Is cybersecurity recession-proof?

No field is totally immune to economic downturns, but flexible, practical and prepared cybersecurity professionals should be able to weather any upcoming storms.

During periods of economic uncertainty, the outlook often seems to change daily. In a single week, a great jobs report or slowing interest rate hikes might offset disappointing earnings reports -- that is, until major companies start announcing massive layoffs.

In such turbulent times, prudent cybersecurity professionals might well question how a recession would affect their job security and the field at large.

Why cybersecurity is recession-proof

The good news is that a full-blown recession is unlikely to have a major effect on cybersecurity job security and the cybersecurity industry at large for the following two reasons:

  1. Enterprises (still) face ongoing cyber talent shortages. Cybersecurity teams are chronically understaffed. One would be hard-pressed to find a single business executive who would say they currently employ too many security professionals.

    According to a report from (ISC)², an estimated 4.7 million people worked in the field globally as of late 2022, with 3.4 million unfilled positions. Most research suggests the situation will only worsen in the years ahead, with the cybersecurity talent gap growing faster than the workforce.

    Even if the most pessimistic economic forecast came to fruition, it would likely do little to address this massive imbalance. Meanwhile, cybercrime is unlikely to slow during a downturn. Demand for security practitioners will, therefore, remain high.
  2. Cybersecurity is (still) a growing business priority. The importance of cybersecurity issues continues to grow within the broader enterprise. Almost every corporate board member I know has cybersecurity as a top agenda item for the business. The number of cyber threats and threat vectors continues to rise. Increasingly capable AI and automation will only add to the types and volumes of cyber attacks -- and the need for security practitioners to combat them.

Considering these factors, it is hard to imagine a recession would seriously threaten cybersecurity job security at the macro level.

On the other hand, these professionals are responsible for challenging, high-stakes work and face substantial day-to-day risk, irrespective of economic conditions. Unfortunately, some security practitioners are likely to take the fall if -- or, increasingly, when -- an attack adversely affects their companies. On the micro level, cybersecurity job security may, therefore, be less assured, relative to other fields.

How a recession would affect cybersecurity

Of course, all the above is not to say a recession would have no effect on cybersecurity. Consider the following possible impacts.

New talent

A recession would likely influence the cybersecurity job market, if relatively indirectly. For instance, a worsening economy could push nonsecurity professionals to move into the field, due to declining job security in their previous positions.

Such an influx of newcomers could increase the comparative market value of longtime, experienced cybersecurity practitioners and their skill sets. To fully capitalize on this advantage, however, these professionals might need to be flexible about where they are willing to work geographically and how they practice their security trade. For example, professional opportunities could increase significantly in security consulting and in educating and training those interested in pursuing security careers.

[Figure: Chart with cyber talent shortage causes and mitigation strategies. Caption: The cybersecurity skills gap will persist in an economic downturn, requiring security leaders to act strategically to acquire and retain talent.]

Smaller security budgets

In a recession, even companies that survive have to deal with constrained budgets. And, while virtually everyone agrees security is essential, it is not always easy to demonstrate the ROI of any specific security product or process.

Security professionals' best plan of attack is to build data-driven reports that clearly demonstrate the following:

  • Attack mitigation cost savings.
  • Threat containment metrics.
  • Hiring and training metrics.

The more specific, concrete benefits security managers can demonstrate in their reports, the better chance they have of justifying their budgets.

More demand for cloud, machine learning and AI security technologies

Increased budget pressure would drive security managers to look for ways to do more with less. As such, demand for the following security technologies would likely increase in a recession:

  • Cloud-based security services. By outsourcing some security services to third-party cloud providers, enterprises can reduce operational costs and scale spend up or down as necessary. For example, in an ongoing trend, more companies are moving from Microsoft's on-premises Active Directory to its cloud-based Azure AD managed services.
  • Automation, AI and machine learning. Products that use AI and machine learning can automate the most tedious and repetitive cybersecurity tasks, dramatically increasing a company's ability to keep pace with incoming threats. This supports security teams by lessening the effect of ongoing staff shortages and leaving practitioners more time for higher-value activities, such as proactive threat hunting.

Note that one technology not on the above list is quantum computing. While there has been a lot of talk lately about its promise and potential for breaking existing encryption schemes, machines large enough to do so are years away. Quantum is, therefore, unlikely to have any near-term effects on enterprise security, in a recession or otherwise.
