By one count, the cybersecurity job market is running dry

Job postings for certain cybersecurity positions have dropped so much, it is affecting national security. One survey shows fewer openings in insider-threat analysis, product-security engineering, and DevSecOps. That is according to analysis by a company called Cyber S-N, which helps clients manage cybersecurity talent. For the details, the Federal Drive with Tom Temin talked with founder and CEO Deidre Diamond.

Interview Transcript: 

Tom Temin  Now, you’ve often heard the statistic we’ve all heard that there’s a million jobs going wanting in cybersecurity in the country, your report shows about 330 Maybe 331,000 listings? Could it simply be that, golly, the other two thirds of a million have been filled, and things are getting better?

Deidre Diamond  That’s one way to look at it. I wish that were the case, you know, the million little plus jobs that are open that we’ve all heard about is a bit of a myth to us all. So there’s one piece of data that we’re all unsure of. So I would say that what we do know is that there’s a decrease in the advertisement of cyber jobs in, you know, corporate us as well as state and local governments and government contractors. I mean, this, this data represents, you know, 30 major job boards, as well as websites of fortune 500 companies. So I don’t think anything’s getting better. I’m 10 years into this now. And I get the, you know, more and more nervous every day. Because burnout has been our biggest threat for the last many, many years. And now with this economic shift, causing capitalism to reduce the need of cyber professionals in organizations, burnout is even getting higher and higher.

        Download our Insider’s Guide where we provide information, insights and advice you need to better understand and use AWS Marketplace to address your cybersecurity needs, sponsored by Carahsoft.

Tom Temin   Well, the aggregated numbers then go through some of the trends of specific job categories that the listings are down for.

Deidre Diamond  Yeah, as well. We’re the founders of the job matching taxonomy. It’s aligned to nice, it’s, it’s extended beyond, and we have 10 categories. And so the 10 categories that we track are all jobs that fall under, you know, defense, so application security, cloud security, those types of roles, there’s 13 of them. And then there’s the product security category, the management category, GRC, planning, offense, response, education and research. So in those 10 categories, there’s 45, sight, functional cyber roles within those 45, you read off the top ones that have decreased, which really represent, you know, tech companies a lot, right? So product security dev SEC ops, those are roles that you traditionally see in companies that are building tech or manufacturing, but mostly tech companies. And that’s that’s where we see the largest decrease, there are increases as well, in the data. We can talk about that too. But yes, there are 25 in this report that we took the top 25.

Tom Temin  Right. And there’s growth in for example, Chief Information Security Officer, cybersecurity, technical writer, cybersecurity software engineer. So as you say, those are going up. I guess my question is, if the categories that are down that we’ve mentioned, could it be that the jobs are filled?

Deidre Diamond  Yeah, well, no, because as a an agent with a professional services arm that does direct placement, direct hiring, as well as contract, what we are hearing is the exact opposite and seeing and feeling which is a retraction of hiring many organizations laid off cybersecurity professionals, which we’ve never seen before in our industry. And so no, unfortunately, it’s the opposite. A lot of retraction. And again, if you had open jobs, and then you retract them, that means there was a need people were already doing too much work, because the cyber This isn’t, you know, go to market strategy for some new product that’s coming down the line and you’re hiring for that growth. That’s not how it goes. If you’re hiring and cyber, you’re hiring, because your people are already doing too much. And you need more hands on the wheel. And so to retract from that means massive problems. There’s nothing good happening within these numbers, other than the categories that went up.

Tom Temin  We’re speaking with Deidre Diamond, dnd she’s founder and CEO of CyberSN. And let’s take your postulate then that people are overworked. They can’t find people. So they’re withdrawing listings. What does that mean? Do you think what’s the effect of all of that? Does that mean products will get shipped that are insecure in their coding and so forth.

Deidre Diamond  Exactly. They’re not retracting the job positions because they’ve the they don’t need them. They’ve it’s because they need to cut budgets and need to cut spend companies are, you know, in this economic climate for the last two years has seriously affected the cyber community? And yes, that’s exactly what it means. It means that we are building products that have less touch in from a security perspective. It means that we’re running leaner in most organizations than than we were previous years with security talent. And yet we know that the threat landscape continues to grow, significantly grow. So you know, so that’s pretty easy math to figure out if you detract you lay off you stop hiring when you were already understaffed, that there’s going to be a problem. And all of us believe the problem is already happening, as we’re all speaking and it’s just a matter of time before we’re hearing more and more.

Tom Temin  Is there any indication from the data of the distribution of company size? Where the job cutbacks are happening? Could it be more localized? Or could it be in specific industries, or maybe just a few companies account for the decrease in job listings? This is month over month, or year over year? By the way? Yes, this And the Defense Department is preparing rules for something called the Cybersecurity Maturity Model certification program, which will require its contractors and their subcontractors to have a certain controls and certain cybersecurity practices in place. Is it your sense that if contractors are actually cutting back on these listings or not hiring the people they need or not going after, then that could affect their ability to meet those types of goals?

Deidre Diamond  is year over year. So this is 2023, compared to 2022. And usually we do it through the year but this year, we’ll do a six month update. I do think that this is heavy tech company oriented, meaning it’s the technology organizations, even the Amazons right, that let’s consider them tech organizations at this point, they are right. Those folks that are the ones that are doing the majority of the downsizing, but that then affects everybody. So while you see the bulk in the bigger companies, it’s just because they have more people, all of that affects all the vendors and all the people that support those companies that then you know, can’t afford their staff. And so it has been very difficult on small organizations and mid sized organizations, this economic hit for cyber. Oh, for sure, for sure. And yet we need them. We need those controls, we need the federal government making more regulation. I’ve been in cybersecurity now for 20 years and nothing moves the needle, the way that the needle needs to be moved other than regulation. So, you know, when PCI was mandated, nobody listened until the fines became real, you know, there was talk of fines, it didn’t launch fines from the beginning, I was out there selling, you know, vulnerability management software for rapid seven. And I saw a drastic change. We’re seeing the same thing. Every time we get a new regulation, this this last one with the SEC huge making that’s why you know, more people are hiring Chief Information, security officers and so forth. So I think Yes, everything’s going to be more difficult for us right now. We even have in the corporate space, I see this at volume. It’s disturbing. security leaders becoming consultants, because they don’t want to deal with the way that business is done. And the liabilities because they’re understaffed, and what have you. So they’re just going to consult and also many of them are retiring much earlier than they would have wanted to if it was enjoyable to work with the money. It can be enough. These days of somebody that’s been at it for 30 years, they don’t need to work 50 And that’s a problem for America big time. So yes, everything’s about to get harder slash is harder. It really is a problem that 80% of the security leaders that I speak to and I spend most of my days speaking to them are disenchanted.

        Read more: Cybersecurity

Tom Temin  All right. Well, let’s hope it turns around, Deidre Diamond.

Deidre Diamond  I’m doom and gloom and you know what, that’s my job. If I’m going to bear the burden of seeing this then it makes no sense unless I get out in the public and share it because we need the federal government to keep making regulations. In fact, I’m calling for compliance control for retaining and developing cybersecurity talent.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.