Of the nearly 10 million Americans who recently have filed for unemployment insurance – 6.6 million this week and 3.3 million the week before – as the coronavirus pandemics shut down businesses and the economy, the cybersecurity workforce seemingly has been spared. But experts warned that widespread layoffs in the future could leave organizations vulnerable.
“It will be dangerous if cybersecurity jobs are thought of a luxury, or a component that can be downsized when times get tough,” said Timur Kovalev, chief technology officer at Untangle. “The costs that could be incurred if a data breach occurs, or if systems are taken down because of malware or ransomware could easily put a small- to medium-sized company out of business for months, or forever.”
For companies that remain operational the need to have someone standing guard is even more important, Kovalev said, as criminals go after hospitals with ransomware attacks, targeting those expecting federal financial aid or offering phony retail advertisements via texting to coerce people into clicking.
“Cybersecurity and IT professionals are going to be crucial, essential positions during this time, especially as employee and business leaders are focused on weathering the crisis, and possibly missing the signs of an attack happening to them,” he said.
Chris Morales, head of security analytics at Vectra, noted that much like those manning other frontline positions in the war on COVID-19 he is seeing security staffers working even harder right now.
“Cybersecurity and IT are seeing an upward trend and these staffers are a priority for organizations of all sizes in today’s remote work environment,” he said.
The criticality of cybersecurity teams as well as the shortage of skilled personnel that preceded the pandemic have likely limited layoffs in the field. And the uptick of cybercrime – miscreants not only aren’t letting the coronavirus curb their activities, they’re also leveraging the virus in campaigns and capers – make a strong case for maintaining a strong security team.
“Cybersecurity concerns don’t magically go away during a downturn or recession, so while the job market might tighten up when compared to recent years, it’s likely to be less impacted than many other sectors,” said Tim Erlin, vice president, product management and strategy at Tripwire, adding he has not heard or seen of layoffs taking place yet in the industry.
The general consensus, at least to this point, is security teams are likely to avoid being among the first impacted when a company decides layoffs are necessary.
“Most organizations understand that this is one of the very last areas that you afford to cut back on,” said Stu Sjouwerman, founder and CEO of KnowBe4. “Cybersecurity has been designated as ‘essential’ in the recent COVID shutdowns. I honestly do not expect any organization to furlough their InfoSec team, that would essentially be inviting the fox in the henhouse.”
Gene Fredriksen, executive director and CEO at National Credit Union ISAO, said that while automated systems could hold the line for a very short period in the end need they human guidance to truly work effectively.
“Basically, you need to remember that security controls are a combination of people, process, and technology. We could probably assume that the technology will continue to function for the short term and will be robust if kept patched. However, the security processes require people to keep them running,” he said. “Patching, loading files, monitoring, auditing, etc... Can definitely be affected by layoffs. Also, the progress made in the devsecops world could be unraveled by the layoff of key developers.”
Sjouwerman pointed out that if cybersecurity and IT people are let go the cybersecurity implications would be disastrous since criminals have increased their attacks by 667 percent in March alone.
The high level of malignant activity is likely spurring some anecdotal evidence indicating hiring has not abated in the industry.
“Obviously, I can’t speak for everyone, but I really haven’t seen IT people, especially in the cybersecurity field, lose their jobs,” said Pierluigi Stella, CTO, of MSSP NetworkBox USA. “If anything, I’ve seen a renewed interest in hiring. Just yesterday, I was on the phone with a banking client of ours and she told me she was interviewing someone for an IT position because they’re swamped. They can’t keep up.”
Although the Department of Labor’s weekly report did not breakout or specifically mention cybersecurity or IT workers being included in the latest wave of jobs impacted by COVID-19, the category was conspicuously absent. Instead, the jobs most hit across all 50 states were food services, transportation and warehousing, health care and social assistance, administrative, support, waste management, and remediation services, mining, retail trade, manufacturing, real estate rental and leasing and construction industries.
“The volume of jobs in cybersecurity and IT far exceeds the available people to do those jobs. The only employees I could imagine losing their jobs are from companies that are in a very bad position right now and are laying off a large mass of personnel,” said Morales.
A.N. Ananth, Chief Strategy Officer at Netsurion agreed with Morales saying that while he has not observed any significant layoffs those industry verticals where entire staffs are let go, such as travel, hospitality and entertainment, will likely have IT and security personnel included in any staff eliminations.
To put his staff at ease Palo Alto Networks CEO Nikesh Arora has publicly committed to a no layoff policy associated with the uncertainty caused by COVID-19.