Listen: Next in Tech | Episode 58: Technology hiring issues

There have been chronic hiring issues in tech, even before the Great Resignation, and it's been particularly acute in information security. Research analyst Megan Goodwin joins host Eric Hanselman to talk about alternatives to the traditional internal paths and where targeted learning can be useful. With concerns about burnout being ever more prevalent, training options like boot camps could help to skill up existing staff, but organizations have to invest to make those options pay off.


Transcript provided by Kensho.

Eric Hanselman

Welcome to Next in Tech, an S&P Global Market Intelligence podcast where the world of emerging tech lives. I'm your host, Eric Hanselman, Principal Research Analyst for the 451 Research arm of S&P Global Market Intelligence. And today, we'll be discussing technology hiring.

It's an area that I think most organizations are challenged with. And when we think about one of the most problematic areas, information security, it's something where organizations have been working hard to really sort out how they can manage skills, capabilities that are needed in an area of technology that is very specialized, is evolving very rapidly and presents a whole set of challenges in terms of both hiring, building and retaining staff that have got the skills they need to keep their organization secured. Something that surprisingly is near and dear to all of our hearts these days.

And to discuss that with me, I have Megan Goodwin, who's a Research Analyst from our Information Security team. Megan, welcome to the podcast.

Megan Goodwin

Thank you, Eric, for having me. It's truly an honor to be here.

Eric Hanselman

Well, you are a relatively recent addition to the InfoSec team. And I wanted to get your take, both on some of the data that we've got, some of the background and also some of the ways in which as an organization, we've looked to be able to tackle some of this, some of your experiences around this. I think you've got some interesting insights in terms of where this fits.

Dan Kennedy has talked about a lot of the Voice of the Enterprise data and some of the challenges that get represented by the respondents' views and some of the hiring decisions and paths and strategies they're looking for to fill positions. You've had a run at this data, what can you tell us about some of the aspects that are being reported for hiring and directions that organizations are taking?

Megan Goodwin

Well, I can tell you that the majority, actually, over 43% of organizations tend to lean towards training existing employees or make use of contractors and managed services like MSSPs. We know this because of 451's own Voice of the Enterprise data, which not to rattle off stats back-to-back-to-back, but illustrates about 37% of respondents say that they have plans to hire from outside of the organization and over 60% actually report that they're hiring for mid-level employees. So that's a pretty interesting point there considering that there's a shortage in the skills that might be in the existing employees, but there is a reluctance to hire from outside of the organization.

Eric Hanselman

Well, it's an interesting problem when you think about sort of what organizations are wrestling with. Here, they've got a definite need. They've got this urgency to be able to get there. And the other thing that's behind the data, it's -- there's skills gaps for everything that's new. It's -- I think last year, for the first time, cloud infrastructure topped the list of InfoSec skills that were the most necessary and had the largest gaps. And so it's this tough thing, as you're saying, it's really this difficult challenge to try and figure out how you cover this in ways that you're actually going to be able to cover this with the especially the challenges in hiring at the same time because there's also still reporting that it's challenging to hire and retain too.

Megan Goodwin

Exactly. We know there's an overall shortage in skills. In fact, we've actually observed that it's a multiyear trend. I mean there's a high burnout rate among existing staff. And as illustrated by the VotE data, it's not a first instinct to hire externally. Most would rather build upon what's already there.

Eric Hanselman

Well, and I think also maybe in InfoSec, we also get that -- the constant story that hiring is just really, really hard. So I think a lot of organizations just expect that they're not going to be able to hire externally because finding people is difficult, salaries are astronomically high. And it is, I think, one of the things that also drives the increase in consideration around using managed services. I think that represents a chunk of that population that's decided that, well, maybe they need to go out of house for a service. But for some organizations, they need to have internal staff to manage these capabilities, and those are things that they can't hand off to others.

Megan Goodwin

Right. But that's a great example of where existing staff has the opportunity to strengthen their resolve and their skill sets.

Eric Hanselman

Well, and if we think about the kinds of things that you can do with internal staff, I think we see in a lot of other studies, concerns about effort required to go retrain. There's certainly a lot of intent, but I think many organizations really stumble on the path for how do you actually get that done and how do you do that effectively. And I think the normal path for InfoSec employees to follow isn't something that always leads to long-term retention either, is it? I mean, what's -- if you think about what that journey is, that can be a difficult and complex path normally, right?

Megan Goodwin

Right. Absolutely. I mean it's pretty intensive. We typically imagine internal growth from the beginning, Tier 1. So starting with log monitoring in a SOC, which, for the listeners who might not know, is a security operations center, where employees basically watch logs scroll by and hunt for flaws, similar to how someone might look for a flawed bottle on a conveyor belt coming out of a bottle plant. So it's really glorious and tedious stuff. And from that...

Eric Hanselman

I don't know if I'd go with glorious there, but yes -- but to your point, it's a fairly intensive, eyes-on-screen, strong focus kinds of -- kind of work.

Megan Goodwin

Yes, I agree. That's usually where many employees get their hands dirty, but also have the chance to gain initial industry experience. It gives the opportunity to become more fluent and gain aptitude and therefore, can result in the ability to pinpoint and escalate more high-quality data up to the next tier, which is Tier 2.

Then after a while, Tier 2 says, "Hey, wait a minute, this person is doing really well," and recognizes those individuals and offers the ability for those people to be brought up to them. Once there, they usually have the chance to work with [SOAR] and gain additional context, et cetera. One of the keys here is to reduce the dependence on IT, so eventually moving up to incident response is easily feasible. Then basically rinse and repeat until you're apt enough to do pen testing.

Eric Hanselman

And that's a path that if you think about -- that's really slogging through the trenches for a while.

Megan Goodwin

Right.

Eric Hanselman

It's something where it's a lot of time spent doing a lot of the heavy lifting, that front-end work, slowly marching your way up through various sets of capabilities. And you'd identified that burnout is one of those things that is a constant concern in InfoSec more broadly. That's something that -- these are exactly the kind of things that have a tendency to burn people out.

Megan Goodwin

Absolutely. So it's really prolonged exposure and broad content instead of the alternative, which is either a boot camp or a certification program, which is concentrated exposure in multiple different areas. So it's condensed into a much shorter amount of time, but you still get to dip your toes in each pool that someone is spending all of that time in any of those areas would normally do.

Eric Hanselman

Well, that's an interesting angle. If we think about the kinds of things that organizations are trying to sort out in terms of how they upskill teams to be able to manage it. I mean, the certification path is certainly one. That's something where we think about how organizations are trying to manage a lot of those capabilities. But certification tends to be a little more drawn out and usually a little broader, but you're mentioning boot camps and in some of the targeted approaches that potentially used to be able to get directed knowledge into the appropriate team members at that point of use.

Megan Goodwin

Yes. There are some boot camps that are more full stack offerings, but the majority of them are targeted directly to, say, front or back-end development. Either way, it's like you said, still a directed knowledge.

For instance, in my personal experience, I decided to go with the full stack route in order to gain familiarity with the command line, but the majority of programs still offer the opportunity to build skill sets through hands-on exercises, both in individual and in team settings. As a general overview in skill sets, many programs cover network analysis using tools like Wireshark for packet analysis, using systems like Linux and Windows and Ubuntu, which is very important for those who haven't had prior experience. They offer programming and scripting practice using things like Bash and PowerShell and the chance to implement admin techniques, and in a cybersecurity sense, students are exposed to secure network design and architecture as well as risk management, cryptography, vulnerability assessment and cloud security, which to your point earlier, is definitely in demand. So they get to work directly with the cloud and deploy their own containers and then monitor the activity there.

Many boot camp programs also teach ethical hacking using tools like Metasploit, Hashcat and Burp Suite and other web vulnerability security tools and techniques like SQL injection and XSS. There's also the chance to learn about identity and access management, which is very important in terms of achieving the view of the adversary. Students have the chance to demonstrate the skills gained by pen testing on the student's very own projects, which harnesses the "outside-in perspective." And we know that these tools are all about that.

Eric Hanselman

So you mentioned aspects of career perspectives. And those are areas that can identify specific roles that the staff can fill in new and interesting ways for organizations.

Megan Goodwin

Yes, absolutely. So the boot camps really prepare people for, for instance, digital forensic investigation or vulnerability assessment or security operation and analytics roles, but also pen testing and the ability to perform active and passive recon. So that's the ability to do what I know 451 talks a lot about, which is the outside-in assessment. I mean that's what these tools are really concentrated on.

Eric Hanselman

It's one of Scott Crawford's favorite hot buttons, absolutely. So we'll give Scott a quick shout-out here, but yes, being able to understand your infrastructure in ways that are going to look similar to the way that an attacker is going to look at them and what are those critical aspects of ensuring that you really have an understanding of what the outside view looks like. And where your posture -- or your security posture fits, what your attack options are and where you need to invest to ensure that you're more carefully protected.

Megan Goodwin

Absolutely. And having somebody who's had the visual of all those different points of view is pretty valuable.

Eric Hanselman

Well, to your point, that's something where if you've got folks who've grown up inside an organization, their focus naturally is going to be on the internal systems, a lot of the controls that you've got, a lot of the systems that you've got and may not be thinking about what those externally facing vulnerabilities happen to be. And I guess the thing that we're sort of heading towards is the potential to be able to have something like this allow staff to really leapfrog some of those long slogs that normally are necessary to be able to build skills and to get the kind of exposure that might otherwise take a significant amount of time to gain.

Megan Goodwin

And not only do programs like these maximize the use of time, but many of these boot camps also offer career prep, whether it be for an entry-level position or for somebody building more skill sets. These kinds of programs are actually designed to help prepare people for roles like network or system administrators, analyst positions in vulnerability assessment, cybersecurity or incident response as well as roles for SOC analysts.

In my experience, throughout the program, independence is truly fostered to help illustrate what the real-world scenarios might be like and to encourage students to use their resources, whether that be class notes or the Internet or even each other. It's also not unusual for programs like this to be topped off with some kind of feedback from individuals who are already in the field as a part of their career preparation.

Eric Hanselman

Yes. So it's really targeting specific skill sets that are really focused on the kinds of things that an individual job or an individual role the team would require and then really giving people a deep enough dive to be able to get what they need to be able to get their jobs done.

Megan Goodwin

Right.

Eric Hanselman

So if you think about where this starts to fit with some of the VotE data, what this is really saying is there's the opportunity to overcome a lot of those challenges of finding senior staff, even though organizations are saying that they expect that they're going to be hiring senior, we know that that's going to be a real challenge. So -- because what was the number? It was like I was just looking back at it, 60% are saying that they're going to be hiring for mid-level -- and with the environments we've got today, organizations need to figure out how to be able to get folks who have got sufficient levels of skills and then get them up to the levels that they need to be able to really do those jobs. And that seems like this is a way in which we can really solve that difficulty and really those conflicting imperatives to be able to get these kinds of roles filled.

Megan Goodwin

Exactly. Yes. And something that's interesting about the mid-level positions is that the boot camps actually are tailored to either specific areas or they can be like a full stack boot camp. So you can have something that's designed specifically for a front-end development role or back-end development role, but you can also have somebody who's got a bit of experience and expertise and skills in each area. So that really addresses a lot of the 60% -- that 60% that you're talking about, it could fit in many different areas.

Eric Hanselman

So a lot of different ways to be able to handle that.

Megan Goodwin

Right.

Eric Hanselman

Well, I think a lot of organizations tend to think of training as being a significant time out of position so that in order to do this, and I know certainly, if you're going for full certification paths, that can sometimes be a lot of time outside of the role. But some of this is something -- and actually, you've got some experience with this -- these are things that at least if you manage it well, are things that you can do while still integrated with your current role.

Megan Goodwin

Yes, absolutely. So really, this is a big investment of both time and money. So for anybody looking into a boot camp, there's really a need to do research on both the programs and the university at which the boot camp is hosted just to make sure you're really getting what you want to achieve out of the program. But in terms of time, boot camps usually go for 12 to 16 weeks in duration, but vary per program. It's usually standard across the board for the boot camps to recommend attendees to devote a minimum of 20 extra hours per week.

So if you're working already, you have to make sure that you have an available 20 hours minimum to devote to the program. And it's also not uncommon to give a grace period or a test run in the beginning of the boot camp just to make sure that students are prepared for the workload and willing to significantly limit their external life or outside activities in order to succeed and really get as much as they possibly can out of the experience. So it's definitely a large investment of time, but it's also a very good investment of time.

Now in terms of cost, programs range from anywhere around $10,000 to $20,000. Again, that varies per program and also per location and can also depend on duration. There's usually a down payment to confirm the spot and then payment plan options like your typical monthly installments for the duration of the boot camp or split over the course of 24 months, and there's also the availability to pay upfront. It really depends on what the individual's preference is. But again, it's a really good investment.

Eric Hanselman

Individual or organization, so hopefully, it's also a path that organizations see as something that is a reasonable investment in that individual staff member so that they can actually get them up to a higher level of performance. But I guess in terms of that balance, this is something where you're saying a 20-hour a week commitment, that's something where, especially if you're in the trenches in InfoSec, you may already be at a relatively high hour burn rate in terms of where that fits. I guess organizations have to figure out how they're going to balance that and how their -- whether or not they can actually carve out that kind of time for individual staff members.

Megan Goodwin

Right. I think it really is about a balance of priorities. And in my experience, it's 3 days a week, but the programs out there can vary from 3 to 4 days a week, and it's only about 2 to 4 hours per class session. So again, in my experience, it's 3 days a week, 2 of the days are 3-hour sessions, usually in the evening of the weekdays, but the remaining day is a 4-hour session mid-morning on a weekend. So it sounds like a lot when you say 20 hours, but in reality, it's split up over the course of each week, and it's pretty manageable. So you devote quite a few hours of different class sessions and then a few hours out of that for homework and studying and getting to know your colleagues inside the class, but it's manageable and it's definitely a worthwhile experience.

Eric Hanselman

And in terms of balancing it with your day job, it's one of those things that it sounds like as long as you've got the flexibility to really break up what you're doing, it means that you're not completely out of pocket for 3 or 4 days in a row, you get the ability to at least sort of check-in, be plugged in on some level and then balance that.

And -- but I think it does mean that organizations -- if they're going to make this sort of investment, they've also got to ensure that they're going to carve out the time that the staff member needs who is actually in the program to ensure that they're able to spend enough time, that they're getting the most out of the course while this is all going on.

Megan Goodwin

Right. And especially breaking it up over different days throughout the week, it feels much more manageable once you're actually doing it. So for organizations who are considering having somebody participate in one of these boot camps, it's manageable when you have a few hours every single day or every other day.

Eric Hanselman

So you're still able to get back, it's still possible to not be totally disconnected. Although again, it's, I think, up to the organization to ensure that it's not something where it's the job plus whatever additional training they happen to be doing at the same time.

Megan Goodwin

Right.

Eric Hanselman

So I wanted to ponder sort of organizations. So we've talked a lot about where organizations are really heading, what they could do, and certainly what their needs are, but what do you think about how organizations can really address hiring challenges? We talked about some of the basics, but I think it's something where the point that you're making originally, which is to really rethink where that focus is, how they expect to find the staff and the skills they need in order to really meet what are a set of challenges that are going to be more challenging as we keep going forward.

Megan Goodwin

Yes. I think, first and foremost, being more open to somebody who's had something like a boot camp experience because it gives you such a well-versed experience in so many different avenues that it can qualify somebody for a specific role, also being open to having existing employees broaden their skill sets by taking something like a boot camp.

Eric Hanselman

Well, so is your thought, and I guess sort of what's underneath one of the things you're mentioning is that there is sometimes some reticence to look at folks who haven't been through the trenches and haven't got screen tans from spending so much time looking at logs and following all this. And that really -- I think there's this, I don't know, I guess I see it as the same thing in a lot of professions. And you have to have done the hard work in order to have actually gotten the scars to be worthy to be able to get there. But realistically, those are attitudes that people have got to get over, if, in fact, they're really going to get not only folks who are going to meet the skills they need, but are up to date with the capabilities that they need. And that, to my mind, is one of the biggest issues.

Megan Goodwin

Yes. It's also -- it's an alternative to the more traditional way of going through the years and going through all those experiences. It's like jumping ahead, and you also are harnessing the ability to do something virtually. Many of these boot camps are offered virtually. And as we know from the pandemic, a lot of things have shifted to a more virtual standpoint. So it's also harnessing that technology and the ability to use or take advantage of knowledge from around the world potentially.

Eric Hanselman

And really being able to take a look at what is the latest and greatest in terms of skills. And I think one of the things we often suffer from in the InfoSec world is a "this is how we do it, this is what our tool set looks like, these are the kind of things that we have." Again, because we wind up being so specialized and have needs for very specific kinds of capabilities that it can also be a door to newer technologies, newer processes, ways to actually attack and operate problems in ways that are better.

I mean, you talked a little bit before this about automation and some of the things that I think some organizations are considering how automation is going to start helping them to scale, looking for force multipliers for the existing teams. And hey, automation is great. And I think as you're moving to cloud-scale, absolutely mandatory but you've got to have people who understand the automation. And that's one of the things we were talking about earlier because cloud infrastructure skills are topping that list in InfoSec gaps because people are heading towards automation, and they don't have people who've got those skills yet.

Megan Goodwin

Exactly. And even if you're able to have the automated tools to help handle a lot of those either excess alerts or what have you, you still need the people who have the expertise to either filter through what is prioritized by those automated tools or help manage those automated tools. So you still need some kind of personal aspect.

Eric Hanselman

We're still not yet to the point at which Skynet really understands enough to be able to do it all for us. So we're not yet ready to flip that big switch.

Well, Megan, thank you very much for being on the podcast. This is great, and it's stuff that is such a key part of what's challenging organizations as they're trying to figure out how to approach what has been a chronic problem in information security. But it's great to get your experiences also in terms of how you worked through this and some of the aspects and perspectives about what you've seen as being successful.

Megan Goodwin

Thank you, Eric. Again, it's truly an honor to be here.

Eric Hanselman

Well, thank you very much. And that is it for this episode of Next in Tech. Thanks to our audience for staying with us. And we hope that you will join us for our next episode where we're going to be discussing data and its delivery. A lot of the challenges in terms of figuring out, okay, you want to be a digitized organization, how do you get the data you need, how does it get delivered, and what mechanisms are actually there to be able to fuel what are those analytical engines, the AI/ML that you really need to go inside. Hope that you'll join us then because there is always something Next in Tech.
