The declaration of COVID-19 as a global pandemic in March 2020 quickly changed how we work, turning office culture on its head. Companies quickly adapted to a fully remote model, while employees learned how to balance work and personal life within the confines of their home. This new work environment put added pressures on cybersecurity professionals. Not only were they, in many cases, shifting from in-person to remote work, but they were also tasked with giving remote workers what they needed to operate securely and head off a host of new threats.
Now that working from home is the new normal for the foreseeable future, many cybersecurity professionals are rethinking what they want out of their own work life. Companies are looking at a wide range of new policies to retain talent and attract new workers. Because cybersecurity professionals are in high demand and the need to maintain security is great, leadership must create work environments that work for the company and provide what cyber professionals want.
According to Gallup, the percentage of employees working from home doubled, from 31% to 62% in the three weeks during the start of the pandemic. Research and polling on employee sentiment indicate workers want to keep these work-from-home options in place. That same Gallup poll found that of the people who wanted to continue remote work, those in tech fields were among the highest percentage.
Prudential’s Pulse of the American Worker Survey, released in May, shows that the majority (68%) of workers expect working from home will become a normal part of business, and about 20% said they were considering changing to a job that allows them to work from home fully remote. Here were some other takeaways from the survey:
It’s clear from these data points that remote work has had a positive effect on employees in some ways, but they are looking to leadership to continue improvements to the workplace in this new COVID-19 era.
One of the biggest advantages working from home has given companies, especially those looking to hire cybersecurity professionals, is the increase in the pool of candidates. Companies no longer need to hire local talent, but can recruit from anywhere. It also increases the competition—if more companies are recruiting cyber pros who are fully remote, then your company must find ways to compete.
Jim Harter, Ph.D., coauthor of the bestseller It's the Manager, which addresses urgent issues organizations face today, said recently that in light of new workplace policies, “managers must learn how to lead remote teams and leaders must implement strong remote work cultures,” to maintain healthy workplaces. Harter notes that using science-based judgements to make workplace policies will help companies meet the needs of their workers—and attract new ones. These include:
Workplace culture is an important part of any employee’s opinion of a company, and can make the difference between a new hire and someone who passes on your offer. Company leaders may have leaned upon in-person workplace benefits to entice professionals in the past, whether that was an on-site gym, work outings, or free conference attendance. Without these perks, offering other benefits such as flexible work hours, more paid time off, and additional training opportunities will be of greater value to those looking to make a job change.
The changes in the workplace will likely continue to put strains on the company’s IT and cybersecurity departments, forcing managers to assign people to new roles to fill critical needs. This will require “upskilling”—training and professional development to make sure each team member has the resources and knowledge to do their job well.
The small pool of qualified cyber professionals considering a job change is adding another layer of complexity to cybersecurity hiring during COVID-19. Company leadership must prioritize maintaining and emphasizing what cyber pros find most desirable. That includes opportunities for training and advancement, a healthy, supportive work environment, and flexibility to balance family and home life in these chaotic times.
Emily Wilson, cross-portfolio lead for employee experience management at SAP SuccessFactors, wrote in Forbes that companies should not assume that people are clamoring to work for them just because some companies happen to be laying off.
“With the number of laid off and furloughed workers increasing daily, there is the misconception that employees with jobs are grateful just to have them,” said Wilson. “COVID-19 has significantly changed employee expectations to be sure. But just as employees are expected to adapt to a new way of working, businesses also must learn to support them in new ways. Businesses must take this opportunity to learn to be flexible as well.”
No matter the size of the company or the strains put upon cybersecurity departments due to COVID-19, companies must provide what employees need to perform their jobs, stay motivated, and be able to adapt to changes when they arise. Doing so will make your company more resilient and strengthen its ability to overcome the challenges that lie ahead.
Hi Friends,
Over the past few weeks, I have been sharing what we are seeing during this crisis (which you can find in my first two blogs here and here). In this installment, I am adding a new section that speaks to why people are leaving their current job for another. I believe this information proves the point that the reason why people leave their job is the same regardless of what crisis is going on. Stay well. xo
We are still seeing about 60% of the market keep their jobs to fill on hold. This concerns me greatly considering cybersecurity professionals are being taken off of security tasks so they can support IT, which ISC2 recently documented in a survey on this challenge. Many companies are still working to get on the same page within their organizations and aren’t able to address jobs that were open when the COVID-19 crisis began. Until these organizations can get ahead of firefighting, we expect these jobs will remain on hold.
Layoffs continue to be under 5% for cybersecurity professionals; fingers crossed this continues. Unfortunately, many organizations are planning for large layoffs or have already started, yet we remain very optimistic for cybersecurity professionals’ job security.
Yes, they are. These companies are not only hiring, they are also taking advantage of pipeline development. There is no doubt that organizations that are hiring during this crisis are seen as extremely sound because they are hiring, showing the community that they believe in what they are doing and will keep moving forward.
Unfortunately, we are still dealing with visas taking months to finish sponsorship paperwork when it used to take weeks. This is causing non-US citizens to not get hired because the two to three month start date is a lot for an organization to absorb when they need work done. Many organizations are still hiring people who need sponsorship; just much less during this time or expedition being on hold.
Cybersecurity threats are up even more. With the economy needing us all to go back to work, cybersecurity professionals are just as stressed as anyone. Long months of working from home come with vulnerabilities that add to this stress. Check out our CSO and Strategist’s blog post about key threats from our “new normal.”
CyberSN has real data on the reasons people are leaving their job, based on placements we made in March and April of 2020. Even during this crisis the number 1 reason people leave their jobs is lack of advancement and opportunity. The number 3 reason for leaving, listed below, is certainly a reflection of the times.
I hope leaders can think powerfully right now; for the future requires us to make good decisions. Everyone who is laid off will have to be hired back and the roles put on hold will need to be filled in order to succeed again.
Moving Ahead
CyberSN has been closely tracking cybersecurity hiring and staffing levels throughout the country and is a trusted resource for a number of large businesses. Later this spring, we will unveil new service options that can help companies find the talented cybersecurity professionals they’re looking for. Check back on our blog for more updates on this exciting new development, as well as the state of the cybersecurity job market. Stay tuned!
Deidre
Friends,
In continuing to share up-to-date information about the state of the cybersecurity job market, I am happy to say our profession is proving to be very, very resilient. Companies are still hiring to fill cybersecurity jobs. Unfortunately, we’ve also recorded cybersecurity layoffs over the last two weeks in industries that were affected by Covid-19.
(If you’d like to read my previous “State of the Cybersecurity” reports you can view the last one here.)
Companies that focus on gig workers, transportation, and hospitality have recently been hit hard and in turn reduced their security teams. We are seeing the layoffs at these companies concentrated in IR, SOC and Corp/IT Security. We are not seeing layoffs at these same firms for product security or application security. From seeing this data, I can’t help but think that while it seems smarter to let go of your hunters vs your product security professionals, how does one even make that decision?
“Cybersecurity threats and privacy risks do not just disappear during the COVID-19 downturn in business. Incidents and breaches will continue,” said Dom Glavach, CyberSN’s Chief Security Officer. “Cyber criminals and adversaries are leveraging all aspects of the pandemic to land and launch attacks, insider threats generally increase with employee reduction actions, and privacy compliance does not have a pandemic waiver.”
The economic reality at these companies and the opportunistic nature of cyber attackers are creating a perfect storm. Business leaders have to find a way to weather the crisis, and that has played out in leaner budgets and layoffs. Right now, this means that cybersecurity professionals are doing more than just cyber operations, and in some cases, layoffs have created disgruntled employees. Worse yet, phishing attacks are up 37 times since January 2020.
Effective cybersecurity is a triad of people, process, and technology, with each dependent on another. Processes will fatigue and technology atrophy will occur without enough people, or the right people, in place. All of this gives the advantage to the attacker.
Besides the risk of employee burnout and increased attacks, cyber layoffs have other risks to consider.
While I share all of this, I also know that capitalism makes these risk decisions unbearable and impossible. I feel for those making these decisions and for those who are affected by them; the good news is for all the talented professionals who are laid off, there are wonderful people looking to hire you. Stay strong. Stay kind. Stay inclusive. Seek to learn always. Love will prevail.
Sincerely,
Deidre
While many companies are today working from home, at some point, the workforce will return to the office. It’s not clear what this will look like; it may be a small portion of workers heading back in phases or everyone at once. There is also the possibility that working from home will remain the norm and working in an office becomes a scheduled routine. Regardless of the when, how or how many, managing cybersecurity risks during an office homecoming after adapting to remote work can be challenging. Establishing a post-COVID cyber baseline as devices and people return to the office can minimize the cyber threats.
When organizations quickly pivoted to work-from-home, they adapted quickly to facilitate work with new software, tools, and reduced availability of people in critical roles. During that period of rapid transition, people could have potentially shared passwords to critical business systems with co-workers. This could include sharing passwords to laptops and video conferencing services used at home by family members.
Baseline: Reset passwords to laptops and essential accounts. Ensure multi-factor authentication is enabled.
In the rush to get people working remotely, not every employee was able to take a company laptop home. In some cases, the company laptop failed during the stay-at-home. This forced employees to use personal devices to connect to the company network. New research from BitSight found that almost half of companies had malware on their corporate-associated home networks, compared to 13% of corporate networks.
"Use of personal devices creates problems around document preservation matters and adds increased risk," wrote Brenda R. Sharton, a litigation partner and global chair of Goodwin's Privacy + Cybersecurity practice, in an article for the Harvard Business Review. "In addition, the software powering some home equipment can be months or even years out of date."
Baseline: Scan the network to identify new or unknown devices.
People across the organization have been tasked with getting things done, sometimes putting aside security because of urgency. Sending emails on mobile devices could result in accidental sends from personal emails, and online storage and USB devices could have been used for downloading or printing documents. These activities mean confidential information or PII data may be everywhere.
Baseline: Use SIEM alerting on common file storage services and personal emails with attachments.
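One way to express this baseline as detection logic, shown as an added example that is not part of the original article. The event fields, the watchlists, the `example.com` corporate domain and the sample events are all assumptions constructed for illustration; a real SIEM uses its own schema and rule language.

```python
import json

# Assumed watchlists for illustration; a real deployment maintains its own.
FILE_STORAGE_DOMAINS = {"dropbox.com", "box.com", "wetransfer.com", "drive.google.com"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "icloud.com"}
CORPORATE_DOMAIN = "example.com"  # placeholder for the organization's mail domain


def domain_match(host, watchlist):
    """True if host is a watchlist domain or a subdomain of one.

    Matching on ".domain" avoids false hits such as notdropbox.com.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def evaluate(event):
    """Return an alert dict for one parsed event, or None."""
    if event.get("type") == "proxy":
        # Only uploads matter here: a request that sends a body to file storage.
        if (event.get("method") in {"POST", "PUT"}
                and event.get("bytes_out", 0) > 0
                and domain_match(event.get("host", ""), FILE_STORAGE_DOMAINS)):
            return {"rule": "upload_to_file_storage",
                    "user": event.get("user"), "detail": event["host"]}
    elif event.get("type") == "mail":
        sender_domain = event.get("from", "").rpartition("@")[2].lower()
        # Only corporate senders with at least one attachment are in scope.
        if sender_domain != CORPORATE_DOMAIN or not event.get("attachments"):
            return None
        personal = [r for r in event.get("to", [])
                    if r.rpartition("@")[2].lower() in PERSONAL_MAIL_DOMAINS]
        if personal:
            return {"rule": "attachment_to_personal_mail",
                    "user": event["from"], "detail": personal}
    return None


def run(lines):
    """Evaluate JSON-lines events; return (alerts, count of unparseable lines)."""
    alerts, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict):
            skipped += 1
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts, skipped


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    '{"type":"proxy","user":"alice","method":"POST","host":"content.dropbox.com","bytes_out":482113}',
    '{"type":"proxy","user":"bob","method":"GET","host":"www.dropbox.com","bytes_out":0}',
    '{"type":"mail","from":"carol@example.com","to":["carol.home@gmail.com"],"attachments":["q2-payroll.xlsx"]}',
    '{"type":"mail","from":"dave@example.com","to":["partner@supplier.example"],"attachments":["nda.pdf"]}',
    '{"type":"mail","from":"erin@example.com","to":["erin@gmail.com"],"attachments":[]}',
    '{"type":"proxy","user":"frank","method":"PUT","host":"notdropbox.com","bytes_out":100}',
    'not json',
]

if __name__ == "__main__":
    found, bad = run(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("unparseable lines:", bad)
```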
Many organizations are susceptible to lost hardware during times of rapid change. Furloughed employees may still have their company-issued laptop, while others took advantage of the swift deployment of working from home to grab a device from the office. Lingering devices put you at risk of data loss or a network breach.
Baseline: Update laptop and mobile device inventory and disable missing devices.
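The two device baselines above (scan for unknown devices, then update the inventory and disable missing devices) come down to reconciling what the inventory says against what the network shows. The following is an added example, not part of the original article; the record fields, the 30-day absence threshold, the furloughed-owner check and all sample data are assumptions constructed for illustration.

```python
from datetime import date


def norm_mac(mac):
    """Normalize aa-bb-.., AABB.CCDD.EEFF or aa:bb:.. to aa:bb:cc:dd:ee:ff."""
    hexchars = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexchars) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexchars[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, observed, today, max_absent_days=30):
    """Compare the asset inventory with devices seen in a network scan.

    unknown           - seen on the network but not in the inventory
    missing           - inventoried, not seen, and absent longer than the threshold
    furloughed_active - seen on the network while the owner is furloughed
    """
    known = {norm_mac(a["mac"]): a for a in inventory}
    seen = {norm_mac(o["mac"]) for o in observed}

    unknown = sorted(mac for mac in seen if mac not in known)
    missing = sorted(
        a["asset_tag"] for mac, a in known.items()
        if mac not in seen and (today - a["last_seen"]).days > max_absent_days
    )
    furloughed_active = sorted(
        a["asset_tag"] for mac, a in known.items()
        if mac in seen and a["owner_status"] == "furloughed"
    )
    return {"unknown": unknown, "missing": missing,
            "furloughed_active": furloughed_active}


# Constructed sample data (locally administered MAC addresses, fictional assets).
TODAY = date(2020, 6, 1)
INVENTORY = [
    {"asset_tag": "LT-0101", "mac": "02:00:00:00:01:01", "owner_status": "active",
     "last_seen": date(2020, 5, 29)},
    {"asset_tag": "LT-0102", "mac": "02-00-00-00-01-02", "owner_status": "furloughed",
     "last_seen": date(2020, 3, 20)},
    {"asset_tag": "LT-0103", "mac": "0200.0000.0103", "owner_status": "active",
     "last_seen": date(2020, 3, 13)},
    {"asset_tag": "LT-0104", "mac": "02:00:00:00:01:04", "owner_status": "furloughed",
     "last_seen": date(2020, 5, 30)},
    {"asset_tag": "LT-0105", "mac": "02:00:00:00:01:05", "owner_status": "active",
     "last_seen": date(2020, 5, 20)},  # absent today, but within the threshold
]
OBSERVED = [
    {"mac": "02:00:00:00:01:01", "ip": "10.0.0.21"},
    {"mac": "02:00:00:00:01:04", "ip": "10.0.0.25"},
    {"mac": "02:00:00:AA:BB:CC", "ip": "10.0.0.77"},  # not in the inventory
]

if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, TODAY).items():
        print(category, items)
```

MAC addresses can be randomized or spoofed, so treat the output as a triage list to investigate rather than proof of identity.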
Working from home likely required software installs, whether for office productivity, video conferencing, PDF-converters, or electronic signatures. Some software even supported virtual happy hours and entertainment to keep teams connected. By one estimate, 62% of people have signed up for new tools and platforms during the COVID-19 crisis. Some of this new software may not meet company requirements, or could have vulnerabilities that put your company at risk.
Baseline: Scan laptops for unauthorized software and potential shadow IT.
Application and operating system updates were likely part of your work-from-home cyber strategy. But this may not have included infrastructure devices supporting the physical office and changes to firewall policies, cloud security groups, and other security software that is just as essential to update to keep the organization protected.
Baseline: Scan, prioritize, and update infrastructure devices and policy rules.
As people return to the office, the pace and focus will be on connecting and restoring the workload. People will be busy playing catch-up and not necessarily focused on cyber threats. With six out of 10 people reporting they have fallen victim to a phishing scam before the rise in attacks during the COVID crisis, it stands to reason phishing and ransomware will continue.
Baseline: Include cybersecurity awareness in the return-to-office messaging.
While another major shift in the work environment may seem daunting, the investment in work-from-home security sets companies up well for a return to the office. Keeping track of what was done as people shift to work-from-home will give organizations a solid baseline. Track what worked well and use the things that didn’t work as well to make security modifications and tighten access restrictions. These lessons learned will only enhance your organization’s ability to be agile if any major disruption happens again.
“The Three Little Pigs” is a children's story about being prepared for when you need something, even if you have to make a few short-term sacrifices along the way. It’s a lesson we should heed right now as we look toward uncertainty about what work will look like in the weeks ahead. Although not always fun, being prepared will pay off when you need it the most.
COVID-19 has proven remote cybersecurity jobs can be highly efficient for those who work from home. In many ways, it’s been better because it provides the same point of view as an attacker—a view from outside the company. If you want to work from home for the rest of your life, you’d better be prepared with strong arguments that show its value, or work for Twitter. That company just announced all of their employees can work from home...forever. Here’s how you can do the same.
A Salesforce Research survey found that the COVID-19 work environment has caused only a 1% reduction in productivity, but some managers may need convincing that sustained productivity from home is possible. You should keep a diary of everything you do each day, with accurate start and end times. It can be as simple as a legal pad or as detailed as Evernote. This will help you answer any productivity questions that managers might have. Record when you begin your day, any breaks you take, and when you end your day. Also note any “extra” time you put in. This will give you concrete data if you need to present your case.
Logs, in my mind, are more detailed than a diary. They are the detailed record of why some tasks took longer than others. Was something particularly difficult? Was it a wild goose chase? Was it a one-off event that sent your day sideways and nothing on your to-do list was completed? The more detail the better. Justify why you took the action and why it took so long.
Remote workers can definitely feel disconnected because the office chatter is cut off. You are probably thinking “I’m a cybersecurity professional. I don’t have time for chatter.” Having multiple touch point meetings with the team each week will ensure relationships don’t atrophy.
Adopt the habit of managing up. Communicate with your boss and send them a list in writing each Friday of what you have accomplished, what you did not do and intended to, and what you are planning to accomplish next week. You already have a diary and detailed logs. Condense and summarize. Even if they do not read it, it will be appreciated that you did it. And now you have a written record to refer to if necessary.
How do you eat an elephant? One bite at a time! Take those large projects and break them down into mini or micro tasks. It will make you more organized and prove you are getting things done. It will also give you a sense of accomplishment and some instant gratification.
Create a great work-at-home space and show it off. Let people know you have everything you need at home and that your home working environment is conducive to productivity—perhaps even better than when you worked in an office.
Make sure to share your calendar when you are busy or available. This will make it much easier and more efficient for people who require your assistance to offer meeting times that fit with your schedule. Scheduling internal meetings can be quite frustrating without some minimal insight into others’ calendars.
Open your meeting five minutes early and have a little chit chat before you get started. This way you will have a personal connection without it impacting your meeting productivity.
Are you sleeping better without having to wake up as early? Or slogging through a horrible commute? Can you now work out in the morning? Make sure your boss knows how working remotely has allowed you to be in a better mental state to make better decisions and has resulted in a greater sense of loyalty to your company for this privilege.
The coronavirus outbreak has forced companies to make a major shift in how they operate for the time being, but for many employees, this change is long overdue. A Glassdoor survey found that 67% of employees would support working from home indefinitely. Remote work may be more accepted now that so many have experienced it, but some managers still insist on facetime. Being prepared to argue for full work-from-home status with hard evidence is going to help you make the case that permanent remote work is not only the best fit for you, but also for your company.
Friends,
Since I was a young girl I have felt a sense of responsibility to care for others, a responsibility to always help when people are scared, sad or stressed. Today I feel this even greater, as our world and our country faces a major healthcare crisis and as our economy is negatively affected; I am compelled like you to help. Thankfully myself, my team, and those I love have not gotten sick. Those of us who have this luck must do more and so we will.
We are all concerned, we are all affected; and we must stay informed. My team can help support us all to stay informed on the cybersecurity job market. By sharing what CyberSN sees in the cybersecurity job market from week to week we can lower our anxiety together 🙂 Knowledge is power. CyberSN can support the cybersecurity community by offering solutions to the new job challenges we will experience. Today is my first weekly share of knowledge and solutions. CyberSN is here to help. Please read on to learn how and share with our community.
As you read my assessment of the state of the cybersecurity job market, it's good to understand where my data comes from. CyberSN is a national full-service cybersecurity staffing and technology company. We have a high concentration of staffing leaders specifically in New England and the Bay Area. In our almost six years of business we have only staffed cybersecurity roles, no IT, no SW developers. We are the largest solely focused direct hire cybersecurity staffing firm in the US. We speak only cybersecurity.
Over the last four weeks myself and the entire CyberSN team have felt your stress, for your stress is our stress and vice versa. By way of business we are connected by jobs and jobs are the foundation of how we support ourselves and our families. In an economically challenged market, many jobs are at risk and everyone is concerned. At the same time the cybersecurity space was already short 500,000 professionals in the US before the COVID-19 crisis. In theory, this means that there should be no problems for cyber professionals to find work and yet there is more to this story. Unfortunately, our current job searching and matching system is broken; I have spoken about this vulnerability for years. You can see my talk from the RSA Conference 2020 to learn more about our broken job searching system. Now and moving forward through this economic challenge we will feel the impact of this broken job searching system even more. Today amongst all the unknown, we must think strategically about what we are doing and understand the risks upon us. Here is what we are seeing in the market, the problems and solutions included 🙂
As of today April 2, 2020:
70% of businesses put all jobs on hold two weeks ago and these roles are still on hold. These firms are putting all roles on hold, not just cybersecurity positions. Most cyber leaders feel the hold will last two to four more weeks and yet there has been no concrete timeline from those they report to. In addition, companies that are pre-IPO or directly affected by the health crisis, such as manufacturing, travel, hotels, airlines, restaurants, and staffing services, have put all roles on hold indefinitely and are beginning layoffs or furloughs. We have not seen cybersecurity professionals being laid off at these firms. We have not seen these layoffs for cybersecurity professionals amount to greater than 1% as of yet.
30% of the market is moving forward, interviewing, hiring and onboarding cybersecurity professionals. These organizations understand that their cybersecurity teams are already overloaded and putting roles on hold would do more harm than good. The challenge for these organizations is the candidate pool is scared to make a move during the health crisis, further diminishing the available pool of talent.
Companies are pushing start dates for new hires that were scheduled for late March or April. We have not seen offers being rescinded from our clients and we have heard from 2% of the market that this has happened to them. Much of the start date push is due to the work from home mandate for non-essential industries. Many companies are not in the cloud and find the remote onboarding process to be too difficult.
Employment Eligibility Verification (Form I-9) seems to be a big challenge since the law is that the I-9 has to be verified in person. Good news: on March 20, the Department of Homeland Security provided some assistance for I-9 verification by announcing temporary COVID-19 provisions that permit employers to inspect the Section 2 documents remotely, through a video call, email or fax, to onboard remote employees. This knowledge should help leaders through this challenge so they can move forward and onboard remotely.
Exhausted cybersecurity professionals are working even more during the crisis. They have no relief in sight. Their firms have been looking to hire people year over year with little success. Now their already overworked cyber teams are doing more work. What these companies are lacking is a budget to pay for an external recruiting service.
This was a challenge way before the health crisis and now our fellow colleagues feel this pain even more. Already, recruiting departments don’t have the skill to find and match qualified and interested cyber professionals to jobs. This is because they don’t speak cybersecurity and they don’t have access to cybersecurity professionals. As this case study conducted by Chenxi Wang reports, “cybersecurity roles remain unfilled on average eight months; until an outside recruiting firm is brought in”.
Cyber professionals are getting burned out quicker due to working around the clock during this crisis. This bothers me greatly at a time like this when stress is high at home and work. I want to make sure that all cyber professionals affected by this crisis will find well-matched jobs quickly. To do this and help those leaders that don’t have a budget to use an outside staffing resource like CyberSN, I am offering our services at our cost for new job searches.
We are a privately held firm with no outside investments. We care deeply about the health and well-being of our community. I am grateful that we can make this offer. This offering will allow organizations who truly want to fill their roles the ability to do so and at the same time make sure no cyber professional goes unemployed for long. There is no greater stress than that of unemployment. I suspect we will see layoffs and we will feel greater pain. Together we will succeed. I will keep sharing what we are seeing as things change rapidly. Love and safety to you all.
Sincerely,
Deidre