The Cybersecurity Labor Shortage is a Population Problem

Published On
Sep 7, 2022

Informal security chat with Beyond Identity's CTO Jasson Casey and Reece Guida on how a declining population impacts cybersecurity jobs.

Transcription

Reece

Hello, everyone. Welcome to another episode of "Cybersecurity Hot Takes" with me, your host, Reece Guida, and...

Jasson

I am Jasson Casey. I am the CTO of Beyond Identity. And apparently, I remembered how to do the intro this time.

Reece

Yeah. I think that was the best one yet probably because there was only one "and" that needed to happen. So, yeah, everybody, it's just me and Jasson today, and we're gonna talk about something that everyone in this industry is certainly aware of and I'd say that the everyday person is aware of it too. There's a cybersecurity labor shortage. And, you know, the hot take for today is that that's a population problem more than anything. So, Jasson, do you wanna unpack how declining population impacts cybersecurity jobs?

Jasson

More of a musing than a direct connection, but, yeah, I think the cybersecurity job shortage is a tech job shortage, which is probably related to just a worker job shortage. And a couple of thoughts get me there, number one, if we just think about demographics, right, the bulk of the demographic that's leaving the workforce over the next 10 years is larger than the bulk of the demographic entering the workforce or that exists in the workforce, right? So, that's gonna create scarcity. That's gonna create just an imbalance of, if we're really just trying to do a one-for-one replacement, there's clearly not enough people, right? So, that's kind of one thread to keep in your mind.

The second thread to keep in your mind is the world is being eaten by technology, right? There's almost no job where you don't have to use technology or create technology. Every job is basically a tech job, which requires a certain skill set that not every person entering the workforce comes with, right? And then if we peel back the onion one more bit, which I think is more of, like, the industry and domain-specific problems, every tech job is not the same, right? There are tech jobs where your job is to use technology, there are tech jobs where your job is to integrate technology, and there are jobs where your role is to kind of create it. And even within technology creation, there's striations, right? So, there's, am I building an application that just has to think about a domain, or am I building a system that's a more complex kind of multi-domain thing?

So, you know, the skills, the principles, your abilities, and experience necessary to be successful at all of those things is different. You can kind of think of it as a pyramid, right? It might be, the systems might be the hardest, the application may be the next hardest, and then the usage is probably the easiest. And when I say hardest and easiest, I just mean kind of requisite skills coming into the equation. That would also assume that for equal capable folks going through some sort of training program, they're going to kind of lay out across those three areas really based on compensation and pay and really kind of what the market supply and demand is deciding those things are worth. And if it's harder to do one thing, in theory, you know, the comp is gonna be larger than the next. And if that's harder than the next, in theory, the comp is gonna be larger.

With that said, it's not necessarily true with what's going on right now. What I mean by that is a lot of application creation and system creation, at least in the US, happens within the startup ecosystem. And the startup ecosystem, by definition, doesn't have the pockets of a large company. So, the immediate compensation is certainly not equivalent to what a Google or a Facebook or a Microsoft would pay for their version of system creation. So, the way the startup compensates is really the way it always is compensated, which is trying to...number one, trying to find people that are passionate about the area and view the ability to work on the things they really wanna work on as opposed to just compensation as meaningful work.

And then the second part of it, or I should say the third part of it is meaningful ownership in what's being created, right? So, like at a startup, everyone is given stock or really options and ability to own a piece of the company over a period of time. Whereas at large companies, usually, you just get RSUs, which is just another form of cash payment. And if the startup goes well, and granted most startups don't, but if a startup does do well, you know, the person is rewarded outsized compared to if they were to go to another company. So, I think, you know, there's these macro trends, which is replacement and loss, right, out of whack. The second is the world is being eaten by technology, which means for everyone entering the workforce who's not capable of working on technical problems, the number of jobs that don't have technical problems is diminishing. And then just within the systems and applications creation world, there's always been this imbalance of compensation. So, supply and demand by itself doesn't solve the problem if we're being kind of short-term focused.

Reece

Yeah.

Jasson

But if we're being longer-term focused, it tends to work itself out.

Reece

I think that the market is going to recognize the importance of secure systems and the people who build them. One thing that's just occurring to me that didn't come up in those three points you mentioned, which, again, were related to population, software eating the world, and the different kinds of technology users in the workforce and technology builders. We didn't mention AI. And I wonder how that factors into things when it comes to the job shortage.

Jasson

I guess it depends on what you mean, right? So, AI is... The...

Reece

But there's just general fear, right, that people are afraid of AI, like, you know, from South Park, "They terk my jerb." That kind of thing. I don't know how that curve ball, you know, enters this debate.

Jasson

Yeah. So, I don't know if AI is taking a person's job so much as in order to supply what the world needs, the jobs themselves have to change. And it's about people entering the job market being able to...and people who are in the job market being able to kind of handle that change. So, most AI is really about trying to provide... Now, I'm gonna flub my words. This auto... Most AI is kind of about simplistic automation and better algorithms to really execute these things called decision problems. Is this a cat? Obviously, you know, we can use it in a lot more interesting ways than is this a cat? But...

Reece

That sounds pretty interesting to me.

Jasson

But, yeah, most of what AI gives us is solutions to decision problems using interesting heuristics. It's not going to eliminate the need for skilled knowledge workers. It is going to present more of a need for skilled knowledge workers, again, to be able to create as well as to be able to integrate as well as to be able to use.

Reece

Yeah. So, I guess AI would fit into the third point that you made, which is the different kinds of technology users, AI being a tool that they can deploy when building systems that they can share.

Jasson

If technology is eating the world, then there's almost no job in the world that's not gonna include some flavor of AI. And from a work perspective, we're gonna require workers who understand, obviously, at the bottom of the pyramid, how to create it, in the middle of the pyramid, how to integrate it, you know, right, because systems are always complex integrations of things, and at the top of the pyramid, how to use it. Maybe it's an inverted pyramid, right? Because we clearly are gonna have a lot more users than integrators, and we're gonna have more integrators than creators, but we still need to produce people in the workforce that can kind of operate at those three levels, whether it's AI or whether it is formal trusted systems, right, which is, you know, a different branch of CS and computer engineering around, how do I know this thing is actually true?

Reece

Oh, yeah. And speaking of CS and computer engineering, I had this conversation with a doorman in my building, and his son is 19, starting out at college, and he's at that age where he has to pick a major. And his dad really wants him to go into cybersecurity, but the son is just not interested at all. And I was thinking about ways to get him interested because, like you said, a passion for the work is really important to joining startups knowing that you're taking a risk and putting most of the value in that risk paying off in the form of stock options. So, I don't know if the university his son is attending has a cybersecurity program, right? Maybe people would be inclined to say, "Hey, a way to solve the job shortage is to put cybersecurity programs in universities." Do you see that as being a fix or do you think that existing disciplines like math, physics, engineering kind of cover that ground already?

Jasson

So, there's a lot of things there. So, I guess, number one, when you're 19, you don't know anything in terms of what you wanna do with your life, right? You've never been on your own, you've never made decisions outside of the context of your parents helping. You don't know what you're gonna like, right? And so generally...

Reece

I mean, what did you like when you were 19? What did you wanna study?

Jasson

So, I wanted to study... What did I like when I was 19? So, aside from the normal things of a teenager, I loved physics, and I had no practical use for it. I loved physics because it explained the world in a way that made sense. Math was a tool to make physics understandable. And ultimately, electrical engineering was a path on my journey in that I knew that eventually I had to get a job, that job needed to be able to pay me so I could have, you know, a lifestyle similar to what I'd experienced as a child. And it wasn't obvious to me that a physicist was able to get work, but it was obvious to me that electrical engineer could, and it was obvious to me that electrical engineer was pretty damn close to a physicist at least in the curriculum that you got to study in school.

So, that's kind of how I got there. But back to your bigger question, you know, if you don't know anything when you're 19, like, the advice I typically give people is study something that you're actually interested in and just keep your mind open and try and go somewhere where you have optionality. I think college is great and necessary for a lot of the jobs that we talked about a minute ago. It's not necessary for everyone and it's not necessary for all jobs. Also, it's not necessary that you go to college when you're done with high school, right? I've got a lot of friends that just for whatever reason, and this is not a judgment, right, just for whatever reason where they were in their life at that point in time they needed something else. And until they got that else, they weren't really ready to be successful in a collegiate environment. But for a systems creator or an application creator, I do think there are fundamental skills. Think of it as a mental toolbox that you get from education, not from training, right?

Reece

Yeah. And what would, like, some of those skills be?

Jasson

So, the STEM toolbox is kind of the deductive reasoning toolbox combined with this construction through composition toolbox, right? So, if I'm a math major, right, and I start learning, like... So, when I'm a math major, when I first start studying math, I'm really just told how, here are how all these theorems and formula work, and when you see this problem, use this and use this and use this. But as you evolve in your curriculum, you then start to take courses that really beg the question, "Yeah, but why does that work? How do we know it really works? Are there constraints and when it will or won't work?" Right? And so then you start trying to prove these things or you see...

Reece

And that's super important, those questions, when it comes to cybersecurity. You need to be able to prove them.

Jasson

Well, that's important, but the next part of it is even more so, right? You often can never prove the thing in first go. So, you have to take the problem and you have to break it down into sub-problems.

Reece

That's kinda like what we talked about in our last episode about zero trust and the assumptions that underlie it.

Jasson

Zero trust is a...in my mind, it's a way of saying taking sound engineering principles and reapplying it to a security problem, right? So, just like in math, right, we don't try and do a big thing, we try and break a big thing into a series of small things, make progress with those small things, and then prove that when we bring those small things together, we get something that's slightly larger until we get to our end result. In engineering, it's no different. A good engineer approaches a problem, a large problem, and tries to break it down into a series of sub-problems, right? A good physicist does the same thing. They don't try and solve the problem for the cow. They start with saying, "Assume a spherical cow," and then they solve the problem for a sphere, right?

And this is a mental toolbox and really the difference between education and training in my mind, right? A STEM education builds your toolbox on how to decompose problems, find solutions for the small problems, know why they work and when they work, and then know how to bring those things together in a safe environment. Training is how do I apply my toolbox to a domain, right? So, cybersecurity is a domain, but so is aviation flight control systems, right? But the principles of proving that my software is correct in the auto-lander for my airplane versus the secure boot proof that my BIOS boot loader and operating system has not been modified by an adversary. The toolbox is the same. The domain is what's different. So, tying it back to your original premise, like, cybersecurity, in my mind, is more about training. And, you know, colleges can certainly have training programs, right? You can think of it as, like, the finishing program, like, if you wanna go in this area, we'll give you a class to introduce you to some of the domains of this particular area and kind of get you moving there. I do think it's on companies more so than universities to...

Reece

I would agree. They have to incentivize workers.

Jasson

And part of the problem that I have, and this is definitely kind of a counterpoint, right? I know most people have the opposite point. Companies complain that universities aren't producing workers that actually can get work done. And I think from a company's perspective, that's a bit shortsighted. And what I mean there is if they put enough pressure on the universities to where the students stop graduating with that toolbox of skills, they're going...it's certainly easy to train them on the domain quickly, right? But the domain without the toolbox of skills is gonna equal a lot of solutions that actually don't work, that don't have the properties you think they have, and that ultimately you're going to have to replace that don't have longevity, that won't survive the test of time.

Reece

Because the foundation is lacking in terms of the thinking of how to build those things. Yeah, I can see what you mean by how that's dangerous.

Jasson

Yeah, short-term versus medium-long-term, right? So, think of it as the impetus of the product manager. The product manager wants to see daily, weekly, monthly progress on a customer's business problem, and they don't care about anything else, right? It's not their problem on whether the engineers have the toolbox or don't have the toolbox. The thing that's most apparent to them is do they have the domain or do they don't have the domain? The problems of building a product without the toolbox but with the domain typically don't show up till months 18 to 24 to 36 to 48. And based on job hopping in our industry right now, how many product managers do you think survive long enough or stay long enough to suffer the consequences of their choices, right?

Reece

That is deep. And I would say not many.

Jasson

So, this is why I was saying, like, over the long-term, these things will all work themselves out. Unfortunately, we all live in the short term and have to solve problems in the short term. And so there's not a lot of short-term pressure incentivized around building things that can survive around, like, actually, I don't know, hiring people with the right skill sets with that mental toolbox and then the domain training because the reality is, like, we all want that quick serotonin squirt.

Reece

Oh, yeah, we do.

Jasson

And the job shortage is, you know, certainly opens the door for quick salary increase by just hopping around. But if I, as an engineering leader, a staff engineer, a product manager never suffer the consequences of domain-based decisions without informed by my mental toolkit, clearly, then I'm never gonna develop that muscle, right?

Reece

So, let's just say you were, like, the overlord of cybersecurity, and you had the power to magically fix this in the short-term, what are a couple of things you would do so that people are more incentivized to, you know, kind of stick around, deal with their consequences, you know, or conversely, before they even have the chance to get there, have the tools necessary to build the systems that the world needs right now?

Jasson

So, I mean, the simplest answer is, you know, I don't have an easy answer. We're still struggling with wrapping our hands around these things too, but, like, the...

Reece

Fair enough.

Jasson

The things that we try to do, right? So, you know, compensation at a startup is really important, and long-term incentives are important. So, we try and handle that with stock, right? You don't just get stock when you join, but stock vests over time. We try... And we don't always do a great job, but we try and hold up a mirror in that if we're doing our jobs right as managers in a startup, every individual is contributing to a product and contributing to a customer's success. And so holding up the mirror and making sure all of those engineers get to see their work help another human, another person, another group, it is fulfilling, right, even if it's in a small way, and that sort of counts.

Other things to try and promote people to stick around in the long time is teamwork, right, in terms of, like, not everyone, but a lot of people, part of their work enjoyment is do they enjoy working with their team, right? And enjoying your team really just means, you know, you kind of know your team, you have time to spend time with your team, so we try and kind of promote that sort of environment, which is certainly hard during COVID, but, you know, we do what we can. A lot of it also comes down to employee selection. And that's also hard, right? There's no perfect hiring. There's really kind of trying to... You're rolling the dice, so how do you bias the dice to come up more often in your favor than not. But how do you hire people that have the properties that you think are going to make them stick around? Right?

So, have they stuck around in their previous jobs is a good indicator. It's not perfect, but it's an indicator. Do they have a clear, long-running passion in their work history from X to Y to Z? Right? With younger workers, you never have answers to those questions, and so you're just rolling the dice. And like I said earlier, right, like, when you're 19, you don't know anything in terms of, like, what you're gonna like and not like. And so I don't know if this number is still true, but, like, back when I was a hiring manager, I used to not...I used to assume my fresh grads would never stick around for more than two years. And half of them would split at two years and go to a different industry, right?

Reece

Wow.

Jasson

Like, they'd go to business school and get an MBA or they'd switch or go back to school and get a legal degree or switch and join a finance or something like that. And, you know, honestly, I think in some scenarios like those scenarios, that's not a... It's not really a fault of anyone. You just kind of have to plan for it because, again, when you're 19, you've experienced this much of the world, so how do you really know what you want, right, out of life? But, yeah. Getting people to stick around, there's no easy answers. The best I can hope for is trying to find people who have work experience who have stuck around before that are really kind of invested in certain types of problems that have good chemistry with the team and then...

Reece

And want to see their work do good in the world.

Jasson

Yeah.

Reece

Yeah. So, we would be remiss to talk about a problem without trying to pose a solution, right? So, I think we're hiring right now, right, Jasson? What's a job or two that you'd like to feature for listeners of this podcast who may be interested or may know someone who has those qualities you talked about?

Jasson

So, we got a ton of jobs. So, one of the most pressing jobs right now, actually, is someone to run the IT function for the company. It's a New York City-based job. We have an office in New York with about 80 people. Those people are... There are people in the office every day of the week, but Tuesday through Thursday is really when the majority of them are in. It's very much kind of a young company, bullpen style environment. That's where a lot of our inside sales is happening. That's where a lot of our marketing and certainly where all of our execs are. So, getting someone to actually lead that function who's New York-based who's comfortable coming into the office and wants to come into the office to kind of help train others and learn what it's all about. We have a penthouse, 41st floor next to the Empire State Building, beautiful views. We got a great deal because of COVID.

Reece

And we have a fully stocked kitchen that I use every day.

Jasson

What else? We've got support engineering jobs based in Dallas, Texas. So, again, this is great for kind of, like, folks earlier or mid in their career who like the idea of doing systems integration, back to that kind of middle tier, the pyramid that I was talking about earlier.

Reece

Yeah.

Jasson

There's a bunch of engineers that live in that area with backgrounds in telco and big systems. And then, of course, we're always hiring, you know, software engineers that are... I used to... I like to say principally trained, but what I mean by that is, doesn't necessarily have to be degreed, but it has to be obvious that they acquired the skills that you would acquire through going through a degree program.

Reece

Yeah. They have the toolkit.

Jasson

Of that mental toolkit, right? They understand decomposition of software. They understand that when I'm looking at a large-scale system, the first thing I have to think about is the domain model of that system and the life cycle of that domain model. And then when I sub-compartment that domain model, the microsystems or the microfunctions, if you will, then start to emerge. We're always hiring people like that. In terms of specialties, anyone in the data science, data analytics, ML, I don't like to say AI realm. We're hiring people there who understand how to build and integrate, not how to use. How to use is not enough for the types of problems that we work on. You have to kind of understand, why is this problem convex? Why is this problem amenable to a logistic regression versus not? When should I use tool X versus tool Y based on the problem and how we prove the problem is X? And then on the trusted computing side, we're looking for folks that have experience with formal systems, so, like, using F* to prove something, using Coq to prove something over a piece of software that's solving, like, a systems problem like a TLS implementation or a secure measured boot, those sorts of things.

Reece

Well, no wonder there's a labor shortage. You just listed a lot of jobs. So, listeners, if that sounds like it's up your alley, don't hesitate to apply. And don't hesitate to listen to our next episode. We'll see you then. Thanks for tuning in today. And smash the Subscribe button. Bye.


Reece

I mean, what did you like when you were 19? What did you wanna study?

Jasson

So, I wanted to study... What did I like when I was 19? So, aside from the normal things of a teenager, I loved physics, and I had no practical use for it. I loved physics because it explained the world in a way that made sense. Math was a tool to make physics understandable. And ultimately, electrical engineering was a path on my journey in that I knew that eventually I had to get a job, that job needed to be able to pay me so I could have, you know, a lifestyle similar to what I'd experienced as a child. And it wasn't obvious to me that a physicist was able to get work, but it was obvious to me that electrical engineer could, and it was obvious to me that electrical engineer was pretty damn close to a physicist at least in the curriculum that you got to study in school.

So, that's kind of how I got there. But back to your bigger question, you know, if you don't know anything when you're 19, like, the advice I typically give people is study something that you're actually interested in and just keep your mind open and try and go somewhere where you have optionality. I think college is great and necessary for a lot of the jobs that we talked about a minute ago. It's not necessary for everyone and it's not necessary for all jobs. Also, it's not necessary that you go to college when you're done with high school, right? I've got a lot of friends that just for whatever reason, and this is not a judgment, right, just for whatever reason where they were in their life at that point in time they needed something else. And until they got that else, they weren't really ready to be successful in a collegiate environment. But for a systems creator or an application creator, I do think there are fundamental skills. Think of it as a mental toolbox that you get from education, not from training, right?

Reece

Yeah. And what would, like, some of those skills be?

Jasson

So, the STEM toolbox is kind of the deductive reasoning toolbox combined with this construction through composition toolbox, right? So, if I'm a math major, right, and I start learning, like... So, when I'm a math major, when I first start studying math, I'm really just told how, here are how all these theorems and formula work, and when you see this problem, use this and use this and use this. But as you evolve in your curriculum, you then start to take courses that really beg the question, "Yeah, but why does that work? How do we know it really works? Are there constraints and when it will or won't work?" Right? And so then you start trying to prove these things or you see...

Reece

And that's super important, those questions, when it comes to cybersecurity. You need to be able to prove them.

Jasson

Well, that's important, but the next part of it is even more so, right? You often can never prove the thing in first go. So, you have to take the problem and you have to break it down into sub-problems.

Reece

That's kinda like what we talked about in our last episode about zero trust and the assumptions that underlie it.

Jasson

Zero trust is a...in my mind, it's a way of saying taking sound engineering principles and reapplying it to a security problem, right? So, just like in math, right, we don't try and do a big thing, we try and break a big thing into a series of small things, make progress with those small things, and then prove that when we bring those small things together, we get something that's slightly larger until we get to our end result. In engineering, it's no different. A good engineer approaches a problem, a large problem, and tries to break it down into a series of sub-problems, right? A good physicist does the same thing. They don't try and solve the problem for the cow. They start with saying, "Assume a spherical cow," and then they solve the problem for a sphere, right?

And this is a mental toolbox and really the difference between education and training in my mind, right? A STEM education builds your toolbox on how to decompose problems, find solutions for the small problems, know why they work and when they work, and then know how to bring those things together in a safe environment. Training is how do I apply my toolbox to a domain, right? So, cybersecurity is a domain, but so is aviation flight control systems, right? But the principles of proving that my software is correct in the auto-lander for my airplane versus the secure boot proof that my BIOS boot loader and operating system has not been modified by an adversary. The toolbox is the same. The domain is what's different. So, tying it back to your original premise, like, cybersecurity, in my mind, is more about training. And, you know, colleges can certainly have training programs, right? You can think of it as, like, the finishing program, like, if you wanna go in this area, we'll give you a class to introduce you to some of the domains of this particular area and kind of get you moving there. I do think it's on companies more so than universities to...

Reece

I would agree. They have to incentivize workers.

Jasson

And part of the problem that I have, and this is definitely kind of a counterpoint, right? I know most people have the opposite point. Companies complain that universities aren't producing workers that actually can get work done. And I think from a company's perspective, that's a bit shortsighted. And what I mean there is if they put enough pressure on the universities to where the students stop graduating with that toolbox of skills, they're going...it's certainly easy to train them on the domain quickly, right? But the domain without the toolbox of skills is gonna equal a lot of solutions that actually don't work, that don't have the properties you think they have, and that ultimately you're going to have to replace that don't have longevity, that won't survive the test of time.

Reece

Because the foundation is lacking in terms of the thinking of how to build those things. Yeah, I can see what you mean by how that's dangerous.

Jasson

Yeah, short-term versus medium-long-term, right? So, think of it as the impetus of the product manager. The product manager wants to see daily, weekly, monthly progress on a customer's business problem, and they don't care about anything else, right? It's not their problem on whether the engineers have the toolbox or don't have the toolbox. The thing that's most apparent to them is do they have the domain or do they don't have the domain? The problems of building a product without the toolbox but with the domain typically don't show up till months 18 to 24 to 36 to 48. And based on job hopping in our industry right now, how many product managers do you think survive long enough or stay long enough to suffer the consequences of their choices, right?

Reece

That is deep. And I would say not many.

Jasson

So, this is why I was saying, like, over the long-term, these things will all work themselves out. Unfortunately, we all live in the short term and have to solve problems in the short term. And so there's not a lot of short-term pressure incentivized around building things that can survive around, like, actually, I don't know, hiring people with the right skill sets with that mental toolbox and then the domain training because the reality is, like, we all want that quick serotonin squirt.

Reece

Oh, yeah, we do.

Jasson

And the job shortage is, you know, certainly opens the door for quick salary increase by just hopping around. But if I, as an engineering leader, a staff engineer, a product manager never suffer the consequences of domain-based decisions without informed by my mental toolkit, clearly, then I'm never gonna develop that muscle, right?

Reece

So, let's just say you were, like, the overlord of cybersecurity, and you had the power to magically fix this in the short-term, what are a couple of things you would do so that people are more incentivized to, you know, kind of stick around, deal with their consequences, you know, or conversely, before they even have the chance to get there, have the tools necessary to build the systems that the world needs right now?

Jasson

So, I mean, the simplest answer is, you know, I don't have an easy answer. We're still struggling with wrapping our hands around these things too, but, like, the...

Reece

Fair enough.

Jasson

The things that we try to do, right? So, you know, compensation at a startup is really important, and long-term incentives are important. So, we try and handle that with stock, right? You don't just get stock when you join, but stock vests over time. We try... And we don't always do a great job, but we try and hold up a mirror in that if we're doing our jobs right as managers in a startup, every individual is contributing to a product and contributing to a customer's success. And so holding up the mirror and making sure all of those engineers get to see their work help another human, another person, another group, it is fulfilling, right, even if it's in a small way, and that sort of counts.

Other things to try and promote people to stick around in the long time is teamwork, right, in terms of, like, not everyone, but a lot of people, part of their work enjoyment is do they enjoy working with their team, right? And enjoying your team really just means, you know, you kind of know your team, you have time to spend time with your team, so we try and kind of promote that sort of environment, which is certainly hard during COVID, but, you know, we do what we can. A lot of it also comes down to employee selection. And that's also hard, right? There's no perfect hiring. There's really kind of trying to... You're rolling the dice, so how do you bias the dice to come up more often in your favor than not. But how do you hire people that have the properties that you think are going to make them stick around? Right?

So, have they stuck around in their previous jobs is a good indicator. It's not perfect, but it's an indicator. Do they have a clear, long-running passion in their work history from X to Y to Z? Right? With younger workers, you never have answers to those questions, and so you're just rolling the dice. And like I said earlier, right, like, when you're 19, you don't know anything in terms of, like, what you're gonna like and not like. And so I don't know if this number is still true, but, like, back when I was a hiring manager, I used to not...I used to assume my fresh grads would never stick around for more than two years. And half of them would split at two years and go to a different industry, right?

Reece

Wow.

Jasson

Like, they'd go to business school and get an MBA or they'd switch or go back to school and get a legal degree or switch and join a finance or something like that. And, you know, honestly, I think in some scenarios like those scenarios, that's not a... It's not really a fault of anyone. You just kind of have to plan for it because, again, when you're 19, you've experienced this much of the world, so how do you really know what you want, right, out of life? But, yeah. Getting people to stick around, there's no easy answers. The best I can hope for is trying to find people who have work experience who have stuck around before that are really kind of invested in certain types of problems that have good chemistry with the team and then...

Reece

And want to see their work do good in the world.

Jasson

Yeah.

Reece

Yeah. So, we would be remiss to talk about a problem without trying to pose a solution, right? So, I think we're hiring right now, right, Jasson? What's a job or two that you'd like to feature for listeners of this podcast who may be interested or may know someone who has those qualities you talked about?

Jasson

So, we got a ton of jobs. So, one of the most pressing jobs right now, actually, is someone to run the IT function for the company. It's a New York City-based job. We have an office in New York with about 80 people. Those people are... There are people in the office every day of the week, but Tuesday through Thursday is really when the majority of them are in. It's very much kind of a young company, bullpen style environment. That's where a lot of our inside sales is happening. That's where a lot of our marketing and certainly where all of our execs are. So, getting someone to actually lead that function who's New York-based who's comfortable coming into the office and wants to come into the office to kind of help train others and learn what it's all about. We have a penthouse, 41st floor next to the Empire State Building, beautiful views. We got a great deal because of COVID.

Reece

And we have a fully stocked kitchen that I use every day.

Jasson

What else? We've got support engineering jobs based in Dallas, Texas. So, again, this is great for kind of, like, folks earlier or mid in their career who like the idea of doing systems integration, back to that kind of middle tier, the pyramid that I was talking about earlier.

Reece

Yeah.

Jasson

There's a bunch of engineers that live in that area with backgrounds in telco and big systems. And then, of course, we're always hiring, you know, software engineers that are... I used to... I like to say principally trained, but what I mean by that is, doesn't necessarily have to be degreed, but it has to be obvious that they acquired the skills that you would acquire through going through a degree program.

Reece

Yeah. They have the toolkit.

Jasson

Of that mental toolkit, right? They understand decomposition of software. They understand that when I'm looking at a large-scale system, the first thing I have to think about is the domain model of that system and the life cycle of that domain model. And then when I sub-compartment that domain model, the microsystems or the microfunctions, if you will, then start to emerge. We're always hiring people like that. In terms of specialties, anyone in the data science, data analytics, ML, I don't like to say AI realm. We're hiring people there who understand how to build and integrate, not how to use. How to use is not enough for the types of problems that we work on. You have to kind of understand, why is this problem convex? Why is this problem amenable to a logistic regression versus not? When should I use tool X versus tool Y based on the problem and how we prove the problem is X? And then on the trusted computing side, we're looking for folks that have experience with formal systems, so, like, using F* to prove something, using Coq to prove something over a piece of software that's solving, like, a systems problem like a TLS implementation or a secure measured boot, those sorts of things.

Reece

Well, no wonder there's a labor shortage. You just listed a lot of jobs. So, listeners, if that sounds like it's up your alley, don't hesitate to apply. And don't hesitate to listen to our next episode. We'll see you then. Thanks for tuning in today. And smash the Subscribe button. Bye.


Jasson

So, I mean, the simplest answer is, you know, I don't have an easy answer. We're still struggling with wrapping our hands around these things too, but, like, the...

Reece

Fair enough.

Jasson

The things that we try to do, right? So, you know, compensation at a startup is really important, and long-term incentives are important. So, we try and handle that with stock, right? You don't just get stock when you join, but stock vests over time. We try... And we don't always do a great job, but we try and hold up a mirror in that if we're doing our jobs right as managers in a startup, every individual is contributing to a product and contributing to a customer's success. And so holding up the mirror and making sure all of those engineers get to see their work help another human, another person, another group, it is fulfilling, right, even if it's in a small way, and that sort of counts.

Other things to try and promote people to stick around in the long time is teamwork, right, in terms of, like, not everyone, but a lot of people, part of their work enjoyment is do they enjoy working with their team, right? And enjoying your team really just means, you know, you kind of know your team, you have time to spend time with your team, so we try and kind of promote that sort of environment, which is certainly hard during COVID, but, you know, we do what we can. A lot of it also comes down to employee selection. And that's also hard, right? There's no perfect hiring. There's really kind of trying to... You're rolling the dice, so how do you bias the dice to come up more often in your favor than not. But how do you hire people that have the properties that you think are going to make them stick around? Right?

So, have they stuck around in their previous jobs is a good indicator. It's not perfect, but it's an indicator. Do they have a clear, long-running passion in their work history from X to Y to Z? Right? With younger workers, you never have answers to those questions, and so you're just rolling the dice. And like I said earlier, right, like, when you're 19, you don't know anything in terms of, like, what you're gonna like and not like. And so I don't know if this number is still true, but, like, back when I was a hiring manager, I used to not...I used to assume my fresh grads would never stick around for more than two years. And half of them would split at two years and go to a different industry, right?

Reece

Wow.

Jasson

Like, they'd go to business school and get an MBA or they'd switch or go back to school and get a legal degree or switch and join a finance or something like that. And, you know, honestly, I think in some scenarios like those scenarios, that's not a... It's not really a fault of anyone. You just kind of have to plan for it because, again, when you're 19, you've experienced this much of the world, so how do you really know what you want, right, out of life? But, yeah. Getting people to stick around, there's no easy answers. The best I can hope for is trying to find people who have work experience who have stuck around before that are really kind of invested in certain types of problems that have good chemistry with the team and then...

Reece

And want to see their work do good in the world.

Jasson

Yeah.

Reece

Yeah. So, we would be remiss to talk about a problem without trying to pose a solution, right? So, I think we're hiring right now, right, Jasson? What's a job or two that you'd like to feature for listeners of this podcast who may be interested or may know someone who has those qualities you talked about?

Jasson

So, we got a ton of jobs. So, one of the most pressing jobs right now, actually, is someone to run the IT function for the company. It's a New York City-based job. We have an office in New York with about 80 people. Those people are... There are people in the office every day of the week, but Tuesday through Thursday is really when the majority of them are in. It's very much kind of a young company, bullpen style environment. That's where a lot of our inside sales is happening. That's where a lot of our marketing and certainly where all of our execs are. So, getting someone to actually lead that function who's New York-based who's comfortable coming into the office and wants to come into the office to kind of help train others and learn what it's all about. We have a penthouse, 41st floor next to the Empire State Building, beautiful views. We got a great deal because of COVID.

Reece

And we have a fully stocked kitchen that I use every day.

Jasson

What else? We've got support engineering jobs based in Dallas, Texas. So, again, this is great for kind of, like, folks earlier or mid in their career who like the idea of doing systems integration, back to that kind of middle tier, the pyramid that I was talking about earlier.

Reece

Yeah.

Jasson

There's a bunch of engineers that live in that area with backgrounds in telco and big systems. And then, of course, we're always hiring, you know, software engineers that are... I used to... I like to say principally trained, but what I mean by that is, doesn't necessarily have to be degreed, but it has to be obvious that they acquired the skills that you would acquire through going through a degree program.

Reece

Yeah. They have the toolkit.

Jasson

Of that mental toolkit, right? They understand decomposition of software. They understand that when I'm looking at a large-scale system, the first thing I have to think about is the domain model of that system and the life cycle of that domain model. And then when I sub-compartment that domain model, the microsystems or the microfunctions, if you will, then start to emerge. We're always hiring people like that. In terms of specialties, anyone in the data science, data analytics, ML, I don't like to say AI realm. We're hiring people there who understand how to build and integrate, not how to use. How to use is not enough for the types of problems that we work on. You have to kind of understand, why is this problem convex? Why is this problem amenable to a logistic regression versus not? When should I use tool X versus tool Y based on the problem and how we prove the problem is X? And then on the trusted computing side, we're looking for folks that have experience with formal systems, so, like, using F* to prove something, using Coq to prove something over a piece of software that's solving, like, a systems problem like a TLS implementation or a secure measured boot, those sorts of things.

Reece

Well, no wonder there's a labor shortage. You just listed a lot of jobs. So, listeners, if that sounds like it's up your alley, don't hesitate to apply. And don't hesitate to listen to our next episode. We'll see you then. Thanks for tuning in today. And smash the Subscribe button. Bye.

The Cybersecurity Labor Shortage is a Population Problem

Phishing resistance in security solutions has become a necessity. Learn the differences between the solutions and what you need to be phishing resistant.

Informal security chat with Beyond Identity's CTO Jasson Casey and Reece Guida on how a declining population impacts cybersecurity jobs.

Transcription

Reece

Hello, everyone. Welcome to another episode of "Cybersecurity Hot Takes" with me, your host, Reece Guida, and...

Jasson

I am Jasson Casey. I am the CTO of Beyond Identity. And apparently, I remembered how to do the intro this time.

Reece

Yeah. I think that was the best one yet probably because there was only one "and" that needed to happen. So, yeah, everybody, it's just me and Jasson today, and we're gonna talk about something that everyone in this industry is certainly aware of and I'd say that the everyday person is aware of it too. There's a cybersecurity labor shortage. And, you know, the hot take for today is that that's a population problem more than anything. So, Jasson, do you wanna unpack how declining population impacts cybersecurity jobs?

Jasson

More of a musing than a direct connection, but, yeah, I think the cybersecurity job shortage is a tech job shortage, which is probably related to just a worker job shortage. And a couple of thoughts get me there, number one, if we just think about demographics, right, the bulk of the demographic that's leaving the workforce over the next 10 years is larger than the bulk of the demographic entering the workforce or that exists in the workforce, right? So, that's gonna create scarcity. That's gonna create just an imbalance of, if we're really just trying to do a one-for-one replacement, there's clearly not enough people, right? So, that's kind of one thread to keep in your mind.

The second thread to keep in your mind is the world is being eaten by technology, right? There's almost no job where you don't have to use technology or create technology. Every job is basically a tech job, which requires a certain skill set that not every person entering the workforce comes with, right? And then if we peel back the onion one more bit, which I think is more of, like, the industry and domain-specific problems, every tech job is not the same, right? There are tech jobs where your job is to use technology, there are tech jobs where your job is to integrate technology, and there are jobs where your role is to kind of create it. And even within technology creation, there's striations, right? So, there's, am I building an application that just has to think about a domain, or am I building a system that's a more complex kind of multi-domain thing?

So, you know, the skills, the principles, your abilities, and experience necessary to be successful at all of those things is different. You can kind of think of it as a pyramid, right? It might be, the systems might be the hardest, the application may be the next hardest, and then the usage is probably the easiest. And when I say hardest and easiest, I just mean kind of requisite skills coming into the equation. That would also assume that for equal capable folks going through some sort of training program, they're going to kind of layout across those three areas really based on compensation and pay and really kind of what the market supply and demand is deciding those things are worth. And if it's harder to do one thing, in theory, you know, the comp is gonna be larger than the next. And if that's harder than the next, in theory, the comp is gonna be larger.

With that said, it's not necessarily true with what's going on right now. What I mean by that is a lot of application creation and system creation, at least in the US, happens within the startup ecosystem. And the startup ecosystem, by definition, doesn't have the pockets of a large company. So, the immediate compensation is certainly not equivalent to what a Google or a Facebook or a Microsoft would pay for their version of system creation. So, the way the startup compensates is really the way it always is compensated, which is trying to...number one, trying to find people that are passionate about the area and view the ability to work on the things they really wanna work on as opposed to just compensation as meaningful work.

And then the second part of it, or I should say the third part of it is meaningful ownership in what's being created, right? So, like at a startup, everyone is given stock or really options and ability to own a piece of the company over a period of time. Whereas at large companies, usually, you just get RSUs, which is just another form of cash payment. And if the startup goes well, and granted most startups don't, but if a startup does do well, you know, the person is rewarded outsized compared to if they were to go to another company. So, I think, you know, there's these macro trends, which is replacement and loss, right, out of whack. The second is the world is being eaten by technology, which means for everyone entering the workforce who's not capable of working on technical problems, the number of jobs that don't have technical problems is diminishing. And then just within the systems and applications creation world, there's always been this imbalance of compensation. So, supply and demand by itself doesn't solve the problem if we're being kind of short-term focused.

Reece

Yeah.

Jasson

But if we're being longer-term focused, it tends to work itself out.

Reece

I think that the market is going to recognize the importance of secure systems and the people who build them. One thing that's just occurring to me that didn't come up in those three points you mentioned, which, again, were related to population, software eating the world, and the different kinds of technology users in the workforce and technology builders. We didn't mention AI. And I wonder how that factors into things when it comes to the job shortage.

Jasson

I guess it depends on what you mean, right? So, AI is... The...

Reece

But there's just general fear, right, that people are afraid of AI, like, you know, from South Park, "They terk my jerb." That kind of thing. I don't know how that curve ball, you know, enters this debate.

Jasson

Yeah. So, I don't know if AI is taking a person's job so much as in order to supply what the world needs, the jobs themselves have to change. And it's about people entering the job market being able to...and people who are in the job market being able to kind of handle that change. So, most AI is really about trying to provide... Now, I'm gonna flub my words. This auto... Most AI is kind of about simplistic automation and better algorithms to really execute these things called decision problems. Is this a cat? Obviously, you know, we can use it in a lot more interesting ways than is this a cat? But...

Reece

That sounds pretty interesting to me.

Jasson

But, yeah, most of what AI gives us is solutions to decision problems using interesting heuristics. It's not going to eliminate the need for skilled knowledge workers. It is going to present more of a need for skilled knowledge workers, again, to be able to create as well as to be able to integrate as well as to be able to use.

Reece

Yeah. So, I guess AI would fit into the third point that you made, which is the different kinds of technology users, AI being a tool that they can deploy when building systems that they can share.

Jasson

If technology is eating the world, then there's almost no job in the world that's not gonna include some flavor of AI. And from a work perspective, we're gonna require workers who understand, obviously, at the bottom of the pyramid, how to create it, in the middle of the pyramid, how to integrate it, you know, right, because systems are always complex integrations of things, and at the top of the pyramid, how to use it. Maybe it's an inverted pyramid, right? Because we clearly are gonna have a lot more users than integrators, and we're gonna have more integrators than creators, but we still need to produce people in the workforce that can kind of operate at those three levels, whether it's AI or whether it is formal trusted systems, right, which is, you know, a different branch of CS and computer engineering around, how do I know this thing is actually true?

Reece

Oh, yeah. And speaking of CS and computer engineering, I had this conversation with a doorman in my building, and his son is 19, starting out at college, and he's at that age where he has to pick a major. And his dad really wants him to go into cybersecurity, but the son is just not interested at all. And I was thinking about ways to get him interested because, like you said, a passion for the work is really important to joining startups knowing that you're taking a risk and putting most of the value in that risk paying off in the form of stock options. So, I don't know if the university his son is attending has a cybersecurity program, right? Maybe people would be inclined to say, "Hey, a way to solve the job shortage is to put cybersecurity programs in universities." Do you see that as being a fix or do you think that existing disciplines like math, physics, engineering kind of cover that ground already?

Jasson

So, there's a lot of things there. So, I guess, number one, when you're 19, you don't know anything in terms of what you wanna do with your life, right? You've never been on your own, you've never made decisions outside of the context of your parents helping. You don't know what you're gonna like, right? And so generally...

Reece

I mean, what did you like when you were 19? What did you wanna study?

Jasson: So, I wanted to study... What did I like when I was 19? So, aside from the normal things of a teenager, I loved physics, and I had no practical use for it. I loved physics because it explained the world in a way that made sense. Math was a tool to make physics understandable. And ultimately, electrical engineering was a path on my journey in that I knew that eventually I had to get a job, that job needed to be able to pay me so I could have, you know, a lifestyle similar to what I'd experienced as a child. And it wasn't obvious to me that a physicist was able to get work, but it was obvious to me that electrical engineer could, and it was obvious to me that electrical engineer was pretty damn close to a physicist at least in the curriculum that you got to study in school.

So, that's kind of how I got there. But back to your bigger question, you know, if you don't know anything when you're 19, like, the advice I typically give people is study something that you're actually interested in and just keep your mind open and try and go somewhere where you have optionality. I think college is great and necessary for a lot of the jobs that we talked about a minute ago. It's not necessary for everyone and it's not necessary for all jobs. Also, it's not necessary that you go to college when you're done with high school, right? I've got a lot of friends that just for whatever reason, and this is not a judgment, right, just for whatever reason where they were in their life at that point in time they needed something else. And until they got that else, they weren't really ready to be successful in a collegiate environment. But for a systems creator or an application creator, I do think there are fundamental skills. Think of it as a mental toolbox that you get from education, not from training, right?

Reece

Yeah. And what would, like, some of those skills be?

Jasson

So, the STEM toolbox is kind of the deductive reasoning toolbox combined with this construction through composition toolbox, right? So, if I'm a math major, right, and I start learning, like... So, when I'm a math major, when I first start studying math, I'm really just told how, here are how all these theorems and formula work, and when you see this problem, use this and use this and use this. But as you evolve in your curriculum, you then start to take courses that really beg the question, "Yeah, but why does that work? How do we know it really works? Are there constraints and when it will or won't work?" Right? And so then you start trying to prove these things or you see...

Reece

And that's super important, those questions, when it comes to cybersecurity. You need to be able to prove them.

Jasson

Well, that's important, but the next part of it is even more so, right? You often can never prove the thing in first go. So, you have to take the problem and you have to break it down into sub-problems.

Reece

That's kinda like what we talked about in our last episode about zero trust and the assumptions that underlie it.

Jasson

Zero trust is a...in my mind, it's a way of saying taking sound engineering principles and reapplying it to a security problem, right? So, just like in math, right, we don't try and do a big thing, we try and break a big thing into a series of small things, make progress with those small things, and then prove that when we bring those small things together, we get something that's slightly larger until we get to our end result. In engineering, it's no different. A good engineer approaches a problem, a large problem, and tries to break it down into a series of sub-problems, right? A good physicist does the same thing. They don't try and solve the problem for the cow. They start with saying, "Assume a spherical cow," and then they solve the problem for a sphere, right?

And this is a mental toolbox and really the difference between education and training in my mind, right? A STEM education builds your toolbox on how to decompose problems, find solutions for the small problems, know why they work and when they work, and then know how to bring those things together in a safe environment. Training is how do I apply my toolbox to a domain, right? So, cybersecurity is a domain, but so is aviation flight control systems, right? But the principles of proving that my software is correct in the auto-lander for my airplane versus the secure boot proof that my bios boot loader and operating system has not been modified by an adversary. The toolbox is the same. The domain is what's different. So, tying it back to your original premise, like, cybersecurity, in my mind, is more about training. And, you know, colleges can certainly have training programs, right? You can think of it as, like, the finishing program, like, if you wanna go in this area, we'll give you a class to introduce you to some of the domains of this particular area and kind of get you moving there. I do think it's on companies more so than universities to...

Reece

I would agree. They have to incentivize workers.

Jasson

And part of the problem that I have, and this is definitely kind of a counterpoint, right? I know most people have the opposite point. Companies complain that universities aren't producing workers that actually can get work done. And I think from a company's perspective, that's a bit shortsighted. And what I mean there is if they put enough pressure on the universities to where the students stop graduating with that toolbox of skills, they're going...it's certainly easy to train them on the domain quickly, right? But the domain without the toolbox of skills is gonna equal a lot of solutions that actually don't work, that don't have the properties you think they have, and that ultimately you're going to have to replace that don't have longevity, that won't survive the test of time.

Reece

Because the foundation is lacking in terms of the thinking of how to build those things. Yeah, I can see what you mean by how that's dangerous.

Jasson

Yeah, short-term versus medium-long-term, right? So, think of it as the impetus of the product manager. The product manager wants to see daily, weekly, monthly progress on a customer's business problem, and they don't care about anything else, right? It's not their problem on whether the engineers have the toolbox or don't have the toolbox. The thing that's most apparent to them is do they have the domain or do they don't have the domain? The problems of building a product without the toolbox but with the domain typically don't show up till months 18 to 24 to 36 to 48. And based on job hopping in our industry right now, how many product managers do you think survive long enough or stay long enough to suffer the consequences of their choices, right?

Reece

That is deep. And I would say not many.

Jasson

So, this is why I was saying, like, over the long-term, these things will all work themselves out. Unfortunately, we all live in the short term and have to solve problems in the short term. And so there's not a lot of short-term pressure incentivized around building things that can survive around, like, actually, I don't know, hiring people with the right skill sets with that mental toolbox and then the domain training because the reality is, like, we all want that quick serotonin squirt.

Reece

Oh, yeah, we do.

Jasson

And the job shortage is, you know, certainly opens the door for quick salary increase by just hopping around. But if I, as an engineering leader, a staff engineer, a product manager never suffer the consequences of domain-based decisions without informed by my mental toolkit, clearly, then I'm never gonna develop that muscle, right?

Reece

So, let's just say you were, like, the overlord of cybersecurity, and you had the power to magically fix this in the short-term, what are a couple of things you would do so that people are more incentivized to, you know, kind of stick around, deal with their consequences, you know, or conversely, before they even have the chance to get there, have the tools necessary to build the systems that the world needs right now?

Jasson

So, I mean, the simplest answer is, you know, I don't have an easy answer. We're still struggling with wrapping our hands around these things too, but, like, the...

Reece

Fair enough.

Jasson

The things that we try to do, right? So, you know, compensation at a startup is really important, and long-term incentives are important. So, we try and handle that with stock, right? You don't just get stock when you join, but stock vests over time. We try... And we don't always do a great job, but we try and hold up a mirror in that if we're doing our jobs right as managers in a startup, every individual is contributing to a product and contributing to a customer's success. And so holding up the mirror and making sure all of those engineers get to see their work help another human, another person, another group, it is fulfilling, right, even if it's in a small way, and that sort of counts.

Other things to try and promote people to stick around in the long time is teamwork, right, in terms of, like, not everyone, but a lot of people, part of their work enjoyment is do they enjoy working with their team, right? And enjoying your team really just means, you know, you kind of know your team, you have time to spend time with your team, so we try and kind of promote that sort of environment, which is certainly hard during COVID, but, you know, we do what we can. A lot of it also comes down to employee selection. And that's also hard, right? There's no perfect hiring. There's really kind of trying to... You're rolling the dice, so how do you bias the dice to come up more often in your favor than not. But how do you hire people that have the properties that you think are going to make them stick around? Right?

So, have they stuck around in their previous jobs is a good indicator. It's not perfect, but it's an indicator. Do they have a clear, long-running passion in their work history from X to Y to Z? Right? With younger workers, you never have answers to those questions, and so you're just rolling the dice. And like I said earlier, right, like, when you're 19, you don't know anything in terms of, like, what you're gonna like and not like. And so I don't know if this number is still true, but, like, back when I was a hiring manager, I used to not...I used to assume my fresh grads would never stick around for more than two years. And half of them would split at two years and go to a different industry, right?

Reece

Wow.

Jasson

Like, they'd go to business school and get an MBA or they'd switch or go back to school and get a legal degree or switch and join a finance or something like that. And, you know, honestly, I think in some scenarios like those scenarios, that's not a... It's not really a fault of anyone. You just kind of have to plan for it because, again, when you're 19, you've experienced this much of the world, so how do you really know what you want, right, out of life? But, yeah. Getting people to stick around, there's no easy answers. The best I can hope for is trying to find people who have work experience who have stuck around before that are really kind of invested in certain types of problems that have good chemistry with the team and then...

Reece

And want to see their work do good in the world.

Jasson

Yeah.

Reece

Yeah. So, we would be remiss to talk about a problem without trying to pose a solution, right? So, I think we're hiring right now, right, Jasson? What's a job or two that you'd like to feature for listeners of this podcast who may be interested or may know someone who has those qualities you talked about?

Jasson

So, we got a ton of jobs. So, one of the most pressing jobs right now, actually, is someone to run the IT function for the company. It's a New York city-based job. We have an office in New York with about 80 people. Those people are... There are people in the office every day of the week, but Tuesday through Thursday is really when the majority of them are in. It's very much kind of a young company, bullpen style environment. That's where a lot of our inside sales is happening. That's where a lot of our marketing and certainly where all of our execs are. So, getting someone to actually lead that function who's New York-based who's comfortable coming into the office and wants to come into the office to kind of help train others and learn what it's all about. We have a penthouse, 41st floor next to the Empire State Building, beautiful views. We got a great deal because of COVID.

Reece

And we have a fully stocked kitchen that I use every day.

Jasson

What else? We've got support engineering jobs based in Dallas, Texas. So, again, this is great for kind of, like, folks earlier or mid in their career who like the idea of doing systems integration, back to that kind of middle tier, the pyramid that I was talking about earlier.

Reece

Yeah.

Jasson

There's a bunch of engineers that live in that area with backgrounds in telco and big systems. And then, of course, we're always hiring, you know, software engineers that are... I used to... I like to say principally trained, but what I mean by that is, doesn't necessarily have to be degreed, but it has to be obvious that they acquired the skills that you would acquire through going through a degree program.

Reece

Yeah. They have the toolkit.

Jasson

Of that mental toolkit, right? They understand decomposition of software. They understand that when I'm looking at a large-scale system, the first thing I have to think about is the domain model of that system and the life cycle of that domain model. And then when I sub-compartment that domain model, the microsystems or the microfunctions, if you will, then start to emerge. We're always hiring people like that. In terms of specialties, anyone in the data science, data analytics, ML, I don't like to say AI realm. We're hiring people there who understand how to build and integrate, not how to use. How to use is not enough for the types of problems that we work on. You have to kind of understand, why is this problem convex? Why is this problem amenable to a logistic regression versus not? When should I use tool X versus tool Y based on the problem and how we prove the problem is X? And then on the trusted computing side, we're looking for folks that have experience with formal systems, so, like, using F* to prove something, using Coq to prove something over a piece of software that's solving, like, a systems problem like a TLS implementation or a secure measured boot, those sorts of things.

Reece

Well, no wonder there's a labor shortage. You just listed a lot of jobs. So, listeners, if that sounds like it's up your alley, don't hesitate to apply. And don't hesitate to listen to our next episode. We'll see you then. Thanks for tuning in today. And smash the Subscribe button. Bye.
