Cybersecurity professionals are finding it more attractive to take their talents to the Dark Web and earn money working on the offensive side of cybercrime. This puts enterprises in a tough spot: cut into profit growth to keep cybersecurity skills from flowing to the highest bidder, or figure out how to defend their networks against those who know their weaknesses most intimately.
Layoffs and consolidation across the cyber sector are ratcheting up the pressure on the remaining workers, while at the same time salary growth is stalling — making a cybercrime side hustle an increasingly attractive way for cyber pros to make ends meet, according to a new study out of the Chartered Institute of Information Security (CIISec), which analyzed Dark Web advertisements for cybercriminal services provided by professionals with cybersecurity day jobs.
The CIISec report found a raft of offers on Dark Web sites, including a pro Python developer who would make chatbots for $30 an hour to earn extra Christmas present money for their kids. Another seasoned developer will make phishing pages, crypto drainers, and more, while yet another will use AI to help with coding, starting at $300 per hour, CIISec reported.
Cyber Pros Turning to Cybercrime: An Alarming New Trend
This alarming trend marks an entirely new era in cybersecurity, according to Devin Ertel, CISO at Menlo Security.
“I’m shocked and troubled to witness skilled professionals turning to cybercrime amidst mass layoffs,” Ertel says. “This marks a significant shift, reflecting the urgent need for both employment and ongoing training within the field.”
Ertel points to a surplus of cyber talent and economic uncertainty as potential drivers of the “unfortunate trend.”
Gartner predicts that by 2025, 25% of cybersecurity leaders will leave their roles due to stress. And despite layoffs in the cybersecurity sector, which have largely focused on non-technical roles in marketing, sales, and administration, there are still hundreds of thousands of open jobs in the US cybersecurity sector alone.
Cybersecurity Morale Could Drive Insider Threats
That puts even more pressure on teams that remain, driving down morale across the industry, which cybersecurity expert and consultant Hal Pomeranz worries might also lead to a spike in insider threats.
“Rather than worrying about external threats, I would be on the lookout for insider attacks,” Pomeranz says. “Mass layoffs in the tech industry destroy employee morale and breed cynicism and contempt for management. I wonder how many of the remaining employees would feel comfortable selling out their employers if the price was right?”
The solution for many enterprises requires a better understanding of the roles they’re trying to fill and matching them with the right employees, Gareth Lindahl-Wise, CISO with Ontinue, says.
Cyber Needs to Adapt to Solve Skills Gap
“There is, without doubt, a shortage of both skilled and experienced cyber professionals,” Lindahl-Wise explains. “However, I would be as blunt as saying there is some misguided expectation on the part of the buyer. Do you really need someone with X years’ experience on a security domain tangential to the job you want them to do?”
Once hired, cybersecurity talent should be presented with additional professional development opportunities as well as a career path, Patrick Tiquet, vice president of security and architecture with Keeper Security, advises.
“Business leaders are challenged with sourcing the necessary cybersecurity talent to keep their organizations secure as they balance distributed remote workforces and a growing number of endpoints with a threat landscape that continues to expand,” Tiquet explains. “Beyond competitive compensation, organizations must provide clear career paths for those looking to advance, professional development opportunities, and flexible work arrangements that allow for remote work when possible.”
Beyond recruiting and hiring, and closing the cybersecurity skills gap, ColorTokens VP Sunil Muralidhar urges managers to focus on mental health and stress management among their cybersecurity teams.
“Working with security professionals across different roles — from practitioners to executives, to partners — reveals a common thread of high stress levels among them,” Muralidhar says. “This is largely due to the disproportionate burden that security bears in safeguarding the organization with significantly limited resources.”
Source: www.darkreading.com