The skills gap disconnect.
Michael Madon: [00:00:00] And so what's happening is these hackers who are sophisticated are spending too much time and hitting some of those more sophisticated companies who have, like, the right systems in place. And so they're going downstream, and that's why you see an increase in the number of attacks in sort of the middle market.
Dave Bittner: [00:00:15] Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute.
Dave Bittner: [00:00:33] Hello, Joe.
Joe Carrigan: [00:00:33] Hi, Dave.
Dave Bittner: [00:00:34] We've got some interesting stories to share this week. And later in the show, Carole Theriault returns. She's talking to Michael Madon, head of security awareness at Mimecast and formerly with the U.S. Department of Treasury. He's going to explain why he believes the skills gap is a direct and growing result of the unnecessary complexity that the security industry has introduced.
Dave Bittner: [00:00:54] But first, a word from our sponsors at KnowBe4. So how do you train people to recognize and resist social engineering? There are some things people think. Test them, and if they fall for a test scam, fire them. Or other people say if someone flunks the test, shame them. Instead of employee of the month, it's doofus of the day, or maybe you pass out a gift card to the one who gets the A+ for skepticism in the face of phishing. So how about it? What do you think? Carrots or sticks? What would you do? Later in the show, we'll hear what the experts at KnowBe4 have to say. They're the sponsors of this show.
Dave Bittner: [00:01:34] And we are back. Joe, I'm going to kick things off this week. This story was sent in by a listener named Martin (ph), who I suspect listens to a lot of different podcasts that I'm on...
Joe Carrigan: [00:01:45] OK.
Dave Bittner: [00:01:45] ...Because he's doing a little bit of trolling here and in a friendly way. He says, gentlemen, longtime listener here. And I have to say I think listening to you has made me more paranoid than I should be.
Joe Carrigan: [00:01:56] Then we're doing our job right.
Dave Bittner: [00:01:58] That's right. He says, as an example, I was recently driving through Maryland, looking for furry costumes.
Joe Carrigan: [00:02:03] (Laughter).
Dave Bittner: [00:02:05] During my trip, I had the occasion to stop...
0:02:07:(SOUNDBITE OF BELL RINGING)
Dave Bittner: [00:02:07] ...Into a national pharmacy chain. Mind you, this was not in the normal, sketchy Maryland neighborhood. He's trolling us, Joe - trolling us (laughter).
Joe Carrigan: [00:02:15] I - OK.
Dave Bittner: [00:02:16] So after I collected the items I needed, I approached the counter to check out. The store phone rang...
0:02:21:(SOUNDBITE OF PHONE RINGING)
Dave Bittner: [00:02:21] ...And the clerk picked it up. The following is the paraphrased conversation.
Dave Bittner: [00:02:25] Well, you'd have to come into the store for me to check. OK, I can do that. Nope, that didn't work. Nope, that didn't work. No, didn't work.
Dave Bittner: [00:02:40] After about six iterations of this, the clerk hangs up. Being a nosy, grumpy, old guy, I asked the clerk what that was all about, and he tells me it was someone wanting to know how many rewards points they had on their account. He continued to tell me he gets those all the time.
Dave Bittner: [00:02:54] Being inquisitive, I ask how many he might get a day - can't be that often. He told me that on that day, he had already had five calls about rewards points. I said, what do they want to know? He said the young man, a teenager, said he wanted to know how many rewards points they have on their account. I pointed out that it seems weird that they give you multiple phone numbers to check, and he mentioned that that was common.
Dave Bittner: [00:03:16] Now, I don't know what's going on, but my grumpy, old, suspicious mind got to thinking about what might be going on. First off, people are calling stores with phone numbers, trying to figure out how many rewards points are available on their accounts. Once they find an account with points, they send someone to the store to purchase an item with the available points. I noticed after I checked out that I had an equivalent of about $50. Now, I know - low pay-off - but if a person can score this five to 10 times a week, that could be 250 to 500 bucks a week or more if they resell the items on the secondary retail market.
Joe Carrigan: [00:03:49] Right.
Dave Bittner: [00:03:50] More importantly, you can use these points to purchase over-the-counter controlled items, which are consumer drugs that could be used to do things like make meth.
Joe Carrigan: [00:03:58] Right.
Dave Bittner: [00:03:58] Now, I may be letting my imagination run away with me. Either way, when I retire, this is the scam I'm going to use to supplement my retirement income once I'm in the home. So...
Joe Carrigan: [00:04:08] (Laughter) That's a good scam to supplement your income.
Dave Bittner: [00:04:10] (Laughter) There you go. Well, thanks, Martin, for sending that in. Joe, what do you make of this?
Joe Carrigan: [00:04:13] I don't doubt Martin's suspicions. I think that's exactly what this is. Why would you call and give someone four or five phone numbers? I only have one phone number that I give for all my affinity programs, which is what these reward point things are. Somebody calling for five is a red flag to me. I think Martin's spot-on in his intuition here.
Dave Bittner: [00:04:31] Yeah. It's interesting that - I guess the risk here is that using something as relatively easy to guess as a phone number - right? - in other words, if there's...
Joe Carrigan: [00:04:41] Or research.
Dave Bittner: [00:04:41] Well, but there's this - if there's a store nearby...
Joe Carrigan: [00:04:44] Right.
Dave Bittner: [00:04:44] ...I know what the likely area codes are for that store...
Joe Carrigan: [00:04:48] Correct.
Dave Bittner: [00:04:48] ...Right? So we can nail that down.
Joe Carrigan: [00:04:49] Yep.
Dave Bittner: [00:04:50] I can even get the list of prefixes...
Joe Carrigan: [00:04:51] Yes.
Dave Bittner: [00:04:52] ...The first three numbers of the phone number.
Joe Carrigan: [00:04:53] Right.
Dave Bittner: [00:04:53] So now it's not so much of a guessing game - right? - to find...
Joe Carrigan: [00:04:57] No, it's - I have 10,000 candidates for a given prefix, and I just go through the candidates until I get one.
Dave Bittner: [00:05:02] Right. That's interesting.
Joe Carrigan: [00:05:03] It's an inelegant brute force attack, but brute force is one of my favorite kind of forces.
Dave Bittner: [00:05:09] (Laughter) You know, it reminds me that - you know how when you go - here in the States, if you go to a grocery store...
Joe Carrigan: [00:05:14] Right.
Dave Bittner: [00:05:14] ...And they ask you for your phone number to get the discounts on things...
Joe Carrigan: [00:05:18] Right.
Dave Bittner: [00:05:18] ...If you don't want to use your phone number or you're not signed up at that store...
Joe Carrigan: [00:05:21] Right.
Dave Bittner: [00:05:21] ...It is almost always successful to use your area code and then 867-5309.
Joe Carrigan: [00:05:27] That's right. I do that frequently.
Dave Bittner: [00:05:27] That is almost in every single system.
Joe Carrigan: [00:05:30] Yes.
Dave Bittner: [00:05:30] I use it as well. So - all right. Well, that's my story. Joe, what do you have to share with us?
Joe Carrigan: [00:05:34] Well, Dave, this week, nobody dies in my story.
Dave Bittner: [00:05:37] (Laughter) Thank goodness - not yet, anyway.
Joe Carrigan: [00:05:40] Not yet, anyway.
Dave Bittner: [00:05:40] Yeah.
Joe Carrigan: [00:05:41] And my story comes from Justin Rohrlich over at Quartz.
Dave Bittner: [00:05:44] OK.
Joe Carrigan: [00:05:45] In 2016, there was a group of scammers operating out of this very area who scammed three companies out of $10.6 million of stuff by posing as a Navy contractor named Daniel Durnz - D-U-R-N-Z.
Dave Bittner: [00:06:00] OK.
Joe Carrigan: [00:06:01] And they used the email email@example.com...
Dave Bittner: [00:06:07] OK.
Joe Carrigan: [00:06:08] ...Which is not a military email.
Dave Bittner: [00:06:10] A real U.S. military would end in...
Joe Carrigan: [00:06:12] .Mil.
Dave Bittner: [00:06:13] .Mil.
Joe Carrigan: [00:06:13] Right.
Dave Bittner: [00:06:13] OK.
Joe Carrigan: [00:06:14] And this was hosted on Yahoo. So Yahoo was hosting it, and they were running the scam that way.
Dave Bittner: [00:06:18] OK.
Joe Carrigan: [00:06:19] They would send out fake purchase orders for equipment from this address in the hopes of receiving equipment.
Dave Bittner: [00:06:24] OK.
Joe Carrigan: [00:06:25] And of course, they would never pay for the equipment. That was the scam.
Dave Bittner: [00:06:27] They're pretending to be a purchasing officer from the U.S. Navy...
Joe Carrigan: [00:06:30] Right.
Dave Bittner: [00:06:31] ...Which is an organization that...
Joe Carrigan: [00:06:33] Buys a lot of stuff.
Dave Bittner: [00:06:34] ...Buys a lot of stuff...
Joe Carrigan: [00:06:35] Right.
Dave Bittner: [00:06:35] ...And I suspect has, you know, good credit and all that kind of stuff (laughter).
Joe Carrigan: [00:06:40] Sure. Absolutely.
Dave Bittner: [00:06:41] Right.
Joe Carrigan: [00:06:42] Here's what they made off with. They got $1.1 million in Apple iPhones and iPads from a wireless voice data company in Washington state. They got $6.3 million worth of LG televisions from an AV distributor out of Virginia. And finally, they got $3.2 million in highly sensitive computer interception equipment from a defense contractor right here in Maryland.
Dave Bittner: [00:07:03] Well, that's interesting.
Joe Carrigan: [00:07:04] That is interesting, isn't it? It's not your ordinary scam. There's something going on that is more to the story that's interesting.
Dave Bittner: [00:07:12] So when we say highly sensitive communication intercept equipment, what are we talking about here?
Joe Carrigan: [00:07:17] We're talking about some equipment that does something to intercept communications. We don't know what it is. It's probably highly classified.
Dave Bittner: [00:07:23] So this is military...
Joe Carrigan: [00:07:24] This is military-grade equipment.
Dave Bittner: [00:07:26] This isn't an off-the-shelf kind of thing.
Joe Carrigan: [00:07:27] It is not.
Dave Bittner: [00:07:28] This is a custom piece of equipment.
Joe Carrigan: [00:07:29] This equipment was on the United States munitions list, which makes it subject to arms control regulation, right?
Dave Bittner: [00:07:35] OK.
Joe Carrigan: [00:07:36] So this is not small-potatoes equipment, right? This is not some - you know, something you can buy off the shelf at all. It is regulated by ITAR, which is the International Trafficking and Arms Regulation, which - if you've ever worked for a defense contractor, you have to go through that training once a year on what ITAR is and how you have to comply with it. This equipment is so controlled that a photograph of it was covered under ITAR.
Dave Bittner: [00:08:01] Wow.
Joe Carrigan: [00:08:02] You're not even allowed to export a picture of this equipment without some kind of authorization.
Dave Bittner: [00:08:06] So unlike the iPhones and the televisions...
Joe Carrigan: [00:08:09] Right.
Dave Bittner: [00:08:10] ...This is not a situation where someone's got a bunch of stuff, and they're going to be selling it on eBay...
Joe Carrigan: [00:08:16] Right.
Dave Bittner: [00:08:16] ...Or on the street corner...
Joe Carrigan: [00:08:17] Right.
Dave Bittner: [00:08:17] ...Or anything like that.
Joe Carrigan: [00:08:18] I - there is no way you're ever going to sell this out in public. This is not something you're going to do that with. This is not a moneymaking operation. The defense contractor is only identified as Company B, and this group of scammers reached out to Company B using this Drunz email...
Dave Bittner: [00:08:33] Yeah.
Joe Carrigan: [00:08:33] ...And provided documents they represented as a Navy contract to sell - between Company B and the Navy to sell this equipment to Drunz.
Dave Bittner: [00:08:42] And so that's fascinating because if this is classified equipment...
Joe Carrigan: [00:08:48] Right.
Dave Bittner: [00:08:48] ...The bad guys would have had to have known what to ask for...
Joe Carrigan: [00:08:51] Right.
Dave Bittner: [00:08:51] ...Presumably.
Joe Carrigan: [00:08:52] This equipment is not known to the general public, right? I mean, everybody knows about flat-screen TVs, iPhones and iPads, right?
Dave Bittner: [00:08:57] Right, right.
Joe Carrigan: [00:08:58] But how did these guys get the information to ask the correct contractor for the correct piece of equipment? That information is all controlled. You have to have some kind of information about that equipment to even make the purchase order look believable, so there's some kind of espionage going on here as well.
Dave Bittner: [00:09:15] Yeah. Do they know where the equipment was sent?
Joe Carrigan: [00:09:17] Well, the equipment was sent to Chantilly, Va., to some office space in Chantilly that actually was not a Navy space. It was leased by somebody. And then it was shipped to California, and the article doesn't talk about where it went after that. I don't know where it went after that. I'd like to know. That's one of the things I'd like to know. The office space in Chantilly was leased by Janet Sturmer, and she and seven others have been indicted on 15 counts of money laundering and identity theft. Interesting the indictment does not list any espionage charges, though - not yet, anyway.
Dave Bittner: [00:09:47] Interesting - so more to come, I suppose.
Joe Carrigan: [00:09:49] I would hope there's more to come on this. There's a lot of things I'd like to know that we may never know, actually.
Dave Bittner: [00:09:52] Yeah, yeah.
Joe Carrigan: [00:09:53] You know, who is behind this? Where'd the equipment go? Did we manage to recover the equipment? Probably not. That would be my guess. I think this equipment is probably gone, sadly.
Dave Bittner: [00:10:01] Yeah, and there are some - a lot of folks who had bad days when...
Joe Carrigan: [00:10:05] Yes.
Dave Bittner: [00:10:06] ...They realized what was going on.
Joe Carrigan: [00:10:07] Yeah. The article talks about when people at Company B were informed about the fact that this Drunz person was not real. They didn't know that before the investigation was underway. I imagine that came as quite a surprise to those folks.
Dave Bittner: [00:10:20] Yeah. Time to implement some, I guess, more stringent due diligence with these sorts of things.
Joe Carrigan: [00:10:25] Yeah. I don't know about the contract that he sent over. The contract may have mimicked a valid contract. That may have looked real. There's nothing in here that tells us any of that, and there's no way for us to know it because it's probably going to be classified. So I'm just speculating here that the contract may have been a valid contract. It may not have been.
Dave Bittner: [00:10:40] Yeah.
Joe Carrigan: [00:10:40] It may have been a fraud from the beginning. There might be some opportunity here for some business process review at Company B as well as some phishing training because the email address did not come from a military email address.
Dave Bittner: [00:10:51] But whoever this was, they knew the lingo.
Joe Carrigan: [00:10:53] They knew the lingo. Right. They said things properly. The article talks about how they wrote things right, and we're seeing this a lot more in these kind of scams where these scammers are not wording emails like, you know, some Nigerian prince anymore. They're wording emails like the person you think is sending you the email. They're a lot more well-done than they used to be.
Dave Bittner: [00:11:12] Yeah. All right, well, lots going on in that one. It's time to move on to our Catch of the Day.
0:11:18:(SOUNDBITE OF REELING IN FISHING LINE)
Dave Bittner: [00:11:22] Our Catch of the Day comes to us from a friend of the show named Dave. He's sent us some stuff before. He received an email - I'm going to leave out his last name here - but the email says, dear Dave, I am Mr. Jim Bukuno (ph) from Zenith Bank Plc. I called your phone yesterday as I was mandated to call you, but I could not get you on the phone as the phone number failed to connect. So I was mandated to send a pre-formal message to you as to confirm if your email address is still valid, as the payment of your inheritance fund has programmed to be released. If you are able to read this message, please reply so we can email you full information and genuine reasons for contacting you. Regards, Jim Bukuno, international operation manager.
Dave Bittner: [00:12:06] Now, Dave, who is a security professional (laughter)...
Joe Carrigan: [00:12:10] Right.
Dave Bittner: [00:12:10] ...Responded and said, good day, Jim Bukuno. Thanks for contacting me. I was not aware that I was due to receive an inheritance. How much am I due to be paid? I have gotten myself into a bit of a mess financially. I need to sort it out by the end of this money. This money could really help. To avoid calls from debt collectors, I've had to change my phone number. I think you have my old number. Please call me on my new number, which he lists. And he says, I will be available for the next 30 minutes. I ask that you don't share my phone number with others. It will cause me a lot of trouble if the debt collectors get my new number. Yours sincerely, Dave.
Dave Bittner: [00:12:46] So Dave is trying to hook these folks and help waste their time...
Joe Carrigan: [00:12:50] Right.
Dave Bittner: [00:12:50] ...Which is good. The other funny little thing about this is Dave shared this on Twitter, which is where I saw it, and he got a response. He tagged the bank, which is Zenith Bank...
Joe Carrigan: [00:13:00] Right.
Dave Bittner: [00:13:01] ...And he tagged the bank. And (laughter) the bank replied and said, kindly be informed that the email received did not originate from Zenith Bank. Do note that the bank will not be liable in the case of any financial loss or otherwise. You are advised to ignore and delete such emails whenever you get them, as they are most likely scam mails.
Joe Carrigan: [00:13:17] (Laughter).
Dave Bittner: [00:13:18] Now, I don't - I mean, this - I want to say, this message provided by the Zenith Bank legal team, right?
Joe Carrigan: [00:13:23] Right, exactly.
Dave Bittner: [00:13:25] This is (laughter) as much of a legalese message from a bank, I think, as you'll see there.
Joe Carrigan: [00:13:31] So, Dave, I did a little research. Do you know where that number goes?
Dave Bittner: [00:13:34] Which number?
Joe Carrigan: [00:13:35] The number that our listener Dave provided to Jim. Have you...
Dave Bittner: [00:13:37] I do not. I do not.
Joe Carrigan: [00:13:39] You should call the number.
Dave Bittner: [00:13:42] (Laughter) All right.
Joe Carrigan: [00:13:53] It's a Rickroll (laughter).
Dave Bittner: [00:13:53] (Laughter) Yes, very good. Well played, Dave.
Joe Carrigan: [00:13:55] Right.
Dave Bittner: [00:13:56] Well played. I have to say I did not see that coming.
Joe Carrigan: [00:14:00] So we'll put a link in the show notes to this article that has the Rickroll numbers in it...
Dave Bittner: [00:14:04] (Laughter).
Joe Carrigan: [00:14:04] ...From New Zealand. There is an Australian number, a U.S. number, a U.K. number and a New Zealand number. And so you can just give this number out, and the people that you give it to will be Rickrolled.
Dave Bittner: [00:14:14] OK. I just want to say also that since Dave is a friend of the show, that is why I have spared him and everyone else my amazing Australian accent.
Joe Carrigan: [00:14:22] (Laughter).
Dave Bittner: [00:14:22] So - all right, well, that is our Catch of the Day. Coming up next, Carole Theriault returns with her interview with Michael Madon. He's the head of security awareness at Mimecast. He's going to be talking about the skills gap in cybersecurity. But first, we've got a word from our sponsors at KnowBe4.
Dave Bittner: [00:14:40] Let's return to our sponsor KnowBe4's question - carrots or sticks? Stu Sjouwerman, KnowBe4's CEO, is definitely a carrot man. You train people, he argues, in order to build a healthy security culture. And sticks don't do that. Approach your people like the grown-ups they are, and they'll respond. Learning how to see through social engineering can be as much fun as learning how a conjuring trick works. Hear more of Stu's perspectives in KnowBe4's weekly Cyberheist News. We read it, and we think you'll find it valuable too. Sign up for Cyberheist News at knowbe4.com/news. That's knowbe4.com/news.
Dave Bittner: [00:15:28] And we are back. Joe, Carole Theriault had the opportunity to speak with Michael Madon - he's the head of security awareness at Mimecast - and talking about a little bit of the tension that exists and creates this skills gap in cybersecurity professionals. Here's Carole Theriault.
Carole Theriault: [00:15:44] OK, so there seems to be this disconnect in the cybersecurity world. On the one side, you've got all these companies that now have to process loads of personal and private data by following much stricter guidelines. It's complicated. They want experts to help them do that. So they're looking to hire people. On the flip side, you have loads of graduates and people wanting to break into the industry that are finding it almost impossible to find the welcome mat. So I speak to Michael Madon from Mimecast to try and understand this problem from his point of view and see what his recommendations are to help the next generation of cyber experts.
Carole Theriault: [00:16:27] Thank you so much for coming on the show. You are head of security awareness at Mimecast.
Michael Madon: [00:16:32] Yes, head of security awareness and also threat intelligence.
Carole Theriault: [00:16:36] And threat intelligence - isn't that a great title?
Michael Madon: [00:16:38] It is a great title. You know, the longer the title, the less important the job. That's the trope anyway. It's pretty true.
Carole Theriault: [00:16:45] It seems that we have a growing problem in cybersecurity, and that is cybersecurity skills shortage. Break it down for me.
Michael Madon: [00:16:53] At a very macro level, the way that I see it is you have this industry that is very much on fire, right? It is growing in every way. It's growing in terms of vendors and tools. It's growing in - because to respond to the growing number of attacks. The budgets that companies are allocating to cybersecurity is growing. So you have - the attacks are growing, the budgets to address those attacks are growing, and the industry is really booming. And what that creates is kind of fault lines and stresses within any existing system. Any system would stress under this condition, and cybersecurity really is no different. People talk about complexity, and the reason for the skills gap is because of complexity. Let me just address that, and then I can go to why a graduate is frustrated about finding the cybersecurity on-ramp and why you have CISOs who are saying, hey, I need people. Where are good people that I can hire?
Michael Madon: [00:17:53] There are three reasons why this cybersecurity enterprise is complex, I think. One of them is the types and quantity of attacks are constantly changing and iterating, right? The enemy is super smart, and they're criminals, too, right? So you have state actors, and you have, like, really, either state-sponsored criminals or just really sophisticated criminals who wear suits to work every day. And they have families and they have - they go to nice restaurants. And they're sophisticated people, and they're criminals. It's really - many times, these criminal networks are a concerted effort.
Michael Madon: [00:18:28] And so as the attacks are getting increasingly sophisticated, sort of what's happening is companies that have a lot of money and resources are doing a pretty good job in protecting - for the most part, like, protecting their personal information, the information of their customers and also their crown jewels - right? - for their company. And so what's happening is these hackers who are sophisticated, they're spending too much time and hitting some of those more sophisticated companies who have, like, the right systems in place. And so they're going downstream, and that's why you see an increase in the number of attacks in sort of the middle market.
Carole Theriault: [00:19:04] So they're feeling the heat is what you're saying.
Michael Madon: [00:19:05] They're feeling the heat, and they're getting...
Carole Theriault: [00:19:06] Right.
Michael Madon: [00:19:07] And so these companies that typically would have had sort of mediocre hackers and mediocre criminals are now having really sophisticated hackers and criminals that are now attacking them because those hackers and criminals are going to where it's easiest to attack. And so you have - the types and quantity of attacks are on the rise. The next is you have all these tools and products, right? If you go to any cybersecurity conference - you take RSA, for example, or Black Hat - you have this sea of products. And it's really, really hard - admittedly hard - to sort through which tools and products do I really need, especially when you have this advent of all these startups who are coming in - right? - like Mime was - and saying, we do this one thing better than anybody else in the market. Well, when you have 15 companies all saying that, all successful, and it's just one, like, small component, CISOs are understandably lost in the sauce.
Michael Madon: [00:20:05] And, of course, there's then the skills gap, which is this perception that there aren't enough qualified cyber analysts, professionals, to - security professionals to meet the growing demand. So you have - types and quantity of attacks are on the rise. You have in abundance - right? - a deluge of products and tools that are out there, all basically claiming, many times, the same thing. And that leads to a skills gap for people who know how to use and operate all these tools. And so that's the overall environment.
Carole Theriault: [00:20:42] Yeah. OK, so you've set the scene really well here. So you've got these three points here...
Michael Madon: [00:20:46] Yep.
Carole Theriault: [00:20:47] ...The complexity...
Michael Madon: [00:20:48] Yep.
Carole Theriault: [00:20:48] ...And the skills gap and the deluge of products. And this complexity is bringing us to the problem of why newbies can't get jobs.
Michael Madon: [00:20:57] So here's a little bit of that disconnect. When we say cybersecurity gap and skills gap, I think it's important to really refine - like, what jobs are we actually talking about? And there's a huge range of those jobs. Those jobs for cybersecurity range from - at the very top end, you're looking for data scientists - right? - to look at your algorithms and improve your machine-learning algorithms to refine what you're doing. And that's not necessarily within the CISO's organization but certainly within, like, the product organization. Like, someone who's creating a product...
Carole Theriault: [00:21:37] An app developer...
Michael Madon: [00:21:37] Right.
Carole Theriault: [00:21:38] ...For example...
Michael Madon: [00:21:38] Exactly.
Carole Theriault: [00:21:39] ...Or anything - right.
Michael Madon: [00:21:40] They're going to need someone, or many, who are looking at machine learning and are familiar with natural language processing. And then at the other end of the spectrum, you're looking at an entry-level analyst - on-the-job training for entry-level SOC analyst. So there's this huge range of jobs and professions and careers that are very different from each other that require extremely different education and background and experience all within this one industry. So I do think it's important when we're thinking, like, collectively as a community, the skills gap, what do we mean? Do we mean a skills gap for data scientists, or do we mean a skills gap for the entry-level SOC analyst, the mid-level SOC analyst? So that would then help us speak to the schools and speak to the educators and say this is more of what we're looking for. And this is where I'm going.
Carole Theriault: [00:22:36] Yeah, yeah. That's an interesting point. So what you're saying then is we are kind of muddying the waters of the entire industry by saying...
Michael Madon: [00:22:43] Yeah.
Carole Theriault: [00:22:43] ...We have a shortage. And what people think in their head is, like, hacker fighters, really.
Michael Madon: [00:22:49] Sure. That's a great word. I like it. Hacker fighters, yes, right.
Carole Theriault: [00:22:53] Right? And you'd be thinking those are the smart guys that are constantly at their computer and developing and programming.
Michael Madon: [00:22:59] Right.
Carole Theriault: [00:22:59] And that's not all, right? There's a lot of people. Like, you and me fight, you know, fight these guys in our own ways.
Michael Madon: [00:23:05] Right. For example, I think that there's a dearth of program managers in the cybersecurity space. I mean, you have to be somewhat technical, but you don't have to be really technical. To be an effective product manager, you don't need a Triple E, but you do need to know enough about cybersecurity to run a product line.
Michael Madon: [00:23:21] And so I think there's this very big range of what the types of jobs and experiences that people are looking for. And if you think of cybersecurity as an entire industry, well, now it begins to make sense. Like, if you look at the pharmaceutical industry, you wouldn't say, oh, there's a pharmaceutical industry skills gap. There would be a skills gap in someone who's doing, like, maybe biomedical research. Or there's a skills gap in something else. So to paint it with a very, very thick brush, I think the problem with doing that is it doesn't allow us to solve the actual problems, right? And the problems are many.
Carole Theriault: [00:23:59] OK, Now how can those individuals that are finding it really hard to break into this industry...
Michael Madon: [00:24:05] Yeah.
Carole Theriault: [00:24:06] ...Of cybersecurity, how can they make use of this information to benefit their careers? They're looking for the door, and they can't find the front door.
Michael Madon: [00:24:14] There's two sides to this. There is the person hiring, right? And then there's the person looking for a job. So the person who is hiring has an operations center. And they're looking for an entry-level person to be an analyst. Now, typically, what this person will do in the job announcement is say a minimum of two years. Now, that person, the hiring officer, is saying that. The person in security shop is informing HR, I want this - I want a two-year minimum. And here's the crazy part about that. Often, they just say that. Like, they're not actually thinking about - do you really need someone with 24 months of experience? Probably not because the No. 1 requirement for any - in my view, biased - the No. 1 requirement for an entry-level position as an analyst at a SOC - and I've been doing this for 25 years - right? - the No. 1 requirement is an insatiable curiosity. It's curiosity, right? It's someone who geeks out in discovering stuff. That's the job, right?
Michael Madon: [00:25:20] It doesn't matter if you geek out in discovering stuff about who's attacking you or you geek out in discovering stuff because you're a really awesome archaeology, you know, student, and then you realize, wow, this cyber stuff is so cool. Instead of uncovering dinosaurs, I'm uncovering this. It's the same thing. It's so interesting. Like, it's someone who has a curiosity about life and has an enthusiasm and an excitement about discovery. That's who you want to hire as - for an entry-level position. The problem is the hiring authority, that person is, I think, willy-nilly saying two years. When you say two years, that cuts out every single entry-level person.
Carole Theriault: [00:25:59] But, hey, let's face it. All they're trying to do is trying to make some kind of structure so that the HR person can bring in candidates that are viable, right? So maybe - I get what you're saying. I think having these kind of hard stops, like a minimum of two years, may be losing some really good potential candidates to come in. Again, that's good advice for the company, but I - I'm looking for how someone who wants to break into this market, what advice do we want to give them? How can they shape and prepare to actually be taken seriously?
Michael Madon: [00:26:31] In this space, people get hired through networks. And I know this person, and this person is a, you know, a trustworthy person. And I've work with them in the past. That has an incredible amount of weight. And so yes, if you randomly throw your resume over the transom, can it get looked at? Sure. But the odds of following up that resume that you're throwing over the transom with a call or an email from someone that you know that can help you and advocate on your behalf is priceless.
Michael Madon: [00:27:01] When you're a student, your internships are critical because it's your opportunity to begin to build that network. And your professors are critical because these are ways for you to break out of your own shell and begin to network and be in environments that will then help you with your career. And then it's about finding mentors - right? - within your area of expertise that you're passionate about and having those mentors help you. You need a mentor who's in there with you, in the foxhole with you, in the grind with you saying here's how I think you should approach this. I think this would be a great opportunity, and I'm willing to pick up the phone and make a call or write a letter or an email. So...
Carole Theriault: [00:27:46] So the Infosec show, which is on in June in London - you know, I'd love to see more kids there that are either studying or wanting to study or just about to finish their studies going around and getting to know people that are on the stand - are the marketing people, are the sales people, but they're the ones that have the information and can give you insight on the company and tell you the right people to contact.
Michael Madon: [00:28:07] And, you know, that's a really good point, and I think that we as an industry need to force ourselves to be better here. I mean, I - like, why don't we have speed dating at Infosec, right? How come we don't have speed dating at RSA?
Carole Theriault: [00:28:18] Even inviting the students just to your stand and saying, look; if you're out there and you want to talk to someone, we have an educator here that will give you all the answers to your questions. You can talk to an expert, you know, in the area that you want to go into. For me, thinking of when I tried to get into the industry, you know, in my 20s, that would have been gold, right?
Michael Madon: [00:28:35] Yeah. In fact, we're doing that. So we just invited sixth-graders over to Mimecast. It was awesome. And then we invited junior high and then high school - so all three kind of grade levels - and it was incredible, you know? There was a sixth-grader who was, I mean, seemingly just as sophisticated at cybersecurity as some of the grown-ups in the room. I mean, I was blown away by the level of sophistication of these students.
Carole Theriault: [00:28:58] Michael Madon, thank you so much for talking with us today. Kids, take his advice. Get out there, and get those networks going. This was Carole Theriault for "Hacking Humans."
Dave Bittner: [00:29:10] Joe, this stuff is right up your alley, right?
Joe Carrigan: [00:29:12] Yeah, exactly. This says a lot of things I've been saying for a while. Michael calls the skills gap a perception. That is fantastic.
Dave Bittner: [00:29:20] How so?
Joe Carrigan: [00:29:21] Because he says there's this perceived skills gap. He doesn't call it an actual skills gap, and I'm with him. And he immediately goes to the same thing I harp on - hiring managers and HR people when they say, I have an entry-level position, and I want someone with two years of experience.
Dave Bittner: [00:29:36] Right, right.
Joe Carrigan: [00:29:37] Two years of experience is not an entry-level position...
Dave Bittner: [00:29:41] Yeah.
Joe Carrigan: [00:29:41] ...OK? Entry level means entry level.
Dave Bittner: [00:29:44] The other one I like related to that is when they say, we need someone with five years of experience in a technology that's only existed for three years.
Joe Carrigan: [00:29:51] Right. Yeah.
Dave Bittner: [00:29:52] Yeah.
Joe Carrigan: [00:29:52] That's a great one - or entry-level people are required to have a CISSP. I've actually seen jobs...
Dave Bittner: [00:29:57] Right, or a master's degree.
Joe Carrigan: [00:29:58] ...Right - that say that you - a requirement for the job for an entry-level position is to have a CISSP. That I don't - I haven't seen one of those recently. If I did, I'd probably call the company and go, what are you thinking?
Dave Bittner: [00:30:09] (Laughter) Sir, who is this?
Joe Carrigan: [00:30:12] Yeah. Michael's also 100% correct - right. I'm getting full of myself. I have a podcast. Don't you know who I am?
Dave Bittner: [00:30:19] Yes, that's right.
Joe Carrigan: [00:30:21] Michael's 100% about the No. 1 requirement for these candidates. It's curiosity, not the 24 months of experience. And additionally, if you're looking for someone for 24 months of experience, they're not looking for your entry-level position. Twenty-four months of experience is a good amount of experience in this industry, and it can get you around quickly.
Dave Bittner: [00:30:37] Think about how much happens in two years...
Joe Carrigan: [00:30:39] Right.
Dave Bittner: [00:30:39] ...In cybersecurity.
Joe Carrigan: [00:30:40] Exactly. What has changed in the past two years? The landscape is completely different. You know, the only way you're going to hire people and get them trained is just to put them in the situation. It's going to have to be trial by fire for everybody that comes into this industry...
Dave Bittner: [00:30:51] Yeah.
Joe Carrigan: [00:30:52] ...Right?
Dave Bittner: [00:30:52] Bring them along. When we do hiring, we'll say, we need two years of experience or an equivalent amount of real-world experience.
Joe Carrigan: [00:31:00] Right, right.
Dave Bittner: [00:31:00] So we try not to use that as a gatekeeper. In other words, if you have a compelling story to tell about your experience level that isn't reflected in jobs or education, well, let's talk about it.
Joe Carrigan: [00:31:12] Right. I have people approach me from time to time saying they're trying to get into this industry and that they can't because of this barrier they have that - it's a real, very real barrier. So I like his point on job seekers. What you need to do is network. You know, get to know people in this industry...
Dave Bittner: [00:31:28] Yeah.
Joe Carrigan: [00:31:28] ...And that can help you immensely. I think I did the math on my jobs in the tech field, and the vast majority of the jobs came from people I knew in the companies. So get to know people.
Dave Bittner: [00:31:40] I also agree with what he said about getting an internship. For me, you know, I had an internship my last year of college, and it was the things I learned in that internship and the connections that I made in that internship - those were the things that got me my first job right out of college...
Joe Carrigan: [00:31:55] Right.
Dave Bittner: [00:31:55] ...More so than - college was valuable. I learned a lot, but the actual skills that got people to say, yes, we will hire you - those came from my internship.
Joe Carrigan: [00:32:04] Right.
Dave Bittner: [00:32:05] So I think that's really good advice.
Joe Carrigan: [00:32:06] An internship is kind of experience. It is practical experience, rather.
Dave Bittner: [00:32:09] Yeah.
Joe Carrigan: [00:32:09] And the connections are not to be discounted.
Dave Bittner: [00:32:11] Right. Absolutely.
Joe Carrigan: [00:32:12] Don't do what I did in high school and goof off in an internship. When you get to an internship, work it like you're the boss, you know?
Dave Bittner: [00:32:18] Yeah, yeah. All right. Well, thanks to Carole Theriault for bringing that story to us. It's an interesting one.
Dave Bittner: [00:32:25] And that is our podcast. We want to thank our sponsors, KnowBe4. Their new-school security awareness training will help you keep your people on their toes with security at the top of their mind. Stay current about the state of social engineering by subscribing to their Cyberheist News at knowbe4.com/news. Think of KnowBe4 for your security training.
Dave Bittner: [00:32:44] Thanks to the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu.
Dave Bittner: [00:32:52] The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our editor is John Petrik. Technical editor is Chris Russell. Our staff writer is Tim Nodar. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Joe Carrigan: [00:33:10] I'm Joe Carrigan.
Dave Bittner: [00:33:11] Thanks for listening.