With COVID-19 cases dropping across the U.S. in late January and early February, the Omnicron variant appears to be waning. This latest chapter in the ongoing global pandemic, however, is having repercussions beyond people’s health—it’s making many employees, including cybersecurity professionals, rethink their livelihoods.
The so-called Great Resignation has seen millions of U.S. workers voluntarily leave their jobs over the past several months. Employees feel empowered to negotiate better compensation or move to a new position as employers struggle to find enough talent. The latest report from the Bureau of Labor Statistics finds that 4.3 million people left jobs in December—a slight drop from the 4.5 million who did so in November, but still a significant number.
At the same time, U.S. businesses reported about 11 million job openings, according to the Feb. 1 report. What’s not clear is how the Great Resignation is specifically affecting information technology as well as cybersecurity, a field already struggling with more job openings than potential candidates to fill those positions. Experts say, however, that cybersecurity is likely following this trend closely.
“Over the last year or so it’s become clear that this is a seller’s market. The great resignation has exacerbated the already short supply of practitioners, and quality of life issues such as remote work and limited travel have been elevated in importance,” said Mike Hamilton, a former CISO for the City of Seattle who is now the founder and CISO at security firm Critical Insight.
Observers and industry experts see numerous opportunities for cybersecurity professionals over the next several months, especially if the Great Resignation continues to track well into 2022. In the short term, there’s a clear path to a higher paycheck and additional benefits; for those looking to advance, especially into management positions, opportunities are likely to grow, as well.
“While careers in cybersecurity are already stressful positions, the Great Resignation may be giving people reason to rethink their career path,” said Heather Paunet, senior vice president at security firm Untangle. “There are generally two things that employees look for when assessing their career path, one of which is the title they have that comes with the influence they have in the organization that they work in, and the second is the money to be made. In cybersecurity, as with any position, the importance of those two components depends on the individual.”
A Seller’s Market
Even before the Great Resignation began to manifest in the fall of 2021, cybersecurity openings were already plentiful.
An analysis from Cyber Seek, a job-tracking database developed by the Department of Commerce and CompTIA, estimates there are over 597,000 open cyber positions across the U.S., with about 38,600 of these positions open across federal, state and local government agencies.
The lack of cybersecurity professionals both in the U.S. and outside comes at a time when many workers remain remote and networks and infrastructure are susceptible to attacks, whether from ransomware or another type of cyber threat. A recent report by cybersecurity firm Fortinet found that 73 percent of organizations had at least one intrusion or breach over the past year that is partially attributed to a lack of cybersecurity skills.
Another 68 percent of respondents in the Fortinet survey reported that their organization had trouble hiring and retaining cybersecurity talent.
These two factors are what’s likely to drive a red-hot market for cybersecurity talent and management. Axios, for instance, reports that the Biden administration is looking to convince some of those who have left their previous cybersecurity and IT jobs to join the federal workforce to support various initiatives, including an executive order designed to improve the way government delivers services.
“There has been a shortage of cybersecurity professionals over the last few years, as many organizations seek to hire experts to keep them protected from the catastrophic types of attacks that have been prominent in the news,” Paunet told Dice. “While the shortage of cybersecurity professionals has already been an issue, with demand for qualified personnel outpacing those looking for positions, now it’s all the more a job-seekers market for those with the right skills and qualifications.”
Others agree that the Great Resignation has opened new doors for those who want to remain in cybersecurity, but want to change their current employment situation. “The pandemic has made many people question what is important in their lives. It created a period of reflection and a desire for a higher purpose outside of the daily grind,” John Morgan, CEO of cybersecurity firm Confluera, recently told Dice. “Competitive compensation is still important to all, especially as there remains a lack of qualified cybersecurity expertise for critical functions such as incident response, threat storyboarding and forensic investigations. The passion for IT and security remains, there’s no resigning from that.”
Climbing the Ladder
While seeking additional pay or added benefits is the goal for some, others are using this time to leap into more senior roles, especially those who want to obtain a VP or CISO title as a career goal.
Hamilton, who also served in cyber positions at the U.S. Department of Homeland Security, noted that even with the openings afforded by the Great Resignation, those who look to achieve top security positions still need certain skills to distinguish themselves.
“The ‘top’ position is somewhat dependent on how someone in cybersecurity is predisposed. Very technical roles ascend to architect or engineer,” Hamilton told Dice. “Good communicators frequently make the jump to sales engineer and possibly to sales executive. Someone with a business education may move into programmatic management—as in CISO, chief risk officer or VP of a business unit in a cybersecurity company. There are a lot of roles, and the ‘top’ is more defined by someone’s skills and focus.”
Kevin Dunne, president of security firm Pathlock, noted that security professionals usually look to elevate their career into three areas: security leadership, security services or security research. As the Great Resignation continues, the opportunities for career advancement have also increased—especially on the leadership side, since nearly all enterprises large and small feel the need to address cybersecurity issues.
“Security leadership roles typically ‘top out’ as a CISO level, where someone is the most senior person responsible for security programs across the enterprise,” Dunne told Dice. “As the number of threats increases, the number of companies hiring CISOs is growing. Whereas it was an emerging role even 10 years ago, it is now a required position at almost every enterprise.”