H1 Cybersecurity talent market report
There is no spring without winter
Hello friends,
Here we are in mid-summer. The weather is hot, the pools are packed, the ice cream stores are doing a brisk business.
But the theme of what we are talking about today is spring. Specifically the green shoots that emerge after a cold winter.
Our industry has been in a winter now for at least a year and a half, closer to 2 years by some measures. While the US economy has avoided a recession, it would be hard not to say that cyber has been in its own recession. At least, that’s what it has felt like.
In today’s report, we’ll review the prospects for our industry and what lies ahead particularly for job seekers.
If you would prefer to read this in PDF version, you can find it here.
Before we get there, though, I have a few projects that I’ve recently been up to that I’d like to share with you.
1) I’ve written quite a lot on the impact of AI on the hiring process and was featured in a recent WSJ article. You can read it here.
2) I spoke at the Rocky Mountain Infosec conference on the topic of AI and its implications for the cybersecurity career path; the discussion focused on career opportunities to seize, ways to reconsider traditional career paths, and the evolution of the hiring process. You can find the presentation itself here.
3) Last, but not least, we dropped some major enhancements to our platform recently, including the addition of vendor roles to our job board. More to come soon on this front.
Enjoy,
Brad
2024 H1 Talent market report
There is no spring without winter
Our perspective on the current cybersecurity job market
We live our lives amongst rhythms and cycles. The earth around the sun, the migrations of the birds, the dawn and end to a school year. And so it is with the tides of the economy as well.
Just as the falling of leaves nurtures the soil, the lean times produce the kind of focus that’s needed to emerge stronger, and better.
Our industry has needed that for a while. Years of rising spend on products, services, and people were justifiably driven by increasing recognition of the risks and costs associated with cybercrime. And for many enterprises, overall investment levels stayed modest enough to be a reasonable part of the cost structure, and so did not attract undue scrutiny.
And that growth drove shortages of technical talent, rapidly escalating salaries, and incredibly high valuations on tech companies, all of which coincided with a flood of venture capital money that propelled hundreds of new companies into the market each year.
Winter's grip recedes,
Blossoms break through thawing earth—
Spring's breath softly sings.
And thus a set of problems and bad practices became endemic:
An oversupply of vendors chasing revenue at all costs, willing to resort to significant bends of the truth in order to drive sales (and valuation)
A proliferation of categories, point features masquerading as businesses, acronyms, ambulance chasing, and FUD
Unsustainable amounts of money being burned on revenue acquisition
Companies without strong product-market fit or sound economic models being kept alive in order to mark up to the next round
A rotating door of security leadership
Relatively few security leaders with the mandate or time horizon to build talent organically vs. buying highly experienced talent or outsourcing work to external consulting firms
The ability to justify incremental investments based on simple priority lists and headline breaches rather than economically driven business cases grounded in risk
Excessive emphasis on large enterprise spend at the expense of focusing on protections for SMB and consumer markets
In short, at the enterprise level not enough linkage of spend to solid risk-based economic justification, and at the vendor level, all the bad behavior that comes from pursuit of growth at all costs.
I don’t want to imply that there’s been a surplus of investment in security or vast amounts of wasted time and energy from enterprise security teams. To the contrary, maturity levels remain shockingly low for the vast majority of companies and spend still isn’t where it needs to be in order to cover and buy down risk.
But the speed of growth unquestionably gave the ability for a lot of waste to penetrate the system.
As a thought exercise, if you look at 2021-2022 levels of venture funding, back-of-the-envelope math with a few simplifying assumptions equates to >$1M of sales and marketing activity being spent per year per target customer, by the industry. That’s a lot of SDR calls, booth swag, and golf tournaments. (This assumes $20B+ of funding, 10K target customers (enterprises with >2K employees), and half of funding going toward GTM.)
Just as forest fires are healthy over the long term, so are cyclical downturns that focus prioritization and drive out inefficient spend.
And look at what has happened over the past couple of years. Increasing focus on tool consolidation and spend efficiency. An elevation of cybersecurity into more board room conversations (still not nearly enough, though). A growing recognition that cybersecurity needs to be a business function centered around risk rather than an IT backstop function. An emphasis on outcomes and results.
These are all good things.
That is, of course, not to say this has all been good. If you have been in the job market at all (and odds are you have been, since most people are currently open to new roles), you know how absolutely brutal it has been. The most recent time the job market for cyber has been like it is now is at least 2008. Maybe never.
Recessions are painful, no doubt. And that pain takes the form of uncertainty, being stuck in unfulfilling (or worse) jobs, the exhaustion and self-doubt that creeps in from months of unsuccessful job hunting.
So where are we right now?
These three charts tell the story. The BLS only tracks data at a high level by industry, so these are all jobs in information/tech (data in thousands, monthly), but they will directionally tell the tale for cyber.
Layoffs are down from peak, but still definitely happening, particularly on the vendor side. Overall layoffs are closer to levels you see in good economic times (2021).
Job openings are down significantly, ~50% vs. peak in the first half of 2022.
Hiring has been sluggish with some signs of a rebound in 2024.
Are we close to a return to normal levels of growth?
Vendors
On the vendor side, we are seeing signs of normalization. M&A activity has picked up, with both strategic buyers and private equity becoming more active. Funding levels are rebounding from their 2023 lows. Enthusiasm (and apprehension) about AI is driving a new class of startups.
Credit: Mike Privette, Return on Security
Increased funding will inevitably mean more investment in GTM and product. While some security firms are continuing to tighten belts and execute RIFs, the pace is significantly below 2023, and enough firms are hiring that the market is starting to feel more balanced. Qualitatively, with companies and candidates we are working with, we are starting to see more ‘on the market’ candidates end up with multiple offers, and competition for talent appears to be picking up.
Services
On the services side of the market, most indications are that business remains depressed relative to the highs of 2021 to mid 2022. The largest bellwether, Accenture, grew its cybersecurity business at a 20% CAGR for years up to 2022. This year it is calling overall revenues basically flat, and has taken $1.5B in severance charges over the past 2 years. At the same time, many cybersecurity practitioners have hung out their own shingle over the past 3 years, and we are seeing a flourishing of boutique firms offering risk assessments, vCISO, and security advisory services, which is a great fit for a middle market that cannot afford the Big 4 but desperately needs security posture improvement.
Enterprise
On the enterprise side, activity remains fairly muted. Budgets were locked in late 2023 in most cases at zero to slight growth and this has kept the market largely frozen. Dissatisfaction with existing roles remains high, but people see the challenges in the current job market and are sitting in current roles until the conditions improve.
We track the job movements of ~200K cybersecurity practitioners across the US. We saw elevated movement into new roles in Q4 of 2023 and Q1 of 2024, but that’s subsequently quieted down in Q2. Overall, it’s hard to see this situation changing significantly in the remainder of 2024, but hopefully with continued economic growth we will see better budgetary expansion in 2025, which should set off rounds of job movements.
So where does it leave us?
In total, it paints a picture of a market that is still soft, but with some green shoots. Barring anything unexpected at the macro level, the worst should be behind us. How long it will take to fully rebound is anyone’s guess, but for now things appear to be moving in the right direction.
And while it may be of little comfort to think about the long term if you are in the middle of a job search, it’s clear that the current period of retrenchment will have been a healthy thing for the industry overall. It has forced more discipline and focus on value. It has sharpened a focus on business value for both practitioners and vendors. And it has started to mature cybersecurity into more of a business function.
If you are in the market, stay in the fight. This is a long game that we are in and it’s only the early chapters that have been written at this point. Security remains an incredible place to build a career.
Here are some resources that you may find helpful:
The Data.
Here’s how the market is looking, according to data that we analyze from the thousands of job postings that run through our job board.
Certifications in demand
Technology expertise in demand
Individual contributor vs. managerial roles
Generally, 60-80% of security jobs are individual contributor roles.
Highly technical roles tend to skew individual contributor, with ‘consultative’ roles having more managerial slots.
Remote work trends
We are seeing some increase in hybrid roles in 2024, which slightly runs against observations of a hard return-to-office shift this year.
Cybersecurity compensation trends
Cybersecurity comp has gone down in 2024
If you’ve been in the market, you’ve felt it. We are certainly not seeing some of the massive offers that folks you know left their last job to get. Not only are we not seeing the eye-watering offers for top talent, but overall, the comp levels for posted jobs are down. We normalized the data by required years of experience (the best predictor of salary) and found that, on average, the mid-point salary level for posted roles is down 5%. And keep in mind, this is in an inflationary environment.
Average salary by domain and level of seniority
We are seeing security architecture and appsec roles pay top dollar in 2024. Pen testing and IR are notably down from prior reports.
Talent trends
We analyze the movements of ~100K cybersecurity professionals in the US to understand which sectors and geographies are growing.
Growth by state
Growth by industry
Unsurprisingly the most new jobs are being created in the IT space, as well as large, regulated industries such as financial services and healthcare.
The lines show relative job creation.
Security leadership moves
We track CISOs landing in new roles. Congrats to all!
Jennifer West is Chief Digital and Trust Officer at Takeda
Mike Gordon is SVP, Chief Information Security Officer at McDonald’s
David Bell is Chief Information Security Officer at CBRE
Tim Dawson is Group Chief Information Security Officer at Caesar’s Entertainment
Stephen Harrison is SVP, CISO at MGM Resorts International
Ariel Weintraub is CISO at Aon
Daniel Dubowski is SVP & CISO at Hertz
Guy Delp is Global Head of Enterprise Security at Vanguard
Vinny Hoxha is SVP, Chief Information Security Officer at McKesson
Stephen Ford is Vice President and Chief Information Security Officer at Rockwell Automation
Erick Rudiak is Chief Information Security Officer at Walgreens Boots Alliance
Karl Schimmeck is EVP & CISO at Northern Trust
Ryan Barbour is VP & CISO at Reliaquest
Craig James-Heer is VP, Chief Information Security & Infrastructure CISO at Clorox
Juman Doleh-Alomary is Chief Information Security Officer at BorgWarner
Tim Rains is VP & CISO at ADT
Events
One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out!
🤝Bsides Pittsburgh. Pittsburgh, PA. July 12.
🤝Black Hat. Las Vegas, NV. Aug 3-8.
🤝Bsides Las Vegas. Aug 6-7.
🤝Defcon. Las Vegas, NV. Aug 8-11.
🤝ISACA GRC Conference. Austin, TX. Aug 11-14.
🤝CSA Sectember. Bellevue, WA. Sept. 10-12.
Thinking about your next move? Join our network
Looking for awesome talent? Post a need for free
Crux is the talent platform for cybersecurity. Check us out