Cut-backs, furloughs, travel constraints: Are you about to lose cyber security staff to the market
Cyber security staff are not immune to companies re-evaluating their approaches to home-working, office space requirements, travel and global operations in light of the adaptions they have been forced to make during the pandemic.
Some companies will move to continue video conferencing rather than face to face meetings, some might move some staff to be home based longer term to reduce their real estate costs, some might refocus on critical activities and reduce distractions. However, others might swiftly return to the pre-lockdown normal and re-establish everything they did before as quickly as possible.
There are also likely to be changes resulting not from the pandemic, but the economic situation that we will all find ourselves in. Company restructuring, job cuts, outsourcing, rationalisation are all on the agenda as businesses struggle to survive the global recession.
Cyber security staff are still scarce
While some businesses may reduce security staff headcount, or at least slow expansion, in an effort to cut costs, the reality is that many security teams are already under-resourced and have vacancies. While security teams might have to tighten their belts along with other departments, there might not be much surplus to pare back. Especially given the ever-present pressure on budgets.
It is a fair assumption that if security teams lose headcount or stay the same size, there will still be vacancies and hence “work” that doesn’t get done. Cyber security improvement projects, threat hunting, reassessing the effectiveness of security controls – all the activities that are not driven by direct and immediate stimuli – may end up taking a back seat while the security operations centre fights fires.
Changing employment expectations
A more worrying prospect for security managers is that the pandemic lockdown and the aftermath may well cause staff attrition due to individuals re-evaluating their own needs from the security job market. In some cases, these decisions may be impossible to head off.
Some staff may have enjoyed working at home – the freedom, flexibility, time and money savings from not having to commute. If they have got used to seeing more of their families, they may not be keen to return to an office-based role when they have managed to prove that working remotely from home can be just as effective.
Conversely, if companies try and rationalise office space and move former-office based staff to be home workers more permanently, those people who find that home working is isolating and severs social contacts and connections might actually find that they want to seek another role with a desk and a team they sit beside and interact with.
It may be that these two employees will end up working for each other’s companies… but the world of recruitment and retention is seldom as fortuitous and neat as that. It’s a longer process with notice periods, recruitment agents’ finder’s fees, re-training, handovers, inductions and delays.
The cyber security jobs market
The cyber security jobs market may not grow in the face of a recession, but the latent demand for skilled people will persist – even if the pandemic and lockdowns cause a pause in the processes. It seems clear that people will end up looking at the market. This might be due to changes in work patterns that they want to make for themselves, or changes their employers make that don’t work for them as well. It may even simply be that their personal circumstances have changed.
If nothing else the level of disruption of the last few months might just make some employees (and employers) re-evaluate what they want from, and what is important in, the work relationships they have.
A perfect storm
To put this into context look at this precarious staffing situation from the point of view of the security manager.
They probably didn’t have a full team anyway due to the ongoing shortages of good, skilled people and the tightness of budgets. If they lose people, as the current team seek new opportunities elsewhere, they are further hampered. Then add in the fact that cyber threats have never been greater (ransomware, phishing, APTs) and you are approaching a perfect storm.
Re-evaluating cyber security processes
The conclusion from this is that the next year could be volatile in terms of headcounts, vacancies, departures and changes of personnel. Businesses and security managers are going to have to deal with that. Over-reliance on key individuals and on teams of people that have a current level of capacity and knowledge is a risk that must be managed.
Processes that depend heavily on people, rather than happening automatically, are going to be in peril if the availability of resource or the experience of doing it become short.
Undoubtedly this will translate into finding ways to operate more efficiently – whether it is as a result of having fewer staff, or the same number of staff but less time as teams try and recoup the backlog of lost time.
Data is just as sensitive, regulations just as important, business risks if anything have increased due to home working and more reliance on online trading/transactions. One thing that businesses can’t do is take their foot off the gas, or run out of fuel altogether, where security is concerned.
We’ve seen many moves towards automating, simplifying and operationalising aspects of security. For example, patch management systems and application whitelisting that aim to control the presence of inherent vulnerabilities and limit the ability of users to introduce more. For security foundations such as these – having processes that operate independently of “being driven” are vital, and the extension of that – the monitoring and reporting on them being done systematically and automatically rather than manually – also helps to focus security minds on the more specific and challenging problems like new projects, technology changes and incidents that have arisen.
There has been a growth in building these kinds of cyber security innovations into areas like third party assurance, in security alert/incident playbooks and workflows and more recently in GRC, security auditing and reporting on performance metrics.
The more that basic, core security functions can be trusted by making processes more systematic, the less exposed security functions will be to the fluctuations in supply and demand regarding their human capital.
It is worth bearing in mind that if teams do change in make-up and security staff depart, then what you don’t want is people leaving with the sole knowledge of the processes (and risks) in their heads.
If you have cyber security solutions in place that implement and monitor security controls programmatically, you don’t lose visibility of how processes around things like patching or PUAM are operating – the reports and data still get produced. You are somewhat insulated from the loss of headcount because the basics of cyber resilience are more deeply entrenched in “normal” system behaviours.