Layoffs appear imminent, but executives say cybersecurity workers will be less impacted than others
Organizations of all sizes are bracing for staff cuts in 2023, with 85% of respondents in a new ISC2 study saying they believe layoffs will be necessary as the economy slows. Cybersecurity teams, however, will be the least affected by staff reductions, as organizations anticipate an increase in cyber threats in 2023.
The study gathered input from C-suite business leaders – excluding technology executives such as CIOs and CISOs – concerned about the economy. Should layoffs be necessary, respondents expect bigger cuts in other areas of their businesses such as HR, finance, operations, marketing and sales, than in cybersecurity. Only 10% of respondents foresee reductions in cybersecurity teams, compared to an average of 20% in other areas.
The reluctance to lay off cybersecurity professionals suggests that top executives understand the critical role cybersecurity teams play in their organizations, along with the potential for increased cybersecurity threats during a period of economic difficulty. There is also a practical reason; executives recognize how difficult it is to recruit skilled cybersecurity professionals because they have always been in short supply.
When asked why cybersecurity teams were less likely to be impacted by staff reductions than other departments, participants told us:
“Because as the economy gets worse, and more people are out of work, cybercrime will increase. We have to be prepared with cybersecurity to combat the threat.”
“Cybersecurity is one of the top priorities in my organization. We can't jeopardize our reputation, lose trust and face the penalties due to lack of security.”
“They are essential to the business’ welfare and its continuation.”
The Value of Cybersecurity Teams
To assess the impact of a potential economic downturn on cybersecurity teams, ISC2 polled 1,000 C-suite executives in December 2022 across five countries: Germany, Japan, Singapore, the U.K. and U.S. The findings indicate leaders no longer view cybersecurity as a nice-to-have function when budget is available, but rather an essential, critical asset that delivers value.
It is likely this maturing view of cybersecurity has been shaped by a continuing series of high-profile and damaging breaches. Security incidents have left no doubt as to the lengths threat actors will go to steal data or disrupt operations, in some cases even putting lives at risk.
Executives are now aware of the threat, with 87% noting that reductions in their cybersecurity teams would increase risk for their organizations. That awareness appears to be weighing on their minds as they consider staff reductions across their organizations.
Asked to rank business functions most likely be involved in a first round of layoffs, 31% of respondents cited cybersecurity as the least likely to be impacted. In comparison, a far higher number of respondents ranked HR (44%), sales (41%) and operations (40%) higher for likely job cuts.
Moreover, once staff reductions are complete and organizations get ready to rehire personnel, cybersecurity workers are at the top of the list for re-investment.
Just over half of respondents (51%) say cybersecurity professionals would be prioritized for hiring or rehiring. IT is another priority (49%), with research and development (R&D) not far behind (41%). Lower on the rehiring priority list are marketing (35%), finance (34%), operations (31%), sales (30%) and HR (29%).
Further evidence of the importance executives place on cybersecurity teams is a willingness to hire despite uncertain economic conditions. Nearly three quarters of respondents (74%) are open to recruiting cybersecurity talent laid off elsewhere should the opportunity present itself. With reports of job cuts at organizations including Twitter, Meta, Microsoft, Amazon and Google, cybersecurity staff could benefit from proactive hiring targeted towards those recent layoffs. With so many tech jobs impacted by recent layoffs, it is possible that many of those individuals may find opportunity in pursuing a career in cybersecurity, where they can apply related skills and expertise.
The willingness to keep hiring cybersecurity personnel is the continuation of a cybersecurity workforce investment trend. At least 90% of participants from all countries represented in the study said they increased cybersecurity hiring in the last two to three years. The only exception was Germany, where only 78% of participants cited increased hiring over the same period. It is worth noting that the ISC2 Cybersecurity Workforce Study tracked a 165% increase in the size of the German cybersecurity workforce in 2021, when it overtook the U.K. for the first time as Europe’s largest cybersecurity employer.
Rising Threat Awareness
Regardless of the economic outlook, the study reveals a realistic assessment of the threat landscape within the C-suite. A solid majority of respondents (81%) believe threats will rise during 2023. This is hardly surprising, considering the upward trend of recent years combined with current global economic and political issues. Statistics collected by various organizations indicate that 2022 was a banner year for cyberattacks.
Most respondents (80%) believe a weakening economy will increase cyber threats. And a larger majority (87%) think a staff reduction in their cybersecurity teams will further increase risk. Data suggest executives understand the importance of keeping their cybersecurity teams intact even if wider organizational layoffs become unavoidable.
The findings also revealed some regional variations in concerns about risk. When asking respondents if they believed reducing cybersecurity staff would increase risk for their organizations, some clear divides emerged. 73% of participants in Germany were concerned about increased risk due to possible reductions in cybersecurity staffing. Meanwhile, 96% of participants from Singapore and 94% from the U.K. were concerned about increased risk if staff cuts are necessary. German respondents are also least likely to believe cyber threats will rise in 2023 (65%), while more than 80% of participants from the rest of the countries covered in the study believed threats will escalate in 2023.
Fears of increased risk notwithstanding, the overwhelming majority of respondents (91%) express confidence their organizations are prepared for a cyberattack. Should layoffs of cybersecurity professionals occur, that number drops to 83%.
Cybersecurity Layoff Considerations
We asked participants to share how they would determine which staff would be impacted if layoffs within their cybersecurity teams become necessary.
While layoffs would be spread across experience levels, the survey suggests the C-Suite believes junior staff will be impacted at a higher rate (63%) followed by senior team members (41%),managers (29%) and cybersecurity executives (21%).for other criteria for deciding which staff to layoff, salary emerged as the least important factor. It is cited by only 30% of respondents, compared to other factors such as performance (50%), expertise/skill set (49%), skill redundancy (43%), and diversity/team composition (37%).
As scarce as qualified talent is, the C-suite isn’t willing to overlook performance. That it ranks as the most important factor in deciding whom to include in staff cuts underlines the importance of advocating for one’s self and demonstrating value back to the team and organization, even in a field where qualified professionals are in short supply. Regardless of skill level, commitment and hard work are still considered essential and valuable assets.
Potential layoffs aren’t the only challenge cybersecurity professionals may face during a recession. In response to uncertain economic times, respondents told us their teams may be impacted by increased adoption of automation (41%) and by asking team members to work longer hours (40%). Other contingencies for softening the impact of an economic downturn include hiring more entry- and junior-level staff (36%) and a freeze on promotions and raises (30%). Only a small minority of respondents (8%) believe a recession would not impact the cybersecurity team at all.
Despite the increased reliance on automation, cybersecurity professionals already work long hours. The bad news for cybersecurity professionals is that those hours might be further extended at a time when raises and promotions are likely off the table.
Whether a global recession occurs in 2023 remains to be seen. Staff reductions are already underway as companies seek to preemptively tighten their belts in the face of near-double-digit inflation across G20 nations.
For cybersecurity professionals, the field as a whole appears it will weather uncertain economic times better than other business functions. Even when considering layoffs across the board, C-suite executives are reluctant to cut their cybersecurity teams and say they will do what they can to retain talent and shield teams from downsizing for as long as they can.
The C-suite, leaders and hiring managers need to take stock and understand the full extent of their cybersecurity workforce. While a headcount reduction in some form may seem inevitable or unavoidable, any such decision needs to consider the cost incurred of acquiring and developing skilled individuals in the first place, along with the cost and likely availability of the same people when economic conditions improve. Our findings suggest that executives are aware demand for cyber talent outpaces supply and believe that they will benefit from retaining people now to avoid chronic shortages later.
Cybersecurity professionals may have less to fear when it comes to layoffs than their colleagues in other departments. And even if they are included in a staff reduction, the prospects of quickly finding other employment are high. Nevertheless, the demand for and high value placed on cybersecurity personnel will not shield the profession completely from the pressures caused by layoffs. The findings of this study highlight that cybersecurity staff and people leaders need to brace themselves for longer hours and greater workloads just as economic challenges may serve as a catalyst for increased cyber threats around the world.
We surveyed a total of 1,000 business executives in December 2022 from Germany (200), Japan (200), Singapore (200), the U.S. (200) and U.K. (200). Respondents were screened to allow only non-tech/security C-suite professionals to participate. Respondents were also limited to those working within an organization with a cybersecurity team of at least two (2) employees and anticipating economic challenges in 2023. The margin of error for the global descriptive statistics in this research is +/- 3.1 at a 95% confidence level.
ISC2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, ISC2 offers a portfolio of credentials that are part of a holistic, pragmatic approach to security. Our association of candidates, associates, and members, nearly 330,000 strong, is made up of certified cyber, information, software, and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation –The Center for Cyber Safety and Education™. For more information on ISC2, visit www.isc2.org, follow us on Twitter, or connect with us on Facebook and LinkedIn.