Our perspective on the current cybersecurity job market
We live our lives amongst rhythms and cycles. The earth around the sun, the migrations of the birds, the dawn and end to a school year. And so it is with the tides of the economy as well.
Just as the falling of leaves nurtures the soil, the lean times produce the kind of focus that’s needed to emerge stronger, and better.
Our industry has needed that for a while. Years of rising spend on products, services, and people were justifiably driven by increasing recognition of the risks and costs associated with cybercrime. And for many enterprises the overall investment levels stayed modest enough to be a reasonable part of the cost structure, and so did not attract undue scrutiny.
And that growth drove shortages of technical talent, rapidly escalating salaries, and incredibly high valuations on tech companies, all of which coincided with a flood of venture capital money that propelled hundreds of new companies into the market each year.
And thus a set of problems and bad practices became endemic.
In short, at the enterprise level not enough linkage of spend to solid risk-based economic justification, and at the vendor level, all the bad behavior that comes from pursuit of growth at all costs.
I don’t want to imply that there’s been a surplus of investment in security or vast amounts of wasted time and energy from enterprise security teams. To the contrary, maturity levels remain shockingly low for the vast majority of companies and spend still isn’t where it needs to be in order to cover and buy down risk.
But the speed of growth unquestionably gave the ability for a lot of waste to penetrate the system.
As a thought exercise, if you look at 2021-2022 levels of venture funding, with back-of-the-envelope math and a few simplifying assumptions, it equates to more than $1M of sales and marketing activity being spent per year, per target customer, by the industry. That's a lot of SDR calls, booth swag, and golf tournaments. (This assumes $20B+ of annual funding, roughly 10K target customers, i.e. enterprises with more than 2K employees, and half of the funding going toward go-to-market.)
Just as forest fires are healthy over the long term, so are cyclical downturns that focus prioritization and drive out inefficient spend.
And look at what has happened over the past couple of years. Increasing focus on tool consolidation and spend efficiency. An elevation of cybersecurity into more board room conversations (still not nearly enough, though). A growing recognition that cybersecurity needs to be a business function centered around risk rather than an IT backstop function. An emphasis on outcomes and results.
These are all good things.
That is, of course, not to say this has all been good. If you have been in the job market at all (and odds are you have been, since most people are open to new roles currently), you know how absolutely brutal it has been. The last time the job market for cyber looked like it does now was 2008 at the latest. Maybe never.
Recessions are painful, no doubt. And that pain takes the form of uncertainty, being stuck in unfulfilling (or worse) jobs, the exhaustion and self-doubt that creeps in from months of unsuccessful job hunting.
These three charts tell the story. The BLS only tracks data at a high level by industry, so these cover all jobs in information/tech (data in thousands, monthly), but they directionally tell the tale for cyber.
Layoffs are down from peak, but still definitely happening, particularly on the vendor side. Overall layoffs are closer to levels you see in good economic times (2021).
Job openings are down significantly, ~50% vs. peak in the first half of 2022.
Hiring has been sluggish with some signs of a rebound in 2024.
Vendors
On the vendor side, we are seeing signs of normalization. M&A activity has picked up, with both strategic buyers and private equity becoming more active. Funding levels are rebounding from their 2023 lows. Enthusiasm (and apprehension) about AI is driving a new class of startups.
Credit: Mike Privette, Return on Security
Increased funding will inevitably mean more investment in GTM and product. While some security firms are continuing to tighten belts and execute reductions in force (RIFs), the pace is significantly below 2023, and enough firms are hiring that the market is starting to feel more balanced. Qualitatively, among the companies and candidates we are working with, we are starting to see more 'on the market' candidates end up with multiple offers, and competition for talent appears to be picking up.
Services
On the services side of the market, most indications are that business remains depressed relative to the highs of 2021 to mid-2022. The largest bellwether, Accenture, grew its cybersecurity business at a 20% CAGR for years up to 2022. This year it is calling overall revenues basically flat, and has taken $1.5B in severance charges over the past two years. At the same time, many cybersecurity practitioners have hung out their own shingle over the past three years, and we are seeing a flourishing of boutique firms offering risk assessments, vCISO, and security advisory services, which is a great fit for a middle market that cannot afford the Big 4 but desperately needs security posture improvement.
Enterprise
On the enterprise side, activity remains fairly muted. Budgets were locked in late 2023, in most cases at zero to slight growth, and this has kept the market largely frozen. Dissatisfaction with existing roles remains high, but people see the challenges in the current job market and are sitting in their current roles until conditions improve.
We track the job movements of ~200K cybersecurity practitioners across the US. We saw elevated movement into new roles in Q4 of 2023 and Q1 of 2024, but that subsequently quieted down in Q2. Overall, it's hard to see this situation changing significantly in the remainder of 2024, but hopefully, with continued economic growth, we will see better budgetary expansion in 2025, which should set off new rounds of job movement.
In total, it paints a picture of a market that is still soft, but with some green shoots. Barring anything unexpected at the macro level, the worst should be behind us. How long it will take to fully rebound is anyone’s guess, but for now things appear to be moving in the right direction.
And while it may be of little comfort to think about the long term if you are in the middle of a job search, it's clear that the current period of retrenchment will have been a healthy thing for the industry overall. It has forced more discipline and a sharper focus on business value for both practitioners and vendors. And it has started to mature cybersecurity into more of a business function.
If you are in the market, stay in the fight. This is a long game that we are in and it’s only the early chapters that have been written at this point. Security remains an incredible place to build a career.
Here are some resources that you may find helpful:
Here's how the market is looking, according to the data we analyze from the thousands of job postings that run through our job board.
Generally, 60-80% of security jobs are individual contributor roles.
Highly technical roles tend to skew individual contributor, with ‘consultative’ roles having more managerial slots.
We are seeing some increase in hybrid roles in 2024, which runs slightly against observations of a hard return-to-office shift this year.
If you've been in the market, you've felt it. You are certainly not seeing the massive offers that folks you know left their last job to get. Not only are the eye-watering offers for top talent gone, but overall comp levels for posted jobs are down. We normalized the data by required years of experience (the best predictor of salary) and found that, on average, the mid-point salary for posted roles is down 5%. And keep in mind, this is in an inflationary environment.
We are seeing security architecture and appsec roles pay top dollar in 2024. Pen testing and IR are notably down from prior reports.
We analyze the movements of ~100K cybersecurity professionals in the US to understand which sectors and geographies are growing.
Unsurprisingly, the most new jobs are being created in the IT space, as well as in large, regulated industries such as financial services and healthcare.
The lines show relative job creation.
We track CISOs landing in new roles. Congrats to all!
Jennifer West is Chief Digital and Trust Officer at Takeda
Mike Gordon is SVP, Chief Information Security Officer at McDonald’s
David Bell is Chief Information Security Officer at CBRE
Tim Dawson is Group Chief Information Security Officer at Caesars Entertainment
Stephen Harrison is SVP, CISO at MGM Resorts International
Ariel Weintraub is CISO at Aon
Daniel Dubowski is SVP & CISO at Hertz
Guy Delp is Global Head of Enterprise Security at Vanguard
Vinny Hoxha is SVP, Chief Information Security Officer at McKesson
Stephen Ford is Vice President and Chief Information Security Officer at Rockwell Automation
Erick Rudiak is Chief Information Security Officer at Walgreens Boots Alliance
Karl Schimmeck is EVP & CISO at Northern Trust
Ryan Barbour is VP & CISO at ReliaQuest
Craig James-Heer is VP, Chief Information Security & Infrastructure CISO at Clorox
Juman Doleh-Alomary is Chief Information Security Officer at BorgWarner
Tim Rains is VP & CISO at ADT