Nov 3, 2023

Solution Spotlight: Is there really an information security jobs crisis?

Solution Spotlight: Simone Petrella and Rick Howard sit down to speak with Ben Rothke, Senior Information Security Manager at Experian, about whether there really is an information security jobs crisis.


Simone Petrella: We spent a lot of time on this segment talking with experts about ways they're addressing the cyber talent crisis, but today I want to attack the issue itself: is the talent shortage really as bad as we think? To have this discussion, I'm joined today by Rick Howard, the "CyberWire's" Chief Analyst, and Ben Rothke, Senior Information Security Manager at Experian. Hi gents, thanks for joining.

Ben Rothke: Hello.

Rick Howard: Hey, Simone. Thanks for doing this.

Simone Petrella: Alright. Well, let's just jump right in. Ben, I know you've tackled this question, so is there really a cyber-job shortage?

Ben Rothke: Yes. You know, but I think, you know, with a caveat. I mean, a lot of the -- there's a lot of reports, you know, press releases etcetera about millions of cybersecurity jobs. So, the short answer is yes. It's definitely, it's a great career path. There's a lot of openings, but it's not that people can take a crash course and get a high-paying job in information security.

Rick Howard: Darn. I would.

Ben Rothke: Companies need people.

Rick Howard: Really? I'm shocked -- shocked I say [brief laughter].

Ben Rothke: Oh. Yeah, I mean I would say, you know, I think I wrote an article about it, you know, a month ago and it got a -- it reverberated you know quite well and pretty much I get calls you know weekly from parents, from people who, you know, they've got college-aged kids, there's other people in IT that want to get into information security, and it's a great career. There's a lot of opportunity, but once again, it's not this magic bullet where you could you know take a boot camp and companies are going to be desperate for your services. I think that's the difference. So, are there a lot of openings? Yes. But companies are quite judicious you know in their hiring. Rick and I have a friend, Helen Patton. She wrote a book about getting into the field, and she says that you know there is no such thing as an entry-level information security job. And for the most part, that is correct, is that, you know, companies you know want people who are experienced; even an entry-level job you know requires a lot, and I think one misnomer is, you know, thinking you could just do information security; information security is built on top of IT. So, if you don't understand networks, if you don't understand protocols, servers, if you don't understand risk, yeah, you know, some could take a course and they could you know run scripts and do stuff, but they're not going to be a valued part of the information security team.

Simone Petrella: Yeah.

Ben Rothke: In some ways, information security is like a medical specialty. First you do internal medicine, then you do your specialty [multiple speakers].

Simone Petrella: You're doing an analogy. I've used that analogy for years, Ben [inaudible 00:03:02] on that one. I want to get back to the entry-level piece. But before we do, I thought you brought up something really interesting, which is that the numbers are endemically over-reported, and it's something I have noticed in some of the things that we've seen in the datasets that are available and cited, and something that's always struck me, my background is in the defense contracting space. So, I know even when I think about the amount of federal cyber and defense cyber jobs that are being bid in the DMV alone, you know, I think about every contractor that's putting out reqs for the same job postings. If we're using that as the data point, I'm like we just quadruple counted, because everyone's putting up postings for the same singular role, it's just getting replicated four times.

Rick Howard: Yeah, I think the number is, the last time I looked, was 3.5 million job openings, right? And it seems to grow every year, okay, and you're right Ben, I -- these are not entry-level jobs [inaudible 00:04:01], but I think that's our fault. Okay, we're the security professionals here and for years we've insisted that we're not going to hire newbies for a specific task, you know, not the overarching you got to be an expert in DevSecOps or chaos engineering or whatever it is, okay, but we've insisted that these new employees have, you know, 20 years' experience and 17 certs and, therefore, we don't hire them. And I'm wondering what you think about that, is that we could be very judicious here; if we were smart about hiring newbies coming off the street and give them very specific things to do, and I'm wondering if that fixes the problem.

Ben Rothke: Yeah, I mean it's -- I think it's a -- there's a lot of you know issues, a lot of things involved; it's not, you know, it's not like you know my -- I've got a leak in my car tire, you know, patch it and it's done. You know, there's a lot of issues and even getting back to that number, you know, I heard a figure of you know a million job openings in the U.S. And if you think about it, you know, that would mean almost like 1% of Americans are in information security. But I think there's a lot of things, you know, going on, is that there is -- the short answer is there are no quick fixes. Information security is broad, it's deep, and you know, 30-40 years ago, one of the classic books you know "The Mythical Man-Month" was written and when it comes to software development, you know, just throwing people at a problem not only will not make a software development project end quicker, it complicates things. So, there is a lot of things going on. It's just there is the supply, there's the demand, there's training aspects, and so there's a lot there. So, anyone -- and we've got this problem even in Wall Street, you know, one bad quarter could sink a company. They're thinking far too short-term, you know, companies need to think that longer term and a lot of bigger companies are doing that. They're creating programs to train existing IT staff, bring them you know into their you know security groups, you know, Citibank, you know, JP Morgan, Boeing, a lot of the big you know the Fortune 1000s are doing that, but you know, whatever, you know, 80% of American companies are on the small side and when you're a 100-person operation, you know, they don't have the budgets to you know create an internal training program. So, some of it can be done holistically internally, but you know for a lot of the companies you know they don't have the wherewithal to do that.
I think another issue is, as I said, you know just good actuarial numbers about the job openings don't exist. A lot of it is done, you know, done, I found, by surveys; a lot of things are predictions quoted as you know actuarial numbers, so that adds to it. But yeah, I think there's a lot of different things going on and there is no one thing to fix this shortage.

Simone Petrella: Right. I'm curious though, because I -- it really sticks with me too in the work we've done around this idea of the short-term realities and companies that kind of focus on "here is what I need yesterday and so I don't have the advantage or the luxury to invest in those training programs and those upskill programs" versus the reality that if we don't do those things, there is no way to ever grow this pool of talent regardless of what the actuarial number of shortfall of jobs is. So, what has to happen culturally? And I assume these large companies, they've got to lead the charge from my perspective.

Ben Rothke: I think it's, you know, a bit of a -- I once remember I got a bill you know in the old days when you used to pay bills in an envelope, from the AAA. Their envelope said, I think, you know, "Auto safety doesn't cost, it pays." I think so too with information security, it doesn't cost, it pays, it is an investment and you know there was a [multiple speakers].

Rick Howard: We don't treat it that way as an industry. I, you know.

Ben Rothke: Yeah, it's.

Rick Howard: Because, you know, with my experiences, when we train employees, existing employees, we never do it with the idea that we're going to improve the team. That's not the primary consideration, right? It is.

Simone Petrella: Yeah.

Rick Howard: We're going to -- it's usually a perk, you know, Kevin he did a great job last year on that project. We're going to send him out to Black Hat as a reward to further his career. But what it really should be is the security leadership deciding, we're going to improve how well the team performs on our particular strategy and that's a culture shift for all of us, because none of us do it that way.

Ben Rothke: Yeah, as I said, you know, there's a lot -- I mean, when you invest in the people you need to invest in the products and the technology, in processes, in all of these. I mean, the -- I mean, the recent Caesars hack, you know, the numbers are going to be a 100 million; it will probably go up and in the end it will probably cost some you know half a billion dollars. But I think you know it's sort of the mindset of a lot of things, is you know people don't focus in that long-term, meaning, you know, even you know health insurance you know they'll pay for years of dialysis you know, but they won't pay to you know have this person you know see a nutritionist in their teen years. So, you know, as I said, I think information security in some ways is really you know not that different from IT, from society as a whole, but as I said, it's gotten to that point you really can't ignore it anymore. I mean, it used to be you know you would read these information security horror stories, you know, once a quarter, you know now it's -- it's weekly and there's -- I mean, in the last week, I mean, there's Clorox, there's Caesars, there's MGM, so companies are slowly getting it. But it's like the proverbial aircraft carrier, you know, these things are huge and big and you know you want to make a change and a turn, you know, it does take a while. But even with the new SEC guidance, that's changing things significantly. So, in some ways information security is going to be more inherently, you know, we always you know focus on risk and you always see you know the dangers and everything, so I think there is a lot of good things going on. Information security is now at the board level. There's a lot of investment, but you can still [multiple speakers].

Rick Howard: Yeah, but the -- you can take.

Ben Rothke: It can take a while to fix.

Rick Howard: The culture change though, Ben, that I'm talking about, right, is that when you have a budget for training and it's earmarked for you know career progression, okay, that's the first thing that gets cut when times get short and when times get tough. But.

Simone Petrella: Yeah, and.

Rick Howard: Yeah, go ahead.

Simone Petrella: No, and Rick I think you really said an operative word. It's what -- how is it tied to a strategy?

Rick Howard: Yeah.

Simone Petrella: Just having a bunch of -- it's easy to cut a budget for training when it's a perk, because that's what it's used as.

Rick Howard: Yeah.

Simone Petrella: A perk and so you take away the perk because you do that, if it's not tied to a talent strategy, a people's strategy, then I think.

Rick Howard: Or a, you know, not to toot my own horn, but a first principle cybersecurity strategy.

Simone Petrella: Yeah.

Rick Howard: Right? So, if your strategy is, I don't know, resilience, like it is here at the "CyberWire," okay, we need people to know how to do resilience and I can take a bunch of decisions, resource decisions to the, you know, to Simone my boss, and say "you spent $3000.00 on this. I can buy down risk with that," right? As opposed to, you know, it's Kevin getting a you know a pat on the back because he did a good job last week.

Ben Rothke: Yeah, I think that gets you know into the -- another issue, you know, it is creating the you know return on security investment, you know, that is a challenge, you know, as it is getting real you know getting back you know actuaries are great you know they're able to do what they do. If you're familiar with FAIR, Factor Analysis of Information Risk, you know, that's a great method to show and quantify that, but even getting those good numbers, you know, getting really good metrics, you know, that's an effort in and of itself, but yeah, a lot of things can't be cut, but you know, in office buildings you know no one says "Hey, times are tough," you know, "we've got to cut back on electricity." You know, we've got to cut back on plumbing, because you know you can't do that. And so, [inaudible 00:12:38] information security is really no different, I mean, uh.

Simone Petrella: Right. But, you know, it's -- but it's a really good point when you think about the amount of budget that's spent, especially the operating budget spent on head count. That is by far the largest amount of budget spent. It's ultimately on people. And yet we have this fixation with calculating return on investment on technology and process improvements. It's hard to capture metrics. There are ways to try and capture metrics, but at its very core you can break down the cost differential of what it takes to invest in someone, train them up, versus what it costs to either make a decision to hire very experienced, expensive talent or, you know, identify outsource providers, like those are numbers that exist that you can.

Ben Rothke: Yeah.

Simone Petrella: Make comparatives against.

Ben Rothke: Right.

Rick Howard: So, Simone and I have been batting around an idea called Moneyball for Workforce Development, right, this is basically Billy Beane deciding that he's going to buy three players for $200,000.00 whose first principle metric is get on base versus Jason Giambi, who they paid $7 million for, who was an all-star player in all areas, and he basically realized you can replace Giambi in aggregate with three cheaper players, and that's what we're suggesting here, is that you can bring in newbies from you know recent college graduates or even transitioning government employees who are looking for a new career, who have no experience but a hunger to learn something new, right, and train them on one or two things that are essential to your infosec program and demonstrate to the leadership that you can buy down risk with that approach, and that might go to filling the gap in all those open jobs we were talking about.

Ben Rothke: Yeah, I think there is you know there's a lot of you know a lot of good ways you know to address it. I mean, there is you know scores of different ways and I think one of the you know one of the you know one of the things about security is you know there's a lot of people who actively want to get in this field, you know, there's a lot of people in IT who are transitioning and so the good news is there is a lot of people who are interested, but it is, you know, a lot of companies you know want someone who could do it today, not you know three to six months from now, and it does take that forward thinking. You know, they want their Jason Giambi who could, you know, sell out stadiums today, you know, bring in the crowds, do all of that, but it's a calculation. It does take a forward-thinking leadership approach and it is a challenge; on one side you have to have a long-term approach and strategy, on the other side, you know, you have day-to-day, you know, day-to-day operations. So, I mean, no -- it's a challenge. It's juggling and you know the companies are going to do the best they can.

Simone Petrella: Right. Well, so let me ask the really tough question here, because there is so much national executive branch level attention on this issue. The White House issued their strategy on cybersecurity workforce, think tanks like the Aspen Institute have been focused on creating cybersecurity workforce working groups all around kind of the talent shortage overall. Ultimately, when we think about this conversation around the big companies, who's investing in these long-term approaches, how do you balance the short-term day-to-day needs versus this long-term? Who ultimately bears the burden? Because I think that's one of the things I really struggle with. If we're looking at this as a national security level type of priority and then we look to companies or independent, you know, private organizations to self-select into creating good strategies, which is a completely, you know, free market capital type of societal approach, but it hasn't been working for us so far. So, like who are we going to put the -- who are we going to pin the rose on here?

Rick Howard: That's a great question [brief laughter].

Ben Rothke: I think of.

Simone Petrella: I stumped us all.

Ben Rothke: I think someone said, you know, a lot, you know, going into information security you got to realize that CSO stands for Chief Scapegoat Officer [brief laughter], and even, I mean, even there's a thing called Spaf's Law, Eugene Spafford from Purdue University. You know, said this 25 years ago. To the degree, is you know if your job is in information security but you know that, but Google it so you can know exactly, but it's -- but if you don't have budget to hire staff or get new products, you know, you're -- normally organizations take the blame when things go wrong.

Rick Howard: It defaults to that bottom layer, right?

Ben Rothke: Right. You know, at the end you know ultimately the buck has to stop with senior management and, you know, for the longest time companies -- and you know, every question goes back to hey, you know, there's a lot of issues in play, it's not just the one you know leaky hole in your tire. As you know, the tenure of a lot of chief security officers is so short because they're put in impossible positions, but you know, it's gotten to the point you know the SEC is getting involved and we're saying, you know, information security is no longer you know just this back-office issue, it can affect national security. It could affect, you know, the bottom line, it's affecting critical infrastructure. So, it's slowly turning, you know, into a board issue and so ultimately it's going to be the CEO who is going to bear that responsibility.

Rick Howard: Well, let's talk about that because that's a -- that's a culture change, right? Because.

Ben Rothke: Yeah.

Rick Howard: What Simone was talking about, traditionally those decisions rested with the CISO, okay, and by the way, shared with the HR department because they're the ones trying to hire these people. But I think that's wrong, right? What you said, Ben, is right, this is a senior executive team decision. So, we need to arm the security leaders with the ability to show how we buy down risk with this approach, then the senior leaders of the company can make those decisions along with all the other business risks they have to deal with and it gets it right in their lap, and I -- that's the culture change that has to happen, I think.

Simone Petrella: Yeah. Well, and but the reality too is that every role within, I mean, every company has evolved into some form of a tech company whether that's their core business operations or not. We're just so ingrained, and so I always kind of chuckle to myself when you go into an organization, even our own office, and you know, the IT desk is literally in a room like a fishbowl with like a door that covers it because there is sequestered problem on the side and you're going, "Why?!" Like, this is not just one little enclave of the organization, it's actually kind of everything we do is reliant on it. So, just culturally, like, we actually physically sometimes partition them.

Rick Howard: Yeah, that's right. Put them in a fishbowl. I like the way you said that. We're not allowed to talk to those people, okay.

Simone Petrella: We're preppy. [laughter] Just feed them a little bit of food and like [multiple speakers].

Rick Howard: That's right. It's like close the door.

Ben Rothke: You know that kind of thing, you know, it really you know every you know every company now is an IT company. I mean, even you know is, you know, when systems go, I mean, in hospitals for example, you know, IT goes down. I wouldn't say hospitals are going into the dark ages, but you know, we're so overly reliant on it which has, you know, countless benefits, but you know, there's you know significant risks also and I think one of the issues with you know IT also is that it's so easy to build things and do things; security is often brought in at the end, you know, no one builds a you know 50-story office building without you know architectural review, permits, etcetera, etcetera, but you know, how many companies have rolled out you know the equivalent of a you know a 50-story office building without you know due diligence? It is so easy to do, especially with cloud computing, you can get it out there but you don't understand you know these problems until much later and it's like the you know Millennium Tower, you know, that you know that with the foundation you know that's a perfect example, you know. That poor foundation is affecting the lives of a lot of people and it was something that could have been fixed early on, but now you know once the skyscraper is up, you know, trying to redo the foundation is extremely expensive, you know, on a lot of different levels.

Rick Howard: You were talking about how IT has infiltrated every company, you know, like the cement company or like MGM with this recent hack. I was listening to an interview this week, two women who weren't in Las Vegas because of the casinos, they were there for shopping and other things, but they took a stroll through the casino during all of this and you know it was empty, right? Because nothing worked and they're saying, "Oh, isn't this quaint?" Okay, it's so beautiful. But none of the services actually worked there. You know, and these guys are ostensibly a gambling casino, but all their IT services were turned off, so that's right.

Simone Petrella: Yeah, well I.

Ben Rothke: Yeah, I think you know Bruce Schneier wrote about, you know, in the old days you know you would, a farmer would buy a tractor, he would buy a John Deere and do his work. I mean, now when you buy a John Deere piece of equipment, you know, you're buying a computer with this farming equipment and these computers now have licensing, you know, end user licensing agreements, there's updates and there's a lot they can and can't do. So, it's so embedded literally and figuratively in, you know, every aspect that relies on IT and.

Rick Howard: So, that's the culture change right? It's sort of like Simone said, these folks should not be the fish in the fishbowl, right? They are integral to how well the business is going to do.

Ben Rothke: Sure.

Rick Howard: And then we need to treat it that way.

Simone Petrella: Yeah. Well, so I want to leave us with this parting question; I'll give you both a chance to kind of answer it. As a takeaway, if you were to identify one thing, the sort of low-hanging fruit, that could start to change this culture paradigm and start to focus the industry on the long-term solutions, what would be your first starting point?

Rick Howard: I know what mine would be, but Ben what do you think?

Ben Rothke: Oh, [brief laughter] just -- I mean, I would just say, you know, stop and, you know, figure, you know, really understand, you know, what your IT issues are, you know, what your needs are, what your goals are, and understand how to, you know, get security involved in that.

Rick Howard: So, I'll piggyback off that, right. I would call that deciding what your strategy and tactics are. But the first step in solving this problem, I think, is being able to assess your current workforce on how good they are at pursuing those strategies and tactics, so you can make a decision about training resources in the future. That's what I would do.

Ben Rothke: Yeah.

Simone Petrella: That's great. Well, Ben, Rick, thank you so much for joining for this discussion, always a ton of fun.

Rick Howard: Thanks, Simone. That was fun.

Simone Petrella: Good.

Ben Rothke: Thank you.