Tech shortages have seen some sectors buck the downturn with wages increasing above inflation rates. Cybersecurity is a good example, with salaries in high-demand jobs such as incident response and identity and access management (IAM) climbing 10 percent per year, fuelled by a demand that is only set to increase.

In fact, the Cyber Workforce Study 2023 from the (ISC)2 reveals that the skills gap in the UK is up 29% this year, translating into 73,439 vacancies, and there is an annual shortfall of 11,200 according to the Cyber security skills in the UK labour market 2023 government report.

Inevitably this was going to lead to cutbacks in other areas which is what’s now happening. The (ISC)2 survey found that 47% have experienced layoffs, budget cuts and hiring or promotion freezes in 2023. With respect to security cutbacks, 40% reported that their security teams were restructured or moved within the organisation but there’s also been a cull in the spend on training. Over a third saw cybersecurity training programs eliminated and professional development is also being hit, with fewer organisations reimbursing staff.

Similarly, The State of Cybersecurity 2023 report from ISACA shows there was an increase in the number of businesses declining to reimburse tuition expenses with respect to university (down 5% to 28% compared to 2022) or certification fees (down 1% to 65%). There was also a notable gap of 10% between those paying for certifications and the renewal fees for certifications (55%), revealing that having made the initial investment, the expectation is that the onus is on the employee to keep them valid.

Flight risk

The clamp down could be down to a widespread perception that training carries the risk that employees may leave because they have become more valuable in the marketplace, according to the government report. It’s a sentiment echoed by ISACA which found 58% thought cybersecurity professionals primarily leave when recruited by other companies followed by poor financial incentives (54%) and then limited promotion and development (48%). But the reality is that most employees, provided they are supported and nurtured, want to stay with their current employer.

In many respects, these cutbacks are a false economy. According to the (ISC)2, 47% of the organisations that did not offer reimbursements for certification courses or exams had significant skills gaps in cybersecurity, which was just 38% among those that do offer reimbursements. This suggests that focusing on keeping the workforce you have skilled is a more advantageous strategy in terms of retention and preventing the workforce from being poached. Failing to meet the costs of continuing education requirements does of course not only hurt the development of certified practitioners but the advancement of the sector as a whole.

There were also consequences associated with other cutbacks. Deprived of the tools and resources they need and expected to do more with less, the reports note that workloads escalate and morale declines, creating a divide between the workforce and senior management. Layoffs, too, can create a vicious cycle, with over half of those that let staff go experiencing skills gaps in one or more areas compared with the 39% of organisations that have not fired staff, revealing that skills gaps are most prominent in those businesses that invest the least.

Plugging skills gaps

In an attempt to fill these skills gaps, 45% of those questioned in the ISACA survey said they were pursuing alternatives. These included cross training non-security staff to enable them to move across into security roles but other methods such as resorting to using contractors/external consultants or using AI/automation again saw cutbacks. In fact, efforts were either the same as or lower than the preceding year across the board with the exception of ‘nothing has been done’ which increased to 14%, revealing a worrying inertia.

Clearly budgets are being cut and businesses do need to prioritise spend. They have no choice but to compete in terms of salary and pay market value for valuable and scarce resources. If they don’t, they can expect to suffer significant skills gaps in their cybersecurity capabilities. Harking back to the (ISC)2 report again, this found nearly half of organisations that don’t offer competitive salaries have significant skills gaps, compared with 31% that do offer competitive compensation, and the majority (57%) said shortages put the organisations at moderate or extreme risk of attack.

So, the question these organisations are pondering is where they can make that spend back, be it by reducing headcount, training or investment in technology. But by looking to recoup that cost by targeting the workforce, these businesses end up spiralling and haemorrhaging talent. The workforce becomes overburdened, stressed and demoralised, resulting in employees becoming less productive or leaving altogether.

Why humans are worth it

In contrast, focusing on spot training to fill key skills gaps can create a more united team that feels invested in. Even though the organisation has made cutbacks, continuing to dedicate spend to training, education and certification reimbursement programs will make those employees feel valued and give them a sense of career progression and job security that in times of economic uncertainty is even more likely to translate into employee loyalty. Interestingly, the (ISC)2 report concludes that even in those organisations that did layoff staff but kept these three programmes the chance of the business experiencing significant organisations skills gaps in cybersecurity was much diminished.

Rather than looking at professional development as an expendable cost, the organisation should judge it against the potential losses that could result. Sacrificing employee advancement will see the business lose out and even become more exposed. Any short-term gain will be negated by the loss to the security posture which may then escalate risk, resulting in a breach of vulnerability being exploited with financial and reputational repercussions. And there are of course wider ramifications, with a lack of investment leading to a stalled workforce that then hampers the economy.

It’s for these reasons that any decision to cut back on the costs associated with career development would be unwise and counterproductive. The question now is how these struggling businesses can continue to fund that investment, leading many to ask if intervention is needed.

Jamal Elmellas, Chief Operating Officer, Focus on Security
Chief Operating Officer at Focus on Security

Jamal Elmellas is Chief Operating Officer at Focus on Security, the cyber security recruitment agency, where he is responsible for delivering an effective and efficient selection and recruitment service. He has specific expertise in and is adept at designing and delivering secure, scalable and functional ICT services.

Prior to joining Focus on Security, Jamal built a successful Security consultancy and undertook the role of CTO. He was responsible for delivering secure ICT services for both government and private sectors. He has also fulfilled the role of Lead Security Architect and Assurance practitioner within sensitive government departments and blue organisations.

Jamal has almost 20 years’ experience in the field and is an ex CLAS consultant, Cisco and Checkpoint certified practitioner.