Why cybersecurity teams escaped big tech’s layoffs

There’s a silver lining to the rise and rise of cybercrime: as the wider tech industry reels from large-scale layoffs, security experts appear largely impervious to redundancy
Two cybersecurity specialists talking about a project at their computers

During Microsoft’s quarterly earnings call at the end of January, its executive chairman and CEO, Satya Nadella, pointed out that the annual turnover of its cybersecurity arm had hit the $20bn (£17bn) mark – up from $15bn the previous year. Only a few days beforehand, the software giant had revealed plans to lay off 10,000 workers in anticipation of an overall slowdown in revenue growth.

These contrasting disclosures illustrate how the cybersecurity field and those working in it have escaped relatively unscathed from the wave of redundancies that’s swept through big tech in recent months. That’s largely because businesses are under siege online, facing a constant barrage from criminals using tactics ranging from phishing to ransomware attacks. 

A landscape bristling with threats

The statistics make worrying reading for the potential victims of cybercrime. For instance, Verizon’s 2022 Data Breach Investigations Report indicates that the number of ransomware attacks rose by 13% between 2020 and 2021, the biggest growth in five years. It also notes that the use of stolen log-in credentials to hack into organisations in 2021 had increased by 30% since 2017. 

Damaging security breaches affecting high-profile organisations – for instance, the SolarWinds supply chain hack in 2020 and the Colonial Pipeline ransomware attack in 2021 – have at least spread awareness of the threat. 

A survey of business leaders published by the World Economic Forum in January found that 91% of respondents think that “a far-reaching, catastrophic cyber event is at least somewhat likely in the next two years”. It also revealed that 43% believe that an attack is likely to affect their firms materially over the same period. 

There is still huge demand for cybersecurity professionals, although hiring is slowing down in line with the wider IT market

The more that enterprises digitalise, the greater the cyber risk they run, notes Michael Mulligan, practice executive, risk and security services, at US-based IT recruiter TEKsystems. 

“There are just so many different digital access points – so many more opportunities for bad actors to exploit,” he says. 

Mulligan, who is based in Chicago, reports that hiring activity seems to be regaining momentum after a softening in demand for cybersecurity specialists among his firm’s clients in H2 2022. 

“What we’re seeing out of the gates in 2023 is that we’re kind of back to the level of activity we were seeing early last year,” he says. 

John Lynes is MD of Ashdown Group, a London-based IT recruitment specialist whose clients are mainly private firms employing 50 to 500 people. His experience of 2023 so far has been slightly different. He reports that “there is still huge demand for professionals in the cybersecurity space, although hiring is slowing down in line with the wider IT market”.

A web-based tracking tool hosted by Ashdown Group analyses IT vacancies from about 11,000 UK companies. According to this, the number of job postings seeking cybersecurity engineers in January was just over 400, down from 880 in August 2022.

Lynes attributes this decline to the broader downturn in the British economy, which saw weak growth in 2022 and is expected to shrink this year. But he adds that salaries for cybersecurity jobs still rose by about 17% on average last year, reflecting the continuing skills shortage. His firm estimates the UK median salaries for an information security manager and an engineer as £73,596 and £57,826 respectively.

Efforts to close the skills gap

There are about 4.7 million cybersecurity specialists working in a world that still requires about 3.4 million more to join their ranks, despite the addition of 464,000 professionals last year. That’s according to the International Information System Security Certification Consortium, a not-for-profit body providing qualifications in the field.

Closing this yawning talent gap is a goal of both public and private sector initiatives. Westminster’s National Cyber Strategy 2022, for instance, calls for the expansion of post-16 training programmes to enhance the cyber workforce, including “skills bootcamps” and the national roll-out of the Institutes of Technology.

Similarly, the newly created Office of the National Cyber Director in the US, with $100m in initial funding, has named cyber workforce development one of its key functions. And last month the US National Security Agency began one of its biggest recruitment drives surges in three decades, aiming to fill 3,000 roles, many of which relate to cybersecurity.

In the private sector, Microsoft and cybersecurity specialist Fortinet have been going to great lengths to tackle the skills shortage. In 2021, Microsoft started a programme for community college students, with the goal of filling 250,000 cybersecurity roles in the US by 2025. Fortinet has pledged to train 1 million people in cyber skills by 2026.

Time to retrain?

So far, then, the cybersecurity function seems to have escaped the worst of big tech’s big cull. 

“It’s an area of safety, relatively speaking, as cybersecurity solutions are often the last on the chopping block as businesses optimise their costs,” says Malik Ahmed Khan, an equity analyst specialising in technology at Morningstar. 

He also doesn’t expect the wave of redundancies to strike the publicly traded companies that specialise in cybersecurity, including Fortinet, Palo Alto Networks and CrowdStrike.

Underscoring this point, Rob Rashotte vice-president of global training at Fortinet, wrote a guest post on the website of tech recruiter Dice this month in which he urged newly redundant hi-tech workers to consider pursuing a career in cybersecurity. 

“Cybercriminals aren’t going away,” he pointed out. “Now, more than ever, cybersecurity talent is critical.”