The Cyber Leadership Labor Surplus

Why are CISOs and security leaders being laid off?

It’s an unprecedented time in tech right now.

In conversations with leaders between Nov 2023 and May 2024, I kept hearing about CISOs and security leaders being laid off, almost every week!

CISOs and security leaders are finding it harder than ever to find a job. Executive recruiters have a backlog of CISOs looking for work, but no active roles. They are focusing on engineering roles instead.

Why Are CISOs Being Let Go?

It’s simple, really: it comes down to money and market economics. If a company has to choose between surviving (i.e. making its numbers) and taking the chance of worse security, it will choose to survive.

Here is an example I’ve heard a few times:

Acme Corp wants to go public, so they invest in everything needed, including hiring a security team. They get an experienced (and well-paid) CISO to lead efforts and ensure they’re doing everything right. The CISO hires security people, systems and processes are built, and even a few compliance certifications are met.

The CISO took the organization from 0 to 1 in security, and even beyond that. They have security engineers, analysts, and even a compliance manager. Things are going well.

Then the market tanks. 📉📉📉

It’s no longer viable to go IPO and on top of that, funding is tight. The company has downward pressure from its investors to reduce costs. Guess what the biggest cost to almost every company is? People.

So they look around and see this well-oiled security machine. They see that the top person in that org is being paid 300-400k. They ask another leader (maybe engineering or legal) if they are willing to take on the security org. They say sure! (It’s not really a question.)

You can’t secure a company that doesn’t exist

So they let go of the CISO, move the security team over, and switch to… KTLO mode. KTLO means Keep The Lights On. This is the minimum effort required to keep everything functioning. Remember, the security team has accomplished a lot by this time. Major risks have probably been eliminated.

Switching to KTLO mode buys time. The possibility of a major security bug or risk being introduced into the ecosystem and left unresolved (because no senior leader is advocating for it) does increase over time, but for the time being the company is willing to take that risk. Remember, you can’t secure a company that doesn’t exist.

This is not a one-off story. I have personally talked to several people (CISOs or one-person security teams) in the past few months who were let go.

Current State of Startup Security

We are kind of back to a point in the startup industry where security is seen as a nice-to-have again. On top of that, SOC 2, its associated software, and dishonest or lazy auditors have lulled leadership into a false sense of security.

Are there startups that care about security? Yes, of course! Often the gateway is security questionnaires, because they need to make sales to survive. With a competent or experienced security person at the helm, they will improve their security naturally. Scale-ups like AI companies are hiring security folks like crazy, so while non-AI companies are hemorrhaging security people, there is definitely a need in AI, Healthtech, and Fintech.

Thanks for reading! I appreciate you.
