A billboard on the NJ Turnpike.
Mike Calia | CNBC
A recession could be brewing, so job seekers will likely be on the lookout for positions in relatively safe fields.
Schools are advertising cybersecurity as one of those options. Informal studies by groups including Cisco, Symantec and Cybersecurity Ventures have touted a shortfall of millions of cyber jobs in the coming years.
But the truth is more complicated. There is indeed high demand for cybersecurity jobs, but those positions cover a far wider range of roles than most people think — and some of those jobs will be easier to automate or otherwise cut if the economy hits rough times.
Which jobs are best positioned to survive a recession? We asked some experts in the field to weigh in.
What to focus on
Surveys don't often take stock of precisely which cybersecurity roles are most needed, and companies can have a difficult time quantifying which skills they need, said Valmiki Mukherjee, chairman of the Cyber Future Foundation, a cybersecurity education nonprofit that conducts research.
"Current and historic data and predictions on cybersecurity capacity have been through annual surveys and analysis from various job postings," Mukherjee said. "Historically, it has been mostly a guessing game, and there has to be some serious work done to get to the bottom of the number and nature of jobs that are required, and available."
Mukherjee also said demand for different types of cybersecurity jobs can vary by regions. He points to an interactive map run by Cyberseek, a project of certification company CompTIA, which describes cybersecurity job trends by state and region. Though these jobs are heavier on the technical side of cybersecurity, the information can give a strategic look of the regions that hire the most cyber professionals and therefore are more likely to have alternative work available if one company experiences layoffs. Virginia, for instance, has about 33,000 open cybersecurity jobs with further opportunities in Maryland and Washington, D.C. California offers about 36,000 open cyber jobs, and Texas has 24,000.
But "stability" can be difficult to measure, even when the economy is soaring. Organizational conflicts within companies may also create unpredictable job patterns particularly in the cybersecurity world, said George Rettas, a long-time financial services cybersecurity executive who now hosts Task Force 7 Radio, a cybersecurity industry program.
"For years, cybersecurity professionals have enjoyed being exempt from budget reductions while senior executives from the lines of business, including the operations and technology departments, have been forced to reduce costs year over year," Rettas said.
This has created friction within organizations.
"Cybersecurity departments are part of a business," Rettas said. "And with nerves on edge and everyone seemingly bracing for a recession, the days of scaring executives into increasing their budgets without any real scrutiny are quickly coming to an end."
Heavily regulated industries
People looking to land in a safer spot should look past generalist roles and instead focus on heavily regulated industries like financial services, health care or energy, said Joe Bernik, chief technical strategist for cybersecurity company McAfee. These areas are less likely to shed cybersecurity jobs, as their necessity is dictated by legal concerns and not economic factors.
Jobs that require working with U.S. and international privacy regulations, Payment Card Industry regulatory standards or Health Insurance Portability and Accountability Act (HIPAA) rules will always be in demand because those standards won't fade even if budgets are cut, Bernik said.
"This is true globally, not just in the U.S. These countries are getting more and more prescriptive, including European and Asian countries," Bernik said.
Peter Marta, who recently joined the cybersecurity practice at law firm Hogan Lovells from his prior role as global head of cybersecurity law at J.P. Morgan Chase, advises focusing on industries that society cannot live without.
"In my view, cybersecurity is the single biggest risk facing any organization, and it's especially important for companies in 'critical infrastructure' industries," Marta said.
Those industries include banking, energy, facilities, nuclear and emergency services. There are 16 in all, as designated by the Department of Homeland Security.
Steve Winterfeld, senior director of security strategy at distributed computing giant Akamai Technologies, said the cybersecurity jobs most resistant to recessions are the ones "closest to the fight."
"I would not cut active defenders. Folks in the [active security operations role], and forensics are too important and to be effective should be part of the organization," Winterfeld said. "Operations is generally safe but can be at risk if the company changes technologies."
Look at the big picture
Rather than guessing which specific roles may be bound to grow, Cyber Future Foundation's Mukherjee recommends considering big-picture factors more likely to drive the cybersecurity job market.
Companies are investing more than ever in digital transformation and technologies are getting more complicated, as regulators and executives are paying closer attention. This growing complexity and scrutiny means new cyber risks will emerge all the time, and there will probably be many yet-to-be-determined jobs to meet those needs, he said.
People most often associate cybersecurity jobs strictly with "hackers," otherwise known in the industry as threat hunters, penetration testers or members of a "red team."
"We probably don't need 2 million-plus cyberthreat hunters," Mukherjee said. So instead of new students flooding into these narrow disciplines, those who can bring other skills to the table, like translating specific risks in dollar terms or business needs, or anticipating trends in regulatory affairs, can have an advantage.
Cybersecurity jobs are also "slow" jobs, Mukherjee said, meaning skill development can take a great deal of time. Companies that invest in skills development might also be safer bets in the long term because they are less likely to want to divest of a longer-term security strategy.
"We also believe that there is an opportunity to cross-skill a lot of technology and business professionals into cyber professionals across different disciplines and domains," Mukherjee said.