There are millions of cybersecurity jobs open. Over time, that number has just been growing. What we’re doing now does not seem to be working. So what’s it going to take to fill all these jobs quickly?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Rich Gautier, former CISO for the U.S. Department of Justice, Criminal Division.
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor, Brinqa
[David Spark] There are millions of cybersecurity jobs open. Over time, that number has just been growing. What we’re doing now does not seem to be working. So, what’s it going to take to fill all those jobs quickly?
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me, you know him very well, his name is Steve Zalewski. Steve, say hello to our friendly audience.
[Steve Zalewski] Hi, friendly audience. How you doing?
[David Spark] That’s Steve Zalewski. Just want you to get familiar with that voice. Our sponsor for today’s episode is Brinqa, and Brinqa orchestrates the entire cyber risk life cycle across all security programs, including understanding the attack surface, prioritizing vulnerabilities, automating remediation, and continuously monitoring cyber hygiene.
More about Brinqa and just that later in the show. But first, let’s get to the topic at hand. Steve, Chris Hughes, the CISO and co-founder of Aquia, posted an article by Jennifer Riggins that she wrote for The New Stack, and it was about how to get millions of cybersecurity jobs filled.
And Chris summed up the problem to poor job descriptions, antiquated hiring and workforce practices, a lack of diversity, not selling the purpose of the field, and increasingly complex systems and environments and a steep learning curve. I think that’s just a shortlist of what is a much longer list.
[Steve Zalewski] Oh, yeah. I think this is a great list to start with, but the more systemic challenge is what we’re going to talk about.
[David Spark] Yeah, so our goal here is not to beat on the problems although we’re going to beat a little bit on it, but to look for aggressive – and I’m going to use the term you use all the time – maverick ways of tackling this problem. So, it’s a situation I will say I don’t think anyone on any side of this problem likes the situation.
Everyone hates it and everyone wants a new solution. So, I think everyone’s sort of eager to hear this conversation. Yes, Steve?
[Steve Zalewski] Well, whether they’re eager or not, we have to have it. How about that?
[David Spark] Better way to put it. Well, let’s bring our guest who I met at Black Hat last year and thrilled to have him on this show. He is now very recently the former, by his choice, former CISO of US Department of Justice Criminal Division, Rich Gautier. Rich, thank you so much for joining us.
[Rich Gautier] Thank you for the invitation, David.
What are they doing wrong?
[David Spark] Jesse Hazel of NORC at the University of Chicago said, “I saw a job description yesterday for a position and role I used to work for with the infamous ‘need 10 years’ experience and CISSP.’ I definitely served in that role without those two things, so you’re just cutting yourself short with job descriptions like that.” Jesse goes on to say, “Job description requirements are what is partially holding back the industry from tapping into greater diversity of expertise, thought, compassion, expertise, experiences, and doctrines.
If everyone has to have requirements, you’re not tapping into talent, you’re pigeonholing yourself and establishing a mediocracy.” That’s an interesting point, why we push for diversity. And Ivan Radusinovic of Lockheed Martin said, “I see a lot of postings that are asking for someone to be overqualified but not adequately compensated.
This in turn empowers the informal method of ‘who do you know’ to get a job. Not saying that’s terrible but can miss out on great talent.” So, essentially both Jesse and Ivan talk about the narrowing of trying to find talent, and I think when I see this stuff there’s a lot of, “Well, let’s shoot high to see what we get, and then if we have to, we’ll loosen restrictions.” Do you see this behavior, Steve?
[Steve Zalewski] Yes. But that’s really indicative of an industry where there’s not enough resources, and so therefore how do you differentiate, and your own principles. “Oh, we want the best of the best and so therefore we’re going to interview 25 people and pick 1.” So, therefore there’s cachet. It’s what we were talking about.
All of those things come into play when you’re considered rare and unique.
[David Spark] Good point. Rich, what do you think of this? And by the way, Jesse and Ivan, this is just one of sort of many ways that companies narrow the field in the hopes to get a winner right out of the gate.
[Rich Gautier] I think one of the challenges that leads to that, David, is staffing numbers. A company can only hire so many people, and they’ve got a budget that they have to match. And overcoming those staffing numbers when you can’t even fill the positions that you have open, going to leadership and saying, “Well, actually, I’d like to hire more people, but if you’re only going to give me one then I’m going to try and hire the racehorse.”
[David Spark] Right.
[Rich Gautier] Would you rather hire a racehorse or would you buy three foals and rather train them to be racehorses? So, you run into this dichotomy of problems you’re fighting – your organizational budget versus what’s available.
[David Spark] And I hear this problem all the time, Steve, about this issue of head count versus budget. I feel – and correct me if I’m wrong – that budget is easier to get than head count. Yes?
[Steve Zalewski] Yes. Because budget can go away, it’s annual. Head count is forever, right? Think about it. Once it’s in, it’s really hard to get rid of headcount, so people are very, very careful with that baseline headcount, the opex versus capex play.
[David Spark] And Rich, could there ever be a situation that’s like can we transfer – because again, it goes to the capex/opex play – can we move some of this budget into head count? But when I hear that comment like, “If I’ve just got one or two slots, I’m sorry, I’m not going for the green person.
I’m going to get the best thing I can get.”
[Rich Gautier] Well, I think the maverick play there, David, is to take a look at contractors, right? Rather than hiring employees, a lot of organizations or the organizations I’m familiar with will turn to contractors to fill the roles and essentially say, “Well, you know what? Let’s just have an annual contract that has a yearly renewal for the three bodies that I need.
Have somebody else solve the HR problem of how do I hire them and make them responsible for it.” So, it’s essentially taking that risk of not being able to fill your personnel requirements and putting that risk on someone else and then paying for that privilege.
Why is this so darn hard?
[David Spark] Dan Rooney of Accenture said, “The people element is ever so more important. Organizations are increasingly building more complexity into their model with new technologies and ways of working. We have cloud ops, AI ops, multiple platforms – SaaS, etc. – OT and IoT, changing op models and legacy.
Having the right skills, organizational talent, and perhaps most importantly, the soft skills to drive the right type of change, all of this is key to transforming safety at pace and scale.” So, Dan’s just sort of posting that even if you had a pool of talent, that talent need is constantly changing and it’s growing, it’s changing and growing.
Like nothing saying like, “Oh, we need less skills now,” is there, Rich?
[Rich Gautier] No. As a matter of fact, part of the transferring that risk to the contractors or to MSSPs, for example, is the idea that, “Well, when I no longer need this skill, I can now go to a different company with that other skill.” Although this problem of complexity kind of just brings back the desire to how do we simplify things, right?
I had the opportunity to play as the temporary CIO in my last role, and I can definitely see the problem of the growing complexity and the desire of the business to bring in unique technology solutions on a continual basis. We also have to fight that urge to just bend over backwards to do anything the business wants the way they want it and instead try to solve their problems in a resilient way.
[David Spark] Steve, Rich brings up a good point about shifting a lot of the burden over to contractors, and I can see some of the pros and cons. What are your thoughts here?
[Steve Zalewski] I think the model, the underlying model is broken, right? Which is contractors and everything we’re talking about. So, as you like to say, let’s go maverick for a minute.
[David Spark] Please.
[Steve Zalewski] And so the first thing I’ll say is let’s acknowledge we should be hiring by aptitude, not by knowledge. Hiring for your aptitude is groundbreaking because it means you may know a bunch of stuff, but that’s not what I care about. I care about your aptitude and willingness to learn, not your knowledge.
That’s groundbreaking if you start there. Second thing I’ll say is so let’s hire only on aptitude and let’s get back to building Model T’s and stop thinking that everything is a Rolls Royce and has to be custom built. Okay? So, let’s get back to you hire for basic aptitude, you bring in a lot of people, and you build it like a Model T.
I have level one analysts; I have level two analysts. They do not need much. We outsource them today. Bring them in. Get them in from high school, make it a form of program as a junior in high school that if you have the aptitude, you can go ahead and take some courses and come out doing that as opposed to being a mechanic for a car.
Rethink the fact that it’s a four-year degree. Rethink that we’re building the phantom Rolls Royces and everything has to be custom and it’s beautiful and it all fits too. We got to get to Model T. We just got to be repetitive and good at getting a huge funnel and not thinking that all of this is a $250,000 job and incredibly difficult.
Let’s just put it on its edge, take it upside down, and go, “We’re going to create a giant funnel in the top and we’re going to be brilliant at the basics and we’re going to automate, automate, automate. And let’s just start bringing the bodies in and we can pay them less and they can be very satisfied with what they do.”
But stop thinking about this as a complex phantom Rolls Royce.
So Rich, devil’s advocate, okay? I’m building a Model T and I decide that I’m going to go from an automatic transmission to a manual. Do I have to go rebuild a new car or do I take the transmission and I just figure out with those guys how to make it different? Right? So, instead of trying to make it complex, that’s what I’m getting at, which was why don’t we just go back and realize we’re making incremental changes to very simple mechanisms and not starting with the, “Oh, it’s got to be complex because I have to rebuild the transmission, which means I need a new engine, which means I need a new gearbox, which means I need bigger tires.” So, what do you think if we tried that way?
What would it look like for you?
[Rich Gautier] So, Steve, I’m definitely a believer in keep it simple theory. Keeping it simple is very, very important to have effective IT, and you don’t want to overcomplicate things. So, absolutely, get the point of simplifying things and try to run it down to their basics. However, like you just said, if you were going to go from an automatic to a manual transmission, now you need somebody who understands how manual transmissions work.
Very likely the people that are working on that Model T may not have that knowledge. Which kind of gets to the point that I think that David was trying to make in that you may need expertise at a moment’s notice, so therefore need to hire it, and that that could lead to the problem of needing to hire the people.
So, that may be the problem that we have to solve.
[David Spark] But that, like what you said earlier, Rich, I think in those instances you really should be leaning on contractors if it’s an expertise that needs to be dealt with immediately. Steve?
[Steve Zalewski] Yeah. And so now I’m looking at let’s just say IT versus OT, right? Or industrial control systems, right? That’s the I have one transmission; I need a different one. Okay? Because it’s just fundamentally I have a different requirement. I can build it myself; I can go out to a contractor and I can potentially bring him in for 30 days or 90 days in order to get the design right and teach my current engineers how to then be able to build it.
[Rich Gautier] Absolutely. And if those engineers have the right skills and abilities, not the knowledge, so the whole NICE framework is based on the KSAs – knowledge, skills, and abilities. If like you say, we hire for skills and abilities and worry less about specific knowledge, we’ll be able to fill more positions.
[Steve Zalewski] And that’s aptitude. See, that’s what I’m getting at, which is don’t use words like skills and knowledge because then you’re going to want degrees. It’s what’s your aptitude. How can I know what you’re foundationally good at that when I put it in front of you, you want to be able to do it because it’ll come easier than something that you’re not normally aligned towards?
Sponsor – Brinqa
[David Spark] Before we go on any further, I do want to tell you about Brinqa. You remember I mentioned them at the beginning of the show? Brinqa? Well, more was supposed to be less. Do we remember this? Yes, one cybersecurity tool after another after another, an ever-growing arsenal to keep up with increasing risk exposed by rapidly expanding attack surface.
More tools in order to bring about less risk. But that’s not what we got now. Instead, more tools have only led to more complexity, more incompatibility, more silos, more pieces to the puzzle, more time trying to understand security posture to see what’s what, and more hurdles to take effective action.
What we need now is more precision, more laser-targeted action.
Now, to manage assets and their vulnerabilities across all security tools, programs, and the entire attack surface; to know who owns what, to get a single source of truth; and surgically eliminate critical risk; this is exactly what Brinqa provides to those charged with navigating the relentless chaos of securing their business.
The Brinqa SaaS platform cuts through security complexity and empowers precise action, tuned for specific environments and business outcomes. See clearly, act precisely with Brinqa. Learn why companies like Adidas, Whole Foods Markets, and Coca-Cola trust Brinqa. Visit their site brinqa.com to learn more.
Make sure you check them out.
There must be a better solution
[David Spark] Chuck M. of Fortress SRM, I’m going to read a quote that I’ve actually read before on a previous time because I like this quote so darn much, and Chuck points out, “The military will take an 18-year-old and turn him or her into a soldier in 16 weeks. They will continually train that soldier over the course of their employment.
You can improve job descriptions and shore up your hiring process all you want. But if you hire, train, culturally integrate, and reward that person, you’ll be far better off. Turnover will decrease, pay will normalize, and productivity will increase.” Chuck summarizes it as, “Hire, train, reward, win.” And Sebastian Rohr of umbrella.associates GmbH said, “This is why I just started to offer cross-training junior consultant/trainee positions for anybody who has a decent IT/admin or infrastructure knowledge.” So, I’m throwing this to you first, Rich.
We hear this all the time from people wanting to get in, “Please train us. We beg of you. Train us.” And it seems that’s the solution but it requires an institutional process kind of like the military has, which Chuck points out.
[Rich Gautier] So, being ex-military, I actually love this quote. At the risk of angry emails from some vets, each armed force seems to approach problems in a different way. And for the Army it’s, “Let’s throw lots of people at the problem and see what happens. Throw 1 sergeant and 20 or 30 soldiers at a hill and that hill will be taken.” We don’t have adequate train-to-perform positions in the field.
The work needs to be rescoped. Instead of to one super talent, you throw three beginners in the mix, you create a competitive yet also a teamwork situation. There’s a lot of desire out there to get started, but the knowledge gap for cyber positions is great. And I hear this from students that I teach – we have to focus more on the S and A part of the KSAs as I had mentioned earlier.
New bodies, bring them into the field with the skills and abilities to pick up the knowledge over time. Not one of us started our cyber careers knowing anything, sometimes even to a cringeworthy level. Even expecting any enterprise IT experience might be even too much. Give me someone who mines bitcoin as a hobby.
This is going to get you unique ideas, diversity of thought, and a challenging atmosphere.
[David Spark] Steve.
[Steve Zalewski] Let’s stay with the military for a minute, okay, and with what Rich said, which was here’s the challenge – we’re not taking a sergeant and 20 privates and saying, “Take that hill.” We’re not offensive. We’re defensive. What we’re saying is, “Take that sergeant and those 20 privates and hold a six-mile line of defense against 50,000 attackers.” That’s what we’re trying to do.
So, we have got to get not 20 for that guy, right? We got to get thousands, and we have to give them basic training and aptitude to be able to do that. But we’re a defensive- but not an offensive-based approach, which creates a real limitation for us, which is why we’re so heavy in automation and so heavy on defense in depth.
So, what I’d say is find a better solution, why I keep coming back to the go with aptitude. Bring a bunch in, hire three instead of one, realize the approach that you’re trying to do so that it becomes a Model T type of be brilliant at the basics; automate, automate, automate; and just don’t deviate from that.
And therefore transition all the reasons why you got to have the perfect person.
The other thing I’ll say is it takes us, what, eight years to build an aircraft carrier now, one every eight years. And yet in a war, we were cranking them out one every six months. There’s a lot more efficiency that comes when you put more bodies at it and you focus on the problem. And that’s what I think too is let’s refocus on the fact we need to build Model Ts and we need to defend, and just simply say, “And it’s aptitude,” and force us to rethink a lot of the traditional processes that we use when we hire everybody like for every other position.
What is everyone complaining about?
[David Spark] Malia Mason of Corvus Insurance said, “Sigh. And how many of us are filling the role of three to five security people in one? I agree with the other comment – the number is in reality much higher.” So, millions, even millions more, believes Malia. “Burnout plus steep learning curve will keep adding to the problem.” So, we keep seeing this number going up.
It could be exactly what Malia is saying – the burnout, the steep learning curve which we also pointed out. I think maybe some of this maverick thinking has to do with how do we make this a job that people want to join and stay in. Steve, yes? Because how is the PR for working in cybersecurity going?
What do you think?
[Steve Zalewski] Not so well. Because what we say is we’re going to take the best and the brightest and we’re going to overwork you. And that’s what we keep getting back to which was, yes, that’s a great position to be in if you’re one of those, but that’s not doing what we as a security village need to do as a shared responsibility to defend our companies against that huge perimeter.
And so when I see this type of stuff, and I’ve been there and I’ve seen it, that’s why I’m kind of passionate on this, to be able to say brilliant at the basics, simplify it down, okay? It starts with us to know what’s good enough and don’t set the bar too high too early and see what we can do.
[David Spark] The thing that I see again and again, Rich, is there’s so much social media and content out there of like, “How to get a job in cybersecurity,” and tons of companies are saying, “We’ll give you the certification for such-and-such.” And then these people who really have all the good intentions and really want a job in cybersecurity, mostly because of how well it’s paying right now, finish these different things and then when they get to the real world, it doesn’t turn out per what you’ve been saying earlier – I need the best of the best, not the person who scored top in their class, but the person who’s actually had X years of experience.
Rich, what do you say to this group of people? Because what we’d love, if there’s a way to get that flood of people who are waiting to get in to quickly get into the industry.
[Rich Gautier] Well, you said what would I say to the students themselves, and I think it’s more of what I would say to industry as a whole.
[David Spark] Actually, yes.
[Rich Gautier] Hiring more at the lowest level is the way to go precisely for these reasons – burnout and resilience. Instead of searching for one person that costs me 150,000 a year, maybe I stretch my budget just a little bit, hire three people at 55,000 a year. I get vacation coverage, I get weekend coverage, three compadres and a great work environment, a desire for all three to learn as quickly as they can because they’re going to compete with the others.
And of course, I’m going to make them slave to document everything that they learn, but that benefits both of us because when they cycle out for that mid-tier job, I’ve got the documentation and they have the experience that they built doing it.
[David Spark] Seems like a pretty nice formula. That’s some pretty good maverick thinking. Steve?
[Steve Zalewski] Yes. Well, and that gets back to are we here to secure the company or protect the business. We’re not here to be perfect, we’re not here to be at maturity level five. We’re here to acknowledge that humans make mistakes, that we are being attacked, and that when we throw bodies at the problem, it’s correspondingly better for the same reason.
You have more aptitude and more people and you’re not telling them to solve the entire problem. Break it down, keep it simple, what’s good enough. And that’s why that maverick thinking of it flies in the face of a lot of folks with whom we’ve had this conversation. They’re firefighters. They want to come in, right, or policemen, they want to solve the problem, they want to be heroes, and therefore they take it all upon themselves and not realize that what they need to do is just put the fire out as efficiently as we can and move on.
[David Spark] Well, that is a very good place to end this conversation. This has been great. I think there’s some very good maverick ideas. I think we’re all kind of onboard of let these young people in who really want in and create some training for them.
Now we come to the point of the show, Rich, where I ask you, which quote was your favorite and why, and I think your quote is my favorite quote. So, which quote is your favorite?
[Rich Gautier] I think that all three of us really enjoyed the quote from Chuck M. I’m a vet so the military taking me in and training me up made me a lot of what I am today. So, I’m a firm believer in that quote just because it reflects life.
[David Spark] Well, and also he points out that like when everyone says, “Well, we need someone already experienced,” he points out, he goes, “This is already being done. People with no experience. It can be done. It just needs to be sort of formalized, like what the military does.”
[Rich Gautier] Oh, we all wish that we had DoD’s budget.
[David Spark] Yeah, that too. That would be nice. Steve, your favorite quote and why.
[Steve Zalewski] Oh. So, this is going to be complementary. Sebastian Rohr from umbrella.associates GmbH, “This is why I just started to offer cross-training junior consultant/trainee positions for anybody who has a decent IT/admin or infrastructure knowledge.” What did he just do? “You have an aptitude for it?
You’re hired, then I’ll figure out what to do with you.” There you go. So, we talked about maverick thinking today and we really did push it. And for the folks that are listening, I really tried to get out there on the edge to do this, and that’s why I think the Chuck and Sebastian are the, “Hey, look.
This is what we have to do. These are actual ways of just moving forward, to stop whining about the problem, and let’s go ahead and get our defense built out and start doing something about it.”
[David Spark] All right. Well, that brings us to the very end of the show. I want to thank our guest, and by the way, Rich, I’m going to let you have the final word here in just a second, but I also want to thank our sponsor Brinqa. Brinqa orchestrates the entire cyber risk life cycle across all security programs including understanding the attack surface, prioritizing vulnerabilities, automating remediation, and continuously monitoring cyber hygiene.
You can learn more about them at brinqa.com. Mr. Steve Zalewski, any last thoughts on today’s topic?
[Steve Zalewski] To the audience – this episode was designed to be inflammatory, very maverick thinking. Get out of the way we’re thinking about the problem, and by doing that, hopefully, we start to look at some of our own biases. So, I want to thank the audience for the opportunity to really look outside the box and see what’s happening and just put some ideas out there to create more thinking.
[David Spark] I’m onboard. All right. Rich, any last thoughts? I’m not saying are you hiring because you have left the US Department of Justice Criminal Division, but I’m assuming there are, if someone else wants to go work there, are there positions open?
[Rich Gautier] I believe that there is a position or two open there, yes.
[David Spark] All right. Well, go take a look. You’re no longer there. What are you doing with your time now that you have left the US Department of Justice? Are you just essentially bumming around?
[Rich Gautier] So, at the moment, I’m teaching cybersecurity courses…
[David Spark] Awesome.
[Rich Gautier] …at a bunch of different universities, so I hear these how do I get into cyber questions quite often. And then on a personal level, having just retired from federal service, I’m really looking at new opportunities, either a new green field or a restructuring position to help an organization re-envision or create its security program, or maybe a grant or fellowship where I can perform some passionate research, like creating an easy-to-use unified security architecture approach.
[David Spark] Awesome. Very good. If someone would want to learn about where you are teaching, where would they go?
[Rich Gautier] Well, I’m on LinkedIn and I’m fairly plugged into that, so that’s the easiest way to reach me.
[David Spark] Okay. So, we will have the link to Rich’s LinkedIn profile on the blog post for this very episode. Thank you very much, Rich. Let me remind everyone – that was Rich Gautier who is the former CISO for the US Department of Justice Criminal Division. And you know Mr. Steve Zalewski, who’s just this clown who joins me every now and then on this show, right?
[Steve Zalewski] Right.
[David Spark] Thank you, everybody. We greatly appreciate your contributions and for listening to Defense in Depth.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday and Cyber Security Headlines Week in Review. This show thrives on your input. We’re always looking for more discussions, questions, and “What’s Worse?” scenarios.
If you’re interested in sponsoring the podcast, check out the explainer videos we have under the sponsor menu on CISOseries.com and/or contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.