If we can’t produce enough security practitioners with an engineering mindset, let’s bring them from other countries
Looking at what it will take to solve the cybersecurity talent shortage problem, and why India has the potential to become the world's supplier of new-generation cybersecurity talent
The need for an engineering mindset in security
Cybersecurity of the future is going to look a lot like software engineering. I have discussed the merits of this approach and the factors that make it inevitable before, in a dedicated piece titled The rise of security engineering and how it is changing the cybersecurity of tomorrow.
For those who haven’t had the chance to read it, here is a short recap:
Until recently, security was seen as a tool selection problem: if you buy the “right”, “next-gen” security product from a top vendor, you will be “safe”. Now, after many years of seeing how this approach failed to deliver on its promise, we are starting to understand that security is a process, not a feature.
Software engineering offers a great set of tools, concepts, principles, and mental models that are shaping the cybersecurity of tomorrow.
Security of tomorrow will be security-as-code. With policies-as-code, infrastructure-as-code, privacy-as-code, detections-as-code, and so on, changes to the organization’s security posture live in version control, where they can be reviewed, tested, deployed, and rolled back like any other change.
Security of the future will be based on continuous monitoring, continuous deployment, and frequent iterations. By the time a point-in-time security assessment is written up, both the threat landscape and the company’s environment have already moved on. Engineering gives us answers as to how continuous change can be tracked, tested, and managed.
Security of tomorrow will have to do things at scale, in an API-first manner, and integrate with CI/CD pipelines. It is no longer a reasonable expectation that security teams will log into dozens of tools to fine-tune configurations by hand every day and deploy security solutions manually.
Commercial security tools will coexist and tightly integrate with the world of open source. This has long been the case in software development, where commercial engineering tools routinely build on open source libraries and components; in cybersecurity, open source is still often seen as separate from the vendor market. For this change to happen, security products will need to be built in ways that make them interoperable, testable, scalable, accessible, and engineering-centric.
Taking an engineering approach to security means focusing on improving processes for the continuous delivery of defense instead of checking compliance boxes. In other words, we must adopt a security-first mindset instead of the currently prevalent compliance-first one.
I have said it before and I will say it again: neither magic tools nor great frameworks alone will help us defend our infrastructure. Skilled security practitioners are the only way to achieve an advantage over the adversary.
The future is already here. It’s just not evenly distributed yet
William Gibson once said: “The future is already here. It’s just not evenly distributed yet”. Nowhere is this phrase as accurate as in security.
When I talk about the engineering-centered approach to security, I sometimes get the “Duh” reaction from people that work for cloud-native tech enterprises, Silicon Valley startups, select boutique consultancies, and managed detection and response (MDR) providers. They are right to disagree that these ideas are “the future”: for them, that’s the present-day reality.
“Companies that fall into this category include Amazon, Netflix, Uber, Chainalysis, Google, Recon Infosec, Microsoft, CrowdStrike, Soteria, Dropbox, Snowflake, and the like. They understand the importance of adopting an engineering mindset to security, leveraging the advances of DevSecOps and integrating security with CI/CD pipelines, crafting custom detection coverage, doing proactive threat hunting, and even building their own security tooling when needed. Security practitioners from these companies often go on to launch their startups, and have little issue raising capital when they do; security leaders working there tend to have a strong background in engineering, incident response, or a mix of both.” - Source: Ross Haleliuk, a guest post on Frankly Speaking
Our challenge, therefore, isn’t to invent what is needed to strengthen security, but to take the approaches that are known to work and help them gain mainstream adoption. Today, the percentage of security teams with an engineering mindset that also have the right talent, know-how, and level of support necessary to do their work is probably in the single digits in the US, and close to zero globally.
Solving the talent shortage problem
The need for technical security talent
First of all, let me state this clearly: I am not going to suggest that I have a recipe for solving the problem of a security talent shortage. What I do have is a perspective on this talent shortage in the context of engineering-centric security. This narrow definition is critical for several reasons:
While it is true that security as an industry has roles for people of almost any background and skill set, it is also true that we need more engineers, people who understand how the code works, how it can be subverted into doing what it wasn’t designed to do, and how to prevent it.
Since security is no longer a “tool problem”, we need to shift our training and hiring efforts from valuing experience with specific tools to emphasizing the importance of foundational, hands-on knowledge of programming, penetration testing, detection engineering, and other critical areas.
Although compliance is an inevitable part of doing business, it is not the same as security. To adopt a security-first mindset, we need to have enough technical security practitioners, not just compliance analysts.
All this is to say that while we do need people with an understanding of business, psychology, business domains companies operate in, and other skills and backgrounds, this piece focuses on trying to answer one specific question: “How do we get enough engineers in security?”.
There are no easy answers, but there is no shortage of ideas.
Fostering the next generation of security practitioners through education
The most obvious area to look at first is education. We must acknowledge that formal cybersecurity education has not been keeping up with the rapidly changing demands of our time. In the past several years, motivated by the never-ending conversations about the talent shortage in cybersecurity, a long list of diplomas and master's degrees sprang up to supposedly fill the gap. The issue is that the vast majority of these programs do not provide students with the level of technical skill needed to perform technical cybersecurity roles. Instead, they focus on policy, leadership, and other non-technical or less technical paths, which are still needed, but the shortage of which is less acute.
There are practical, actionable programs such as those offered by SANS Institute but they are not always affordable, and they are still a minority in the large scheme of things.
To address the gap, we need educational programs that focus on the blend of software engineering and cybersecurity:
Acknowledging that most educational programs in cybersecurity do not currently provide the necessary depth in software engineering, we should be looking for ways to change it. People studying information security need to develop a deep understanding of how products are built. In other words, we need more security professionals to become software engineers.
Conversely, acknowledging that most educational programs in software engineering do not currently provide the necessary depth in security, we should be looking for ways to change that. While security used to be seen as a non-functional requirement, it is now becoming a functional requirement. People studying software engineering and computer science need to develop a deep understanding of how products can be built securely. In other words, we need more software engineers to become security professionals.
Provide more growth and educational opportunities to working professionals. This means looking for ways to provide the necessary knowledge of software engineering to those working as security practitioners, and vice versa.
There is a lot more that can be said, but since this is the area that is being discussed quite a bit, I will instead move to the solutions that don’t get enough attention.
Hiring people based on their hands-on knowledge
We need to start looking beyond education and certifications in our hiring processes.
There is a lot of talk in cybersecurity about the need to adopt the attacker's mindset. It is indeed an important shift that changes the way we view security and prioritizes what matters. Bad actors don’t care if a company has a SOC 2 report or a FedRAMP authorization, or if it’s up to date with the latest version of the NIST Cybersecurity Framework: they are looking for gaps that can be exploited to achieve their goals.
We need to extend the idea of adopting the adversarial mindset to hiring. Attackers don’t care if an applicant ever went to college, and if they did, whether they have a bachelor's in creative writing or information security. Moreover, they place no value on security certifications and other credentials. What makes bad actors so hard to beat is that they are purely goal-oriented, while defense teams are so often process- and procedure-focused. We need to start hiring people based on their skills, practical knowledge, and their attitude. In cyber defense, having a beginner’s mindset, the desire to learn, and the willingness to do whatever it takes to succeed will set people up for success much more than any certificate.
“All this is a long way of saying that today’s best security professionals do not come from universities, and, from what it appears, neither will tomorrow’s. People who become leading-edge professionals in security engineering come from hands-on jobs in penetration testing, the military, the NSA, and other governmental institutions with strong offensive components. They come from mature security teams at cloud-native enterprises that treat security seriously. They are self-taught in front of their computers, at CTF (capture the flag) competitions, and at events like OpenSOC, Black Hat, DEF CON, and the like.” - Source: Venture in Security
Hiring people based on their hands-on knowledge is the ultimate definition of the adversary mindset, and there is no way around it. The good news is that cybersecurity doesn’t need to reinvent the wheel: this is exactly how we’ve been hiring software engineers for over a decade. No sane company will hire a software developer because they have experience working with Jira and GitHub; it’s the foundational knowledge, the ability to solve hard problems, and write quality code that gets people the job.
Designing targeted immigration programs
If after changing the hiring process, it becomes apparent that there is still not enough talent in the country, and we cannot wait for nearly a decade until the new generation of security talent becomes trained and experienced, it would make sense for the government to bring qualified people from other countries.
Developed nations all around the world have a history of designing temporary work permits and immigration programs to attract people of professions where there are not enough people. The United States is not an exception: it previously had a work authorization program for nurses deemed to be in shortage, and it now offers a wide variety of programs for both temporary and permanent workers.
Source: USCIS
By carefully forecasting the demand and developing pathways for foreign talent to come to the United States, the nation can bring highly qualified, educated, and experienced cybersecurity practitioners to help defend its digital and physical infrastructure.
Looking for security talent abroad
Advantages of bringing world-class security talent to the United States
Given that the United States is currently experiencing a shortage of technical cybersecurity talent, looking at attracting top security practitioners from other countries could be a smart way to help solve the problem. There are many advantages to taking this path:
People in developing countries often do not have access to fancy degrees and diploma programs. Instead, they rise to the top of their field by putting in the hands-on work - through bug bounty programs, capture the flag (CTF) competitions, participating in free training, and staying active in online channels and communities.
While it can take a decade or longer to develop the new talent in-house, immigration programs can be rolled out much faster, and have the criteria designed in a way that brings highly experienced security professionals quickly.
Training technical cybersecurity practitioners isn’t just time-consuming but also quite costly. Hands-on educational programs such as those of SANS Institute can be prohibitively expensive for those who cannot get their employer to cover the cost of their education.
Given that attackers live all over the world, the diversity of the security teams truly matters. To design higher-quality defensive measures, it is critical to have people with different perspectives, different cultural backgrounds, and different opinions.
By carefully selecting the right talent, the country would get highly motivated and enthusiastic professionals willing to go the extra mile to get the job done.
It doesn’t take long to understand that the benefits of creating immigration programs designed to address the talent shortage of security practitioners with an engineering mindset could be enormous.
India as a potential main supplier of security talent globally
When most people think about places with a high concentration of mature security talent, the two countries that come to mind are the United States and Israel. A lot has been said about the important role Israel plays in the global cybersecurity ecosystem. Instead of repeating a lot of these great discussions, I would like to look at regions that typically don’t get as much attention.
There's a popular quote typically attributed to Leila Janah: "Talent is equally distributed, but the opportunity is not”. The global cybersecurity landscape is both a great illustration that it is indeed the case, and also an example of how technology is changing access to opportunities. Nothing shows these changes better than bug bounties.
Bug bounties (hunting for vulnerabilities in software and being compensated for disclosing them to the affected companies through bug bounty programs) have become a way for many people to make a living. Although the compensation model can get quite complex, and the different platforms acting as middlemen have their own rules, what matters here is that bug bounties make it possible for people to make money by using their security and engineering skills for good.
Since bug bounties are typically paid in US dollars, those in countries with low costs of living are best positioned to put their abilities to good use and earn compensation that can be considered solid by local standards. In India, for example, even a beginning bug bounty hunter with pretty average skills can earn good compensation. And, over time, even the most junior people will master their craft. As the Google Bug Hunters Leaderboard shows, the top Google bug hunter is based in India; others on the top 10 list include people from China, Taiwan, Morocco, and the United Kingdom.
Source: Leaderboard - Google Bug Hunters
Bug bounties (the ability to make money) coupled with free online courses, accessible discussion forums, Discord communities (the ability to study at no cost), and open source projects (free tools), have played the role of catalysts of the cybersecurity talent globally. Although, indeed, the rest of the world outside of North America, Europe, Australia, and Israel doesn’t have the same level of security maturity, there is a lot of great security talent that doesn’t live in these regions.
Let’s now go back to the problem of talent shortage. If more and more security will be built into the stack, and if security as a discipline will look a lot like software engineering, it means that we need more software engineers and computer scientists familiar with the code, DevOps, and the advancements of CI/CD, to start working in security. Where could they come from, if it’s not a secret that relatively few software developers are interested in security?
To answer this question, let’s look at the countries with the highest number of software engineers - the list which includes India, China, and Russia. Although all three have incredibly talented engineers and security practitioners, India stands out the most for two reasons:
It doesn’t have the reputation of an adversarial state
Engineers in India have more opportunities to become fluent in English and therefore do not face the same language barriers
India was projected to become the world’s leading country in the number of software engineers by 2023. Sheer scale makes it clear that even though not all university graduates in India have the skills necessary to write good-quality code, there are more than enough of those who do. As software engineering becomes more and more competitive, it would make sense that many quality software engineers will start moving into security.
The shift is already underway. Having accumulated solid experience working in open source and making money on bug bounties, India’s security practitioners are gaining more and more recognition in the industry globally. While in the past India was primarily a destination for lower-skilled Tier 1 SOC analyst outsourcing, it has now become a place where many global, and in particular American, players go to find top cybersecurity talent. Companies such as the Big Four, McKinsey & Company, Infosys, Zscaler, Trellix, FireEye, and many others are hiring security engineers, senior researchers, security architects, and other senior cybersecurity talent in India. Cybersecurity product companies, consultancies, and service providers alike are going to India not because it’s cheaper but because the quality of the talent is high.
Moreover, we are starting to see a new generation of companies started in India by security practitioners who got experience by doing hands-on bug bounty work and offering security services. A case in point is PingSafe, a cloud security company now backed by Sequoia. The CEO & founder of the company, Anand Prakash, used to do bug bounties, after which he became a founder of a security services firm, and ultimately - PingSafe, a product company supported by one of the world’s top VCs.
India isn’t the only place fortunate to have accumulated many senior security professionals. China, Russia, Ukraine, Indonesia, Taiwan, the UAE, Belarus, Brazil, and many other countries have a lot to offer to the world. Ukraine, in particular, deserves a special mention here given that it has been under constant cyber attack from Russia since 2014, and even more so since February 2022. In this environment, the country has no choice but to strengthen its security defenses, which creates the potential for it to eventually develop cyber defense capabilities comparable to those of Israel, a country where cyber maturity also emerged out of necessity.
Closing thoughts
For the security industry to mature, we need to evolve our recruitment practices to start putting hands-on skills over degrees and certifications, curiosity and the desire to tinker with technology over knowledge of specific vendors, and an engineering mindset over the “let’s buy a tool” mentality. We need to change our educational systems accordingly, and if that doesn’t help fast enough - design immigration programs to bring the top security talent from other countries.
You hit the nail on the head. I am 45 and going back to school for Cybersecurity full-time. I plan to aim for my AS and BS.