The Chartered Institute of Information Security (CIISec) is urging the cybersecurity industry to increase salaries and provide better working conditions to prevent up to 10% of the workforce from leaving the profession. This warning follows qualitative dark web analysis revealing that professionals working in legitimate roles are offering their skills to cybercriminals in an effort to increase pay, replace dried-up work, or buy Christmas presents. This sentiment was echoed in CIISec’s latest State of the Profession report, which highlighted that remuneration is the primary reason for people leaving roles in cybersecurity, and that 22% of security professionals work more than 48 hours per week, risking burnout.
“Gartner research shows that 25% of security leaders will leave the security industry by 2025 due to work-related stress – and that’s just leaders,” says Amanda Finch, CEO of CIISec. “Salaries and long hours are contributing to this, and we’re starting to see the impact. Our analysis shows that highly skilled individuals are turning to cybercrime. And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge. Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”
The detailed research – conducted by Mark, a former police officer and covert operative, now working as a subject matter expert in the private sector – trawled dark web forums from June to December 2023 for job adverts. The professionals advertising for roles fell into three groups:
• Experienced, skilled security and IT workers: These professionals tended to be highly skilled and experienced, with some boasting more than a decade of experience in security or IT. There was evidence of individuals currently working for a “global software agency”, professional pen testers offering to test cybercrime products, AI prompt engineers, and web developers. Some offered a portfolio of work as evidence of their skills, whilst others stated that they needed a “second job” or even that “Xmas is coming and my kids need new toys”.
• People just entering the security workforce: These seemingly young or inexperienced professionals are looking for work and education. One asked for advice on “where do I start in hacking as a programmer?” and there were low-cost options for a “beginner designer” whose “creative journey has just begun”. Hacking groups also advertised, looking to hire students and offering training services – from OSINT to dark web and social media hacking – to wannabe hackers.
• Wider industry professionals looking to expand into cybercrime: A smaller number of individuals from industries outside of security or IT are still tempted by cybercrime. The research uncovered an out-of-work voice actor advertising for work on phishing campaigns, a “creative wizard” offering to “elevate your visual content”, a PR for a hacking group, and content writers.
“After years of working in the cybersecurity and law enforcement fields, it becomes relatively easy to spot cybercriminals from professionals moonlighting from other industries,” says Mark, subject matter expert in dark web investigations who led the investigation. “These adverts might allude to current legitimate professional roles, or be written in the same way as someone advertising their services on platforms like LinkedIn. In an industry that is already struggling to stop adversaries, it’s worrying to see that bright, capable people have been enticed to the criminal side.”
“There is a huge breadth of skills being advertised on the dark web, many of which are transferable,” says Finch. “A job in cybersecurity has so much to offer for people of all industries, whether you’re a creative, a developer, or even a voice actor. But as an industry, security can seem like a narrow field. We must do more to showcase that there’s room for all in security, or we’ll lose more and more talent to cybercrime.”