Starting with this episode, we’ve switched to a transcript format for the show notes. Please share your thoughts on the new format. Are the full transcripts helpful? Would you like to see us continue them?

Jennifer: Hi Gabe, welcome to Frankly IT.

Gabe: Thanks for having me.

Jennifer: I think this is going to be such a fun conversation. We’re going to poke a couple of sacred cows, I think, and talk about the skills shortage, in particular the cybersecurity skills shortage and how there is no such thing. Tell us more about that.



Interview With Gabe Gumbs

Gabe Gumbs, Spirion

Gabe: Yeah, well, it might be a little bit of a religious bent of mind, if you would, but I happen to really dislike the concept that there is a skills shortage. When the skills shortage is often talked about, debated, or otherwise brought up in conversation, folks usually point to the number of open positions within our field as some type of proof or evidence that we don’t have enough people to fulfill all the necessary duties.

Equally, you’ll see some folks kind of poke fun at some of the requirements for being able to even apply to some of these jobs, which I think some folks poke fun at as an attempt to show hey look, maybe the requirements for these positions are ridiculous. I think I saw one recently that asked for something like eight to 10 years or more of experience working with Kubernetes containers, when Kubernetes hasn’t been around that long. So there certainly are some things like that.

But ultimately, I don’t even think it’s bad hiring practices that are mostly at fault, although I can lay a lot of blame at the feet of bad hiring practices, everything from mandatory certifications and certifications that in my opinion, don’t really prove the value of someone’s either technical capabilities or more importantly, their acumen, their ability to learn something new or to solve problems.

But I think a lot of these problems really lie squarely at the feet of those of us who create the technology that ostensibly is there to solve the challenges that our customers come to us to help them solve. Said another way and in much shorter prose, we’ve got a lot of really bad systems out there that make it really difficult for folks to approach.

Jennifer: So if I’m hearing you correctly, there’s sort of two parts to this lack of skills shortage. The first, as you mentioned, is that companies are looking for the wrong things or they’re looking for too much and they don’t need that much. But secondly, they’re throwing people at the problem when really it’s a technology problem.

Gabe: Very much so. It is very much a technology problem in more ways than a few. There are the technologies that we created that from their inception were not created with security or privacy in mind. Our recent glut of IoT devices over the last decade plus is a true testament to that at scale.

But then there are the systems that we designed to help combat the shortcomings in the other technologies we’ve created that are very difficult to operate. They create a lot of erroneous noise. They don’t interoperate well at all with other technologies. Some of that is by default, some of that is by design, that lack of interoperability.

And ultimately it’s very much a technology problem. We’re looking for the wrong people and the wrong people attempting to use really bad tools to solve those problems.

I’ll throw a third one in the mix as well, too, which is at least within my industry, I’ll poke at ourselves some more. I’m part of that. I certainly don’t mean to poke at everyone else and not point a finger back towards where I sit, is we tend to look at information security and IT in general as this very esoteric community of individuals that really can only understand these complicated systems. And frankly, that’s not true. There are certainly some systems that are very complex that require a great deal of knowledge and experience to operate. But not everything is rocket surgery, as I like to say.

Jennifer: So how do we begin to unpack this problem as an industry, I mean, we’re talking about decades of technology development, band aids thrown on top of band aids, this web of devices that weren’t made for that, weren’t made for interoperability with that. Where do we even begin to solve that?

Gabe: Well, I think first and foremost, we have to actually acknowledge that, and I don’t think we’re there. If I look at the number of new technologies that enter the market every single day, I don’t think that there’s an acknowledgment that that’s the problem. There’s a perverse incentive to throw more technology at the problem. And when I say perverse incentive, there’s no shortage of money entering the industry to propagate all of those new technologies. And there’s no shortage of consultancies around those things.

There is no incentive to solve the problem at the core and design systems differently. Getting systems to market quicker because there are so many entrants equally means that things like the user experience oftentimes gets denied any rightful attention early on. And I mean the user experience of the operators of the systems.

Jennifer: Now, I think you also believe that there are some people who are doing this the right way or what you consider to be the right way. So can you give us some examples?

Gabe: I don’t want to necessarily tacitly endorse too many, but if I look at AWS, for example, they’ve got a collection of very complicated tools that they make available for you as, say, an application developer to put together new systems. But one of the things that I think they’ve done well with some of their systems, if I point the finger directly at say AWS Amplify, is the ability to abstract some of the complexity from that toolchain so that you can get to delivering on the value proposition that you’re trying to. So ultimately solving the problem that you are setting out to solve for without having to worry about the complexity of some of the other technology components. And what that makes for is the deliverance of other products that are a bit more approachable by not having to be an expert in rolling out identity access management solutions.

When you use a platform like AWS Amplify, it means that I, as a user of your application, will have a pleasant experience in actually using the technology, what I’m signing up for, authenticating to those types of things. The same is true in the back end as information comes out of it. They do a pretty good job of providing you the tools to make that information a bit more approachable. To be fair, I’m talking about a collection of tools that someone with some experience and knowledge does still need to put together. But it is a very good start at doing things of that nature.

Traditionally, we’ve looked at organizations like Apple as those that have really kind of mastered the user experience and made it so that their systems are approachable by large numbers of people that don’t necessarily have to understand how the computer works. They just have to be able to understand how, for example, Photoshop works because they’re graphical designers, whatever the case may be. So there’s certainly some organizations that are doing things well from that perspective. I’m throwing out the really big names because they’re the examples that people can kind of get their heads around. But there are certainly a significant number of others that are approaching it well too.

Jennifer: Yeah, on the consumer side, we’ve seen a lot of that simplification and that user experience, Apple, as you said, leading the charge where, you know, anybody can use a smartphone, you just turn it on and press this button and you press that button. And it’s very intuitive and clear what you need to do. And you don’t need to understand anything about what’s going on behind the scenes or inside that little piece of technology. Do you think we are or should be moving towards something similar in the IT world?

Gabe: I do. I definitely do. No one has ever sat back and said there’s a shortage of people willing to buy a smartphone. Right. Smartphone adoption is not hindered by people’s ability to use them. So why should technology adoption be hindered by people’s ability to use technology? And we could argue a smartphone is a highly, highly complex bit of technology, isn’t it? So I think we should move in that direction. We should follow that model.

Jennifer: I also thought you might bring in the IBM X-Force.

Gabe: Oh, yeah, for sure. That for me is a very good example of solving for what was ultimately a problem of people at scale with a combination of people and technology, different and better hiring practices combined with technology. So an organization like the IBM X-Force was originally part of the old ISS X-Force that IBM had purchased through an acquisition years ago and their approach to solving for some of the managed security services challenges they had was to start developing tool sets of their own that ultimately simplified and rationalized all of the information they were getting from all of these other security technologies.

I think that’s a very good example of how you can, with a relatively lean team of professionals, approach a significant problem at scale and not have to then try and hire an army of those same types of professionals to solve for that same problem.

Jennifer: So this is an interesting idea at the industry-wide level. I’m wondering, at the practical level, within a company, let’s say you’re a 100 person company and you have an opening for an IT professional that you’re having trouble hiring for, what does this theory tell you about your next steps?

Gabe: It tells me that ultimately we should look at first and foremost those hiring practices, but we should spend a little bit more time identifying the problems that we want that individual to solve for. When I look at a lot of these job postings, I look at the responsibilities and they’re extremely tactical in their request or what it is they think they need. And I think the next step is to kind of turn that model on its head and think about the outcomes that we want to achieve versus just the day to day tactical items that may need to be performed to get to those outcomes.

I found over the years that someone in the right role, the right person in the right role, will find different ways to solve for the problem, namely get to the outcome that I want them to get to versus simply hiring someone who I then dictate here are the 20 steps I want you to take to get to this outcome. Lead them towards finding innovative ways to get to the outcome we desire versus being overly prescriptive in the tactical elements that we think are necessary to get there. Because if we get the right people that have that really high people IQ, that high level of empathy for solving the problem, and are creative, they will solve those problems in ways that we can oftentimes scale.

Jennifer: And when they solve them in ways … would you arm them with a software budget to say, OK, here, I’m hiring you for this outcome, I’m not going to tell you how to get there, but here is a pool of money to help you in your quest.

Gabe: Short answer is yes. I’m certainly not advocating for getting rid of technology and removing technology from solving this challenge. We do need tools at our disposal to be able to solve these problems in the same way a carpenter needs a hammer and a saw. So definitely having a technology budget is necessary.

When I look at the infosec world, though, our budgets do go up, they have gone up. There’s some areas where they’ve contracted and shrank for sure, no doubt. But ultimately, year over year as a whole, budgets have continued to go up and yet we don’t see a comparable decrease in the outcomes. And so that should really tell us something about how we are approaching solving for all these security and IT problems if we keep spending more. But we don’t see a decrease in the types of problems that we’re, again, ultimately trying to solve for.

Jennifer: Would that simply mean that the sophistication and volume of the attacks is going up, though, and so it takes more to address them? Or should there be economies of scale, as you’re saying, because you shouldn’t be solving with people?

Gabe: That’s a little bit of a red herring and that does get thrown around a bit, right? The attackers get smarter, they get faster, et cetera. That is true of a very small subset of attackers. That is true of the well-financed, motivated attacker who has a designated target in mind. That is not true, by and large, for what represents the larger number of security incidents and breaches. A lot of security incidents and breaches are a byproduct of simple user error for the most part, folks mishandling information. Another significant portion of that are crimes of opportunity, where there is automated software in the form of, say, ransomware that takes advantage of misconfigurations or someone clicking on an email, you know, some type of phishing exercise, etc.

Attackers don’t typically change their attack modes and models unless they’re forced to. While they do have the luxury of time, they don’t tend to have the same luxuries in terms of economics. They don’t spend a fraction of what we do to protect systems as they do to attack them. And there’s no good reason for them to. Right. There’s no reason to change their models if they are continuing to be successful. So I do find that the argument of attack is getting more sophisticated to be a little bit of a red herring. And that’s not to take away from the sophistication of some attackers, especially the state-sponsored ones. But by and large, that’s not the problems that we’re trying to solve for day to day with an open S3 bucket that has millions of sensitive data sitting out there.

Jennifer: So you believe that IT should be getting more efficient as time goes on, more efficient in security, more efficient in general without these large increases in budget year over year?

Gabe: I think that we should be demanding greater ROI if we’re going to continue the investments in the budget. So do we need to cut them? I’m not 100% sure of that. I don’t know if I have enough data to suggest that they should get smaller. I do believe there’s enough data to suggest that the ROI should be higher.

Jennifer: Is there anything else that you want to say on this topic?

Gabe: If I can kind of highlight and leave with anything, it’s that we really should be looking at the right people because it’s a lot easier to start with looking for the right people than it is to reinvent all of the systems and or create new systems out there. There is no shortage of people that may not necessarily pass initial certification checks, et cetera, that may still make for the right people in the right seats to solve for these problems.

Jennifer: Thank you so much for joining us today, Gabe.

Gabe: Pleasure’s mine, thanks for having me.
