Hyperspecialization in cybersecurity

Chris Sienko: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week I sit down with an industry thought leader and we discuss the latest cybersecurity trends, how those trends are effecting the work of infosec professionals while also offering tips for those trying to break in or move up the ladder in the cybersecurity industry. John Wheeler's our guest today. He's the VP of Security at Topcoder, a tech network and on-demand digital talent platform with 1.5 million gig economy technologists in 190 countries. Prior to Topcoder, John, spent four years in consulting, helping clients migrate cloud based technologies and solutions. His background is in enterprise and carrier grade technology, having worked in the telecom industry for more than a decade. He has a BS in electrical engineering from Purdue University and an MS in information technology from Northwestern University and holds a CISSP certification. We're gonna be talking today through several topics, but in particular, the concept of hyperspecialization in cybersecurity and coding. John, thank you for doing this today.

John Wheeler: Thanks for having me today, I appreciate it.

Chris: So tell me a bit about your security journey. We talked about some of your past jobs, but how and when did you first get interested in computers and security and technology.

John: I had an opportunity when I started to work for US Cellular to actually take on security there. It was traditional perimeter security, firewalls, AAA systems.

Chris: What year would this have been roughly?

John:  I started with US Cellular in 2005.

Chris: Okay.

John: And then prior to that, I had an opportunity in leadership before that, but that was really the transition for my individual trigger to roll into just purely leadership. And what I think about in terms of security journeys is all of the things that I touched prior to that. When I worked for other coding manufacturers, having an opportunity to look at networking, software development, and I think that that was the first time I would classify myself as somebody who's in security, but I think all of the experiences that I had leading up to that also enabled me to be effective in that role.

Chris:  Okay, how has the cybersecurity landscape changed, do you think, directionally or procedurally since when you first started versus now?

John: You know, I think that there's a number of things that have changed, but I think one of the things that really stands out to me is privacy, how much privacy has changed and it's become something that individuals and companies, and customers are interested in. Two decades ago, from a security perspective, people were combating viruses and worms, various nefarious activities that people could wield in a network and now it's trying to ensure that the information that they manage and control is handled in a secure fashion and follows good security practices. So I think that the biggest thing that's changed from my perspective is that that they will focus on privacy.

Chris: Did you get the sense that users are more savvy in this regard, that they're asking more of their online experience than they did back then?

John: That's a great question. I don't know that they're asking much more. I can tell you from my own personal experience. It's something that, as I've taken on this role, I've definitely become more aware of. But I think we probably aren't as aware of our own privacy as we probably could or should be. I'm certain that there's apps on my phone that are tracking things that I'm unaware of.

Chris: Oh, yeah.

John: But I think the thing that's most visible is data breeches where information escapes from an enterprise. And that's why I say that I think privacy's the thing that's changed the most. And that's in addition to the compromises that Trojan horses and worms in an hour can have.

Chris: Yeah, yeah, you're looking at it from two different ends now. There's the thing that attacks me, but then there's also that feeling of being compromised from the things that you actually want on your computer.

John: Yeah, like I said, it used to be that you would just have to worry about your enterprise and protecting your enterprise. Now you have to worry about your enterprise and your data and information. And I don't know that that's necessarily completely new, but I think it's become visible to the public now.

Chris: Oh, for sure, that's definitely the conversation we're having now. So let's start with the company we work at now as it fits closely, I think, into our discussion for today. So Topcoder is a digital teleplatform employing technologists in specific countries to take on specific one time projects, I believe. How does this style of security problem solving come about?

John: Yeah, so the Topcoder platform enables both members and customers to engage and be part of the global talent on-demand. One thing I would say is that though some projects are short-lived, some are very long in duration. We have projects have that have lasted over a year, but the thing that really differentiates the Topcoder platform from other vehicles or methods of delivery is the focus that we have on our process both through technology as well as through people. The Topcoder process enables you to leverage humans which are probably the most effective at this point in detecting some types of security and vulnerabilities, but also technology. We use industry best-in-class tools to equip both our customers as well as members or individual contributors to understand the code that they're writing, to understand what implications of code that they have on their overall security posture, give them an opportunity to refactor or upgrade that code to be more compliant to a security standard. So I think we can provide an environment both for customers and for members to improve their overall security posture.

Chris: Okay, one thing we've been talking about a lot in the past year or two is the cybersecurity skills gap. Does this play at all into that? We hear a lot about not having enough qualified professionals to fill existing positions. So is a system like Topcoder aimed at solving problems that might exist when you don't have, say, the right professional talent to work for your company in your town?

John: Yeah, I think companies are gonna begin to realize that the gap is just based on their sourcing mechanisms. I will say that every business needs to spend time and energy and effort in trying to recruit and retain the best talent pool they can have. The reality is that the smartest people are probably not inside your four walls and trying to leverage that community globally is what Topcoder provides. So having the ability to have access to that talent pool, we don't see the gap that others see. We have an elastic community that responds to the types of work that people are interested in. This kinda speaks to the hyperspecialization. We have folks that globally want to focus on very specific things, wanna become the best at those things whether it's data science, design, or QA. So having a community available and asking that community. And there's really gonna be this shift or change in the businesses. We're seeing it already. Fortune 100 companies are embracing crowd based solutions because they've recognized that they're not gonna be able to do those within their four walls.

Chris: Okay, can you give me some more examples of some of these hyperspecialization areas that people are getting into. You mentioned data science and so forth, but what are some of these, I wouldn't say titles, necessarily, but what are some of the skills that you see people really drilling down into.

John: Yeah, and when I talk about hyperspecialization, especially when I talk to customers, I always ask them are there things in your job that you'd like to do and would you prefer to do those things because we all have jobs that there's things we like to do and things we don't like to do. An example from my perspective of the hyperspecialization is we'll see people that wanna just focus on a skill or ability that they're proficient in or they understand really well. Maybe it's a design in building APIs. Maybe it's front-end development, designing and building a front-end. Maybe it's the integration between the two that can be just ETL. We have people that just specialize in building the algorithms for image recognition. We are people that just focus on the AI. So they become experts in those things and that doesn't mean, I don't know that there are mutually exclusive. I don't know that you can be hyperspecialized and not have some generalization.

Chris: Right.

John: What I do think is that in, again, in your career, you may not have the ability to specialize in something because the expectation is that you have this generalist capability and that's what the talent on-demand community provides is access to those people that want to be the best at whatever skill that you're trying to solve.

Chris: So this supplants, or not supplants, but this augments your current position. You have to be a generalist in your day job, but you can be a hyperspecialist on these specific projects. It sounds to me like, you know, I used to work for physicians and you'd have certain types of medical specialists that work on a certain type of vein and do that all day long, but I would say they still have some generalist background.

John: Well, yeah, the analogy that I always use is that when you're building a house, you get a general contractor because the general contractors is the one person that needs to understand how to talk to the guy that pours the foundation, the guy that does the electrical, the guy that does the plumbing, but he probably doesn't do those skills. He lends them out to other people that are experts in that and that's why I think that a part of what Topcoder provides that truly differentiates from competitors is that you have access to this hyperspecialization that you otherwise wouldn't have access to and it's a passion economy. If you go through traditional methods of trying to find skills and abilities, you may get a laundry list of buzzword bingo on your resume that fits your overall need, but when you're finding people in a passion economy, you're finding people that are the most interested in solving that particular type of problem. That's what's a true differentiator.

Chris: So as these gig economy projects and outsourcing projects become part of the everyday landscape for even the largest of companies, what in your opinion is safe for organizations to outsource and what is not? So for example, how can an enterprise protect their IP and verify product quality when working with an external team of developers like this?

John: Yeah, the protection of IP is probably the most critical thing, the question that I get asked the most with respect to how to engage a crowd and what I'd say is we have built over the last 20 years a number of different methodologies to assist customers in protecting their intellectual property from things like building synthetic data, to be able to master manage their existing data building translations to be able to translate their data into a different domain to building a scaffolding of their existing infrastructure. Customers will say, "Well, wait a minute, "I have my own authorization system that's "a little bit different, how am I "gonna be able to use that?" So we'll build up mock systems. This isn't actually that dissimilar from what most companies already do if they have a development environment. If you have a development environment, you don't take your production data and put it in your development environment. Because from a security perspective that's something you shouldn't be doing. And so it's not that much different than what they traditionally do. I think the thing that customers are better understanding is that this just looks more and more like what they're already doing, it's just how they're engaging at work. So and in this perspective I'd say whatever policies you have internally, those policies can be mirrored with leveraging and using the community, it's a matter of understanding and adapting those policies to how the community interacts. So if there's data that's required how do we either sanitize or obfuscate that data to be able to use that community. If it's code, how do we stub things out so that we can interact with the systems that are required for them to interact with, but do it in a manner that better represents a scaffolding or a mocked up system.

Chris: So I'd like to talk a little bit about Topcoder's ranking system for coders. I looked at the page explaining how the figures are calculated and someone who's eyes tended to glaze over a bit as soon as a stigma gets introduced, I got a little lost. Could you tell me about how the calculation system was devised, what it's built to emphasize, and what the complexity of the formula is aiming to remove from the equation. IE people who might try raising their scores by getting involved in as many projects as possible without doing any work for them.

John: Yeah, I think the shortest answer is that our scoring system is based on traditionally chess metrics, how you would score a chess master, but in its most simplest terms, the folks that engage in a passion economy or a crowd economy, they want to be able to understand how they relate to their peers in that economy. And so providing a transparent mechanism of scoring and ensuring that they can see how effective their outcomes look compared to others is an important aspect of engaging that community and making sure that they're interested in the types of works that you do and also giving them feedback into how their performing. One way of thinking about it is if you're in a competition and you're competing against people that don't know as much as you, the expectation is that if you're more knowledgeable, you're going to win. And so what we want to encourage people to do is try to compete against the best and that's what the scoring system helps do is, it reflects when you're competing against the best, the metrics of the individual members.

Chris: Okay, have you seen any evidence that people were able to leverage their ranking level as a calling card for jobs. They might wanna jump into a high security level job due to various machinations around the skill gap, they might not be able to show off their real world HR skills to people who are only looking for research or job titles.

John: Yeah, there's a couple of different, I think, avenues for that. I think first and foremost we do see members reference their skills and abilities in a CV or resume. In addition to that, it's well known that both Facebook and Google will omit first round interviews based on code qualification interviews if you have a certain ranking within Topcoder. I think another place that it's important is one of the things that is effective in building and managing a community is rewarding that community and recognizing that community. Annually, Topcoder has something called the Topcoder Open, TCO, and every year we gather together the best and brightest from the globe and we have a competition for a few days and it's actually coming up here in November. And we host those members and only the best are able to come and compete, and so it's the world championship of software design, development, and data science. And it gives them the ability to not only meet folks that are in their vocation, but also gives them bragging rights as a result of that competition. They'll be able to say they were the best for that year. So I think that's representative of how they can use those scorings.

Chris: Okay, to the other side of that, do you have a sense for HR people or employers, how do you read a number? What sort of translatable skills will they see in someone that has, I don't know, a high number of 1,200 or something like that. Are you seeing, is it showing accuracy, is it showing quickness, is it showing problem solving skills, what are--

John: Yeah, I think it's probably all of the above. I think to effectively compete in a community, they need to be able to work within a team. Part of our platform enables members to work with each other. We have processes in place to ensure that as members are submitting solutions those solutions get verified, so they work with folks called reviewers that are part of the platform. They work with co-pilots, so they exhibit teamwork, they exhibit individual contribution, they exhibit the ability to receive feedback. Often times when members submit they may be scored on something and they may not understand that, so they have to work with their peers to be able to understand what their perspective was on that. So I think it's all the above. I think the reason why I would struggle to put it into a box that fits well into HR is that typically with HR, you're looking at a CV or resume and one of the things that, if you go onto our website and you look at a challenge you can see the interactions that members have and you can see the real world problems that they're solving. I think it's really hard to do that from a staffing perspective.

Chris: Sure.

John: What somebody's done other than through their own lens.

Chris: Okay.

John: As a competitor you could say here's the 15 competitions I competed in last year, here's the 25. It's much, much easier, right? And much more transparent to be able to show a potential employer the things that you're proficient in and how you've been able to perform all of those tasks.

Chris: Can you, I meant to ask this before, but can you tell me a bit more about these competitions versus the specific projects. So you have these challenges that are aimed to show proficiency that would maybe make you more qualified to take on the projects that people are requesting of you?

John: Yeah, so the model itself is based on a competition model and it basically is each one of the problem statements is presented as a challenge, but the problem statements are broken down into small enough chunks. We often to refer to it as atomized. It's not really that dissimilar from a traditional agile approach. If you have a scrum master that's managing a work stream and he has a number of stories, he has to figure out is this story gonna be multiple tasks, am I gonna break it up over a sprint? Those same types of activities go on when you leverage crowdsourcing or a community to engage members of our community to solve those problems. So those same types of skills that you would use to break down enterprise work streams are the same types of skills you would use on the community platform.

Chris: Okay, so I wanna go back to hyperspecialization as a career choice, I guess, maybe, is what I'm looking for. I think you already explained it very well in the sense that you're not, I came into this thinking that the idea was that everyone was just gonna do one thing and be really good at it to the exclusion of all else, but you're saying people wanna be hyperspecialized in certain things so that they can get those kind of jobs while still retaining general knowledge. So tell me about the benefits of hyperspecialization for the average cybersecurity professional, in using this universal skillset, apart from getting these specific projects, what will they gain? And I guess, what will the entire cybersecurity ecosystem gain by going deep into these specific areas of expertise.

John: Yeah, and I'll maybe use a specific use case, so if we have a challenge that's either re-crafting or designing a front-end, often times you'll get exposed to OWASP top 20, or top 10 types of things you need to be aware of, especially for validation. And so by running through that type of challenge from a software development perspective the individual contributor can understand and see how their solution best meets the needs of the problem, but also ensures that it supports security best practices. But that doesn't limit them to just working on front-end types of development. And so they may find that that's not something that they wanna do, they wanna be proficient in, maybe they wanna stay in APIs, but gives them an overall exposure. And I think back to when you first asked me about my security journey, I think each one of the interactions that I've had has helped me figure out where I want to focus my efforts and then where I have gaps as well. I think in the passion economy people can go try things that they may not have otherwise tried. The reference case that I always use is we have a lot of folks that compete part-time in the platform. They're still trying to figure out what they wanna do and they have an opportunity to use spare time to work on the platform. And so maybe their day job is working on SAP, but they really wanna learn Node. They want to get a job in Node and there isn't a way for them to do that otherwise, and so for them to be able to use those skills, they can take traditional classes or schooling, but to be able to prove those skills is another thing. So they use Topcoder as a platform to be able to do those things. So they may specialize in SAP and running SAP, but they're aspirations are not all outside of that so they can specialize in something that gives them skills and abilities to again potentially compete full-time on the Topcoder community or use Topcoder to find another vocation.

Chris: So these challenges and so forth, these can almost act as a second school.

John: Yeah, absolutely, and we see that often. Not only in terms of the types of competitors you see, but also just in the engagement of the community itself and the questions that they ask.

Chris: Okay, so to relay a point, we discussed a few different topics prior to this interview. One of them was, I wanted to talk about your idea of moving the DevSecOps tool chain closer to the developer and enable more real time secure code practices. You describe multiple stages of verification in order to ensure that your company is practicing "defense in depth." What would need to change in most development departments to make this possible? Is this a skills gap issue, a bigger budget, or just a procedural change that's more of an issue of time an attention than allocation of resources.

John: Yeah, I would say that all enterprises have an aspiration of moving the tool chain closer to developers and it's a matter of not only instrumenting the tool change can be time consuming and costly, identifying the right technologies. The same can be time consuming and costly, but providing that the skills and abilities to their developers and one of the things that we do that I think really opens an executive's eyes to what crowdsourcing can do is we've moved that closer and closer to the developer. Again, by using tools like standard code analysis, like software composition analysis and enabling those post-challenge to be able to influence how the next co-challenge may be run. What our desire to do is to move that all the way to the developer so that as their developing during the submission process, much like a developer checking into GitHub repo and kicking off CICD tools, they would be able to get feedback and give them an idea of how close their code is coming to the mark prior to any submission happening. Again, I think that enterprises are starting to embrace more of the DevSecOps and having that closer and closer, it's just a matter of how mature they're at on their digital transformation and where their tool chain was at. But we have the ability now to be able to reflect where a developer is at the conclusion of a challenge and moving that closer I think is what everybody's aspirations are.

Chris: Okay, so where do you see the role of DevSecOps in the next five years? If your prescriptions are widely put into place, how does that effect not just the safety of the code and the products, but the job force, the skills gap, and the way that people prepare for careers in the cybersecurity force?

John: Yeah, I think once we're able to have that real time feedback and enable the developers to make good design and development decisions, you're gonna start to reduce not only your overall deep threat period, but have a better impact on your overall security posture. I believe that we're close to those things. I think the tools, we're actually in the process of evaluating some tools at this point and it's interesting that some of the tools have higher maturity in their ability to deliver their services over APIs than others. You're also starting to see some of the tools consolidate. You're also starting to see some of the same things that have happened at SMTP or email delivery now happened to software delivery. So GitHub, and GitLab, and Bitbucket are all starting to integrate these things into their tool change and make it easier for consumers or their services to be able to manage that overall security pipeline. Now it's a matter of making these things proactive so that things don't get into the lifecycle with nefarious code or with code that doesn't take into consideration good security practices, pushing that again along with developer. And again, I think that the end result, you asked about where this is gonna go for security. I think the end result will be what security professionals want which is security is really worn by everybody. It's not a department or we didn't need this insurance security, it's everybody's responsibility.

Chris: Great.

John: But by pushing that out all the way to the developer gives them the equipment to be able to do their job effectively, but also doing the secure mail.

Chris: Okay, so to pull things back into terms of training and learning, and career development against your specific challenges to the projects and the hyperspecialization model, what are your thoughts on current learning platforms certifications? What certs if any are most important at the moment? What are some general advice you have for people who might wanna go deep, but still need that general cloak of knowledge? What do you recommend in that if anything?

John: Yeah, I think it's important understanding what you like and take an opportunity to focus on some of those things. Thinking back to my career, I've jumped to a number of different things. I actually started in software development and realized that I wasn't very good at software development, but I wasn't terrible, but I recognized the people that were really good.

Chris: Yeah, because that's usually where you spark.

John: Well, yeah, they knew the libraries backwards and forwards.

Chris: Right.

John: And they could code Without having to consult a manual which unfortunately I still do to this day, but I'd say figure out what you like and what you wanna do. And in terms of certifications, I think there's a plethora of ways to verify your capabilities. I just recently took and passed the CRSSP and it is a compendium of information and I'm grateful for the background that I have because across so many domains from network to systems, but at the same time it's a challenging certificate to go obtain. So I think it really depends on what you wanna do. Topcoder's a cloud based company so we use a lot of AWS and I think a lot of the cloud based senders, whether it's Azure or Heroku, or AWS are great places to get some level of certification. In addition to that, I think that networking is something that is and software by network means something that's foundationally changing. I think it changes how we think about how we manage and monitor our networks. And so specializing in that, I think there's lots of opportunities, but I think first and foremost, find out what you like to do. I ran across that in one of my career opportunities that I really enjoyed systems. I had an opportunity to do networking. So I've always gravitated towards systems and it's been what sparked my interest in security here as well.

Chris: Yeah, that's great advice because you're able to try a lot of different things and see what you like, and not necessarily chase the money or whatever, just find the thing that you can do, like you say, without a book and without looking at the cheat sheets, or whatever and then you're on your way.

John: Yeah, my son is pursuing his degree and he'll come in and he's living with me, and he'll come in here and look over my shoulder and he'll say, "I still marvel at "the things that you type into a command line "and how you came up with those things." And so just having a passion about what you do and chasing that and pursuing that in terms of security, I think is the most important thing.

Chris: Okay, so to wrap up things today, do you have any one last piece of advice for young people who are considering cybersecurity or coding as a career and course of study, and what would that be?

John: Who's to say, that's a good question. Like I said, my son's pursuing that. I'm not sure what's available in terms of course of study. I would say that I had an opportunity to get exposed to security and the number of different ways through my career computer science is, I think, a good place to start. Even the folks that I knew that went into networking, they generally started somewhere else and they went into networking before they then jumped into security so that some of my very good friends that are security professionals, they started in networking and then they ended up in security. I'd say that trying a few different things. So an almost antithesis to the hyperspecialization, try a few different things to figure out where you want to specialize in. I think that's probably the best advice because it's hard to know until you try and do some of those things and figure what's important to you.

Chris: Okay, and to wrap up at long last, if people wanna know more about Topcoder or John Wheeler, where can they go online?

John: Topcoder.com, I always encourage people to register and if nothing else, just see what the competitions are that are there and you can always find me on LinkedIn.

Chris: Great, John Wheeler, thank you so much for your time and insights today. This was really fascinating.

John: Thank you so much for your time. I appreciate it.

Chris: Okay, and thank you all for listening and watching today. If you enjoyed today's video, you can find many more on our YouTube page, just go to youtube.com and type in "Cyber Work with Infosec" to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts, just search "Cyber Work with Infosec" in your favorite podcast catcher of choice to see the current promotional offers available to listeners of this podcast go to infosecinstitute.com/podcast. One of our big pushes for 2020 is to learn more about election security and if you want to use our free election security training resources to educate co-workers and volunteers on the cybersecurity threats that they may face during the election season please visit infosecinstitute.com/IQ/election-security-training or click the link in the description. Thank you once again to John Wheeler and thank you all for watching and listening. We'll speak to you next week.