For years there has been the general understanding that there is a shortage of cybersecurity professionals in comparison to the cybersecurity jobs available. My general experience is that this is true. However, 2020 has changed that - or at least exposed the gremlins of a potentially dangerous habit companies decide to embrace: cost-cutting by targeting "cost centers" like IT and HR. I get it. I really do. I also believe it is shortsighted and often the easy way out.
I recently had a job opportunity vanish somewhere between the verbal offer and the approval for a formal written offer. I had been through a series of interviews, both online and in person. I nailed them all, and my almost-boss was excited to have me. Then the financial landscape shifted, and the company decided to offset the projected shortfalls by cutting IT by 30%, changing the senior role I had interviewed for into a junior role, and scaling back the HR department. I am aware that I'm biased - being in IT and cybersecurity as well as losing out on a job - but I'm trying to remain objective.
The problem with this move, and I wish the company the best, is that they are in retail. They sell things - and do so with credit/debit card payments - and do not have the appropriate compliance standards for any card issuer that is a member of the PCI foundation. Additionally, they have an online presence, therefore regulations such as GDPR and CCPA also apply - especially since they have a physical presence in California. This company is lacking a cybersecurity team, and they are honestly doing their best with just security-aware IT management. Still, knowing this is an issue, and having gone through the process to the point where a candidate is waiting for an offer letter, they decided to hold off for at least the next quarter.
My point is this: because they opted for the easy approach - axing budgets for critical departments - I believe they are doubly liable if a breach occurs. During this pandemic, the need for cybersecurity and IT is rising. Instead of having a single network to protect, you now have rapidly expanded VPN use and a remote workforce, adding hundreds of new entry points to the network. All to the tune of $15K per month in employee costs. I get it. That's not a small sum. What happens if your company is the next to be on the news with the headline "10,000 credit card numbers stolen" next to your name? I'll tell you this: the cyber insurance premiums for the likely million-plus penalty fees, the $100K deductible, and the brand damage will be much more costly.
That's my piece and peace on the subject. I'm not going to wallow in it. Onward and upward as my personal journey continues. I wish them the best (in part because they did send my information out to some recruiting firms - a form of outplacement assistance). However, I also wanted to take a moment to express my concerns, because I know this isn't the only business cutting back on cybersecurity when they know they have problems. Gambling with a business is gambling with the welfare of your employees. The quantifiable risks need to be understood.