Cybersecurity professionals are increasingly prepared to moonlight as cybercriminals in a bid to top up their salaries, according to new research from the Chartered Institute of Information Security (CIISec).
The institute enlisted the help of a former police officer and covert operative to analyze dark web forum job adverts from June to December 2023.
What he found was a surprising number of what seemed to be cybersecurity professionals at various stages of their career prepared to sell their skills for nefarious ends.
“After years of working in the cybersecurity and law enforcement fields, it becomes relatively easy to spot cybercriminals from professionals moonlighting from other industries,” he explained.
“These adverts might allude to current legitimate professional roles, or be written in the same way as someone advertising their services on platforms like LinkedIn. In an industry that is already struggling to stop adversaries, it’s worrying to see that bright, capable people have been enticed to the criminal side.”
The study revealed three types of professional touting for business on underground sites:
- Experienced IT and cybersecurity professionals, including pen testers, AI prompt engineers and web developers. Some claimed to work for a “global software agency” while others stated they needed a “second job”
- New starters in cybersecurity looking for both work and training. Professional hacking groups also advertise for young talent, with some offering on-the-job training in areas such as OSINT and social media hacking
- Professionals from industries outside cybersecurity/IT, including PR, content creation and even one out-of-work voice actor advertising for work on phishing campaigns
CIISec warned that, in many cases, salaries do not reflect the long hours and high-stress environments that many security professionals find themselves in. CIISec CEO, Amanda Finch, cited Gartner research revealing that 25% of security leaders will leave the industry by 2025 due to work-related stress.
“Our analysis shows that highly skilled individuals are turning to cybercrime. And given the number of people projected to leave the industry, many of those will be desperate enough to seek work in an area that promises large rewards for their already-existing skills and knowledge,” she argued.
“Preventing this means ensuring we are doing all we can as an industry to attract and retain talent.”
Finch called on the industry to increase salaries and improve working conditions, or risk as many as 10% of the workforce leaving a profession already experiencing persistent skills shortages.