Apr 21, 2023 - Technology

U.S. cyber defenders are burned out

This year's wave of tech layoffs is leaving cyber workers exhausted, overextended and eager to quit their jobs, according to new data.

Why it matters: The U.S. cybersecurity industry was already stretched thin to meet demand across the country — leaving security defenders facing burnout after several years of headline-grabbing cyberattacks.

  • Now, those workers are strained even more after layoffs hit their teams in recent months, a pair of recently released surveys show.

The big picture: 77% of security professionals say their departments have faced layoffs in the last six months, according to a survey released by Cobalt earlier this month.

  • A HackerOne survey released Wednesday found that 40% of companies plan to make even more security headcount cuts this year.

Zoom out: Some companies have spent the last few quarters re-evaluating what security products they purchase to keep their networks secure amid a weird economic environment.

  • Worsening economic conditions have been prompting boards to more closely scrutinize their budgets, including cybersecurity spending.
  • Many have started laying off some of their security employees and outsourcing their work to third-party vendors as part of that process, Caroline Wong, chief strategy officer at Cobalt, told Axios.

By the numbers: Half of workers affected by layoffs now want to quit their jobs, the Cobalt survey found.

  • 61% of cyber workers surveyed now say they're burned out, compared to 58% in last year's Cobalt poll.

What they're saying: "Even if someone doesn't quit, but they want to quit, they're not going to be doing their job at 100% if they're feeling so overwhelmed and so burned out," Wong said.

  • "A person in that mental state is not going to be in a position to do an extraordinary job," she added.

Between the lines: Dwindling security budgets and decreasing worker headcounts are leaving companies with more unpatched, hackable flaws in their systems.

  • Every time a security worker leaves their job or a company decides to freeze headcount, the remaining employees have more items added to their to-do list, making it difficult to get to everything, said Mark Loveless, a security engineer at GitLab, during a recent press event discussing HackerOne's survey.
  • "It's rough because, for those who are still doing this, the load is increasing," Loveless told reporters. "You're going to end up with a little bit of burnout, and I'm seeing a bit of that already."
  • HackerOne found in its survey that half of organizations have seen an increase in system vulnerabilities in the last 12 months.

The intrigue: Organizations will need to get creative to stave off burnout and keep their networks secure as they battle wobbly economic conditions, experts say.

  • At organizations that need to reduce their security headcount, simultaneously slowing down product development could help them maintain the same level of security, said Joseph Thacker, senior offensive security engineer at AppOmni, during the HackerOne press event.

Yes, but: Some reports suggest that demand for cybersecurity professionals overall is still high.
