Cyber professionals frustrated with stagnating salaries and poor working conditions are increasingly turning to the cyber criminal underground to increase their pay, cover expenses and replace dried-up work, the Chartered Institute of Information Security (CIISec) has warned in its latest State of the profession report.
The study highlighted that a lack of appropriate remuneration is now the primary reason for security professionals moving on from their jobs, ahead of stress and burnout. It warned that employers needed urgently to address the issues, otherwise they risked losing up to 10% of the cyber workforce.
“Gartner research shows that 25% of security leaders will leave the security industry by 2025 due to work-related stress – and that’s just leaders,” says Amanda Finch, CEO of CIISec. “Salaries and long hours are contributing to this, and we’re starting to see the impact. Our analysis shows that highly skilled individuals are turning to cyber crime.
“And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge. Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”
CIISec enlisted a former cop and covert specialist to trawl the dark web over a six-month period in 2023. The evidence he found of skilled security and IT workers advertising in this space, many boasting years of experience in cyber, is shocking.
The researcher found posts from individuals claiming to work for global IT companies and software firms, professional penetration testers offering to test cyber crime products such as malware, AI prompt engineers and web developers. Some offered portfolios of their work as evidence of their skills. Some said they needed a “second job”; one said “Xmas is coming and my kids need new toys”.
Others were greener, and appeared to be young or inexperienced IT people looking for work or even education. One asked how they might “start in hacking as a programmer” or offered low-cost options for web design. Many of them seemed to be responding to ads from known threat actors and cyber criminal gangs looking to prey on students and offering to train them in needed areas such as open source intelligence (OSINT) or social engineering.
Then there were those from fields outside or adjacent to technology looking to expand into cyber crime. Although smaller in number, these included an out-of-work voiceover artist advertising his skills for use in voice phishing (vishing) campaigns, graphic designers, a public relations (PR) pro, and even content writers.
The investigator enlisted by CIISec, who goes by the pseudonym Mark, said that after years of working across the cyber and law enforcement fields, it was actually relatively easy to tell a dyed-in-the-wool cyber criminal from a moonlighting IT professional.
“These adverts might allude to current legitimate professional roles or be written in the same way as someone advertising their services on platforms like LinkedIn,” he explained.
“In an industry that is already struggling to stop adversaries, it’s worrying to see that bright, capable people have been enticed to the criminal side.”
Finch said: “There is a huge breadth of skills being advertised on the dark web, many of which are transferable. A job in cyber security has so much to offer for people of all industries, whether you’re a creative, a developer, or even a voice actor.
“But as an industry, security can seem like a narrow field. We must do more to showcase that there’s room for all in security, or we’ll lose more and more talent to cyber crime.”