Complete all three challenges, download your certificate of completion, upload it to LinkedIn and tag InfoSec for your chance to win a $100 Amazon gift card, an InfoSec hoodie, a one-year subscription to InfoSec skills, so you can keep on learning and a whole lot of bragging rights with your friends. Just go to infosecinstitute.com/challenge and show us what you can do.
[00:00:52] CS: Today on Cyber Work, author of the Cybersecurity Yearbook, Richard Stiennon is my very special guest. Richard talks about creating the first ISP in the Midwest in the 1990s, the role of the cybersecurity yearbook and telling the history of cybersecurity and the best place to start your cybersecurity career. Hint: it’s not necessarily with the big firms. Coming up on Cyber Work.
[00:01:16] CS: Welcome to this week’s episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, where those trends affect the work of InfoSec professionals and offer tips for breaking in, or moving up the ladder in the cybersecurity industry. Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the 2,615 vendors that make up the IT security industry.
He has presented on the topic of cybersecurity in 31 countries on six continents. He was a lecturer at Charles Sturt University in Australia. He is the author of Security Yearbook 2021, a history and directory of the IT security industry. He published Curmudgeon: How to Succeed as an Industry Analyst in 2020. In 2019, he published Secure Cloud Transformation: The CIO’s Journey. He also wrote Surviving Cyberwar from 2010, and Washington Post bestseller, There Will Be Cyberwar.
He writes for Security Boulevard and The Analyst Syndicate, which is where we heard about him. He is a member of the advisory board at several technology startups and sits on the board for Anitian. Oh, boy. There’s a new one for me. Stiennon was Chief Strategy Officer for Blancco Technology Group, the Chief Marketing Officer for Fortinet, Inc., and VP Threat Researcher at Webroot software. Prior to that, he was a research VP at Gartner. He has a BS in aerospace engineering and his MA in war in the modern world from King’s College London.
As you imagine, we wanted to talk to Richard today about his work with the Security Yearbook. Richard, thank you very much for joining me today. Welcome to Cyber Work.
[00:02:49] RS: Oh, it’s awesome to be here. Thanks, Chris.
[00:02:52] CS: We like to start by getting the story of our guest’s cybersecurity journey in their own words. Your resume and background show that you go all the way back to 1994. You’re a founder of rust.net, one of the first ISPs in the Midwest. I’m pretty sure, a friend of mine from college was on rust.net. I remember that name. You are also the director of the first managed security service provider, Netrex Inc., bought by ISS, now IBM in the 90s. We’re working on pentesting rules for Price Waterhouse Cooper, all the way back in the dawn of pentesting, 1996. After a career of study 10 years earlier in engineering, what was the drop from computers and security in the mid-90s?
[00:03:30] RS: It was really, first, I discovered the Internet. Like back then, everybody did. News I could tell, 11 months before Bill Gates had his eureka, “Ooh, this Internet thing is going to be great.” Everybody had that experience. You go, “This is fantastic.”
[00:03:46] CS: Look at this. Yeah.
[00:03:47] RS: Right to the people. You can get all this information. I started my ISP, practically the same month that Mozilla first came out; the first free version of it. It was such a learning curve, is I went from automotive engineer startup that I had then with 25 employees, and those using the Internet to manage them around the world. We had stuff going on in Munich, we had stuff going on in Australia. I realized, everybody needs the Internet.
Started the ISP, and over the next 12 months, got my networking education. Not very much security, but the story of my life is I do startups and then somebody comes in and steals everything from me. That’s exactly what happened. Back to the drawing board then. Yeah. I went to, essentially, a competitor here in Michigan called Netrex that was starting an ISP, except they had this crazy idea to provide secure access to the Internet.
[00:04:59] CS: Pretty well crazy at that point.
[00:05:01] RS: Yeah, it was crazy. It was well before its time, because they actually sold clean pipes. They’d sell T-1. I was director of the automotive sector, so I sold them to Ford and the automotive. The T-1 would connect to our network to our data center, which was a closet in our offices. Then, we’d have Solaris machines running Check Point and Cisco gear and firewalls and stuff.
[00:05:33] CS: Were most of your clients for Netrex, was that mostly enterprise things, like Ford and the auto industry?
[00:05:39] RS: Yep. Across the board. Then, I went to PwC to get into the bigger enterprise engagements. That was my first exposure to SunTrust Bank and BNSF Railroad. We did a pen test of Dell’s e-commerce website at the time. It was great to see it from the perspective of a big five audit company. Now big four, I think.
That just gave me all those practical experience. I ran their firewall labs. I got to try a bunch of firewalls and set them up and try and configure them and stuff. When Gartner needed somebody to backfill for John Pescatore as an analyst to cover the space, they interviewed me. They actually didn’t take – I didn’t accept their first offer, because it was just, seemed low-balled and something going off, doing some other entrepreneurial thing. I can’t remember what. Back then, it was still the tail end of the dotcom boom. There’s still a whole bunch of founders that thought they’re going to go places and all that, so I was working with all them.
Luckily, Gartner called me back and said, I was the best candidate, so I took that job. That was a great job, because it was the first time, other than the drive to do entrepreneurial things, which I’ve done 24 times, and obviously, I’m not good at it. I won’t be working. I did discover that being an industry analyst is a perfect job for me, because it’s research, learning, talking to people. This is great.
[00:07:22] CS: I’m excited to jump into that in just a moment. I am a little curious, because you were a pen tester in 1996, which to me seems like, even the Precambrian Dark Ages of pen testing. We just had Gemma Moore on, and she was talking about what pentesting was like around 2000, which was just how limited the tool sets were and how different it was. Can you talk about what pentesting systems was like in 1996, compared to now?
[00:07:46] RS: Yeah. There were some awesome tools. CyberCop was one we use. Then, we also use Internet Security Scanner from ISS. They’re much like today’s tools. Just point them at an IP address range, scan all 64,000 ports, get all the vulnerabilities. Then you’d have to essentially, be a script kiddie and say, “Oh, there’s a vulnerability. How do I attack that?” Then you move around, until you found some way to do it and break in. There’s some things that we don’t do very much anymore. We would war dial the company headquarters, or whatever office they want to look at. We war dialed MasterCard.
[00:08:30] CS: Can you describe what war dialing is?
[00:08:33] RS: Yeah. You just run a little Linux box with some scripts in it, and you call every phone number in the office. You’re looking for computers that answer with a modem. If you get that particular call, the war dialer will actually try and finish the handshake and get a prompt. For the prompt, it can tell if it’s a Windows machine, or a Unix machine, or an IBM mainframe.
Then, now you got your list of targets and now you just go and try and login and guess passwords. Some of them don’t need passwords. While you’re war dialing you also discover conference phones and voice message systems. Then hackers used – back then used to, especially with a conference room phone, they would break in, the password of always be 000, or something simple, and nobody’s monitoring. You just try everything. I mean, nothing. This is, you’re punching on a phone deck.
[00:09:41] CS: Yeah. There you go.
[00:09:43] RS: Once you got in, it would walk you through the instructions for forwarding the phone. People would break in and forward the phone back to their home country, Egypt or whatever. Then, they tell all their family, if you want to call home, just call this number first and [inaudible 00:10:01]. People would lose tens of thousands of dollars a month from people abusing that access.
[00:10:10] CS: Wow. Okay. That’s a pretty cool war story there. I always like to hear about that, because it is so different now. Going back to what you said. Between your four years at Gartner, 2000-2004 and VP of research, two years at VP – threat research at Webroot software and your decade as Chief Research Analyst at your own company, IT-Harvest, as well as authoring the book Up and to the Right, helping technology marketers and execs make it to the leaders Quadrant. You said, research analyst is clearly the main hat you wear. For our listeners who are trying on their own different career hats, can you walk us through the work of a research analyst? How do you learn what you do? What is your day-to-day job and work like?
[00:10:52] RS: Sure. First of all, the qualities of a good analyst, or somebody who’s cut out for the role has fascination with the technology and a desire to learn everything in the world that you can. The ability to speak publicly, and the ability to write. If you’ve got those things, so this isn’t your typical developer. Quite often, they’re like me, when I started in the automotive industry, I couldn’t write a coherent sentence.
It takes some time to develop those skills, as well as your technology specialty. If you’ve got a specialty, then your day-to-day is talking to the vendors of that technology, basically getting briefed. It’s a little difficult. I would need 10 people in my firm in order to cover the now 2,680 vendors that I track. That would be 200 hour-long Zoom conferences every year. Which is I used to do that many at Gartner. It’s doable, and it’s exhausting.
[00:11:56] CS: Exhausting. Yeah.
[00:11:57] RS: But you love it, because you’re learning so much. You become an expert in all the available solutions. Then, that makes you able to advise the end user organizations on who they should be looking at, who they should be talking to, and help them with their product selection choices. In security, you tend to help them with their architectures as well, their layers of defense and all the rest.
Briefings are one thing and you don’t make any money doing briefings. You have to turn that into published research. Then, quite often, vendors will reach out to for their own go-to market messaging. You could consult with them on that. You can do strategic engagements with them, or simply doing webinars. Until 2020, most of my income was public speaking. People had hired me to travel the world and speak at conferences. It was easily an enjoyable part of the job. I’ve had to revamp that entire model in the last 18 months.
[00:13:03] CS: Yeah. Is this a type of job, where I mean, shy of working for Gartner, is this the thing where you hang your own shingle out? Is it mostly a freelance thing? Or are a lot of research analysts part of organizations, or larger firms?
[00:13:19] RS: Yeah. The easiest path is to go to one of the big organizations. Gartner, Forrester, Ovum. Because that gives you the credentials, and it gives you the podium to speak from, and people start recognizing your name and stuff. It’s a little bit like, being in any professional services, a lawyer or something. You should start at a firm to learn all the ins and outs, while you hate working at the firm, before you start your own.
Unlike law firms, where the lawyers take their clients with them when they leave, that doesn’t really happen with being an analyst, because they usually have non-competes that don’t allow you to do that.
[00:14:05] CS: Right. Got you. Go ahead. Sorry.
[00:14:09] RS: Yeah. People used to treat the being an analyst, especially at Gartner as a good retirement job. When you’re done with your 20 years at IBM, or whatever, you join Gartner.
[00:14:21] CS: Right. Then you cash in on all the knowledge that you’ve acquired automatically or whatever. Okay.
[00:14:27] RS: Exactly. Well, not cash in, because the working as an analyst doesn’t pay as well as VP of something.
[00:14:33] CS: Right. Transition to your next stage, or whatever.
[00:14:37] RS: Yeah. Yeah, exactly.
[00:14:39] CS: Got you. As mentioned above with Up and to the Right, you’ve also authored several other books, I want to talk briefly about, including 2010’s Surviving Cyberwar and 2015’s There Will Be Cyberwar. You mentioned that you have a master’s degree in war in the modern world. Can you talk about how this Cyber War landscape changed since you authored those books? Where and how are the threats coming from in 2021 and beyond? How do these tactics need to change, or update to counteract them?
[00:15:12] RS: Yeah. The single business, their single biggest change was right as I went to press with Surviving Cyberwar, US Cyber Command was stood up, as they say, May 21st, 2010. That institutionalized using cyber by militaries. I’m very particular about defining what cyberwar means. To me, it’s when militaries use cyber means to project force in any way of – Ideally, a war would be when both sides are using cyber means during a battle.
Not the Cyber Pearl Harbor, where if somebody takes down the US power grid. That’s a cyber 9/11. Big, big difference. Now, we know that there have been plans, especially by Israel to massively bombard Iran with a cyber-attack, before they launched missiles to take out their nuclear capability. That would be cyberwar for sure. That’s perfectly logical, because cyberwar is about as effective as air warfare, which has never ever been a successful thing. In warfare, does not win wars. You have to have boots on the ground.
When I wrote Surviving Cyberwar, I was relying on my amateur military historian predilection and I realized I wasn’t very, I probably would not be viewed as very academically rigorous, and writing that. That’s why I went back to school, King’s College, to study war at the, I think, the most respected school for that. Out of that came my master’s thesis, the revolution in military affairs, and how that is playing out into the next revolution, which is using cyber means. That’s when I wrote, There Will Be Cyberwar.
[00:17:19] CS: Got you. Yeah, we’ve had several guests on now who have been – whose area of expertise is security infrastructure and talking about just the anchors of unsecured municipal water supplies, electrical grids, and things like that, and how – I’m of the opinion that people getting into cybersecurity now should all go to their local municipality and say like, “How can I tighten up my City Hall and things like that?” And so forth.
When you start thinking about the scope of it, as Emily Miller said, it’s hard not to drink while you’re reading, because it’s just so scary, and so endemic, and so massive. Yeah, the cyber 9/11 aspect, as you said, it seems very real once you start reading about it.
[00:18:09] RS: Yep. The next level on that maturity curve first, you understand just how poorly everything is protected. The final level of maturity is to accept that and live with it. Think about what you can do to recover.
[00:18:25] CS: Find other aviation methods. Yeah.
[00:18:27] RS: Yeah, exactly.
[00:18:29] CS: I just wanted to jump into that sideways there a little bit. Our main discussion for today, obviously, is your magnum opus, shall we say, the massive Security Yearbook, first undertaken in 2020, and now massively updated in 2021. As you recently said, “Security Yearbook has become my life’s work. It is a full-time job. Just keeping up with the space in this book, I incorporate everything I have learned in 25 years of being part of an industry that grows over 24% every year.” Does that make you the Robert Carroll of cybersecurity? Is this going to be an endeavor that you predict will be your primary work from now on?
[00:19:04] RS: It’s definitely my primary work from now on. I would never compare myself to Mr. Carroll. But hey, it’s probably closer to the mark than somebody calling me the Herodotus of cybersecurity. Those are, okay, now that’s going too far.
[00:19:21] CS: Yes. Right, right, right. Exactly. Yeah, I’m always fascinated with people who, yeah, who find one thing and it’s like, this is for the rest of my life, this is what I’m going to do. I think, I wanted to mention before – I’m sorry, I don’t want to cut you off. As far as security analysts, or research analysts, and so forth, it seems like, this would be a really good job for people who have a natural predilection to know every single thing about one thing. Like, to completely control a world like this. I imagine, that is in your brain when you’re working on these yearbooks is like, “I know, every inch of this map.”
[00:19:58] RS: Yeah. That’s true about industry analysts in general. Also, true is that they’re interested in everything. They have as much trouble focusing as anybody else. Fortunately, sometimes you’ll see them just all of a sudden, pontificate on something that they don’t know everything about. You got to be aware of when they’re doing that. Just because they’re respected in their field, doesn’t mean they’re experts on –
[00:20:24] CS: Goes [inaudible 00:20:24].
[00:20:25] RS: Evacuated from Afghanistan, for instance.
[00:20:29] CS: Sure, sure sure. Tell me about the research process of the yearbook, and especially, how the first one came together in 2020. I mean, it’s such a massive and unprecedented undertaking. Had you done any other projects on this scale before? Did you have research assistants? Or did you personally comb through every profile and analysis yourself?
[00:20:50] RS: Well, the process was started 10 years ago, when I started collecting just a spreadsheet of all the vendors, so I could get a feel for the space. My goal was to get to the point where I could do a bottom-up market sizing analysis. Because when Gartner Forrester tells us how big the security industry is, they’re just guessing. It was a guess. I realized when they predicted – when I was at Gartner, we said the security industry was two and a half billion-dollar industry. That was begging, middle of 2000.
By 2013, Gartner was saying, it was a 180-billion-dollar industry. In the ensuing years, it never once predicted growth of more than 8% for the industry. If you do the reverse calculation, going from two and a half to 180 in 10 years is 34% compound annual growth. I knew that there’s something going on here that the analyst firms aren’t talking about. Even the Wall Street analysts should be aware of this as well. I talked to Wall Street analysts and private equity a lot.
They get all excited about a company that they’re saying, “Hey, we’re looking at security. We see that Check Point grew 6% last year.” That’s so much better than the REITs and the oil and gas industry that we’re totally in. I’m like, “Hold on a second. The industry is growing at least 24%, possibly 34%.” Check Point is losing market share in the firewall space, and they have been for a decade. Keep that in mind. If you want to buy their debentures, fine. They’ll be able to pay the interest on it. No problem. If you’re looking for tapping into the growth of the security industry, look for the companies, like Palo Alto, Fortinet, Zscaler that are growing at 30% to 40% year over year. Even when I launched IT-Harvest, the name of IT-Harvest was I was going to harvest all the data and use it for my analysis. Inspired by an olive oil harvest that I went to that winter.
[00:23:11] CS: Think the detail there.
[00:23:14] RS: I actually built a subscription service way back then, where you buy a subscription and get access to my data. Three marketers bought into it. I just didn’t see the appetite for that. I kept my list, and updated it pretty much every year, but it’s a real effort. Let me tell you, going through the list, we always went through it alphabetically and just check to see if companies still there, and if they’re still doing the same thing, if they’ve been acquired.
You get to the S’s, it just take a week to get through all the S’s, because that’s all security companies, they’re named Security something. Though, cyber is catching up. Any CY beginning.
[00:24:02] CS: CY. Yeah.
[00:24:06] RS: Anyways, by the time I realized, I went to RSA 2019, and just bumped into so many people. I was signing the cloud transformation book, and people are coming up and saying, “Yeah, my employer hired me two weeks ago, and they sent me to this conference to learn about the industry.” I was thinking, “This is the last place you want to go to learn about the industry.” I need to write a book to tell people what’s gone before.
I combined the two. I had to write the history of the industry, but then, I also included the directory in the back. Then, how do you add to that every year, so it’s truly a yearbook? If you bought Security Yearbook 2021, the current one, you would get all the content from 2020, except that the directory is completely updated. Snapshot in time of all the vendors in the space last year. Then, I added the Delta in headcount for each vendor, because I track that on a quarterly basis.
Now, you can immediately see if a vendor is growing or shrinking. That’s fairly valuable information. At first blush, when you’re doing vendor selection. I partnered with America’s growth capital partners to get all of M&A activity each year. CISOs agreed to let me publish all the serious cyber breaches for the year. There’ll be a record of those. You could go, “What year was that, whatever OPM breach?” Then all the fundings as well. I capture that from CrunchBase.
I do outsource the data gathering for headcount, for instance. I outsource that to a team in India. They can look at every single company and record the headcount in a day. I don’t know how they do that. They claim they’re doing it by hand. There must be 20 of them doing it. Yeah. Anyways, so I’m just adding to it every single year. This coming year will be the first time I have an in memoriam section, where I have to do – which I’m going to struggle with. I have to write about all of the people we’ve lost in the previous year, just to give them some record.
You can see, I’ve got big plans for it. It’s something I can continue to do. My goal is to make it just something everybody in the industry has to have, and it’s sitting on their desk top. They refer to it as often as I do. Because I use it for my own resource. Of course, I’ve got an advantage. I’ve got the original data sitting in front of me in a big database, which I use constantly. That’s next phase, will be republishing that as a subscription service. Things have changed in the last 15 years, so should be easier to do.
[00:27:18] CS: Okay. Is there anything you would have wanted to do differently with the 2020, or 2021 yearbook? Were there any stories, or profiles that didn’t make it under the published deadline that you regret having to cut, or just any things that you learned during 2020 that you incorporated in 2021?
[00:27:34] RS: Well, luckily, I can always ask, schedule the interviews for the next year. This year, I still have to get Eugene Kaspersky’s story. I’ve tried to stick in the last century for the pioneers of the interview to get those early stories. Now, pretty much exhausted those, and now I’m looking to the first decade of 2000s, where some of the huge companies we’ve got today were founded back then.
[00:28:12] CS: Is there going to be a point, where just as you said, in the 2021 update, you’re going to be getting everything in 2020, plus all the new stuff? Is there going to be a point where it gets prohibitively large, and you’ll have to start paring things out? Or is it just going to keep getting bigger and bigger each year?
[00:28:28] RS: No, there’ll be points where it pares out. This year, I plan on a complete rewrite of the history. Then start to break out histories and descriptions of each of the sub-segments. I’ve been covering the major buckets. There could be a history of deception. Because there are still people who start and do deception vendors. They don’t know what went before. It’d be great if they had a book to refer to, so they know some of the history.
[00:29:00] CS: Let’s talk about that. In the PR Newswire piece that I read about your book, noted, Security Yearbook 2021 is not a summary of technologies. This is a book filled with the rich histories of the vendors and the people behind the companies, the misfits, and the pioneers that have built today’s 300 plus billion cybersecurity industry. What is the importance of looking at cybersecurity as a series of histories and stories? People with an interest in history of all kinds will obviously love it. In terms of people in the industry, or especially people getting into the industry, how do these personal stories help one to make sense of cybersecurity?
[00:29:33] RS: Yeah. For instance, if I had written about this, the how, between Netscape and VeriSign, they created something called client-side certificates. There were a bunch of startups that use them for authentication. Then when you hear about Beyond Identity, starting up with a 150 million dollars A round last year, you’d scratch your head and you go, “Oh, that sounds a heck of a lot like the old stuff.” If you see any of the zero-trust, the access control vendors, they look exactly like web single sign-on, because they are.
It’s good to understand the context for the new buzzwords and just know where they came from. As an analyst who want to, or somebody who’s buying the stuff, you understand what changed? Why is it now possible, or a hot thing to use client-side certificates? What changed is every single piece of new silicon has a secure enclave onboard, where you can store the certificate securely.
[00:30:45] CS: It makes sense. Yeah. In your book, you noted that “There were two notable failures of funded startups added to the chapter and failures.” That 271 vendors received new funding for a total of 10 billion in new investments. Did you see any patterns in these new investments? What are investors investing in? What do their investments suggest about where they see the industry going? Based on what you’ve read, do you think they’re making the right call about where they think things are going, where they’re putting the money?
[00:31:15] RS: The ones that the ones that are making the right calls and putting their money in a good place. Other ones that are making investments that we barely see. 10 million, 20 million dollars. They fall way down below. The ones are making 150 million and such are just financial bets. They’re pushing everything under the pass line at the craps table. They’re doing it. If they’re financial savvy, they see the Beyond Identity got X. These guys, maybe they think they can beat them in the market. They got a better go-to market strategy. Let’s put 200 million in them, and play out that game and get the company public, or sell it to another private equity company, once you’re making revenue.
That’s the biggest shift that we see going on is in the old days, early 2000s, the big acquirers were Symantec, McAfee and Cisco. They would just buy the hottest company in each new sector, and try and make it work. Today, you’ve got Palo Alto doing a little bit of that. You have companies getting into security, like VMware, that are doing a bunch of acquisitions. The real change is the activity from private equity. You’ve got new private equity firms that got billions of dollars at their disposal, getting into security, and they make a big bet with that 100, 150-million-dollar investment.
[00:32:49] CS: Can you contrast that with the small, but targeted investments, the 10 millions, as you say? What is the research? Or what is the mindset? I mean, is it just with companies with less to spend, or are they of the opinion that like, “I know exactly what I’m going to get with this 10 million, rather than the blast furnace of a 150 million dollars thrown at a problem?”
[00:33:12] RS: Yeah, in my experience, the VCs putting the smaller figures in, they know what the 10 million is going to be used, for products, grow the company to a 100 people, before the next round is needed. They’ve decided that the product, or service is unique, differentiated and able to scale. They’ve made that evaluation. Quite often, they don’t even talk to industry analysts. They do talk to CISOs about their needs and what problems they’re having.
They’re experts in the security industry. They all have databases, like I do, of all the vendors. They know all the ones that are out there looking for money. They talk to each other. They usually form consortiums to limit their exposure. It’s the ones that want to sit on the board and help guide the company that have the most vested interest.
[00:34:07] CS: Yeah. Now, you also noted that the “impact of COVID-19 slowed growth for many vendors as they expected demand to drop.” The move to work from home increased demand for technology to protect newly distributed organizations. That zero-trust networking and SASE solutions saw tremendous growth in 2020. Can you give me some examples of companies that rather than playing safe and slow down during these uncertain times, managed to grow and take advantage of the demand?
[00:34:35] RS: When I sampled the market, talked to a vendor last July, so after six months of COVID, asked them, “Why did you actually fall in employment?” They said, “Well, we don’t know what’s going to happen.” Sequoia is telling everybody, this is just 2008. Batten down the hatches to try and weather the storm with your funds. Yet, they tell me that the business increased. Because people are getting inundated with ransomware attacks and security in general has a big push. They all caught up in the last half of 2020. They’re hiring. Kind of demand, people were probably overworked, so he started hiring dramatically. The ones that just doubled down and plowed ahead, of course, were the ones that got huge fundings early in the year.
[00:35:36] CS: They can afford to take the chance.
[00:35:38] RS: Yeah. They’ve got a longer-term view. They got a three, or four year run rate with the funds that they’ve got on hand. Just get into it.
[00:35:49] CS: Yeah. As I mentioned at the top of the show, Cyber Work is aimed at people who are trying to move up the ladder in cybersecurity, people feeling stuck in their current job, trying to make the leap something new within cybersecurity. Again, to your – the PR Newswire piece, it’s noted by the yearbook that, “The industry is subdivided into 16 different sectors, including network, endpoint data security, GRC, MSSPs, new sectors, such as security analytics, threat intelligence and deception will be of particular interest.”
Have you heard about people interested in getting into the cybersecurity industry who have focused their area of interest in study based on researching around different sectors of your book? Would that be a viable thing? Or is that something that you do when you’re already inside?
[00:36:33] RS: Yeah. That’s certainly what I encourage people to do. I’m reaching out to colleges and universities, trying to get them to distribute the book. Unfortunately, colleges are still completely fixated on getting people to pass their Certified Ethical Hacking exam. If that’s your predilection, if you just love breaking into stuff and going for it, you don’t need a certification to do that. You just go ahead and do it and learn all the tools. If you’re looking at it as a professional career, then you should look at learning tools. Learn the big tools, how to manage them, how to deploy them, how to update them, all the rest, and you can do that. You can take classes directly from the vendors. You can probably find a cyber low tech, such as yourself, I’m sure, and get experience in those tools.
That immediately, you put that in your resume, then all the resume filters that you’ve ever submitting to will pick up on that, and you’ll go to the top of the list. They’re not going to be able to find enough cybersecurity generalists. It’s not like mechanical engineering. When I got a degree, I could take any job in the engineering field, because the hire knew they’d have to train me about my case, car seats, and same way, but you can’t give somebody a deep enough cybersecurity knowledge for them to fit in anywhere. Learn specific tools, if you want to work at a company.
There’s a little problem with that, because you got the best jobs and the highest paying jobs are horrible, boring companies. Citigroup, JPMorgan, Chase. Do you want to work at a big bank that has 6,000 developers and 2,000 security people? You’ll be a cog in a wheel.
[00:38:39] CS: Very small cog. Yeah.
[00:38:42] RS: Yeah. All it takes is time to be expert in your particular area. If you can write, then you blog about it. Then pretty soon, you’re writing your own ticket. That’s great. If you’re just starting out, and you’ve got an undergraduate degree in something technical, or you just like computers, I highly recommend going to work for a vendor. They go through websites. They have hundreds of job openings. Some of them aren’t directly in security. If you can be a sales engineer, that’s an awesome job. All you do is go around and you demo the products and become an expert with it.
[00:39:27] CS: There you go.
[00:39:28] RS: You usually work with a management hierarchy of sales engineers, so you get to impact the product, because you say, “Hey, every time I demo this, people say, you should do this and you feed that back up.” You get an impact on the product. Then you’re working closely with a sales team in region, and you get part of their commission structure. You get a nice salary. If you happen to be in a good sales team with a product that is selling well, you could do extremely well. You’d never have to be a salesperson, because who wants to be that?
Not to denigrate sales. If you can do sales, then you should just go right into sales. No question. I’ve known here, in Michigan, I’ve known as a sales engineer who’s just good at it. He’s worked at every company as it comes along. He has to wait until he got a big enough structure that they need his talents and –
[00:40:34] CS: Ready for his expert level skills there. Based on your extensive research of the industry via growth companies, failure companies, trends and movements from year-to-year, can you give any advice for listeners who are just starting their cybersecurity journey now, who are trying to future proof their skills? Where do you see the need for cybersecurity professionals going in the coming years? Of the job and industry role types you highlight in the yearbook, which ones are the fastest-growing? Are there any that have a declining number of jobs? Because I think, we get so many comments from people who are just getting started.
There’s always this feeling of like, what if I choose the wrong thing, then I’m cursed for life? I think, everyone wants to know like, what’s the fast track? What do you see is on the – what’s on the rise, and what’s on the fall? If you were to be a betting person, where would you bet that the job roles in the industries are going in the coming years?
[00:41:31] RS: The lucky thing is you can’t bet wrong.
[00:41:34] CS: Really?
[00:41:35] RS: Every single sector of the security space is good to get into. It could be, if you’re totally into risk management. Least favorite category, right? But you like government policies, and lining up with them, and ISO certification and all that, then you go into that, and you’ll never have to – now, you still have to work, but –
[00:42:03] CS: You won’t sweat where your next job is coming from. Yeah.
[00:42:06] RS: That’s right. You’ll always be employable. Then, if you want to be more of a system administrator type, there’s anything in that space. It’s definitely going to be cloud-focused going forward. If you are a Windows NT expert, maybe that would be a time where you’d have to lift and shift yourself. Right now, all that said, I would definitely get all the skills with AWS and Azure and GCP.
GCP, if you’re going to work in higher education, or state and local government, because they tend to go for free, or cheap. AWS is where all the cool kids go. Azure is where all the big company people go. That’d be a Microsoft. If you’re a Microsoft fanboy, perfect place to be, and just understand Azure. I mean, every single month, Azure has a different thing. There’s lots and lots to learn. You had to leapfrog the skill sets of everybody jumping on the thing they just announced, and digging into it and learning all about it, and spinning up something that they let you do. It’s just exciting, exciting time.
[00:43:29] CS: Thanks. Do you keep up at all with – I know, you said you were a pen-tester in the 90s. Do you keep up at all with current pentesting trends at all? Or is that just in your past now?
[00:43:39] RS: No, no. Yeah. I watch it all the time. Because, I mean, to me, the most fascinating research reports I can read are the things that the, either the phone researchers are doing, or the people developing the exploit kits. Yeah. Super important to keep up on that. The methodologies are still completely the same. It’s just the tools for going deeper.
[00:44:08] CS: Tools are faster and better.
[00:44:10] RS: Faster and better. Much more sophisticated. Somewhat automated now. It might be, if you’re a standalone pen tester, I mean, when I left PwC, that was one of my options, right? At PwC, we would charge $90,000 for a pen test of a very limited sector, headquarters-only at BNSF railroad. You then go to a local expert, and get that for $20,000. That expert would be very happy to get the $20,000, because –
[00:44:46] CS: I think, sure with anybody.
[00:44:48] RS: I didn’t get anything extra from doing a bigger engagement. I just had a job. I used to advise people later when I was at Gartner. Look, if you want a real pen test, if your goal is to find your vulnerabilities, and how people could get in, hire the local expert, because they’ve been doing it for the longer time. If you hired PwC, or Coopers Lybrand, and maybe it’s not the case anymore, but back then, you would get a whole bunch of MBA guys that had spent two years learning how to do pen testing. It’s all new to them, every single time.
[00:45:23] CS: Yeah. Interesting.
[00:45:26] RS: Yeah. Still for an independent job, it’s still great. I would tell you, the thing to get into right now is incident response.
[00:45:36] CS: All right. That’s what everybody wants to hear. Okay.
[00:45:40] RS: Every security consulting company I talk to that does incident response is just, look solid. There’s one company in my hometown, Madison, Wisconsin, that says, they’re going to do 1,200 engagements this year. They grew from 35 to 100 people. Those are all responses to ransomware incidents. They’re highlighted and brought to them by the insurance companies that are looking at paying the big bucks. The incident response is formulaic, right? You deploy EDR, every device that you can reach on the network, figure out what went on, the forensic side of it, and then clean up all the machines and get the attackers out. Sometimes do the data recovery if it’s possible. That’s huge, huge industry. Obviously, we know that, because we’ve seen Mandiant being so successful at it for a decade now. 13 years since the 51 report came out.
[00:46:40] CS: Yeah. I think, also, as we are moving towards that understanding that you’re going to be breached. It’s just a matter of time. Then obviously, the old incident response is more important as we stop engaging in the magical thinking of well, if we build the wall high enough, they’re not going to get through.
[00:46:57] RS: Yeah. Or I think, somebody said, if you think you haven’t been breached, you’re just wrong. You’re probably breached right now.
[00:47:04] CS: Right now. Yeah, exactly. Going back again, to for listeners who want to learn how to become a research analyst like yourself, can you tell me about where you get started learning that? What are the first steps that someone watching this, like if they’re doing – they’re in a help desk right now, or they’re like, “Oh, that sounds great. I really want to do that.” What’s the first thing that they can do tonight to get their first foot on the path?
[00:47:31] RS: Read my book. [Inaudible 00:47:32]. I had contributions from six or seven of The Analyst Syndicate. Those guys all have 20 years’ experience at Gartner, whereas I only had four. They really know this business. It gives a feel, too, for the day-to-day. It’s not a book that says, “You too, can retire to a beach.” There’s nothing like that. It’s more like, you too can never retire, because you’re just in such demand.
[00:48:06] CS: You’ll be too busy doing the thing that you like doing to notice that your bank isn’t growing at all.
[00:48:13] RS: Yeah. You can do this, as I presume, as long as my eyesight and my voice and my fingers work, I can do this when I’m 80.
[00:48:19] CS: There you go. Okay. As we wrap up today, can you tell me about what’s up next for you? Obviously, Security Yearbook 2022. Do you have any big changes, or upgrades that you’ve got planned for that?
[00:48:31] RS: The biggest change is turning it into a digital version that you can subscribe to. Kind of flip-flop, I think, I’m hoping the model. Now, the book will just be a teaser about the data that’s available. Turn me into, I have a SaaS company and then I can go reinvest in hiring analysts and doing research to enrich those datasets all the time.
In the meantime, I’m still climbing the hill to get – This book should sell 50,000 copies every single year. Now, think of this number of students, the number of – I mean, there’s the potential market is 2 or 3 million people. Out of that, there must be 50,000 people who read and thinking.
[00:49:23] CS: They’re thinking ahead, too.
[00:49:25] RS: They’re thinking ahead and want to have all that knowledge available to them as quickly. The cool thing about republishing the same book every single year is all the work I did during RSA 2020, which was a week before the shutdown, marketing the book and all the buzz that I generated carries over. Now, if you come out with a completely different book every year, which I’ve done for 10 years, you’re starting from scratch every single time. Now, people are going to go – next year they’ll go, “Oh, you know, I meant to buy the 2021. Not one. I just buy the 2022.”
[00:50:06] CS: Of course, if you’re a collector, you’re like, “I got to have them all.”
[00:50:09] RS: Yeah. Definitely. There will be collectors pants, assuming I don’t sell out, because I’m not going to – if I do sell out, I’m not going to do a print run, unless it sells out this month, and then I’ll do a print run to tide it over.
[00:50:22] CS: All right, one last question for all the marbles. Where should our listeners go online to learn more about Richard Stiennon and the Security Yearbook?
[00:50:29] RS: Best place is go to – you can either go to security-yearbook.com. Or you can go to it-harvest.com, and that’s my main website. Eventually, that’s where the data from the yearbook will be published.
[00:50:42] CS: Okay. Any Twitter sites, or LinkedIn that you want to promote?
[00:50:47] RS: Sure. You can always find me on LinkedIn. Just Google my name. There’s only six Stiennons, I think. Twitter, I’m @Stiennon and @cyberwar.
[00:51:01] CS: Perfect. Richard, thank you so much for joining us today and for all your great insights on the industry. Really appreciate it.
[00:51:08] RS: My pleasure. Thanks, Chris.
[00:51:09] CS: As always, thank you to everyone listening at home, listening at work, or listening to us at work from home. New episodes of the Cyber Work Podcast are available every Monday at 1 pm central, both on our YouTube page and on audio wherever fine podcasts are downloaded.
Complete all three challenges, download your certificate of completion, upload it to LinkedIn and tag InfoSec for your chance to win a $100 Amazon gift card, an InfoSec hoodie and a one-year subscription to the InfoSec skills platform, so you can keep on learning. Just go to infosecinstitute.com/challenge and accept the challenge today.
Thank you once again to Richard Stiennon. Thank you all so much for listening and watching. We will speak to you next week.