
Alex Humphrey & Jacob Haynes - The Cyber Employee Shortage That Wasn't

BSides Knoxville · 44:06 · Published 2025-07
About this talk
The cyber talent shortage is a lie. Orgs can't hire and retain enough cyber talent because they're wasting it. Engineers are burning out because they're doing the wrong kinds of work. In this talk, we show security leaders and engineers how to think differently and fix this problem forever.

Thank you all so much for coming out to our talk. We love controversy and when people disagree with us, so please do a lot of that. Cyber employees, there's a shortage, right? Everyone talks about it. We've been talking about it for a decade. There are way too many cyber security jobs, or sorry, way too many cyber security openings, right? We're drowning in them. There aren't good enough people, right? N is talking about it. Dark Reading. I found one from Forbes. These are all articles from the last couple of months, right? You know, the news is talking about it. You hear that, you go to the right news stories, you go to the right blogs,

depending on who you're reading: hey, there's not enough cyber security employees. Vendors, they're going to solve all of our problems, and one of them is, hey, you don't have enough employees, right? Gartner, Forrester. Interestingly, Gartner has backed off from this in the last three years or so. They used to be all about it and now they don't talk about it as much, but it's still in their literature and they still reference it when they write new articles. And the truth of the matter is, we feel it. We feel it in our bones, right? You feel the pain and weight of, "Yeah, I don't have enough people, Alex, you idiot." There's not nearly enough,

and it's really hard to find and hire and retain good people who can solve my problems. Well, I'm going to argue, and Jake and I are going to argue today: is there really a shortage of good cyber security employees, or isn't there? Who are we to talk about this, to tell you any of this and to say any of this? My name is Alex Humphrey. I am a director of security at Solutions 2. My background: I started way back in the day literally racking and stacking servers because I needed money. The two things I didn't want to do when I graduated college were IT and sales,

and now I'm a cyber security consultant. But I've spent going on 20 years in cyber security and IT. The first half or so of that was as a practitioner, working at multinational organizations, building cyber security teams and doing a lot of the things we talk about. The second half has been on the consulting side, working with organizations globally on a lot of these things that we're going to talk about today. And with me is...
>> Hey there. My name is Jacob Haynes. I'm a security architect with Solutions 2, based out of the Denver, Colorado area. I spent the first 10 years of my career in IT. Grew up on the help

desk, got into IT management, transitioned into cyber security in 2018. And for the last four years, I've been in a consultative role where I work with our clients to help them build strong cyber security foundations for their organization. So, enough about us. Let's jump into this.
>> Can you hear him? Okay. Do you need to use the mic closer?
>> Yeah. Is that a little bit better?
>> Yeah. Yeah.
>> Let me pull this up a little bit. There we go. How about that? All right. So, why do we feel like there's a cyber security shortage? Sorry, let me go back here real quick. So why

do we feel like there's not enough talent out there to fill all of these cyber security roles? Well, I think one thing we need to do first is start with this simple but critical question: why does your organization exist, right? What's its mission? What's its purpose? What problem is it trying to solve in the world? And I can guarantee you one thing, unless your organization is a cyber security company: your organization doesn't exist to respond to phishing emails or to investigate endpoint security alerts. And I can also guarantee you that your organization doesn't exist to maintain a SIEM or identify vulnerabilities in your information systems. It just doesn't.

Your organization exists to deliver health care to its patients, or to manufacture frozen burritos, or deliver a service, or build widgets, or whatever it is that your organization does. Your organization exists to deliver value, and our role in security is to help it do just that: safely, securely and without interruption. And in our opinion, the real gap isn't a talent shortage, right? It's an organizational prioritization problem. We aren't aligning security efforts to what actually matters to the business, right? To its mission and to its goals and ultimately to its bottom line. I see it every day with most organizations that we work with. They don't run their security programs in a way that actually

supports the business outcomes. And companies typically try to hire security professionals... sorry, I wasn't clicking through this. Companies are typically trying to hire security professionals who can do all of the things, right? We've all seen those job descriptions. You have to be able to implement identity and access management tools. You have to be able to stand up and manage SIEMs, build vulnerability management programs, respond to phishing emails, secure the cloud, etc., etc., etc., right? And that's all important stuff, but those are tactical things, tactical tasks, and not necessarily tied to strategic outcomes. And we wonder why there are very few entry-level cyber

security jobs out there. And the truth is, most organizations don't have the budget to hire and develop the deep expertise that's needed to manage all of these tools and processes. But there is some good news here. The silver lining is that these gaps are solvable. And with the right approach, we don't have to do all of the things. We can do the right things that matter the most to the business.
>> Absolutely. So what does this look like? What are some things we're going to be talking about? How do we close this gap in hiring? Three things, because it's always three. You learn that in Presenting 101. Build a team that understands your business.

Two, train and develop internal experts. And then three, partner to cover the basics. So, let's dive into what each of these means and how to actually do this in real life. The first thing you want to do is build and create a team that actually understands your business and your organization and is working alongside it. You know, assemble the team, pull the team together, bring in the right folks. Marketing was shocked that we started putting memes in this, but we were like, hey, it's BSides, let's have fun. Every cyber security team is understaffed because we're trying to hire people who do everything. So we need to hire

experts who have 20 years of experience across 400 different security tools and can do it effectively. That's never, ever going to work. So we want to start, when we're thinking about our cyber security program or our individual careers as cyber security practitioners, to refocus on the things that only an internal team can do. What is that unique thing that you as a cyber security employee at this organization can do better than anyone else in the world? Because you know the people, you know the processes, you're there on the ground when things are happening. You start to figure this out by asking, what is the purpose of my business? One of my first real

cyber security jobs was at Mary Kay. So if you've ever seen the little pink Cadillac ladies, I'm the reason why they didn't get hacked for several years there. The purpose of that business is two things. One, they manufacture makeup. There's a manufacturing facility in Dallas and another one in China. The second thing they do is they have a website, an e-business that processes billions of dollars of transactions every year. We had a cyber security team of about 30 people around the time I left. How many people on that team do you believe were associated with protecting and securing the manufacturing environment? One? One? One too many. Zero. No one in the

entire security team had any priority or focus around the manufacturing environment. What about the e-business? Literally all our money is made doing this. How many people do you think we had? People are getting some more goose eggs. Some four. That's a good guess. Two. Awesome. One, and he started about halfway through my tenure on the security team, which was several years in. And he was just a guy we sniped from the developers, right? So, most organizations I talk to have this problem. The things that are most important to their organization are not the things that they're hiring and building security teams around. And so, the first question to answer is: what is the purpose of my business? Why does

this organization exist? Unless I'm, you know, Microsoft, it's not email security. Unless I'm CrowdStrike, it's not endpoint security, right? So, why does your organization exist? And then, what are we trying to do over the next year and a half, right, as an organization? Are we trying to build another manufacturing facility? Are we developing apps? You know, are we expanding our services? Are we acquiring a company and changing our entire model? Like, what are the things the organization is talking about? Not just security, not just IT, but organization-wide. What are the two or three things that the executive team and the board are talking about the most? And then, now that you have this idea of

kind of what we do and what our major priorities are as an organization, what do you need to do for expertise? What needs to be in place from a security perspective to help solve those problems that are going to be created from that? Once you have that in place and you have a firm idea of what you need, now you need the people who can help you, right? Employee training. There's a concept I haven't heard in quite a long time. We didn't really know how the stage was going to be set up, so I apologize that most of my pictures are going to be hidden. I'm not that

clever anyway, so you're not missing too much. But training and development, then, is the next step. Okay, now I know what I need. Now I need people who can help me achieve those goals, help me enable the business to achieve its goals securely. And I start by hiring and training people who want to be experts in this niche. A couple years ago I was interviewing just a brilliant woman who had been doing OT security, and I was looking to bring her in as sort of a consultant to support me and my team. Absolutely brilliant, one of the most brilliant cyber security minds in the Pacific Northwest. And I'm

talking to her and she's walking me through: well, I've been doing all this OT stuff the last six months and I'm really liking it, and this other company is making me this offer to basically do OT security full-time, and I'm going to start going to OT conferences and giving talks and starting to introduce security concepts to that world. And it was amazing, because she really was starting to understand the nuances, as someone who came from a manufacturing background, the nuances of securing that environment and the pain points there, etc. So I told her, I was like, "Hey, if you want to be a consultant, come work for me. You'd be awesome. If you

want to be like the best person in OT security, you should take that job." She never worked for me. And she's phenomenal at OT security. But when you think about expertise, right, you think like, God, I need someone who has 20 years of experience in manufacturing to be beneficial. No, you don't. You need someone who can focus on a specific thing consistently for a relatively short amount of time. You can develop an expert in almost anything in six months. Now, no, you can't be a doctor in six months or whatever, but OT security, you can be an expert in OT security in like two weeks. There's not that much written on it. Development security, right?

Again, another thing: if you have any kind of development background at all, a comp sci degree, whatever, you understand the basic concepts, you can pretty quickly use that understanding of that world and six months of targeted experience. Heck, do a boot camp. In six months you can be an expert in software security, the software development life cycle, etc., etc. So it becomes pretty easy to train people to be in your niche, and so you want to find people who want to do that kind of work. And the interesting thing about this is, since this is more associated with the actual purpose of your business, what I found in doing this myself and working with other companies to do this

is, getting budget is a lot easier when I'm walking in and I'm saying, "Look, I need you to spend another million dollars next year on this new email thing, because if we get phished, you've read about it in the news, CEO, CFO, it's going to be terrible." And they go, "Okay, maybe." On the other hand, you go, "Hey, our entire business is manufacturing. If we get attacked from a manufacturing perspective, we're done. I want $30,000 to train person X in manufacturing cyber security over the next two months, and then an additional budget to start building projects to make us absolutely secure as we're doing this, without impacting the manufacturing plants at

all." They're going to be like, "Yeah, here's the money. Here's 30,000. Here's half a million. Here's whatever." So get training in the budget. Fight to keep it there every single year. And then, if you're a leader especially, but even as an individual contributor, communicate the importance of this to the team, right? The importance of training, the importance of focus, the importance of all the work we're doing aligning very neatly to the purpose of the business. What does this lead to, in my experience? Higher team retention. People who are doing work that matters, that supports the business as a whole, like, they're happy. People responding to phishing emails all day at a makeup company are not happy.

Been there, right. But when I was given opportunities to support the transition into AWS as we were moving our entire infrastructure to the cloud, or as I was given opportunities to support developers in building a CI/CD pipeline that really takes security into account, that stuff like lit me on fire. I was so excited. I was ready to jump all in. People are happier, even making less money, if they're doing work that they feel like matters and is exciting and they're influential in what's happening. It also builds cross-organization collaboration. The worst thing in cyber security is everyone hates us, right? Like, you ever go to a sysadmin and say, "Hey, we need to

do a patch, right?" They're going to be like, "Yeah, you're going to take down my entire system with your patch." No. Or again, manufacturing background. If we were going to patch certain systems in a manufacturing environment, we would have to shut down the entire line for a day to do a patch that would take less than a minute to install, just because of the nature of the machines they were associated with and how it worked. That was losing literally millions and millions of dollars for the time that it's not producing makeup. And so it becomes very, very difficult for me to come to someone and go, "Hey, I need to patch this system."

And they go, "Why?" Well, because it's a 10 on the CVE score. Like, it's got a 10. It's critical. It's important. They go, "Well, why is it critical? Is it critical to us? Does it really matter?" I didn't have answers to those questions because I didn't understand the manufacturing environment. Well, I didn't even understand this problem very well. But as I started to learn and I started to work with them and I started to be more focused on these things, I discovered... like, another thing I found walking the floor of the manufacturing environment, this is my favorite. I walked in on a Windows XP machine that was running a machine that was

internet connected, and it had no antivirus on it, and it hadn't been patched in like a decade, and I was like, we're getting rid of that immediately. So, I start raising the red flag and, you know, trying to burn all my bridges to get this thing gotten rid of. And finally, someone very high up sits me down and goes, "I want to explain to you what happens if we do this." First of all, we bought that application that's running that machine with an intended 30-year ROI, and we're on year 17. So, if you cut out 12 years of ROI off of that application... 13 years, I guess, I can't do math.

That's all lost money to the business, the way we're calculating it. On top of that, in order to change that system, you're going to have to shut down that machine, which was literally producing the equivalent of a million dollars an hour in revenue in product. So, the way they'd have to do it is they have to shut down that machine. They have to remove all the product that's in it, which destroys that product, by the way. More losses. You have to send all the hourly people home. Now, they don't get paid for however long they're gone for. Then you do the

change, you switch it out, you bring it back up, call people back. You know, it's seven, eight, 10 hours later before you're back up and running. And then, even better, no one could tell me what happened to the guy who they bought it from. He either died or retired or both. I don't really know. But they were like, "We don't even know that we could get another application that could do this. And if we could, it's going to be ungodly expensive." So, what did I do? I created a way to siphon that off from the internet, protect it, allow it to stay there. And I was like, good. We're just not going to touch this

for another 13 years. And when that ROI is done, we're going to talk again. But what I was able to do is start to build those relationships and grow them over time. And as I started to implement this idea more and more, not just for manufacturing, but working with the IT teams, working with the software teams, etc., what I started finding is, instead of me walking into the room and them going, "I hate you. Why are we meeting? Stop ruining my life," I'd walk in and they'd be like, "Oh, here's someone who's going to help me. Yes, I might have to change some things that I'm doing, but they knew that I'm there

to help them achieve their goals. I just want to make sure they can do it securely and safely." And everybody ultimately wants that and is willing to work with you. So this enables much better cross-organization collaboration, because you can talk to them more effectively, you communicate with them, and you're all on the same page. So, let's say you do all this, right? You figure out your purpose. You reorient your entire security team around it. As an individual contributor, you start working on things that matter to the business, working better across teams. What about everything else? You still got to procure email. You still got to monitor alerts, right? You still got to do an insane amount of stuff,

right? What do you do with all that stuff? So, depending on where you're at in your security journey, you probably have tools in place that haven't been fully operationalized, right? You're not getting the full value out of that tool. Or you have projects in place that are taking too long to get completed, or they're stuck in limbo. And why is that? Well, in my experience, the majority of the reason is because you're stuck in firefighting mode, and the day-to-day tasks that you're trying to do are keeping you from doing more important work. And partnering to cover the basics is a very effective way to accelerate the maturity of your

security program so that it can be better positioned to align with the business. So, let's take a brief moment real quick to differentiate between these one-time projects and these ongoing operational services. And I know this probably seems very obvious here, but when you're working with a partner or multiple partners, it's really important to differentiate between these types of work. So, from a one-time project standpoint, you've got things like identity and access management: implementing MFA, conditional access policies, automating the onboarding and offboarding processes. PAM falls under that category. You have email migrations, things like deploying endpoint security tools and hardening, tuning those alerts.

Data security can be an extremely complex project, depending on the organization: putting tools in place to discover where the data is, who has access to it, being able to classify that data based on its sensitivity levels, and then putting in those guardrails so that users are only doing what they should be doing with that data. And then you have things like SIEM implementations and collecting the log sources and tuning IoCs and threat intelligence, and of course penetration testing. These are things that you don't have to babysit on a daily basis. You do them once and then you periodically revisit them. On the other side of this coin is the

ongoing operational services. So you have things like detection and response, and vulnerability and exposure management, security awareness training. These are things that need to be done on a continuous basis, and along the way you're making iterative improvements in each and every one of those areas.
>> Awesome. And the beauty of all this is, when you think about this again, your people need to be the experts at securing your organization. And you don't need to be the experts in SOC work or pen testing or email security, right? There are actually really good third-party organizations that can do that now, either as a one-time, hey, we set up

your thing and it's humming perfectly, or it's done, or we're doing it forever. Sorry. How many people have implemented a security product, got to about 30% of where they intended, and then were immediately moved on to another task and never got to touch it again?
>> Everybody.
>> Yeah. If you work in cyber security, that is your story. This gets rid of that, this top part. Right now, we're saying, "Hey, I'm going to deploy this thing and it's actually going to be perfect." Why? Because I'm paying someone else to do it for me who knows this stuff in and out. Or, from an ongoing commoditized day-to-day task, right? Most

organizations really can't build a 24/7/365 SOC with multiple tiers of analysts doing those investigations and responding to those things, right? There are a million MDR companies out there, and there's at least a couple of them that are really good. So finding partners and using this, like, this is how you solve those commoditized tasks. But it leads to questions, right? Partners, partners everywhere. Now we're drowning in partners and we have other problems that we need to deal with. What if my partner sucks, right? Well, you have to hire the right partners, right? I guess we'll do that. My picture's on the other side this time. And they're going to promise you the moon when they sell

you, and they often won't deliver. So all partners are not created equal. There's a ton of organizations out there that are terrible, that suck, right? So you need to ask some questions when you're trying to find the right partner up front, right? Things like: do they adapt to me, or do they do a one-size-fits-all approach across all their clients? Now, neither of these is the right or wrong answer, but for the work you're having them do, you need to understand how they're going to do this and if it meets what you actually need. Will they answer questions and provide clear feedback to the team when they need it? It's crazy

to me how many managed services especially are like, yeah, if you're having a P1 emergency, send us a ticket and we'll respond sometime in the next five hours. You're like, what? And then they respond and they're like, yeah, you're right, that's a problem. You're like, did you turn it off and turn it... like, it's terrible. They don't answer your questions. You get someone who doesn't understand your environment and it breaks. So make sure that they can answer questions and provide clear feedback to the team when you need it, and that they're doing it in a way that you can verify and report on. Especially with managed services, if they're saying they're going to run

something for you forever, they better be able to prove that they can do that. Not just up front before you buy it, but every single day they're working for you. How are you going to verify and report on what they're doing? And then thinking through what problems they're going to solve, right? Are they actually solving your problem, or are they twisting your problem into their solution? Right? When you're a hammer, everything's a nail. And there are a million partners that are more than happy to tell you, hey, whatever your problem is, we'll solve it. Most of them are lying, right? So do they actually solve your solution? Are they twisting your problem into... do

they actually solve your problem? Sorry. Or are they twisting your problem into their solution? And how do they actually know they can help you? Have they done any due diligence into your problem? Have they done an assessment? Have they reviewed? Have they had meaningful conversations with users inside your environment who would be impacted by this, right? There are some tools where maybe this doesn't matter as much, because you know going into it, but for services, the overall majority of the time they need to have some sort of understanding and evaluation of your environment to make sure that this is going to work. And then, when they have solved your problem, supposedly, how do they prove

it? So how do you actually vet partners? Right? You're asking questions. What do you actually do to vet these people and understand if what they're doing is actually working, right? This isn't everything, but reputation absolutely matters, right? Gartner, love them or hate them, the upper right quadrant are usually pretty good tools in that category, right? Not always. There is an aspect of pay-to-play. I don't have time to talk about this, but I have done the Gartner thing, and you don't have to pay to play, or you don't have to pay to get points and to show up, but you certainly have to pay if you want to

talk to them and have a seat at the table at all. So, it's not everything, but it does matter. And that's not just reputation with Gartner and Forrester and others. There are other people in your industry. Talk to them about the tools they're using. Ask them some of these questions. How is this working out for you? What sort of information are they giving you to prove it? I can't tell you how many people I've talked to who have managed services and they go, "I love my MDR." Oh, great. How do you know you're more secure than you were before you bought them? Well, they haven't escalated anything to me in six months.

That's actually probably a bad sign, really. Like, they're not even bothering you about false positives, right? So, reputation matters. Talk to people, but be smart about it. Then, clearly define SLAs with the partner, especially in a services capacity, in an ongoing capacity. Contracts are real, marketing collateral is not. I cannot tell you how many organizations have an SLA, and then you go and read it and the SLA is: we guarantee we will do X, Y and Z in one hour or less. And what happens if we don't do it? We'll feel so bad about it, guys. We'll say we're sorry, and then, you know, we'll keep working. We'll keep doing what we're doing.

That is bleep, right? That is garbage, right? That is crap. That is terrible. SLAs are: hey, if you mess up, if you don't hit this thing, the vendor feels pain, not you. So make sure they have clearly defined SLAs, and that the consequences of those SLAs are in the contract and you understand what they are. Meet the post-sales team is another really important thing for vetting a partner, a services partner. They're going to put the best people in the world in front of you, right? Those pre-sales engineers, those account managers, right? The executive team's going to walk in, and then you're going to buy the thing, and sometimes you're

going to get a phenomenal team who's going to support you every single day. And sometimes you're going to get a kid who can't even spell the word computer and has no idea what this technology or service does, has no idea what your organization does or how it works. So you need to make sure you meet and understand if the post-sales team can support you the way you're expecting them to. You need to understand reporting. How do you know that what they're doing is actually happening? You need to be able to define metrics that validate the success of the service. This is not a shade at CrowdStrike. CrowdStrike is a phenomenal solution

and their MDR is great, but a lot of people I talk to about CrowdStrike, over and over and over again, I'll hear something like, my CrowdStrike security service is phenomenal, Overwatch is phenomenal. Okay, great. How do you know that it's working and they're not missing things, or that they're responding in the way you intend them to? Like, what are they showing you to prove that? And they're like, "Oh, nothing. We don't know. I just feel like it's working," right? Define metrics. And, for the record, the overall majority of the time, it is working, right? CrowdStrike is phenomenal. But define metrics that validate success, and then have a way to report on them. And then if you're

doing managed services, have a one-year contract the first time. Always. Listen, every single one of them is going to want a three-year contract. Every single one of them is going to want a three-year contract. Some of them are going to want a five-year contract. But the truth of the matter is, you cannot PoC a service. It is not possible, right? I can PoC a car, right? Test drive it, honk the horn, hit the buttons. How do I PoC a steak dinner? You can't. You eat it, because PoCing it is eating the steak, right? Same thing with services. So, any sort of PoC or prep that you do initially, testing, they're either giving you

the service for free, which very few of them do anymore, or you're getting some kind of half version that's not very good, right? So your PoC is that first year. So get a one-year contract, stick to a one-year contract. So a lot of this is very management-focused, but what about individual contributors? What about individuals who want to do a lot of this work?
>> Yeah. So if you are an individual contributor, whether you're an analyst or an engineer, or whether you are in security or you're looking to get into security, if you're spending the majority of your time on these low-impact, very repetitive tasks, then you are going to get burned out. Trust me, I've been

there. Alex has been there. It sucks, right? And the worst part about that is you're not providing any real value to the business, and that means you're invisible to them. But if you can learn and understand all the ways that the business makes money, and you can tie those security initiatives to business outcomes, then all of a sudden you're not just the security guy or gal anymore, right? You become a business leader with security expertise. And when you're able to translate the technical risks into business impact, and you can show how security supports the speed and innovation and, uh, resiliency, then you begin to shift the business's perception of you, and that's how you get

buy-in, right? That's how you get promoted, or that's how you land that next opportunity. And if you want to do these types of things, these types of commoditized work, you know, like red teaming or tier one, tier two alert triage or managing vulnerabilities, there's absolutely nothing wrong with that, right? Um, find a vendor or an MSP that you can work for, and you can do that work all day long. Sorry. Um, and you can do that work all day long. Um, again, there's nothing wrong with that, but if you work for a company whose business is not security, then offloading a lot of these tasks will give you the space and freedom to focus

on what truly matters to the business. Yeah. And I think pentesting is such a great example of this, because very few organizations nowadays have an internal pentesting team. You get above a certain size or you're in a certain niche, you absolutely have a pentesting team. Uh, but that's rare. That's not common. That's not the focus of most organizations. And so when you start to extrapolate that, why do we do that? Well, because having the internal expertise for a pentesting team doesn't make sense for the organization, but it does make sense to pentest regularly, right? Uh, then you start to build, you can build out these other things. And so if you want to do pentesting, if you

want to hack things, go find a red team company and work for them. You're going to be a lot happier, be much more well-rounded, and you're going to learn a lot more than if you do it internally in an organization. So some closing thoughts right now. The problem with cyber security, the reason why we think that there's a shortage, is because we're trying to build cyber security teams that can do everything. And we're trying to hire teams that can be experts in a hundred different technologies and services and ideas. Uh, and we have two people to do it, and it just will never work. Uh, it's too broad of a category, and it's setting us up for

failure. Uh, this leads to burnout, right? People get burned out, they get frustrated, they leave for greener pastures. I mean, I can't tell you how many organizations, even in my own career, where I've done the thing where, like, you go work somewhere for a year or two. You can go make, you know, $20,000 or $30,000 more down the street and be just as miserable there, but making more money, right? And you see these people on their LinkedIns, like they jump from job to job to job every year or two. Why? Because they're being offered more money, because those people are feeling the same problems, but they're also miserable, and they run into the same issue at every single job

they go to. Um, so we need to solve these problems. Uh, moving from a do-everything mindset to an enable-the-business-to-achieve-its-goals-securely mindset helps solve this problem. I've done it myself. I've seen it in multiple organizations. Um, security is enabled to accomplish a lot more. You achieve so much more. Uh, and the business cheers you on for it instead of fighting you every step of the way. Uh, your people start to stick around because they're happy. They're doing interesting work. Their careers are growing and developing. Uh, and they feel like they have more support. And as an individual contributor, your career will go much faster, uh, if you're focusing on these things. It's

one of my favorite things to see, when you find a niche and you find a focus that supports the business as an engineer or an architect or whatever, what happens very quickly. Uh, I have time for this story. Um, I met a guy who, he started, this is more on the, um, sort of DevOps side, but he started as one of the lowest-tier guys on, like, a database team. And then he just started, like, finding things other people didn't want to do in the organization, like, "I'll do that, I'll do that," and they kept promoting him, not as a manager, but like, okay, you're a junior engineer on the

database team, now you're, like, a full engineer on this other team, oh, now you're kind of an engineer that sits between these other two teams. Oh, now you're a senior engineer. Now you're an architect. By the time I left that organization, this was back before COVID, he was the only remote employee in the entire organization. Why? Because he decided he wanted to leave Texas and move to, um, uh, Colorado to be closer to his family, and, uh, because his father was sick and he wanted to take his kids there and be around his family for the last couple of years. And so he turned in his notice, because he knew the company does not do

remote work at the time. No. Hard no. Always. He not only got remote work, he got, like, a significant raise for leaving. Uh, not because he was moving to Denver, but because they're like, "No, no, no." Like, "Please stay. Here's some more money. We'll absolutely make remote work." Uh, and they did it. Careers develop faster and you'll have more support, uh, the more you're able to focus and show the business that what you're doing matters and aligns to what they're doing. Uh, and then for all the other stuff, partner, right? You have to. Uh, we can't do it all anymore internally. Uh, there's a million commoditized things that cyber security teams are wasting hours and

hours and hours on. Most of, I think a lot of cyber security engineers' and analysts' time is absolutely wasted, because they're doing things that don't move the business forward. They're doing things that just hold the line, and they're doing probably a third of what they could be doing, because there's one of them doing it when there should be ten, right? Uh, and so we have to partner. We have to offload these commoditized tasks to organizations where that's their entire job. That's all they do. MDR companies, all they do is SOC, right? Pentesting companies, that's all they do. Uh, it doesn't make sense for me to try to get my people to do those things, because the business will never fully

support it. Uh, this ultimately saves money, uh, and creates a more secure organization overall, because now the commoditized tasks are being done better, more efficiently, faster than they ever have before. Uh, they're doing it for cheaper than you could ever do it in-house. You're usually paying for less than one person, or maybe one and a half people total, uh, to get these services, depending on organization size and complexity. They're getting further than they've ever done. And now all these things that you've always been worried about but kind of ignored, that are important to the business, are suddenly being solved by your people internally doing the work that, uh, they were never able to do

before. Oh, and one more thing. It's actually three more things. Uh, this is a process, and it takes time. Uh, it took me four years, uh, once I kind of had this revelation at my first organization, to start to put these things into play. Now, some of that was I was not a leader or a manager. I was an individual contributor. So I had to use what I had influence over, sort of manage up to my leadership, in order to have some of these conversations and make these changes. But I did it, uh, and it was extremely, extremely valuable. But it does take time. Even if you're a CISO who has complete authority

over everything in your organization, you can't go in tomorrow and say, "Hey, we're assigning these five partners and all four of you are doing different work now and blah blah blah." Like, no, you've got to figure these things out. It's a process. It takes time. There's transitions. Uh, individuals can do this. If you're low man on the totem pole, you're an engineer, a junior engineer, and you're like, "Well, this doesn't matter to me." It absolutely does, because when you start having conversations in this way, couching things around what moves the business forward, asking for tasks that help solve some of these problems for the business, uh, people will start saying yes to you, see what you're

doing, and you will have more influence with your leadership to start to make some of these changes. Uh, and then some vendors just suck. Sometimes you're going to partner with someone, you're going to pay them a lot of money, and it's going to be absolutely garbage. You're going to hate every second of it. They're going to do none of the things they promised. The people are going to be awful. Uh, and you're going to regret it from the moment you sign the contract to the moment they're gone. That's why you sign a one-year contract to start, because otherwise, we're in trouble. So, if you get a vendor that sucks, don't worry about it. I mean, do worry about it. It

sucks. But, like, understand that it will end soon. Move on, fail fast, get out of it as quickly as you can, and then keep going. Uh, so that's it. So, thank you all. Uh, and now we'll do some Q&A. >> Any questions? >> Or you can just challenge us and say we're wrong. >> Questions, challenges, complaints, grievances, thoughts, opinions, or otherwise. Not that I've ever rehearsed that phrase. Oh, here we go.

>> Hey, great presentation. I do, um, I understand most of what you've said. I'm in a principal engineer type role, and sometimes I feel like I'm just, like, a glorified implementer of technology, right? Uh, and I end up being a sysadmin on a lot of those things. Where does that type of work fall into the scale? Because it's not quite the commoditized stuff that you guys discussed, but, like, for just straight tool implementations, is that something that you're recommending partners for, or does it depend? >> Uh, everything always depends, always, unfortunately. But that being said, I think some of that work is absolutely partner work. It depends what it is, though, right? Uh, conditional

access policies and Entra ID is a phenomenal example of this, right? Uh, Microsoft is terrible to partners, but what it's great at is service partners, and there's a million people, and Microsoft's a weird, crazy beast. They change their stuff every 30 seconds, right? But there are people out there who actually understand it. And so when you're setting up conditional access policy as an individual engineer, you have to become a Microsoft expert, an identity expert, a conditional access policy expert, on top of everything else that you're doing, right? Or you can spend 5 or 10 grand as a company and have someone come in, and in a week your conditional access is better

than it's ever been, and maybe you know enough about it to check on it periodically. Maybe you have them come back once a year to validate if anything's changed, right? Um, so there are things like that that absolutely you need to hand off. That being said, there are other tools that maybe matter a lot to the business. Like, if I'm a manufacturing company, firewalls and network security matter a lot to me, right? Because that is the security of my OT environment. Um, I can't put endpoint agents on there. I can't monitor it like I would normally do with a SOC, and all the stuff in there is unique to my organization, how it works, etc. No third party is ever going to be

as effective at that. So, if I'm implementing firewalls in general for a standard, you know, IT company or whatever, uh, I probably don't want to waste my people's time managing and working and running those. If I'm doing it in an OT environment, I probably want my people on that, managing it. So, it does depend, and it goes back to that purpose question. Yeah. >> Any other questions?

>> Thanks for hanging out at the end of the day, y'all. It's warm in here, too. Yeah, I'm ready to drink. >> What? You've not started yet? >> I, uh, man, they wouldn't let me before the talk. Sorry. So, that's interesting. I've heard something very similar, like, in the software development field, like, years ago. I came up the software development track towards that, and what they said was elevate your process to, like, think about wider, because what's going to happen is everybody's going to get outsourced overseas and you're not going to have a job, and the best thing you can do is understand the business and be able to talk to the people that are going to

actually be building the things. So it's a similar context. How do you see, like, convincing the business that, like, you know, I'm not paying anybody to do this now, but I need a vendor to handle this thing that we're not doing? >> Yeah. Um, the easiest way I found is, a lot of times you are paying someone to do it. You're paying the sysadmin, you're paying the security engineer, the CISO is doing it, right? Um, and it's not going well, right? It's probably 20 or 30% of what it should be. And there's this black hole over here that no one is paying attention to. Um, now what I found is a lot of, especially security

leaders don't want to talk about the black hole, because they don't know how to solve that problem either, right? But what's easy to solve is, oh, I know endpoint security, because there's a million webinars on it and tools, and so if I hire people and focus on this, I can show how I'm effective over here. How do I secure this other thing over here that's the foundational business? That's scary, because that's something I have to figure out and my team has to figure out. So what ends up happening is, as you go through this process, the beginning is rough, because you're not getting support from the business.

But as your language starts to change, other business units start to see you as an ally instead of an enemy, and you actually start accomplishing things that move the business forward securely. Um, then you can start asking for things. You can go like, "Hey, we've achieved X, Y, and Z. We could achieve this much more if this person wasn't focused on this. We're paying this person way too much money to do this when they could be doing this. This other part of the business that brings in all of our revenue is suffering because my people aren't doing this. So why don't we budget a little bit of money to put a service here, solve this problem, and

free up these resources, now for less than the cost of one person. I have a third party that I can hold accountable, that I can have SLAs against, etc., doing this work, and the people that we're paying are now doing work that's better for the business." Most organizational leaderships, like, will at least listen to that conversation and be interested, and it becomes much, much easier to get budget for those kinds of things, uh, than for just saying, "Hey, we need an MDR because Gartner said so," right? Um, so that's been my experience, and it doesn't work all the time, right? Some places don't care no matter what, uh, and those are great places to leave, because, you know,

everyone says there's a cyber security shortage, and you can, uh, you can go work for another company and make more. >> Any other questions? Okay. Well, thank you very much. That was definitely a top-right-quadrant, uh, take. Uh, so thank