Amid the widespread tech-industry layoffs we’ve seen this past year, there’s at least one glimmer of hope: Cybersecurity teams aren’t being hit as hard as previously thought.
A recent global study by the nonprofit (ISC)² found that while half of the 1,000 C-suite execs polled are very likely to approve layoffs this year, only 10% expect to eliminate cybersecurity personnel. That echoes other positive signs for security teams: The total number of employed cybersecurity workers in 2022 remained relatively unchanged from previous estimates, according to data published in January, and hiring is on the rise in the public sector at places like the National Security Agency (NSA), which launched an “unprecedented” hiring effort to fill cybersecurity jobs in 2023.
This suggests enterprise leaders in both the private and public sectors know they can’t cut cybersecurity staff too deeply given the rise of ransomware, business email compromise, and other ongoing threats. But layoffs will unquestionably alter the threat landscape, making it even more important for enterprise leaders to regularly update their cybersecurity strategies.
For example, companies and users may see an uptick in phishing attempts, which try to trick workers into clicking malicious links or handing over credentials. In addition to phony surveys, awards, and pleas to help troubled Nigerian princes, laid-off workers could start receiving phishing lures with links promising updates on their severance or company benefits.
Organizations can also be adversely affected by “left-behind” employees feeling down, worrying if they’ll be next to receive pink slips, and becoming less productive, says Max Solonski, CISO for Hexview, an executive advisory firm.
“When companies drop a number of employees, the morale of remaining employees isn’t often high,” he says. “They may not care enough, in some cases, to react to problems, which elevates overall risk.”
Even worse, a sour attitude among staffers will increase an enterprise’s insider risk, demanding yet another security pivot. Layoffs, even if they don’t affect security teams directly, always exact a price.
The ‘dirty little secret’ of IT layoffs
To be clear, chief information security officers and their teams have not avoided layoffs entirely, and some are even cutting entire security teams. For example, Patreon, a creator membership platform that hadn’t been breached since 2015, let go of its five-person cybersecurity team last September.
“I guarantee you there are large companies that have laid off their CISOs and IT security staffs while downsizing their organizations,” says Steve Zalewski, former CISO for Levi Strauss and founder of S3 Consulting. “They do not highlight that. It’s their dirty little secret.”
The allure of saving a few near-term bucks is understandable, but such an approach is “shortsighted,” suggests Richard Stiennon, chief research analyst for IT-Harvest.
“To have good security, it costs about $10 million a year,” Stiennon says. “If you go two years with no security, yes, you save $20 million. But you face an extremely high risk of losing a lot more than that.”
Indeed, companies could find having fewer security professionals on staff leaves them less able to defend against the types of increasingly sophisticated attacks likely to come their way in the next few years.
“With fewer resources, organizations may not be able to keep up with the latest security updates and patches, increasing the risk of vulnerabilities being exploited,” says George Lamont, chief information officer and founder of IronNet Cybersecurity. “Software developer teams will often default to placing security fixes and patches in backlog, which adds risk to systems and products until they can be resolved.”
Coping with the aftermath
Experts warn companies must do their utmost to maintain their security postures, especially in the wake of layoffs, which will transform an enterprise both internally and externally. To prep for those changes, here are a few proactive steps enterprise and security leaders can take.
1. Get everyone on the same page
Lamont says that when staffing gets tight, it’s even more important to ensure that everyone still working for the business—from IT and operations to HR, legal, marketing, service, and support—is in sync and ready to roll if a cyberattack takes place. This means dusting off and reviewing your incident response playbooks, or developing those plans if you don’t have them already. He also advises holding joint role-playing exercises, like war games.
“So many times, during a cybersecurity tabletop exercise (TTX), you find out the names and call-trees of key personnel have changed,” Lamont says. “You don’t want to experience that in a real-world event.”
2. Automate essential tasks
If there are fewer people to handle security issues, automation of essential tasks won’t be a choice; it will be a necessity. Security automation, long talked about as a holy grail but seldom adopted, is now enjoying a renaissance.
Security automation tools can help reduce immediate risks and ease burdens on burned-out workers and chronically understaffed IT teams. Converged endpoint management systems, for instance, support end-to-end automation by acting on real-time data from the devices they manage. Centralizing and automating identity management, which is often siloed within business units, helps ensure that users and devices can reach only the resources and data they are entitled to, and that departed workers lose that access promptly.
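One concrete form of the identity automation described above is a recurring reconciliation of directory accounts against the HR roster, so that accounts belonging to laid-off workers, and accounts nobody in HR owns, surface automatically instead of waiting for a manual review. The script below is an added example, not code from the original article or from any vendor named in it; the record formats, the privileged group names, and the sample roster and accounts are all constructed for illustration.

```python
"""Reconcile directory accounts against an HR roster after a layoff.

Added example. The Worker/Account shapes, the group names, and the sample
records are assumptions constructed for illustration, not a real export format.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    employee_id: str
    status: str                              # "active" or "terminated"
    termination_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]               # None: no HR record links to this account
    enabled: bool
    groups: frozenset = field(default_factory=frozenset)


# Assumed names of groups that grant elevated access; adjust to the real tenant.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "cloud-admin", "prod-db-rw"})


def reconcile(roster, accounts, today):
    """Return (severity, username, reason) findings, highest severity first.

    Flags: enabled accounts whose HR owner is terminated; disabled accounts of
    terminated owners that still sit in privileged groups (re-enabling them
    would silently restore admin); and enabled accounts with no HR owner at all.
    """
    by_id = {w.employee_id: w for w in roster}
    findings = []
    for acct in accounts:
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        owner = by_id.get(acct.employee_id) if acct.employee_id else None

        if owner is None:
            # Orphan or undocumented service account; worse if it is privileged.
            if acct.enabled:
                findings.append(("high" if privileged else "medium",
                                 acct.username, "enabled with no HR owner"))
            continue

        if owner.status != "terminated":
            continue  # active employee: nothing to report here

        if acct.enabled:
            if owner.termination_date is not None:
                lag = (today - owner.termination_date).days
                reason = f"enabled {lag} days after termination"
            else:
                reason = "enabled after termination"
            findings.append(("high", acct.username, reason))
        elif privileged:
            findings.append(("medium", acct.username,
                             "disabled but still in privileged groups"))

    rank = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


# Constructed sample data: a layoff effective 2023-03-01, reviewed two weeks later.
ROSTER = [
    Worker("E100", "active"),
    Worker("E101", "terminated", date(2023, 3, 1)),
    Worker("E102", "terminated", date(2023, 3, 1)),
]
ACCOUNTS = [
    Account("alice", "E100", True, frozenset({"cloud-admin"})),    # active owner, fine
    Account("bob", "E101", True, frozenset({"prod-db-rw"})),       # still enabled post-layoff
    Account("carol", "E102", False, frozenset({"Domain Admins"})), # disabled, still admin
    Account("svc-backup", None, True, frozenset({"prod-db-rw"})),  # no HR owner
    Account("dave", None, False, frozenset()),                     # disabled orphan, ignored
]


def run_example():
    return reconcile(ROSTER, ACCOUNTS, date(2023, 3, 15))


if __name__ == "__main__":
    for severity, user, reason in run_example():
        print(f"{severity:6} {user:12} {reason}")
```

Run on a schedule against real exports, the same logic turns the layoff roster into a ticket queue: the "high" rows are the ones an attacker or a disgruntled former employee could use today, and the "no HR owner" rows are the service accounts that tend to be forgotten precisely when the people who created them leave.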
3. Consolidate the toolset
Faced with tough budget considerations, leaders must eliminate redundant and unnecessary toolsets. Too often, organizations respond to something their existing tools aren’t handling by throwing yet another product into the mix.
Unfortunately, that produces tool sprawl: an overwhelming number of point solutions that adds cost, complexity, and cyber risk. Having a single sanctioned platform handle multiple functions is the more efficient and viable solution, some experts say.
4. Hire, hire, hire
It may seem counterintuitive to a company that’s been laying people off, but there’s probably more security talent looking for work right now than there has been in years. And considering more than 3.4 million cybersecurity jobs remain unfilled, according to another (ISC)² study, that spells pure opportunity. Just as real estate investors find deals in down markets, savvy employers can scoop up some hidden talent gems in this turbulent economy.
This is an especially prudent move for security leaders in the public sector. According to the Office of Personnel Management, the federal government plans to fill more than 22,000 tech positions this year, including at the NSA and the Cybersecurity and Infrastructure Security Agency (CISA), which added hundreds to its rolls last year and plans to hire even more in 2023.
5. Consider third-party support
Often, as may have been the case with Patreon, companies that have trimmed staff discover they do not have the in-house expertise to fortify themselves, and they turn to managed security services providers (MSSPs) for assistance. Stiennon says this is a smart approach for many businesses.
“There are hundreds, if not thousands, of good MSSPs who would be more than happy to take that over for you,” he says. “It would be a net expense increase because you still have severance and COBRA payments for employees you just let go. But you would be covered for cybersecurity.”