False economy: How cutbacks are crippling the cybersecurity sector

Cutbacks may make sense in the short term but could ultimately end up doing more harm than good
Jamal Elmellas

Even cybersecurity has not proved immune to the economic slowdown, but pruning security costs without increasing the risk to the business is proving more difficult than some organisations envisaged. The predominant strategy so far has been to freeze investment, with 32% freezing hiring and 26% freezing promotions and salary increases, but around a third are now making budget cuts and a fifth are laying off staff, according to Statista Research. Those figures are borne out by the ISC2 Cybersecurity Workforce Study 2023, which found that almost half (47%) of respondents had experienced layoffs, budget cuts and hiring or promotion freezes.

It's interesting to look at exactly where those cuts are being made. The majority of organisations are delaying purchasing or implementing new technology (53%), which means we could see a slowdown in the deployment of automated solutions and digital transformation projects such as Zero Trust initiatives. Some have taken even more radical action, with 40% saying the security team has been restructured or moved within the organisation, 35% eliminating cybersecurity training programs altogether and 24% choosing not to renew cyber software licences, according to the survey.

When it comes to training provision, a worrying trend is emerging in that employers are withdrawing reimbursement. The State of Cybersecurity Report 2023 by ISACA reveals that university fee reimbursement fell from 33% to 28% over the course of the last year, that the share of employers paying certification fees also dropped slightly, to 65%, and that only 55% of employers currently pay for the renewal of certifications. Failing to pay for these will inevitably see some practitioners forced to let their certifications lapse, hurting the development of certified practitioners and the advancement of the sector.

A knock-on effect

In fact, the effects of these cutbacks are already being felt. Of organisations that do not offer reimbursement for certification courses or exams, 47% have significant skills gaps in cybersecurity, compared to only 38% of those that do offer reimbursement, according to the ISC2 report.

With respect to the other cutbacks, 40% said these had disproportionately affected the security team in comparison to the rest of the organisation, with 71% reporting increased workloads, 63% lower morale and 62% lower productivity. Not surprisingly, this is then elevating risk, with 57% saying cutbacks had compromised their ability to respond to cybersecurity threats and 62% their ability to prepare for future threats.

There is a direct correlation between those organisations that have laid off staff and those suffering staffing shortages, with 28% of those that had done so experiencing shortages compared to 18% of those that had not. This is because these cutbacks erode the security culture within the business and the trust between management and the security team. So much so that layoffs were also the causal link in a rise in uncertainty over the risk posture of the business, with 63% of those working in companies that had laid staff off no longer confident, versus 47% in companies that had not.

A risky strategy

These staffing shortages were then found to place the organisation at moderate or extreme risk of cyberattack because they simply didn't have the necessary resources to prevent and troubleshoot security issues. Half said they no longer had sufficient time to conduct proper risk assessment and management, 45% reported oversights in processes and procedures, 38% reported misconfigured systems and 38% were slow to patch critical systems.

All of these findings prompt the question, are these cutbacks worth the risk? If staff are demoralised and retention becomes an issue, if the security posture is being compromised, and the organisation becomes more exposed over time and vulnerable to attack, any cost savings are eclipsed. If the worst happens, and the organisation does suffer a breach, the resulting financial and reputational damage would render the strategy pointless.

The IBM Cost of a Data Breach 2023 report found that organisations in the UK pay £3.4m on average for data breach incidents and that those organisations that didn't deploy AI and automation technologies paid £1.6m more. Depriving security teams of the tools they need to do their jobs is therefore a false economy, both financially and in terms of job satisfaction, morale and loyalty to the business.

Focus on efficiency not frugality

So, if cutting back in these areas is not the answer but organisations still need to conserve spend, what should they be doing? The ISC2 report has some important pointers here. Nearly a quarter of those questioned stated that resources were misaligned, with too many staff in some areas and not enough in others. This points to poor workforce planning, which is essential to ensuring that resources are properly allocated and that any recruitment drive fulfils a need, not just an empty seat.

A similar number also said there were insufficient opportunities for growth or promotion, which points to a lack of attention to career progression. The business may not be able to reward an employee with a raise, but it could recognise their efforts with a change in job title accompanied by training, especially given that those organisations that did continue their training, education and reimbursement programs were better prepared for economic uncertainty and were less likely to experience organisational gaps in their security.

The key takeaway has to be that people matter. They are a key asset in the organisation, and effective people management is essential, particularly given the unique challenges the cybersecurity sector is facing. Strictly speaking, times of economic hardship mean it is not a candidate's market, but skills shortages have up-ended the usual rules of supply and demand. Globally, the workforce has expanded by 9% to 5.5m, but the workforce gap has outpaced it, rising 13% to 4m vacancies over the past year, and the skills gap is set to continue to grow, creating a scarcity of resources. In such a scenario, it makes sense for the organisation to prioritise investment in the security team today, both to protect the business and to attract the talent of tomorrow.

Written by Jamal Elmellas
January 15, 2024