Axios Codebook

January 24, 2023
Happy Tuesday! Welcome back to Codebook.
- This is very niche, but it is Oscars nominations day: I am obsessed with the very weird yet successful campaign a small indie film made in the last few weeks to get a nomination. If you need a short break today, I encourage you to dive into it. It's a fun one.
- Now, back to cyber: Have thoughts, feedback or scoops to share? [email protected]
Situational awareness: League of Legends developer Riot Games said Tuesday that hackers stole the source code for some of its most popular games in a recent breach.
Today's newsletter is 1,279 words, a 5-minute read.
1 big thing: Cybersecurity hiring remains strong amid tech layoffs
Illustration: Aïda Amer/Axios
The demand for cyber workers kept steady in recent months as the broader tech industry suffered from a wave of cost-cutting layoffs, according to data published today.
Why it matters: Cybersecurity job openings present a bright spot in an otherwise grim hiring outlook for the tech sector.
- More than 57,000 people at tech companies have been laid off this month, per Layoffs.fyi. Those layoffs are highly likely to continue.
By the numbers: The total number of employed cybersecurity workers in 2022 remained relatively unchanged from previous estimates at around 1.1 million, according to new data from the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology, trade group CompTIA and data firm Lightcast.
- At the same time, employers posted 755,743 cyber job openings throughout all of 2022, down roughly 2% from the 769,736 posted between October 2021 and September 2022, the last time these groups compiled such data.
- Public-sector cybersecurity demand grew 25% throughout 2022 with 45,708 job postings, the report says. Private-sector demand grew roughly 21% to about 710,000 listings.
The big picture: Will Markow, vice president of applied research at Lightcast, told Axios that although demand for new cyber hires didn't skyrocket, it "definitely still remains as strong as it has ever been."
- The two most in-demand roles remain cybersecurity engineers and cybersecurity analysts, Markow said, adding that there is also strong demand for penetration testers and network security architects.
Zoom out: Employers have been struggling for years to fill open cybersecurity roles.
- In 2022, there were 68 cybersecurity workers for every 100 open roles, according to the new data. The U.S. needs nearly 530,000 additional cybersecurity workers to bridge the gap.
Between the lines: The scarcity of workers puts cybersecurity employees in a better position to survive layoffs across the tech industry, Markow said.
- "There's still going to be attacks coming from every angle," Markow said. "Laying off cybersecurity workers feels a lot like firing the sheriff when Billy the Kid is riding into town."
Yes, but: Some cyber workers have still been victims of layoffs. Last week, TechCrunch reported that Sophos plans to lay off 450 employees, or roughly 10% of its workforce.
The intrigue: An economic downturn could inspire more employers to prioritize entry-level cybersecurity hires, who often have lower salaries and have traditionally had difficulties breaking into the industry.
- Only 10% of cyber jobs are open to someone who doesn't have a bachelor's degree, and about 10% to 15% of roles are open to people who have less than three years' experience, Markow told Axios.
- "This is effectively cutting out the entry-level rung in the cybersecurity career ladder and making it very difficult for us to bring fresh blood into the industry," he added.
The bottom line: As hacks and breaches increase, cybersecurity isn't seeing the same devastating round of layoffs as other tech industries.
- Instead, the industry is still struggling to build up the workforce it needs to meet demand.
2. CISA's game plan to secure K-12 schools
Illustration: Gabriella Turrisi/Axios
The nation's cyber defense agency has drafted a plan for schools to beef up their cybersecurity operations in a highly anticipated report first shared with Axios and released this morning.
Why it matters: Schools have been inundated with ransomware attacks and other cyber incidents in recent years, but with smaller security budgets and fewer personnel, they've struggled to respond.
The big picture: The number of reported cyber incidents each year between 2018 and 2021 rose from 400 to more than 1,300, according to the new report from the Cybersecurity and Infrastructure Security Agency.
- Just this week, the Los Angeles Unified School District confirmed that contractors' Social Security numbers were affected in a ransomware attack last fall.
Details: The report includes a mix of achievable, individual to-do items and broader community calls for cultural change across school districts.
- CISA encourages K-12 organizations to start with a "small number of prioritized investments," like setting up multifactor authentication, creating and testing an incident response plan, and implementing cybersecurity training.
- The report challenges K-12 administrators and superintendents to prioritize cybersecurity and go the extra mile in "securing necessary resources," including seeking out grant funding and creating better deals with technology vendors.
Catch up quick: Congress passed a law in late 2021 requiring CISA to issue the report published today, which details the threats posed to K-12 schools and includes recommendations for strengthening their defenses.
Between the lines: These recommendations aren't enforceable. However, CISA crafted them with input from teachers, school administrators and security specialists to help make them more achievable.
- During roundtable listening sessions, "an overwhelming majority of stakeholders across the educator and administrator communities reported that they had too many responsibilities and not enough time or resources to fulfill them," the report notes.
What they're saying: "This report is an important step to helping K-12 schools across the country protect themselves against cyberattacks that put the personal information of students and staff at risk," Senate Homeland Security chair Gary Peters (D-Mich.), who led the bill mandating this report, said in a statement to Axios.
3. Apple brings privacy lessons to stores
Photo: Chris McGrath/Getty Images
Apple is launching a new workshop series at its retail stores to teach customers how to use the privacy features on their iPhones.
Why it matters: Apple has spent years creating new privacy features, but the in-person workshops are the company's first attempt to actually teach consumers about the relatively new tools on their phones.
Details: The new privacy-focused sessions will be offered on an ongoing basis as part of the company's "Today at Apple" workshop series.
- The 30-minute sessions will teach participants how to use settings for passwords and passkeys, email privacy protection, location services, app tracking and other privacy tools.
- Apple also released a video with "Ted Lasso" star Nick Mohammed that goes through this information for those who can't make it to a physical retail location.
Catch up quick: In recent years, Apple has debuted several new privacy features, including those that allow users to customize when an app tracks their online behavior and to lock down their devices to prevent spyware and government snooping.
What's next: The first privacy workshop is slated to start on Saturday, which also marks the annual, government-recognized Data Privacy Day.
4. Catch up quick
@ D.C.
A top Ticketmaster executive reiterated during congressional testimony this morning that malicious bot traffic caused the Taylor Swift ticket meltdown. (Billboard)
TSA is investigating a potential cybersecurity incident that left the agency's "no-fly list" publicly accessible. (The Daily Dot)
@ Industry
Meta now lets end-to-end encrypted Messenger conversations incorporate themes, custom emoji, message reactions and other core functions. (The Verge)
Microsoft is working on a new security tool that blocks malware delivered through Excel sheets. (BleepingComputer)
Cybersecurity crisis response startup CYGNVS raised a $55 million seed round led by Andreessen Horowitz. (SiliconANGLE)
@ Hackers and hacks
LastPass parent company GoTo confirmed that a recent data breach affected encrypted password backups for customers in the Central and Pro product tiers. (BleepingComputer)
The FBI confirmed that two North Korea-linked hacking groups were behind the theft of $100 million from crypto firm Harmony's Horizon bridge. (Reuters)
Researchers at Bitdefender Labs warn that they've seen an increase in attacks exploiting the ProxyNotShell vulnerability in Exchange servers. (Bitdefender)
5. 1 fun thing
Illustration: Rebecca Zisser/Axios
Jason Hall, a researcher at Chainguard, included a disclosure at the bottom of a report published yesterday about GitHub paying him for finding and sharing information about a security bug in one of its products. He ended up donating the reward to a cause he cares about, and Chainguard added to the donation. (h/t Ryan Naraine)
- That got me thinking: How many other companies are getting payment for vulnerabilities they're finding in others' products? And what are you doing with the payments? I'd love to hear!
See y'all on Friday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
Decode key cybersecurity news and insights. With Sam Sabin.