Cybersecurity industry braces for tighter visa rules
Email authentication company ValiMail just got done with the process of bringing in a new employee under the H-1B visa program, which allows companies to hire foreign experts.
"We just made it under the wire," said Alexander García-Tobar, CEO and co-founder at San Francisco-based ValiMail. "However, there are additional hires that we are considering, and we are very concerned."
The entire U.S. technology industry, including the cybersecurity sector, is heavily dependent on foreign talent. Not only are U.S. companies interested in hiring the smartest people available, no matter where they are from, but there is also a severe shortage of infosec professionals.
So when President Donald Trump signed an executive order on Tuesday that is expected to restrict immigration, the tech industry responded in force.
The very next day, more than 160 technology companies signed an animus brief arguing that American innovation and economic growth are tied to immigration, and that the executive order will harm the competitiveness of US companies.
The "Presidential Executive Order on Buy American and Hire American" requires the Department of Homeland Security and other agencies to come up with new rules to protect US workers and restrict H-1B visas to the most-skilled and highest-paid applicants.
That's a fundamental shift in the rules about how people enter the country, the tech companies said, and is an over-reach of power by the president. Plus, it will do harm to the country.
"The Order will make it more difficult and expensive for U.S. companies to recruit, hire, and retain some of the world’s best employees," they wrote in the amicus brief. "It will disrupt ongoing business operations. And it will inhibit companies’ ability to attract talent, business, and investment to the United States."
That's just as true for cybersecurity, experts said.
"U.S. firms can’t find workers with the cybersecurity skills they require," said David Berman, senior director of product marketing at San Jose-based CipherCloud. "In fact, there is a shortage of cybersecurity workers globally, even as data breaches and regulations have companies increasing their staffing plans for security analysts, auditors, engineers and other security functions."
The biggest hit will be the regulated industry, he added, including financial services, health care and retail.
"A review of the current system is not a bad thing as government programs can always be improved," said Justin Daniels, executive director of the cybersecurity accelerator at Memphis-based Baker Donelson Bearman, Caldwell & Berkowitz, PC. "The issue is the broad brush characterizing all foreign workers as taking jobs away from qualified U.S. workers. In cybersecurity, that is not the case as we already have a gap between the jobs and qualified people to fill them."
There are problems with the current visa system, technology experts said, but the new executive order might not address them.
"The current H-1B visa process has flaws, notably the 85,000 cap and the somewhat arbitrary lottery process, and should be reformed," said Tom Hopcroft, CEO at Burlington, Mass.-based Mass Technology Leadership Council. "However, it should be done in a deliberative manner, in Congress, and not at the end of the application submission period."
Instead of restricting visa applicants, he said, the focus should be on lifting the cap. In Massachusetts, for example, there are now close to 20,000 openings for tech jobs.
"In recent years, the H-1B lottery system has not kept up with industry demand," said Bobbie Kilberg, president and CEO at Herndon, Va.-based Northern Virginia Technology Council.
The council recently surveyed technology companies in northern Virginia, many of whom do work for the federal government, and found that they struggled to fill open positions in cybersecurity, data analytics and software development.
It remains to be seen whether the executive order will help the situation, and Kilberg said the answer depends on the agency recommendations that emerge in response to the executive order.
"We should have a better sense regarding impacts on cybersecurity, job migration, and other outcomes once the review is completed," she said.
One effect that is already being felt is a drop in H-1B visa applications. According to the U.S. Citizenship and Immigration Services, 199,000 applications have been received for 2018, down from 236,000 the previous year.
The agency also temporarily suspended premium process of H-1B petitions last month.
The drop in applications is most likely due to an anticipation of more restrictions, and an increased likelihood of being rejected, said Kon Leong, CEO and co-founder at San Jose-based data archiving firm ZL Technologies.
"The US is the preferred destination for international professionals, particularly in technology, but the trend could fade if internationals find greener landscapes elsewhere as America’s landscape turns brown," he said. "Other countries have been desperately trying for decades to create their own Silicon Valleys, and they’re now starting to make inroads."
If the executive order leads more limitations or restrictions on visas, the results could be devastating for all technology industries, said Morey Haber, vice president of technology at Phoenix-based BeyondTrust.
"This is just a huge unknown," he said. "It may spawn a new level of outsourcing or code development outside of the US if businesses are unable to bring in the talent to their current development facilities."
But in some parts of the outsourcing industry, the effect could be the opposite, if outsourcing firms can't bring their employees to the U.S. to work directly with clients when needed.
And other international tech firms may suffer as well.
"As a foreign company, we sometimes have to apply for visas and work permits for people we need to send over to the US, to help our customers there," said Rafael Laguna, CEO at Nuernberg, Germany-based Open-Xchange. "From that experience we know how hard this is, how expensive and lengthy."
Open-Xchange is a provider of open source communication software for service providers, and has more than 200 engineers on staff.
Engineers need to be able enter the country to not impede the growth of the industry, he said.
"I can't see a need for making this even harder," he said. "It is already putting too much sand into the gears that drive the tech industry."
ValiMail's García-Tobar has already begun working on contingency plans should H-1B visas become more difficult to get.
First, if the best candidate requires a visa, the company will also look for a backup.
"We might always have to double up," he said. "If our first choice is going to take much longer, or we might not be able to obtain the visa, we might go with someone with less desirable skills."
The company is also preparing to spend more time hiring people.
"And they're going to be more expensive," he added, "because you now have fewer people to pick from."
Another possible strategy is to open a remote office in another country.
"A company that is growing quickly like we are, it makes sense to put an office in a new market that you want to penetrate," he said.
For ValiMail, that means Europe or Asia. That office may now be opened earlier than it would have otherwise, and be home to both developers and sales teams.
He is also considering what options the company has for getting people together.
"Clearly, if it's hard for people to come into the country to visit us, or for company meetings, or a company off-site or brainstorming session, we'll make more use of video conferencing technology and do it that way," he said.
In order to get 24-7 coverage, some companies combine onshore and offshore security operations center teams, said Chris Petersen, CTO, senior vice president of R&D and co-founder at Boulder, Colo.-based LogRhythm.
This strategy will become more difficult if it gets harder to bring people into the U.S. for extended periods.
"This could result in either a cut back on their SOC capabilities, or reduction of other cybersecurity initiatives," he said. "Either way, overall cybersecurity posture could be negatively impacted."
Those whose SOCs are either fully or partially outsourced may see a decline in effectiveness if the offshore teams can't work alongside their onshore counterparts, he added.
"This could also increase the likelihood of a damaging cyber incident," he said.
Then there's the impact on research and development, an area where many companies use offshore staff to achieve an overall lower cost of development.
"If these companies are forced into an onshore-only staffing model, the result will most likely be decreased R&D capacity," he said. "This would, in turn, decrease their pace of innovation and threaten the security industry’s ability to keep up with rapidly evolving global threats."
As an alternative, some companies may move their entire research and development projects outside the country, said Jack Morgan, CIO at Boston-based Anaqua, which provides intellectual asset management software and services.
"Clients are rethinking their R&D center structure to align with where the talent is," he said.
Historically, foreign workers at U.S. companies have received a disproportionate number of patents, he added, and losing them will disrupt our country's innovation pipeline.
Possible motivational upside
Right now, many Americans hesitate to enter the cybersecurity field because of fears of losing their jobs to foreign workers, said Philip Lieberman, president at Los Angeles-based Lieberman Software.
"The arbitrary displacement of US citizens out of their jobs in favor of low-cost off-shore temporary labor, with no significant advantages other than short-term cost has caused those in IT to rethink their investment in a career in IT," he said.
Would-be IT professionals need to see that the entry-level rungs are stable enough to allow them to build their careers.
"Rampant outsourcing of IT has caused an entire generation of US citizens to discard IT careers as too unstable and unpredictable for a lifetime decision," he said.
Lower numbers of foreign workers could also result in higher wages for infosec professionals, said Byron Rashed, vice president of global marketing at Scottsdale, Ariz.-based InfoArmor.
That will make infosec careers more attractive.
"It may spur a greater interest among students to major in cyber security," he said.
CipherCloud's Berman agreed.
Women, in particular, might develop more interest in cybersecurity fields, he said.
"Competition for cybersecurity skills will increase, making professionals in this space a hot commodity for the foreseeable future," he said.
But while the industry waits for a new generation of workers to get trained, the jobs still need to be done, said Sam Curry, chief product officer at Boston-based Cybereason.
"And if they can’t hire locally or import it, the jobs will leave," he said. "What matters is that the right policy exists to give Americans a chance to train in the skills they need and have access to jobs without hamstringing companies who can’t wait for those skills."