SS-DISC-149 - Does the Security Job Gap Exist?

Episode 149 September 23, 2024 00:35:01
Security Serengeti

Show Notes

Spoiler alert - Not in the way the mass media is discussing it, and it's doing a disservice to aspiring security analysts and engineers.

Supporting Articles:
Packed. Crowded. Bursting. Crammed. Glutted. Jammed. Teeming. Saturated. Chock-full. Jam-packed. Brimming. Overflowing.

Fungible Tokens

Let’s get real: there is no such thing as “gatekeeping” in cybersecurity

The ghost jobs haunting your career search

Are We Now Living in a Parasite Culture?

Is there really an information security jobs crisis?

Defensive Security Podcast Episode 279

Global cybersecurity workforce growth flatlines, stalling at 5.5M pros

If you found this interesting or useful, please follow us on Twitter @serengetisec and subscribe and review on your favorite podcast app!


Episode Transcript


Transcript is AI generated and should not be considered authoritative. It has errors (just look at our names!) and we recorded in a busy restaurant, so it's especially bad this time. Do not trust it. [00:00:00] 
David: Welcome to the Security Serengeti Podcast. We're your hosts David Swinger and Matthew Kiener. Stop what you're doing and subscribe to our podcast and leave us an awesome 5 star review and follow us at SerengetiSec on Twitter.
Matthew: We are here to talk about cybersecurity and technology news headlines and hopefully provide some insight, analysis, and practical applications that you can take into the office to help you protect your organization.
David: And as usual, the views and opinions expressed in this podcast are ours and ours alone and do not reflect the views or opinions of our employers.
Matthew: We would like to announce our retirement from cybersecurity. We are leaving to start a farm.
David: Dairy farm.
Matthew: FYI, apologize in advance for any weird audio. We are recording again in a restaurant. I swear to God, like 15 minutes ago, wasn't it kind of quiet? Yeah. Like, I was just sitting here listening. I was like, oh right, this will be the perfect time to start.
David: Well, and then they seated [00:01:00] people on opposite sides of us.
Matthew: Too. Yeah, and there's like a herd of people that came in. There's no...
David: No. What time is it? And this is past the lunch hour.
Matthew: Yeah, like there's like 120. I would have expected it to start slowing down, but, oh well. Alright, today we have three articles that all basically say the same thing. There is no cyber security job cap, job gap, in security right now. At least, not the kind that can be addressed by colleges and boot camps. Instead what we have is a skills gap around certain specialties. The Venture in Security article calls out that engineers, folks who can build things, specifically software, are in high demand and salaries are still high. What he calls quote unquote operators are not in high demand. These are the folks who may have the job title engineer but don't build, they administer, and this also includes risk analysts, SOC analysts, that type of thing. So, why are we saying there's not a gap when there clearly is? There are millions of blog posts and news articles complaining about the gap. It's obvious it exists.
David: In the [00:02:00] Cyber is Full article, the author claims that cyber security as an industry is oversaturated with practitioners, maybe mainly due to boot camps, universities and certification factories that have produced too many. No, I kind of agree with this. What they've really produced is a promise, not actual cybersecurity professionals. So you have folks who want to, or cybersecurity professionals. Not that they actually become them after attending these boot camps or certifications or even the university. And the author claims that the chief drivers of this are running schools and boot camps and trying to generate a market for their own product.
Matthew: So I actually fell for this. I was encouraging my son last year to take a programming boot camp versus going to college. I assumed that it was going to be more of a trade school thing, which I think programming probably is more of a trade school thing than a college thing, but maybe I was wrong.
David: Yeah, I still think HVAC would be...
Matthew: Be better. I don't disagree, actually. Like, that is not going to go away with [00:03:00] AI.
David: No, you've got to have a person there. You do HVAC, then you do electrical, plumbing.
Matthew: Basically. You do a little bit of everything.
David: A little bit of everything. So, even if you don't have an HVAC job position, you could do electrical work, or you could do plumbing work.
Matthew: The main number used for the gap, what's being thrown around a lot is 4 million or 4.8 million, is generated by the ISC2, which is a certification organization. There's no conflict of interest there, a certification org saying that they need to get more people certified to get hired for these jobs?
David: What, you know, it's not for ISC squared. Well, maybe it's just the CISSP that has the five year requirement.
Matthew: Yeah, so yeah, you can get like the associate CISSP with us, and they've got another one that's like got a 2 year requirement that nobody pays attention to.
David: Well, I think, you know, they start off with the CISSP with that five year requirement, and now since, they've added on these entry level stuff to get other people in the door. So, but because before with the CISSP there was no [00:04:00] incentive really for people who weren't already in the industry to get the certification. So now they've got these other ones which are now incentivizing people to get into the industry.
Matthew: It's been such a, I mean, we talked about certifications like three years ago at this point, but there's been such an incredible proliferation of certifications. And you can get dozens and dozens, if you wanted to try and do that.
David: Yeah, I love seeing people's signature blocks that have a list of their certifications in there. Makes me really trust them more as far as their qualifications go.
Matthew: I think I told you once, I interviewed somebody and I asked him what his goals for like learning were, and he just told me a list of certifications he wanted to get. Like for him, certifications were learning, like they were the same thing, and there's an overlap there, but it's not the same thing.
David: Wow, those are very ephemeral, really. The knowledge that you acquire through the acquisition of...
Matthew: Enough to memorize to take the test. Right. Yeah.
David: Really, you're going to maintain that for a couple of months, [00:05:00] a couple of months maybe.
Matthew: Yeah.
David: You really learn from, you know, practicing versus, you know, studying or whatever.
Matthew: What's interesting about that is that companies will send you to a training course, and they'll expect you to, but then they don't give you the chance to practice, to, like, drive those skills in. They'll just send you to kind of a course, and frequently it may not be a course that's even related to your job. You know, we'll talk more about the training stuff later, but we're doing a terrible job at it.
David: But the gap between the active workforce and what ISC squared says is the perceived unmet need for cyber security grew 19 percent to 4.8 million jobs globally. So the new cyber security job postings in the U.S. declined 5.4 percent over a year as of May, according to LinkedIn.
Matthew: So...
David: The gap between how many people we think we need versus the number of actual positions [00:06:00] is what we're talking about.
Matthew: So, how does ISC Squared come up with the number they think we need?
David: Oh, well, you ask any, you ask any, so, you know, how many people do you need?
Matthew: They're going to...
David: Say, you know, what their dream count is versus what the actual number of open billets they have are.
Matthew: Three or four thousand should get us there.
David: Yeah, well, for every elementary school, three or four thousand should cover it.
Matthew: So additionally, the author points out that since security is technically optional, our jobs tend to be a lot more inconsistent than someone who's producing something the company can make money on. Some companies take a chance and for many years they draw into the straight and never get a breach.
David: Yeah, I mean, the bottom line is cybersecurity is overhead. And there are a lot of unqualified people that are claiming to be cybersecurity professionals, attempting to fill a shrinking pool of cybersecurity jobs. In the Venture in Security article, the author addresses the difficulty that many entry level cybersecurity folks [00:07:00] face when trying to break into the industry. Apparently there are influencers...
Matthew: Influencers is such a cancer.
David: It is, it's ridiculous, but they're shouting that the industry is gatekeeping them out. But, you know, why would anybody be influenced by such a moronic concept.
Matthew: Yeah, he agrees that the major part of the disconnect has been created by colleges and boot camps trying to sell that fantasy of the starting six figure job. Which exists, but it exists in very small quantities.
David: Very niche.
Matthew: Not in cyber security. Like, we work in the D.C. area. I don't think you start off in the D.C. area making six figures anywhere. I've heard 80,000 to 90,000, which is close, but well...
David: I don't know of any hiring manager who would take someone off the...
Matthew: Fresh out, yeah, fresh out of college. Yeah.
David: It just seems like the return on investment there is pretty low.
Matthew: The same thing happened with MCSEs in the late 90s. I was in college at the time, and I remember my freshman year in college, everybody was talking about, you gotta get that IT degree, you gotta get that MCSE, and then you'll be making that six figure job right out of [00:08:00] college. Happened with lawyers in the early 2000s. There's a gap. Then some industry gets word of the gap, and they try and spin up to try and sell folks on filling that gap, which then floods it and drives down salaries. Just supply and demand.
David: Yep. And having worked with MCSEs in the early 2000s, they were not pumping out high quality folks in that time frame either.
Matthew: He calls out that getting a job in cybersecurity shouldn't be an entry level role, it should be a specialization down the road after some number of years in IT, developing that prerequisite knowledge. I've interviewed personally a number of folks for entry level. I used to manage a SOC. I've interviewed a bunch of people for entry level SOC positions. And I've generally been disappointed. There have been very few, I can count them on one hand, that I've been impressed with after the interview and been like, yeah, this guy is going to be a great SOC analyst.
David: Yeah. Well, back in the early days of cybersecurity, you know, in the late 90s, early 2000s, that's where all the cybersecurity people actually came from, is IT, because there was no industry, there was no, I mean, you had the [00:09:00] CISSP, which started in the late 90s. But, you know, that was not something that someone got in order to break into cyber security. That's something someone who'd been doing cyber security, you know, got in order to validate their qualifications. But most cyber security people came from IT back in the day.
Matthew: And I mean, even myself, I didn't get into cybersecurity until 2011. And even then, that was after three years working in an IT role. And I knew I wanted to get into cybersecurity in 2008 when I decided to career change. And I knew that I had to get an IT job first. I didn't try to get into cybersecurity first. Yeah.
David: Well, I guess I'm the exception then, 'cause I started in security and then switched into cybersecurity into doing IT stuff.
Matthew: That's still kind of like you came from a security background. I feel like that still is kind of, you just don't like, you didn't start off like fresh out of getting out of the military, although in the military they do teach you things. So that's still not. All right, anyway. So there are actual shortages in cybersecurity, as we mentioned at the beginning, but they're not in the entry level positions. They're in the specializations. [00:10:00] So according to Ben Rothke the jobs that are in high demand include engineers who can actually build. Not implement something, not administer something. Those are both valuable, but they are less valuable than people that can build something from nothing. There are a ton of folks who have the engineer job title, and these days it seems the engineer job title is more for salary differentiation than for actual job responsibilities. Yeah.
David: We've talked about this before where you go from analyst 1, 2 to engineer. There's not an analyst 3, 4, etc.
Matthew: My job title is engineer, and I am implementing things, but I'm not building things from scratch. Like I'm in charge of projects where we implement a service, which is more valuable than maybe just administering the service, but it's less valuable than someone who can actually like build a product from scratch. Right. Yeah. Other things that are in demand, anyone in security who can code worth a damn, so I'm out. And that's funny, 'cause we've both tried this. You tried this before I did, trying to get analysts to code. It is [00:11:00] impossible if they don't want to code.
David: Well, what's ridiculous is, I actually taught a class, Introduction to Python. And it was a voluntary class. Analysts went to the class, and then after the class was over, I gave them a task. Actually at, you know, analyst task work, to use the programming that they learned in the class to analyze a problem. And they simply refused, literally refused, to use Python in order to analyze this problem. They used Excel instead. And it was, I was upset.
Matthew: Yeah.
David: Because it was just ridiculous.
Matthew: And what's interesting about this is that everybody has learned that if you're asked about coding in a job interview you have to have something. Like everybody that I've ever asked, like, oh do you code, they're like oh I Python. But then when you hire them they inevitably don't use it as a problem solving method in their job. Which I kind of understand, I've tried to do that myself. And part of it is because, well, at least in my case, I'm [00:12:00] unpracticed, and it's difficult finding the time in the job where you can be like, all right, I'm going to take three times as long to perform this task because I'm going to do it in Python, but that's going to pay dividends, because the next time it's only going to take me two and a half times, and then the next time it's only going to take me two times, and then eventually I'll get more efficient. But it's interesting, we seem to be very bad as an industry about, like, investing time in that way. It's like, no, get it done now, get it done now, get it done now.
David: Yeah, I mean, we're very good at accumulating technical debt, which is really what we're talking about.
Matthew: You know, versus I'm just doing stuff manually over and over again because it's faster right now. But yeah, right. Other items that are in demand: application and product security specialists, senior incident response forensic folks, and I didn't see on the list, but I have to imagine cloud security is probably in fair demand these days.
David: Yeah, that was actually mentioned, Venture and Security.
Matthew: Venture in Security. All right. So, Ben Rothke didn't, but then all right. So, and you can't solve these gaps with bootcamps. You solve them by taking experienced employees and developing them deliberately. But who does that [00:13:00] anymore?
David: Who has the time.
Matthew: No one has the time. Yeah. Another item that I saw was ghost jobs. The author mentions hearing from a recruiter who contacted a CISO for a recruiting contract. The CISO told him that the open roles were fakes. I don't know that that actually happened.
David: I don't know. What CISO would admit to that?
Matthew: Yeah. Yeah. But there has been a lot of talk around ghost jobs recently where a company posts a job it's not hiring for in order to pull resumes, they've already hired someone but left the listing up, they're trying to show investors they're growing. I saw that called out in an article where hedge funds are trying to get ahead of stock announcements by checking the number of open roles at a company and see if the number of open roles is increasing or decreasing so they can decide whether to short the stock price or not.
David: Do they see that over time? They must be querying these things on a regular basis then. That might be an opportunity for some organization to keep track of that over time.
Matthew: And sell it to people so they didn't have to, you know. Or trying to scare current employees into producing more. I don't know about that last one.
David: That doesn't make sense.
Matthew: It was mentioned in the article, but yeah.
David: [00:14:00] I mean, if your company opened another job position, you'd be like, oh, no, they're going to hire another position. Would that...
Matthew: On if the job description matches your job exactly. You're like, I don't know. So, but this seems like a lot of work for not a lot of return. This was from a Stack Overflow blog that'll be linked in the show notes. But, they even said that they're interviewing candidates for these ghost jobs, which is such a waste of time.
David: Well, it's not only a waste of time for the candidate, but it's a waste of time for the company. Why would they spend hours interviewing people that they're never gonna hire? That's a waste of money.
Matthew: Waste of money. I guess the question is, what level is it a ghost job? Did, like, the VP decide, like, okay, we can... Because I can see another reason for it, is you make the team happy because they're like, oh, we've got too much work going on. They're like, all right, we'll hire somebody, and they put up a job that they don't have. This still seems like so much work.
David: So weird. Yeah. Because if you post that on LinkedIn jobs...
Matthew: It costs money and takes time to do that, too. It was mentioned that HR is incredibly unsuited to find cybersecurity talent.
David: They're unsuited for a lot of [00:15:00] things.
Matthew: Kushner, a recruiter interviewed by Ben Rothke, states that most HR departments do not actually understand the jobs that they post. And they use certs as a stand in for actual knowledge, and that's why, that and the college diploma. I worked at a job that did not require more than a high school, not even a high school level worth of knowledge. Like I could have done it in high school. And they required you to have a college degree. Just because the hiring manager said, I'm not hiring anybody unless they have a college degree.
David: Degree. Well I think that's, this is some place where I think AI could be very helpful in doing that screening instead of HR.
Matthew: Doing tests, like having people show their knowledge.
David: And then having the AI evaluate the output. Oh, you could also use it to screen the candidate resumes to begin with.
Matthew: Too. Yeah, yeah, yeah, no, yeah, that's what I thought you were talking about.
David: The second article from CrankySec, they bring up that a company's security team is a symbol of an untruth, that the company thinks cybersecurity is important, so others will believe that the company thinks it's important.
Matthew: [00:16:00] Marketing. Messaging.
David: Now, the other two articles also mention that cybersecurity is a cost center and is frequently cut or limited in budget due to this. Now, I partially agree with this. It kind of relates to what Bruce Schneier said years ago, that security is both a thing and a feeling. You can be secure without feeling it, and you can also feel secure without being secure. And I think this goes too far though in saying that the cybersecurity team is only a token, when most teams do actual concrete things that protect people and property. But because this is imperfect, does that mean that they're not valuable or that the company does not really care if they are secure or not?
Matthew: I would wager this varies from company to company. I imagine like regulated companies, like Fortune 200 companies or 500 companies, are probably pretty serious about security because they have to like do the SEC reporting and stuff. But I imagine a lot of smaller companies just don't care. But they probably can't afford it anyways.
David: Well, you're also starting to see the lawsuits, or the [00:17:00] regulatory action, in saying that cybersecurity statements by companies and executives are promises that they're not actually fulfilling, which is, they're determining as fraud.
Matthew: Yeah, that is interesting. So, and also, of course, this is a deliberately inflammatory blog that I think just says outlandish things to get a response and kind of is like rage catharsis. So I would take them as generally serious, but not a hundred percent true statements.
David: Yeah. I mean, the author seems to think that, you know, corporate failures are not punished to a sufficient degree that he would like, and individuals whose data is stolen are not adequately reimbursed. And he also seems to feel unappreciated and undercompensated.
Matthew: Which is funny, because I look at how much security folks are paid, and then I look at how much, like, teachers and garbage men and cops are paid and firemen are paid, and I'm like, huh, who's being overpaid here? Who's being underpaid? But sure.
David: Sure. Yeah. Who's underappreciated? [00:18:00] Yeah. But I personally see this, you know, the market is a miraculous thing. You know, if left to its own devices, it will price things very close to their value. That includes cyber security services. I mean, you can disagree.
Matthew: Yeah. I think the market has shown that cybersecurity really isn't worth much. What's interesting to me is that doing it correctly, with correctly patching, and quickly patching, implementing least privilege, et cetera, would reduce cyber security vulnerability and breaches by, I don't know, maybe 90%. But the business has also decided that it's not worth that either. Right. So they would rather pay an additional security team to try and secure what IT did wrong, than pay IT to do it correctly.
David: Yeah, well I think this goes back to just the general high time preference that virtually everybody seems to be... Too. Right. High time preference is really what causes technical debt and everybody seems to be guilty of this high time preference. And I'm not sure if this is something that would've been better in the [00:19:00] past. And I'm not sure what needs to change in order to lower that time preference, but that's essentially the problem that we're dealing with, is high time preference across both IT and security.
Matthew: And I mean, there's always the fact that a breach typically only means a momentary blip of your stock and some consultant and overtime costs. Unless you're SolarWinds. Have you...
David: Checked their stock price lately?
Matthew: I was just thinking that.
David: I haven't. I think the last time I looked it was at 10 bucks or something.
Matthew: Which is down. It's not a buying opportunity. Which is...
David: Down from like 36, I think it was at the high.
Matthew: They were twelve eighty six. I don't know.
David: Okay. Not completely going under yet.
Matthew: I mean, their high was, yeah, their high was like 25. Okay. Back in 2021. So...
David: They're still down over 50 percent from before.
Matthew: It's on the way back up. Goodbye.
David: Really got to zoom in on to see it go back.
Matthew: It was under 10 for a while. It was like 8 for a while. So it's up 50 percent from that. Jeez. Yeah, I like...
David: You said, that was 2021, so that's [00:20:00] been three years that they've been punished for this.
Matthew: Look at CrowdStrike. It's going back up too. Like, it took a hit. It went down from nearly 400 to 200 and some. It went down almost 50 percent, but it's up 21 percent this year. I mean...
David: That's kind of...
Matthew: Wow, that actually is wild. I mean, it was all, it was just over, it was like 250 at the beginning of the year. So it's still up overall for the year. Because it was so low at the beginning of this year. So they lost almost all their progress from this year. That's very interesting.
David: SolarWinds. And what's interesting about that whole thing is that CrowdStrike and SolarWinds are both very good at what they do. And yet CrowdStrike is not being punished to the level that that service or...
Matthew: It did take 50. SolarWinds was because SolarWinds, it took off 75 percent of their stock, 20, like mid twenties to eight, is like 75.
David: And...
Matthew: CrowdStrike lost almost 50 percent but they're bouncing back a lot [00:21:00] faster.
David: Yeah. And the thing is that I think from my perspective, I think CrowdStrike was more in the wrong than SolarWinds...
Matthew: Because...
David: They were not doing industry best practices as far as...
Matthew: Testing, rollout.
David: Rollout and testing, where SolarWinds...
Matthew: They just...
David: Got, you know, they got compromised, you know, and not necessarily through their own...
Matthew: By an actual advanced actor. Right. Not just some script kid. And not gross negligence.
David: And yet they are being punished way more than CrowdStrike.
Matthew: Interesting.
David: But I partially agree with the compensation for folks who have had their data stolen and then that data was then used to cause harm for them. The problem is that most people's data is stolen or not harmed by it, at least not in ways that are apparent. Many people's data has been lost or stolen so many times that who do you punish? Or force to...
Matthew: Pay. And if your data was leaked three times, like which one was the one the attacker picked up? You have no idea.
David: No idea. Like, I was caught in the OPM breach. [00:22:00] You know, so the Chinese know pretty much everything about me. But they're not, but also I was in the, what was that creditor one?
Matthew: Experian. Experian.
David: You know, this latest, the latest one with that data broker. So you know, who do you force to pay when everybody's data has been lost or stolen so many times?
Matthew: Yeah. I like the framing of this as an externality. I think that's how companies consider it. It seems similar to kind of pollution. Like you blow smoke up a smokestack and it's not your problem anymore. It's someone else's problem, maybe. Like, was it that particular, you know, plant, the pollution that caused grandma's cancer? Probably not. So same with the data breaches, like they just happen and now there's somebody else's problem.
 David: Yeah, well, 
 I think I have a workable 
 idea, but I'm not sure exactly how it would be 
 implemented. You know, maybe through an insurance 
 company I'm not sure, but here's the 
 idea. 
 any company who has lost or stolen data 
 who has lost or stolen data must pay into a [00:23:00] fund based 
 on what was lost and how much of it 
 was lost. And maybe this could be an annual 
 fee. Like a membership or 
 something like 
 that. 
 Matthew: the Costco of insurance? Maybe. 
 David: So anyone who can show harm, you know, with 
 ID theft or 
 something 
 like that, 
 From from data 
 loss, can then make a claim against 
 that fund and be adequately compensated for the harm that 
 they occurred. That happened to 
 them due to that, that data theft. 
 Matthew: Yeah, I see this. 
 You're, you're having everybody pay into the 
 same pot, and then when you have a ID 
 theft, you're getting paid out of that same pot, so you don't have to deal with a specific company. You don't have to go to Experian and be like, Experian, you caused this, because it doesn't matter. 
 Right. 
 David: You say that collectively, because those organizations 
 lost data, they're collectively at 
 fault. 
 And then they pay into this fund in order to 
 recoup 
 people from that. Then the manager of 
 this 
 fund, Right. We'll 
 go through some kind of process to evaluate the claim and then pay the victim their restitution for 
 the degree to which they were 
 harmed. I 
 Matthew: that the only way to correct this 
 is to make companies pay 
 because that's the 
 only thing 
 that companies [00:24:00] understand. Because if you hit their, you have to hit their profit. Ideally, I would like for them to pay the amount of money that represents the impact accurately, but that's impossible. So, I think your idea makes more sense as an actual workable 
 solution. 
 David: Yeah. You can say that, 
 you know, that's the, 
 the thing 
 is that it's 
 it's kind of 
 like 
 an 
 average. You know, the more you 
 lost, the greater detail that was lost, 
 the more you you have to pay into the 
 Matthew: fund. And if they had an amount of money that they had to pay for identity loss, then the 
 company can make some actual business decisions on how much to spend to 
 protect 
 David: Right. Yeah, exactly. So that 
 also 
 benefits them because then they can calculate 
 the risk. 
 Matthew: this database is lost, it will cost 
 us this 
 many millions of dollars. To pay into 
 David: this fund. Right. 
 Matthew: Exactly. 
David: I met
Matthew: a company, at Black Hat, that does something like that. They look at all the published costs of data breaches. And then they like map out all of your data and they list it out by like, you have, you know, 20 million PHI records. The average cost per PHI record for a [00:25:00] settlement is this many dollars. So they allow you to kind of estimate that, but it's done through settlements in previous, which people sometimes inflate and it's not always accurate, but yeah.
David: But that's only telling them, you know, this could happen
Matthew: Yeah. Yeah. So, if you lose this database, this will cost you 5,000,000. Therefore, spending 500,000 to protect it might make sense. Right. I don't know, 10%, 1%, whatever they decide.
David: Or you could say that, you know, if you lose this database, you are going to have to pay into this fund, period, this amount.
Matthew: happening. Alright, one item you didn't mention that bugs me a bit is not actually about information security. It's about the... There's a comment in this article about engineers working on ad campaigns that make half a million a year. And I was reading another blog discussing kind of the parasite culture, not the parasite economy. I looked up parasite economy, that's a different thing. That's like a libertarian thing. The parasite culture, about how many of the biggest tech companies don't actually create anything of value. [00:26:00] They create a marketplace and then skim off the top. Example, TikTok. TikTok doesn't create anything, it just provides you a place for
David: influencers
Matthew: Influencers to create stuff. Airbnb, they don't build anything, they just have a marketplace for you to share what you already have. Uber and Lyft, they just create a marketplace where you connect people. It's like a platform as a service. Platform as a service. And I think that's deserving of money. I just don't know if that's deserving of the like 30 to 70 percent they take off the top. Like Uber takes like 70 percent of what you pay, and then gives the driver like 20 percent of it. Yeah. That's
David: And I'm wondering what the problem is, whether it's regulatory, or it's cost,
Matthew: what... How can they be taking in so much money and not make money?
David: Well, the thing is that, you know, if they're taking in that much, why are we not seeing more competitors to bring in a platform that is charging less? That's what I'm trying to figure out.
Matthew: There are, but they're small and regional.
David: If it really is, if it is overvalued, why is the market not bringing that cost down?
Matthew: I actually talked with a driver. I don't remember if this was in Chicago or somewhere, I was on a business trip and he mentioned there was a different ride sharing app [00:27:00] that gave the drivers more and I was like, oh, that sounds amazing. Like I should look into that. But it was only for like Chicago. So like you had to know, it's like for a traveler who's flying in, you wouldn't know. Right. So apparently there are some smaller regional ones. I don't know how common they are, but.
David: Well you got to hope that that regional one is going to get it.
Matthew: get big enough to expand. To
David: be able to expand.
Matthew: So, but that's a different conversation for a different podcast. So. There are a number of other interesting comments in the Venture in Security article that aren't directly related to the skills shortage, although they're tangential and they're echoes of many of the things we've already mentioned, but are more kind of related to the business of cyber. So, for example, the comment that most incidents happen not because of some, quote, grand strategic miscalculation, unquote, but instead bad IT. Misconfigs, unpatched volumes, tools and controls that don't work the way you think they do. And I hate to say I told you so, but if only you had some way to automatically test those controls across the environment in a consistent way.
David: Man, if someone just invent
Matthew: If someone just invented that tool, that would be amazing. At least [00:28:00] two of the articles mention the point about how a company doesn't actually know if its tools and employees are good. Because if you're not breached, that could be because you're doing great work. Or it could be because you got lucky this year. Like they didn't get you this year.
David: Yeah, you happen to blend into the background.
Matthew: Yeah. Yeah, you just didn't stand out and nobody hit you. But the opposite side is you could have great controls over 90 percent of the environment, but that cloud environment that somebody stood up could still get popped and your CISO could still get fired.
David: Right.
Matthew: Yeah. You
David: the other gazelle are frozen in the tall grass and you
Matthew: You know? And
David: that's, that's it.
Matthew: that's it. He also mentions that feedback loops tend to take years, so it's difficult to tell if a decision made today was good or bad until years go by. And in comparison to manufacturing, if you're working on the line, you can see if someone's doing a good job almost immediately. Like, they're going through the line, and the next guy keeps throwing stuff back for quality defects. Like, you know, you're like, alright, you're an idiot, get off the line. Right. You're fired. Although, of course, larger [00:29:00] items like airlines can still take, or airplanes, can still take a few years. Boeing? Boeing?
He talks about some other broken talent pipelines. Three of them he gives examples of are product managers. Similar to security engineers, it's not an entry level job, requires knowledge of a lot of areas, it's a high risk hire. If you hire a bad product manager and drive your product into the ground, that's a problem.
Venture capital, there's a mismatch between supply and demand. Venture capital firms tend to stay very lean. He actually mentioned that apparently most venture capital firms are only allowed to spend one percent a year or something like that on their expenses. So even if it's like a 5 million dollar fund or a 50 million dollar fund, they only have like 500,000 dollars a year to spend on expenses. And it turns out that doesn't hire very many people. Like, that doesn't pay very many travel expenses.
David: I was thinking on the other side about how many things they invest in versus the risk, the return on those. Yeah. Too. Yeah.
Matthew: some stuff they invest in just doesn't, doesn't actually work. Well, isn't
David: well, isn't it like 10 to one or something like that? They
Matthew: Yeah, they
David: 10 investments for every one, one, return.
Matthew: in addition, very long feedback [00:30:00] loops. It may take five or ten years to figure out if your investment was good.
Software engineering. Tech companies have cut hiring by over fifty percent. The interest rates increasing has forced them to stop expanding so fast, stop hiring. And it usually takes six to twelve months to get an entry level engineer up to speed. Also similar to cyber security. The main difference is software engineering. Hiring more software engineers leads to you making more money, potentially. Whereas hiring more cyber security engineers
David: Yeah, they're not a call center.
Matthew: Yeah. Yeah. Part of the broken pipeline is the training and development aspect. Seems like almost no company has like a development program for cyber security. For example, many companies have defined plans where you identify folks who are going to be business leaders and you give them a business rotation. They spend 6, 12, 18 months in finance. A year or two on the manufacturing floor. You get over to marketing. You get a broad knowledge of business. Us and I've never seen this for security.
David: Well, that's something that I is actually mentioned in the Phoenix Project. You know, the main character of that [00:31:00] story goes into one of those programs at the end to eventually become the CEO, or with the expectation that he will eventually become the CEO. And they have this at multiple levels. I've heard of
Matthew: this being done at like entry level, where you come out of college and you spend a rotation doing around stuff. And then I've also heard it when you're identified as like an up and coming manager in your twenties or thirties and like they see executive potential in you and they do a different but similar type of program.
So there's always the impact of automation that'll reduce manual tasks and entry level roles first. So even less entry level roles. But we've talked about that a lot, so I'm not going to go into any detail there.
David: Well, I mean, it's like the promise of automation has been around for how long now.
Matthew: It's been seven years since SOAR came out, and then there was always the coding stuff before that. So the fact, yeah, it is interesting. We haven't talked about it yet, but there's been this big thing recently called about SOAR is dead, on how SOAR is a feature, not a product, and it's being folded into a bunch of other stuff. Yeah,
David: Yeah, it's [00:32:00] like the SIEM is starting to pull. It's like a black hole. It's just pulling in more and more other parts
Matthew: and SOAR. It's just, it's always been way more complicated than they sell it to you. As they sell, oh, it's a low, no code, you can, you know, your analyst can put it together. And that has never turned out to be true.
Poor employee retention. We just mentioned part of this, but companies do a terrible job at keeping employees. Most people seem to rotate jobs every one to two years, and it takes up to 12 months to learn a job. Like.
David: I mean,
Matthew: I
David: I can't believe that people are switching jobs that quickly though.
Matthew: So the article said most, I think. But I don't think it's most. I would say that maybe a quarter to a third of the resumes that I see are like rapid job switchers. So I think there's like a core group of people that are... I think that makes more sense in the beginning of your career too and less sense the more and more senior you get.
David: Right. Well, I mean, that also kind of negates the whole conversation we're having here [00:33:00] about, in fact there are no openings. If there are no openings, would it be that easy to switch that rapidly? don't
Matthew: that it is anymore. So one of the things that I was actually thinking about looking at this is, I think that the way the environment is now, I don't think it's, I think that like five years ago, two years ago, it was very easy for senior people to switch. And I think now it's gotten a lot harder. So, I don't know. So I'm curious why companies are so bad about this. There's been a ton of research about this. How to keep employees and the benefits of keeping employees, but companies either don't seem to care or they've done their own cost benefit analysis or research and determined that the research is wrong. It's, maybe it, maybe it actually is fairly low impact to constantly have to retrain folks and absorb the gaps in employment.
David: Well, I mean this is also related to what we just talked about a little bit ago with the high time
Matthew: preference.
David: You know, it's just that we're,
Matthew: Do it now. Yeah, I'm worrying about the long term prospects of
David: anything. Including, you know, employee retention. [00:34:00]
 Matthew: Yeah, maybe. So in conclusion, there is a cybersecurity skills gap, but it's for senior and specific roles, not for entry level. Schools and boot camps are preying on young people's desire to get a comfortable, well paying job and lying to them about the availability of that job. 
David: and I think eventually this is going to flush out. And, just like the MCIS, the MCSE.
Matthew: Yeah, now the average lawyer apparently only makes 50,000. Like there are definitely high paid lawyers at well paying law firms, but like, the vast majority of them don't make much.
David: Yeah, I mean, but every, every, well, maybe not every, but a lot of the folks who go into law school think they're gonna, think they're gonna, they're gonna come out Matlock, and not Better Call Saul.
But that's all the articles we have for today. Thank you for joining us. And follow us on Twitter and subscribe on your favorite podcast app.
[00:35:00]
