A few weeks ago a SeekingAlpha post predicted, “Here come the layoffs”. Cybersecurity seems to be bucking the trend, however, thanks to a combination of a fiscal reality check, demand growth, and rising security awareness in corporations. And the potential for complacency ensures continued business.
Yes, there are layoffs happening in private cybersecurity companies, but most of those are coming in sales and marketing departments, according to every analyst contacted for this story. Those areas were inflated by cash infusions from investors who saw a quick buck to be made from increasing concern over security worldwide.
The industry is going through a correction cycle, said Brad LaPorte of Lionfish Tech Advisors, a company that works with venture capital firms in bringing portfolio companies to market. “There has been a lot of bloat in marketing budgets around the industry. For a couple of years now, VCs have required only 6 to 12 months of runway on the belief that revenues would come quickly. Now they are requiring 22 months.” LaPorte said startups are still looking for experienced engineers but not so much sales and marketing.
Amer Deeba, CEO of the startup Normalyze, verified the change in requirements. “In 2020 and most of 2021 we were turning VCs away because we weren’t ready to take investment. Then, in late 2021 when we started looking for investors, the runway was much longer. Now investors want companies to have two years of cash in the bank before any additional rounds are sought.” Normalyze describes itself as a data-first cloud security platform.
It’s fairly easy to see why. LaPorte mentioned one company that just finished a Series A funding round and used part of the money to sponsor a race car. According to a recent study by Gartner, the most a company should put into marketing is 11.2 percent, yet it is not uncommon for cybersecurity and cryptocurrency startups to push that limit much higher. A Dubai cryptocurrency company boasts on its website that it has invested 25 percent of its seed money into marketing, and it is now looking for A-round financing.
Private equity do-si-do
But it isn’t just excess causing the belt-tightening. Private equity firms are voraciously gobbling up both private and public companies and cobbling together new companies with multiple and often duplicative services.
One particularly convoluted acquisition came when Symphony Technology Group bought McAfee Enterprise and FireEye. They formed Trellix earlier this year from that acquisition, then spun off FireEye’s Mandiant group as a public company before Google stepped up to buy it. The group plans to launch an IPO but not until after significant retooling and integration.
On the public-company level, however, headcount is rising. Richard Stiennon, principal at IT-Harvest and the author of the most comprehensive database of cybersecurity companies in the world, said almost all of the 42 public companies are growing staff along with revenues at a swift pace. “Zscaler is growing at almost exactly the same rate as their revenue numbers, 60% YoY. Only 6 shrunk during 2022 with Mandiant the biggest loser but that could be attributed to the ongoing plan to be acquired by Google.”
Companies are “getting it”
As in any market, demand drives growth, and it seems most corporations are “getting it” when it comes to making employees aware of the need for a security mindset and are investing in tools and services to enhance that awareness. Many studies have repeated the fact that 9 of 10 successful attacks began through individual employees failing to follow simple security practices, like not clicking on a link in an unsolicited email. But the 2022 Global Cybersecurity Awareness Training study by ThriveDX and Lucy Security showed that 96% have increased security awareness training and that IT security improved as a result.
Savvy employees can make cybersecurity tools and services much more effective, which makes investment in them more attractive. That drives sales of tools and services, making an investment in sales and marketing less important for the companies offering them. However, email and text filters will catch around 90 percent of malicious content, and the notifications keep employees aware of ongoing threats and make them wary of the remaining 10 percent.
Complacency or awareness?
The question is: do the tools and services drive awareness or complacency?
“I’m of the opinion, based upon my 25 years in cybersecurity, that education and training are necessary but overrated,” said Brent Watkins, director of business development for Tego Cyber and a retired supervisory agent for the FBI. “It’s not all about the human, but effectively using technology as well.”
Ian Thornton-Trump, CISO for Cyjax, agreed. “A cybersecurity awareness tool is only as good as the policy which enforces its use. The threat of malware delivered via attachment or weblink is not nearly as prevalent as credential-stealing malware to gain access. Effective security awareness has to align to the various roles in the organization as well. Security Awareness training for the payroll department should be tuned to the type of threats a payroll department faces as opposed to the type of threats a call center may face.”
Moreover, he said physical security awareness training and “Guest, Contractor, and Vendor” verification and/or escort procedures. All your cyber security can be undone in an instant by a physical compromise of the organization.
Complacency is a major problem and a reason many breaches happen, he explained. Organizations need to train employees to “anticipate and mitigate” rather than talk about “lessons learned.”
Until that lesson is learned, the cybersecurity industry is bulletproof.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, and avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.