The talent gap in the cybersecurity industry is widening over time. The survey by Tripwire confirms that hiring and retaining cybersecurity talent is harder than it was last year. To address this challenge, organizations have adopted in-house skilling-up programs and have outsourced the labor-intensive tasks of managing security products. Outsourcing lets a group of organizations make effective use of the skills that are available. Cybersecurity skills requirements have also evolved with the emergence of machine learning and artificial intelligence. Previously, organizations needed many people with mostly system administration skills to manage security products, but the shift to security orchestration and automation has reduced the number of people required while raising the level of expertise required. The skills in demand include tool automation, scripting, and programming. Developing that expertise requires access to the technology, so organizations have to invest in training, although they risk employees leaving before the company sees a return on that investment. An aggressive hiring program for fresh graduates and early-career candidates helps build a pipeline and address the shortage because it gives people the opportunity to learn on the job. When an organization invests in the growth of its early hires, it improves employee retention and promotes a better work environment. The Tripwire team also recommended internship programs and community educational events.
The major highlights from the RSA Conference in 2020 include the notable growth of managed security services and concern over the impact of the coronavirus. Managed security services mainly take over the administration of security products, freeing internal resources for the more challenging security tasks. The coronavirus has resulted in a drastic increase in remote working, which introduces additional risks that CISOs should take cognizance of. In addition, it may also result in reduced travel for vendors.
Thomas Horlacher: Invest in yourself today with our Insider Pro product, which gives you the career path to reach the next step in your cybersecurity journey. Join today on Cybrary.it using the discount code podcast. In this episode of the Cybrary podcast, we sit down with David Meltzer, the CTO of Tripwire, and Tim Merlin, the vice president of product management and strategy for Tripwire. Speaking with myself, Thomas Horlacher, the head of creative services for Cybrary, David and Tim give me their thoughts on the talent gap in the cybersecurity industry. All right, we are here with another RSA podcast with Cybrary today. I'm speaking with David Meltzer from Tripwire and Tim Merlin from Tripwire. Thank you guys for sitting down with me. I appreciate it, so we are speaking about the talent and skills gap in the industry. Just wanted to get your thoughts on that.
David Meltzer: Yeah, thanks for having us today. We have over 2 million job openings in the information security field, and it's a really difficult challenge for people. We actually recently did a survey and Tim was quoted in that survey talking about some of the challenges that the employers are having. You want to talk about that one Tim?
Tim Merlin: Yeah, I'm happy to. It's actually a similar survey to the one we did last year, so we can get a little bit of trending data. But not surprisingly, we found out that from those respondents, their perception of the skills gap or the talent shortage in cybersecurity is that it's getting worse. That it's going to continue getting worse. I think the, you know, 83% of them said that it's harder to hire and retain folks now than it was last year, and we definitely see that in our customer base, in addition to the actual survey respondents.
Thomas Horlacher: Yeah. Um, I'm wondering if you are seeing with now with the hiring gap, and everything kind of widening, are you seeing a trend of more people trying to bring in lower level people and then skill them up? To kind of make them maybe fit a role that you're looking for, or is it still just, you're looking for that perfect person that's gonna automatically fit your role and you can just roll them right into, you know, your team.
Tim Merlin: Yeah, anecdotally, I generally hear the complaint that there, there aren't enough, enough talented people to hire. Like they have trouble finding qualified candidates. I haven't heard a lot of folks saying that they're changing those requirements and then trying to train people up. But I don't know, Dave, if you have seen other experiences?
David Meltzer: One trend that I am seeing as I've been out talking to CISOs over the last year is the requirements of the kind of people we're trying to hire are changing. I think those requirements are actually getting more complicated as security gets more complicated. I think if you went back a couple of years, a lot of security had to do with like basic administration. People had a lot of products. They were very manual-intensive products. You needed a lot of people to do that. Now, CISOs are looking for people who can automate tools, who can do some scripting, maybe they know some Python. And so as you raise those skill levels, it gets harder and harder to find that talent pool.
Thomas Horlacher: Yeah. So, I mean, with the rise of AI, machine learning, I mean, are you seeing that that is causing an issue with the talent gap? I mean, now you can automate people out of jobs, but now you need more expert-level people who know what the automation is doing and actually how to secure it. So you're kind of raising the bar for the people that you need, even though you need less of them now.
Tim Merlin: And some of those skills, the higher-level skills, are harder to train for when you don't have access to those tools and technology. So it would be really hard to step into cybersecurity, you know, with expertise in AI and machine learning, you know, for that industry without ever gaining that experience in a real-world scenario.
Thomas Horlacher: Yeah, yeah. Without ever, you know, doing it or anything like that before. I mean, are there kind of. Are you seeing any trends? Is there like small things that people can do or companies are starting to do that are starting to help with the gap that you're seeing?
Tim Merlin: So, the two things that we saw in our survey that are driving improvements there are programs around training and retention. So the goal being to skill up the people you have, that's one option, and the other is outsourcing. So if you can outsource some of that basic administration for the tools in place, you can save the people you have for the more difficult, challenging problems within the organization. That also helps with retention.
David Meltzer: Yeah. And I'm certainly seeing that trend around managed services growth, as well as you have multiple customers aggregating to that central point, you can get more efficient with how many people you need. So as an industry, as we move to more managed services, we get more efficient with operating that and using the talent we do have across the industry.
Thomas Horlacher: Yeah, I mean, every now and then you hear the horror story of, oh well, you know, we're going to train, we're going to spend all this money training our employees, they're going to gain all these skills and then they're going to leave and go somewhere else. I mean, is that something that you think is true?
Tim Merlin: But what if you don't, if you don't train them, they're going to leave and go somewhere else as well. So you're kind of stuck there. Yeah.
Thomas Horlacher: Stuck with people who can't, who aren't learning at all. And, you know, they're just kind of stuck.
David Meltzer: Yeah. I mean, just from my personal experience, having hired and having worked with a lot of people at the kind of junior, intern, first hire out of college perspective, you know, you really, you want them to do that. You want them to gain those skills, become more valuable, and people who are really aggressive about hiring early career people, college graduates, and even our company, we have a whole program around early career leadership to try and bring those people in. You know, they, they will spread and you won’t be able to keep them all in and that's okay. What you really need to do is keep that funnel going. You need to keep hiring those people and then move it back a step to the community and education. And make sure as a security community we're supporting education and outreach and getting more people involved in the community.
Thomas Horlacher: Yeah. I mean, that's something great that you guys are doing. I mean, I, myself started at a startup company and was put on an engineering team. I had no engineering background or anything. I was just kind of the IT person. And then after we were acquired, I was actually an engineer. And I just learned on the job from all the people that I worked with. And I was just given the time to learn everything, which, you know, luckily I was given that chance, but not everybody kind of gets that. So it was just a great experience to be able to kind of be given that chance and be given the tools that I needed to learn instead of just being like, no, you can't do it like you're done.
David Meltzer: Yeah, absolutely. Now, one of the proud things I have at Tripwire is I have a small team of the office of the CTO. And over half the team started as interns for me, including the engineering manager, the principal software engineers on those teams. When you are able to bring people in early, it creates a really dynamic culture for the company as well. Yeah, it was great to have that talent.
Thomas Horlacher: Yeah. And then, you've had people who've been there a long time and, you've invested in them and it makes them more invested in the company. It makes for a better work environment as well.
David Meltzer: Yeah, absolutely.
Thomas Horlacher: I mean, as we go, I mean, is there anything that you've seen at the show or anything that is exciting you about RSA that you've seen this year?
Tim Merlin: There has, I have seen a trend around managed services as we were talking about. I think that's a growing area. More organizations are considering how they can outsource or offload some of the burdens that they have now around the tools so that they can help address that talent shortage. Other than that, I haven't seen the usual sort of technology trend or buzzword trend that sort of seems to take over everybody's booth all at once. I haven't seen that this year.
David Meltzer: The trend that has really been the undercurrent of this conference, at least in my conversations with a lot of people, has been the coronavirus, and not just the conference and shaking hands and bumping fists, but also what will be the impact to our industry. And what should we be thinking about doing, as the virus may propagate and as we have to deal with things like, are we gonna have to work from home more? Are we not going to be able to travel as much as vendors? And how should we adjust to that in the industry?
Thomas Horlacher: Yeah, I mean, yeah. Luckily being in tech, most people have the ability to kind of work from anywhere. So working from home as something, one of our, one of my colleagues was telling me today that Zoom had listed that they had sold more accounts in the last two months than they did all of 2019, probably because people are effecting, be like, oh, I'm going to be able to work from home, something like that.
Tim Merlin: But increasing the number of people you have working from home dramatically, especially if it's not already part of your organization's culture, it changes the attack surface as well. So there are new risks that show up, new concerns that you might have about. Who has access to which devices and what they do with those devices. So I think there are some changes for cybersecurity there to pay attention to.
Thomas Horlacher: Yeah. That's interesting to, yeah. To think that, yeah, not, everybody's going to be now at your office on your network or, you know, under kind of your umbrella. They can be anywhere on their home and you know, who knows what they're logging into and stuff like that.
Tim Merlin: Yeah. Interesting.
Thomas Horlacher: Yeah. I mean, any closing thoughts or anything as we go out, as the end of RSA is coming up?
David Meltzer: I think RSA should be a two day event. The third day feels like it's just a little bit too much. Maybe that's my closing thought. I think we could get it done in two days.
Tim Merlin: I think that might be the last big conference that happens in San Francisco this year, possibly. Could be, well, yeah.
Thomas Horlacher: Thank you guys for taking the time. I appreciate it. It's always good to talk to you, David. So thank you guys, next time. Thank you. Thank you. Hey, this is Thor. Thanks for listening to the Cybrary podcast and make sure to check back next Wednesday for our newest episode.