft landing than other corporate colleagues who have fallen victim to economic uncertainty.
Earlier this year, before cyber layoffs became more common, ISC2 CEO Clar Rosso stated, “there has been a much greater understanding from the c-suite that reducing cyber staff increases cyber risk to their organization and resulting financial and reputational harm, ‘but they do it anyway.’” She then added: “The logical conclusion from that is they are more concerned about economic risk than cyber risk, and they’re not fully understanding the equivalency between the two risks because they are inextricably tied together.”
Digging deeper into the ISC2 study, 71% of the respondents are seeing higher workloads that negatively affect their ability to complete their goals. Even worse, a clear majority are concerned about cutbacks increasing the risk of malicious insiders. The majority of those polled are already seeing a noticeable increase in insider-risk-related activity. As economic uncertainty increases, so does the threat of a malicious insider. Cyber professionals have reported an increase in being approached by malicious actors this year, and those that have had layoffs are three times more likely to be approached. Thus, the risk lies not just in decreasing the protective staff, but also in the fact that this staff holds the knowledge to keep an organization safe.
Cybersecurity layoffs aren’t confined to corporate America defending itself; they’re affecting the very companies developing tools for our protection as well. Major organizations like IronNet, Malwarebytes, Fortinet, NCC Group, and Rapid7 have all disclosed staff reductions. Despite the high demand for cybersecurity products and experts due to growing threats, intensified competition and economic strains are prompting these companies to downsize, cutting workforces by 10% to 20%. Even with the sustained need for cybersecurity skills, the current economic uncertainties are pushing vendors to implement cost-cutting measures as well. These human capital losses at cyber vendors mean that fewer tools, arriving more slowly to market, are available to combat the crisis.
AI’s role: AI can help lessen the effects of cybersecurity job reductions, but to what extent is not yet known. Machine learning algorithms aid in spotting and countering potential threats, diminishing reliance on manual involvement. Still, acknowledging the constraints of AI is crucial; current AI cannot replace human roles but is a new tool used on both sides of the battle.
In summary: Boardroom and c-suite executives must carefully weigh the short-term benefit of lower costs against having their company’s reputation and operations permanently damaged. A major incident will cost far more than the benefits of letting their guard down. Cyber risk is not going away and needs to be part of the overall strategy of every company, small and large. Certainly, the bad actors aren’t cutting back but see our uncertainty as their opportunity. Executives must evaluate cyber risk through a wider lens and act accordingly.