On today’s episode of CyberSound, Jason, Steve, and Matt discuss specific factors contributing to this downturn in the industry and alternative approaches to hiring, such as seeking more diversified candidates to ensure greater success in your organization.
Economic Effects on the Cyber Industry
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.
Jason Pufahl 00:10
Welcome to CyberSound. I’m your host, Jason Pufahl. Joined, as always, by Steve Maresca and Matt Fusaro. Hey guys.
Steven Maresca 00:19
Certainly, preparations for leaner times, I think it’s a fair thing to say. Hey.
Matt Fusaro 00:19
How are you?
Jason Pufahl 00:19
So are we going to chat about an uplifting topic today? Maybe the burgeoning economic unrest in the cybersecurity industry? I mean, honestly, with the economy the way it is in perhaps a recession looming, or maybe almost already here. Are we seeing a downturn finally in sort of the security industry to some degree?
Matt Fusaro 00:29
Yeah, I mean, NASDAQ is down 20%. I think, year to date, to this point, right, that most of the tech stocks are in that. Yeah, it looks like a lot of the CEOs of at least publicly traded companies are looking to downsize workforce, probably to meet some shareholder demands, right. Cybereason is said to be doing some of that with, I forget exactly what the percentages are, cutting, I think they’re taking out about 100 people.
Jason Pufahl 01:19
Yeah, I think they say 10% of their workforce.
Matt Fusaro 01:21
Yep, SentinelOne, down 66%. CrowdStrike, down 35%. So there’s some big numbers that we’re looking at as far as coming down off their highs in the stock markets.
Steven Maresca 01:36
Despite by all respects, you know, being ahead of revenue for projections this year, at least.
Matt Fusaro 01:40
Jason Pufahl 01:41
Well, and that’s the challenging part, right. So the companies that you just mentioned, are all pretty big players in, say the ransomware prevention industry. And we’re seeing a push, right, like insurance companies are pushing using these browser products. Certainly, you know, we’ll talk about that. You know an EDR and MDR, being a sort of a fundamental control, their businesses are doing well. And yet, they’re laying off employees. And back to your point, the stock market’s killing them.
Matt Fusaro 02:13
Yeah, yeah, growth stocks are getting murdered right now. They’re usually the first to go when you’ve got some type of recession on your hands, right? We’re at least prepping for one.
Steven Maresca 02:22
And, you know, I have to say, some of that has to do with the nature of many of these companies, they’re always searching for new rounds of investment, and they’re starting to see that dry up. Therefore, they need to scale back to simply sustain.
Matt Fusaro 02:36
Yeah, and money is getting more expensive for them too, right? So if they do have to go and get money, or any type of loans or anything like that, it’s more expensive now than it was. So yeah, they’re probably trying to plan for at least the next year out, and keep costs down and get employees off the books, unfortunately.
Jason Pufahl 02:53
So the challenge with that, though, so you’ve got some pretty big name companies laying folks off. And, you know, there was a recent study that I read, it was the cybersecurity firm Trellix commissioned a survey, right, where they surveyed 1000 cybersecurity professionals, and the response they got was about 30% were looking to potentially leave the industry. So you’ve got large companies laying people off, you’ve got studies that said people voluntarily might step away from the industry. I mean, all of that certainly leads towards more challenging, you know, sort of more challenging in filling security positions that are open.
Steven Maresca 03:39
Which is already tough enough to begin with.
Jason Pufahl 03:41
It’s already tough enough, right? I think, what do we see, give or take 40% of jobs go on unfilled at this point. So I mean, that just makes that even harder.
Matt Fusaro 03:50
Yeah, job postings, also, in cybersecurity, in general, typically are for cybersecurity, they’re open way longer than any other IT position.
Steven Maresca 03:58
Even in markets that are competitive, outside of them, you know, even more challenging.
Jason Pufahl 04:03
And, yeah, how much of that is, you know, partly due to the fact that this is a reasonably stressful role, typically, you know, it takes a certain type of person, I think, to sort of take these and frankly, last in the industry, right, it’s not, they’re not easy roles, you’re oftentimes dealing in high pressure, high stress situations. And I think partly the filling up open job reqs is extra challenging because there’s a shortage of skilled people, right. I mean, I think from a training standpoint, you’re seeing a lot of people either have to enter into the positions at a really high level. So you really need experienced people, or, you know, really junior where somebody’s willing to put a little bit of effort in, but that middle ground is really hard to fill.
Matt Fusaro 04:48
Yeah. It’s very similar to you can’t be a running back until you’re 45, like it’s a young person’s game, almost this field, you know, unless you’re moving up to more of a managerial role. I think that 30% number might be a lot of people that have been here for a while, that are starting to look for, like you said, things that are a little less stressful, a little less demanding. Maybe not a SOC analyst.
Steven Maresca 05:15
I think a lot of them come from organizations that have been hit pretty hard in the last two years. And depending on where you go, ransomware is up, you know, 25%, year over year, something like 70% of organizations that are surveyed and willing to talk anyway, say that they’ve had some sort of incident. Those are the organizations where things are stagnant because of the last two or three years of chaos in many respects, it seems lucrative to people in those roles to exit towards private sector. So there’s a pendulum that’s swinging back and forth. And I think that’s maybe part of the problem. I can’t make a strong assertion there, but just reading the winds.
Jason Pufahl 05:59
So are you suggesting that people are just changing jobs or leaving the industry altogether then?
Steven Maresca 06:07
I think there are some people who are at the degree of burnout, that might be considering a career change. You know, IT can be unforgiving and brutal, in some respects, especially the case for cybersecurity. When attacks are up, and overall support is down, you know, the funding of security is down, generally speaking, therefore, you know, it’s harder to actually achieve positive outcomes in those adverse events. So, you know, it only takes one or two to really hurt from a psychological standpoint, as well as family and you know, everything else that is attached to it, some people I think, have made the decision that it’s not worth the money that’s been stagnant in some of the industries for their positions.
Matt Fusaro 06:53
Yeah, while these positions command higher salaries, they’re not, sometimes it’s not worth the money. Most organizations don’t have the funding to keep enough people around to make that hurt less. So when you get to a certain point in life, like you say, you have kids, family, whatever it might be, might be burning out. At some point, it’s not worth being in that position anymore.
Jason Pufahl 07:22
So that means that seems like it would give opportunity, then to other folks who might not have that background, right. And frankly, maybe we need to look at a little bit more diverse candidate pool.
Steven Maresca 07:32
Honestly, I think that’s a reasonable segue, because a lot of the hiring challenges to fill the positions that we talked about a moment ago, remaining open, are actually because there isn’t like a junior position that’s being opened by many organizations, they only have authority or approval to open one position, or to fund one position so they aim high. Therefore bypass anyone with, you know, a trainable background.
Matt Fusaro 07:57
Yeah, a lot of candidates don’t even get out of that, the HR gate, like to call it, they’ll put these postings out a lot of times, they won’t even get into a first interview, because you’re requiring three, five years of experience, you’re requiring college degrees and all that. In this particular field, a college degree may not equal a viable candidate, or you might find a great candidate who never went to college, right. So starting to look at more, like you said, more diverse hiring pool of people that may or may not actually meet a lot of the demands that you’ve been putting on your recruits before.
Jason Pufahl 08:37
Right. So is there any good news here in terms of employers? Well, honestly right. So we’ve got some companies laying folks off, which would suggest that there will be some candidates in the market who may not have been there before. We’ve got a study that says, a certain percentage rate, up around that 30% mark, people might leave voluntarily, you know, for totally different positions, right? Is it gonna get any easier to hire? Do we have any choice but to start really looking at sort of different style candidates?
Steven Maresca 09:20
I think there needs to be a greater willingness to establish mentorship and training programs within organizations because you can hire anyone meeting a technical level of proficiency. But as we’ve said many, many times here, security is greater than 50% understanding risks to business and business process. Therefore, in my opinion, it’s to some degree tolerable to have someone who’s a little more junior, who can be trained and be brought up to level because the more important aspect is actually understanding the business and what makes it run, what makes it risky, what things need to be understood to protect it.
Jason Pufahl 10:02
Yeah, and in fairness to these studies, there really is no clarity about what type of role is exiting voluntarily, right? Or, even really what roles, those companies are letting go. They don’t, it’s not necessarily a set of programmers, it’s not necessarily purely a set of analysts.
Steven Maresca 10:20
All that said, the initial thing we mentioned is certainly relative to Silicon Valley scuttlebutt, right. It’s biased toward service industry, it’s biased toward solutions providers, software vendors, those people started in the defensive IT realm, if they weren’t application developers purely right. So they’ve migrated to Silicon Valley or adjacent organizations, writers, I think that they may simply shift back if the burnout is as significant as we expect, in some places, perhaps they’ll return to earlier positions or more comfortable areas.
Matt Fusaro 11:00
Yeah. Yeah, possibly. And Silicon Valley itself has changed, too, right? I mean, there’s been a mass exodus of that area, it’s just gotten too expensive for people to be in, companies can’t pay people the amount of money they need to be paid to stay there. Quite honestly, venture capital is looking in other directions right now, right, they realize that high growth potential companies that are asking for, you know, billions of dollars now to fund their companies, they’re not seeing the returns. So we have this perfect storm of money is drying up, money is getting more expensive, we don’t have enough people, and people are leaving the industry. So it’s gonna be a really difficult time over the next probably three years. So to figure this all out for everyone.
Steven Maresca 11:48
So for every one, what does that actually mean for impact? If you’re not hiring, like, how can we, on the other end of that equation, expect services to change or diminish? Or, you know, become less effective? I suspect there’s some element of that, in this trend that we’re talking about.
Matt Fusaro 12:07
Yeah, as far as how services are going to change, I mean, I think you’re gonna find that calling support is what used to be, right. I think you’re gonna find that you’re gonna have to find good ways to train people. You’re gonna find people in your organization that maybe come in and do these things, with a little bit of training, be willing to do that. And I think people in the security industry, quite frankly, better at training. It’s always been a real issue in our field, mostly, because a lot of us got good paying jobs where we are actively practicing, not so much teaching.
Jason Pufahl 12:47
Steven Maresca 12:48
And, you know, to be fair, on that standpoint, a bit of a counter discussion, training is very expensive. Yeah, excessively expensive. So there’s an element there that, you know, organizations need to invest a bit of money to bring up newer, younger staff, or younger is unfair, right, less experienced in cybersecurity. And that has a cost, but it must be accounted for in a budget. If you do that, while hiring. I think that changes the dynamic a little bit, and you can seek out differently diverse candidates and be more likely to have hiring success.
Jason Pufahl 13:28
I mean, you know, the other alternative for some organizations might be outsourcing some of that work, right? In spaces where you maybe you don’t need full time security practitioners, or you might need support, sort of in regulatory compliance, you know, there are ways to address organizational gaps, sort of using external support or external, external labor, right.
Steven Maresca 13:53
I think that, you know, regulatory bodies are actually beginning to acknowledge that reality. For example, late last year, the GLBA Safeguard amendments actually included a slight change where you only need to qualify designated individual to oversee a program, I’m getting into very specific language. But the point is that you’re no longer expected to designate a CISO. So that means you can use third party. So the trend is to be more flexible in at least that regard. So that’s an angle. I think it’s worth pursuing.
Jason Pufahl 14:27
And I think really to that point. They’re trying to acknowledge that you might have to lean on somebody who doesn’t have that depth of expertise, but is paying attention or are sort of assigned to those duties and expected to be able to fulfill them to some degree but without maybe without that, you know, 10 years of experience that’s needed to get into some of these maybe more senior positions. But you know, I’d say it is the first time that we really are honestly talking about a downturn in this Information Security space. You know, it’s been, you know, to your point, Matt, right, it’s been reasonably well paid, reasonably easy to get positions. And in a lot of ways, I think your peers can kind of write their own ticket to some degree now that we’re certainly starting to see, some layoffs, and layoffs in product in the product space that I think we know, is really important, right. So it’s not, it’s not some niche security technology. I mean, these are really mainstream companies that are offering a service that mostly every company is utilizing in some way. I mean, it’s a real harbinger of things to come.
Steven Maresca 15:42
All the same, like I said earlier, they’re meeting their revenue targets now, those product driven companies have been heavily dependent upon funding after funding after funding round, in order to sustain the level of investment in development that has been, frankly needed to address the evolving nature of cybersecurity. We may be reaching a bit of a plateau, where they’re still hitting their revenue projections, perhaps, but we’re not seeing wildly exploratory development, less investment in R&D, you know, the product sets might be as capable, but it’s just the flow of the cycle.
Matt Fusaro 16:23
Especially with these companies with the way they were, where their valuations work, when they got this money. Just because they’re hitting revenue targets doesn’t mean they’re profitable.
Steven Maresca 16:32
Matt Fusaro 16:32
These people burn cash so much. And, you know, we all knew it was gonna catch up with this industry. We all knew it. I guess, here we are.
Jason Pufahl 16:43
Yeah. And we’ll see a consolidation to some degree. I mean, we recently went to a conference where, you know, there were these next generation, AV vendors. I mean, that probably was 50% of the vendor space, where we were offering largely the same thing. So large, largely the same capabilities, we’re gonna see a consolidation I think so, you know, it might not be as dire as we’re painting. Yeah, at least in that industry.
Matt Fusaro 17:06
Yeah, I think we have a lot of tools, we have a lot of software out there. Now it’s time to start getting people to back it up and actually use all this stuff. And that’s, where you’re gonna have to fill the gap right now.
Jason Pufahl 17:19
So to some degree then in conclusion, because this is probably not as specific as some of the discussions, we often have, it probably is our way of saying pay attention to the industry a little bit understand that you might get a little bit more challenging hiring people, I think there’s people who are reevaluating their career trajectories, I think people are reevaluating sort of value and the value of the pay that they receive and sort of, you know, that commensurate with the level of effort they put in or the stress that they have. Maybe be a little bit more open to the types of folks that you’re interviewing, when people are actually looking at candidates. You’ll give people an opportunity to grow into positions perhaps might be it might be a strategy.
Steven Maresca 18:05
Along with, you know, training budget increase, like I suggested, and overall willingness to expend personnel time towards better utilizing existing investments in the space because that, certainly in our experience on a regular basis is frankly, where the mark is missed a lot of the time. It may not be necessary to expand workforce if the existing tools in play are used more effectively. Now that there are lots of levers.
Jason Pufahl 18:36
Fair enough. Well, as always, guys, thanks for joining today. Interesting topic, maybe not one of the most uplifting ones we’ve had but at the same time, I think it’s fair to keep an eye on this industry and just understand where it’s going to and, frankly, how it’s going to affect your organizations from a hiring standpoint.
Stay vigilant, stay resilient. This has been CyberSound.