
My name is Reg Harnish. I'm the CEO of GreyCastle Security. I'm seeing some familiar faces out here, hoping to open a few minds. I've got two things that I really want to cover today. One is some career advice, based on my experience and having been in cybersecurity for a little bit of time at this point, and then secondarily a couple of tips if you decide to ignore my advice, and we'll see where it goes from there.

So GreyCastle, to get them, we started GreyCastle Security. We are one of the largest cybersecurity consulting firms. We're headquartered in Troy, New York. We have an office here. We are opening offices in Boston and Philadelphia in the next nine months or so, and one of the things we do is pen testing, and that term is probably familiar to this crowd here. It's a small part of what we do, largely because of where the industry is and based on client demand and a whole bunch of other things which I'm going to talk about today. We've learned a couple of things about this: pen testing is not what we all think it is. I think for our clients, when they hear pen testing, it sounds sexy, very James Bondy. They don't always get out of it what they expect to, and so there are questions about that.

Yet there is a roomful of people here who are interested in pen testing, and my guess is that everyone who's not in this room here at this conference is probably interested in pen testing also, but they've read the title and decided it was a waste of time. So what I'm here to do today is, I'm hoping to provide a little bit of career advice, in the sense that there's a lot outside of pen testing in cybersecurity. In fact, what I'd argue is, if I look at what we do for our clients, 150 active clients, we have clients in every state, things are going well, very few of them benefit from a pen test. Now that's not necessarily to demonize pen testing itself, because it is a valuable practice, but the reality is, where we are today, we're in build mode, we're not in break mode. We're already broken. And so I'm gonna provide a few of my thoughts around pen testing and where I think you guys should probably consider, I'm hoping you'll consider, largely because we're hiring, things I hope you'll consider when you leave this room.

So the first is this. As I mentioned, the vast majority of our clients today do not benefit from a pen test. Well, I think that is, they already know it's broken, so us coming in and making Swiss cheese of a network doesn't add a whole lot of value. In fact, we know that if we conduct a pen test in one week, the results may be completely different than the next week, the following week, and the following week, because it's a very organic process. It also depends on their people, their process, who's called in sick that day, the applications, the data, who they're maybe potentially connected to temporarily. There's a lot of things that go into a pen test to make it as real as possible. Unfortunately, making it as real as possible means very little today, because it's only real for a point in time.

Secondarily, most of them have not invested in a cybersecurity program to the point where it's worth testing, right? So if I come and smash your mailbox tonight and you wake up in the morning and it's smashed and I say, hey, I smashed your mailbox last night, what are you gonna say? You might say, because I lied, I knew you could smash my mailbox, it's just sitting out at the end of my driveway, I don't watch my mailbox, I don't care about my mailbox. So I'm telling you something you already know, and that's what happens today in the vast majority of pen tests: you get to the results, so if you're working backwards from results, you hand them a findings doc, you may talk about vulnerabilities that were exploited, you talk about the people who fell to social engineering, you talk about which assets were compromised, go through a whole list of really detailed and interesting things. The problem is, when they look at the findings they say, well yeah, no kidding, I knew all that. There's just not a whole lot new, because they've probably already been compromised, whether it was ransomware or some intrusion or loss of data, a lost or stolen laptop. They've already had these problems, and they know that they're vulnerable to them, and they know that these things are impactful, and they might even know how impactful in some cases. So now the question becomes, well, if this doesn't work, if this isn't helpful, what do we do? And so I'm asking you guys that question.

Number two, right? Everyone in this room wants to be a pen tester today. What happens, right, this is economics, not cybersecurity, what happens when there's more of an oversupply to the demand? Well, the price goes down, and then beyond that, commoditization, right? If you were to go out and buy a toilet today, I mean this seriously, if you were to go out and buy a toilet today, which toilet would you buy? Yeah, you don't care. You don't care about the toilet you buy. It's a toilet. It does the same thing that every other toilet does. Now I believe that there are probably deluxe toilets out there somewhere, but they're hard to find, because it still looks like a toilet. I'm encouraging you to think about your future, right? Think about your career. If you want to add value, if you want to make money, if you want to be in demand, well, don't go where the supply is. Go somewhere else, right? Go to where the demand is high and the supply is low. Now you could argue in cybersecurity there is no supply, and I would at least temporarily agree with you, in the sense that there are, I think, a million open cybersecurity jobs in this country right now. Some of those are pen testers, no doubt. People are looking for pen testers, and you can get a job today. In three years, where do you think that's going to be? Well, I see a roomful of pen testers here and probably not a single risk assessor. Where do you think the demand is going? Where, in anything, the supplies go. So think about that.

The next is this. Okay, let's try a little experiment. I'm going to give you 10 seconds to name as many famous pen testers as you can. I'm going to give you four or five of them: Tyler Wrightson, he's not famous, I'm kidding; Dave Kennedy, right; Johnny Long; I mean, the list goes on and on. We could all name a dozen famous pen testers today. Okay, here's the real experiment: name me one famous risk assessor, or a famous awareness trainer, right, or a famous ISO. Go ahead. You can't. Well, if you want fame, if you want to make a name for yourself, if you want a brand, well, don't, you're not gonna go into pen testing, because that's done. Like, those guys are already established, Nickerson, et cetera. It's not, I mean, senator, it's not, I mean, we all know who they are, and I'm not saying they're good or bad or have anything to do with this presentation. What I'm saying is that fame is not in pen testing anymore. We're already doing that. We're already breaking stuff. We've been breaking stuff for a long time. If you want to make a name for yourself, if you want to create a brand and create value around you and your career, do something else. There's plenty of pen testers.

Here's another problem, is that there are no accepted standards in pen testing, and that's the serious reality. You can argue, listen, there are fledgling startups out there that provide some structure around active testing and social engineering and those kinds of things, but the reality is there's no standards. You check NIST, you can check SANS, you can check the Google, there just aren't any. Even PTES, it's like, who's using that today? It's a great attempt at something that is completely unstandardized today. What the problem with that is, if there's no finish line, if you can't define the race, how do you know who won? How do you know what's faster than the other runners, right? How do you know your pen test was more valuable or more effective than someone else's? If you can't measure, if there's no measurement, there's no winning, there's no success. And so now you're sort of behind that, you're doing a pen test for a client or for your own organization, and now you're already struggling to figure out, well, how do I explain this to a CEO or CFO who is paying my invoice, about what I just did and the value that I created? And he says, well, you know, what's this thing worth to us? What does it mean? Try explaining that. Now compare that to reductions in human behavior, you know, people risk, susceptibility risk. I mean, these things have been standardized since the 60s or 70s. Like, we understand them. Now you could also argue that therein lies the opportunity, right, is that the standards aren't created, so I'm gonna go standardize them, and I say absolutely, go for it. But today there's very little measurement, consistent measurement, in pen testing, and so it's hard to win. It's hard to even finish sometimes.

Here's another one. So without exposing too many details, I just came from a client not too far from here who is currently suffering one of the largest ransomware attacks in ransomware history. It's national news. They are a major organization, thousands of employees, and I spoke with the CEO two hours ago, and he said, you know what, kind of tired of this. People have been working 24/7 for weeks now. I've got regulators calling, I've got auditors calling, I just want to get back to business. He's tired of being afraid. So this is a little bit of an abstract concept, in the sense that if you are out selling pen tests, and pen tests make CEOs afraid, do you think they want to buy your stuff, even if they need it? Do you think they're gonna buy your stuff? It's like exercise. I go to a doctor, my doctor tells me I'm ten pounds overweight, ate too many burgers, don't get enough exercise, and he says you need to live a healthier lifestyle, that's going to reduce the risk of heart attack for you. What do you think I do when I leave his office? Yeah, I hit the Wendy's drive-through, because I got a lot of work to do. I was just in his office for two hours and now I got to go catch up, so I go sit at my desk for the rest of the afternoon. And the reason I don't get on the treadmill is because I know I can't get off. I know that being healthy is a lifestyle change. I know that it's never done, and that's just like cybersecurity, and it's just like fitness, it's never done. And so when you introduce a human being to something that's difficult, misunderstood, maybe a little painful at times, even though the benefits are well understood, they're not immediate, right? The immediate reaction is pain, right? I'm tired, I'm winded, I got sore quads, whatever it is. And that's the same thing. CEOs are getting a little bit tired. It's like they're scared enough by auditors and hackers today, they don't need to be scared by you. It's like they're just done. There's a little bit of fatigue going on right now inside pen testing, because people are tired of being afraid. They're tired. Even if what you present to them is really quantified information on vulnerabilities and exploits and pivoting and all that stuff, it's good, but it doesn't matter, because they don't want to see it, they don't want to hear it. They're tired of the treadmill. We're seeing a number of, a lot of CEOs today not even wanting to have that conversation, because they're just sick of it. They're human beings, and that's just the nature of this. And so if you were on the side of, or part of your job is, selling pen tests and scary things, you're going to have a much more difficult time doing that.

So who can remember the first thing we did in cyber, right? So when cybersecurity became a term, probably, well, maybe eight years ago, 10 years ago max, what was the first thing that we jumped on as a service provider, as the thing that we did to sort of prove an organization's risk or, you know, lack of risk? Well, what do you think we did? We did risk assessments. What did we do when we started breaking more stuff? We started doing pen testing. So here's the thing. Today all of you watch the Kardashians, you follow them on Twitter. So my, today my wife watches the Kardashians, she follows them on Twitter, she listens to their podcasts, their Snapchats, et cetera. In two years she's going to forget about the Kardashians, because she's a human being, and we as human beings, we need constant stimulation, and that's just the way it is. We have a very short attention span. Well, what we did first was pen testing, so what do you think is gonna fall off the list, the exciting list, first? Well, the Kardashians, I should hope. The first thing that's gonna fall off this list of interesting, important things is pen testing, because we've been doing it a long time. How many of you are actually bored of pen testing? Yeah, it's happening. Okay, that's one more than it would have been last year. We're getting bored of pen testing, and so are our clients, by the way. It's like, one more thing, it's gonna come in, expose vulnerabilities, give them a list of things to do, scare the CEO. It's like, it's just getting kind of boring. Contrast that now with things that we have made very little progress in. You know, you want to be awesome? Go figure out how to meaningfully and in a lasting way change user behavior. Somebody in the audience figures out how to get people to stop clicking links or opening attachments, or even reporting mistakes that they've made, you guys will be rich, I promise you, and you'll be famous, and CEOs will want to talk to you. But meanwhile, right now, pen testers come in and they're trying to sell their stuff, and they're being relegated to IT because it sounds very technical, right? And meanwhile the risk assessor is out playing golf with the CEO, right? That's just the nature of this, and this has nothing to do with pen testing. This has to do with the fact that we're all human beings and we have a short attention span.

There's another thing, is that because it is, or it's not, but it appears to be technical, I mean, if someone talks about pen testing, first of all they don't even know the difference between that and a vulnerability scan, typically, but it all sounds very technical to me, and so I have a very small audience. So what, are you going to sell pen tests to a top-20 bank, or to a level 1 trauma center, or, you know, a major university? You want to sell pen tests? Oh, you should talk to IT. Well, no, I don't want, like, the hooked IT. Pen testing is actually a business solution, and this is a business problem, but the perception is that pen testing is very technical, right? And so meanwhile the risk assessors, who were talking about compliance, or the awareness trainers, who are talking about thousands of employees, and they're talking to HR and risk and compliance and the executive team about buying stuff, well, guess who writes checks? Anyone in IT, the IT director? They don't write checks. Another reason to get out of pen testing and into something else is this, right? If you want long-term, lasting careers, or invoicing, so to speak, you're gonna have to look outside pen testing, because right now, at least temporarily, you're being relegated to an audience that is much smaller and, two, has no purchasing power. It's just, they can't do it, generally speaking.

The last point is this, and probably the most important, is that of those 500,000 open jobs, most of them are in something other than pen testing, because this is an asymmetric issue, right? Offense is way easier than defense. It's the same reason that, you know, the Bills games don't end in 0 to 0 ties every time. It's because, sorry, the fact is that it's easier to score than it is to stop a score. And so smart people who are motivated and challenged by this industry and want to come up with new solutions and make some money and maybe get a little famous on this, they're going to do something that's hard, right, something that hasn't been, a problem that hasn't been solved yet. Well, I would argue that even though some of these things have been standardized, right, mm-hmm, some of the new standards for even building an awareness program or assessing risk in an organization continue to evolve. You'd argue they're actually easier to do in some ways, because of some of the history behind these things. The reality is, though, that organizations today have a lot more fixing and building to do than break. So think about this. We're back to Economics 101, supply and demand. If I've got lots of supply of pen testers and less demand, but I've got huge demand in things that are outside pen testing, what do you want to do? Right now you may get into pen testing because you think you're a better pen tester than everyone else, like Tyler, the inside joke, sorry, I was expecting a few more chuckles. But the reality is that we need smart people like you, motivated people like you, solving other problems right now. Every business in America is broke, they're already broken, and so issuing them another findings report on other stuff that's broken is not so helpful.
Right now we need people who can build stuff and fix stuff, right? We need people who can help with prioritization, like helping organizations even start. I talk to CEOs, CFOs, CEOs every week, every day almost, and most of them say, I'm not even sure where to start. I don't even really know what to do in cybersecurity. I've got a budget, and I think I've got some resources, and I know I've got pressure from my board, and I'm tired of being a headline, I'm just not sure what to do. Well, a pen test doesn't help them. It just gives them more things to do, but it doesn't tell them exactly what, necessarily. It certainly doesn't tell them in what order, and it definitely doesn't tell them how much, right? We need to be answering those questions. We need more people who can literally explain, in a way that executives and businesses understand, that you need to do cybersecurity. How many of your businesses or schools or whatever you do today are doing enough, are doing the right things? Anybody? Yeah, no, nobody. Okay, there's always one. Nobody knows what they're doing. They don't know what to do, and they don't know how much to do. We need people to solve that problem.

All right, lastly is this. We got plenty of pen testers. We got a world-class pen testing team, but we need risk assessors. We need people who are part security guru and part psychologist, that really understand the cognitive biases in the human brain, that can help us figure out how to change behaviors in end users. We need people who are experts in taking a program and applying that in different industries: health care, higher ed, retail, manufacturing. We don't need pen testers. We got tons of pen testers, and we get tons of pen testers applying. We need people who do other things. At GreyCastle Security, I'm guessing we look very much like every one of our competitors in terms of our resources, is that we filled our pen testing positions real early, because we found resources, right, and we were able to satisfy the demand for those services. Today we cannot keep up. We have four open positions. We hired six people in January, we hired three in February, I think three in March, we still have four open positions, for everything but pen testers. You want a career, you're gonna have to go somewhere else, at least temporarily, until pen testing sort of catches on, maybe we standardize it, maybe we figure out how to do this better, or maybe organizations finally build a program and controls that are worth testing, so that when you get to findings and results and you slap that on the CFO's desk, he says, oh yeah, I get that, I understand that, that's gonna help me budget for next year. Today we're not there. You want a career, if you're starting a career or building your career, the next three to five years, pen testing is not the place for you. That's my story, I'm sticking to it. I'm sure you... a golf clap. Appreciate it. I'm happy to take questions. I'm sure most of you have counterpoints. Let me have, let's start out at that assumption.

[Audience member] As I see it, I think that you're right that if someone, maybe a penetration tester, just walks up to a CEO and says, hey, here, you want a pen test, and then just gives them a paper on it, it's not gonna work. But I think that part of being a pen tester would be developing the social skills to help people that aren't pen testers understand what these results are and what they need to do with them. So I feel like the solution isn't necessarily to not be a pen tester, but to be a different kind of pen tester that would be able to help people who aren't pen testers to understand that.

Interesting, interesting claw, and I don't disagree. I will, by the way, before I leave this room, admit wholeheartedly that pen testing can be a valuable service to the right client at the right time under the right conditions. So let's get that out of the way. It's just that everything else around it today points in a different direction.

[Audience member] Sometimes the other departments, like finance and HR and stuff, demonize IT, and they don't want us in their process, because they think we're just gonna make it time to that. Maybe pen testing doesn't need to be a technically classified field, but maybe there just needs to be more of that collaboration between the non-technical and the IT.

And there are good pen testers out there that are doing good things, that if you sell a pen test the right way, you've already established that this is a business solution for a business problem, this is not an IT thing. Let's face it, there are plenty of hacks out there too that just want to pop a firewall. Yep. Let me ask a couple questions about that. So one, when you first looked at that findings document, did you have anything to compare it to, to know if it was good or bad? So did they... okay, so they just ran Nessus or two. So here's another problem. We, the security industry, have done an absolutely horrible job educating people on the difference between an exploit and a vulnerability, right, which is really the key difference in pen testing between the vulnerability scan or something else, another assessment. But in any business, they only have five things worth protecting. Were those five things evident in the report, like, this is what we were going after, this is what we compromised, here's the impact? Probably not. But any business only has five things: money, you got a bank account, you got something worth protecting; you have identities, yeah, people worth protecting; you have credit card information; do you have a reputation; and do you have intellectual property. If your pen test, if someone asks you to do a pen test, or if your pen test today is going after anything but those five, then you're wasting your time, because it's not meaningful to the business. Those are the only things that a business cares about losing. Now maybe you do something targeted, and you may have a smaller scope where you're going after an application or something more atomic, but the reality is you've got to be able to translate that into one of those five things, or the impact, the potential impact, to one of those five things. Otherwise it's meaningless to the business, because if the business is smart and they're building an effective cybersecurity program, those are the only five things they're protecting. They don't care about iPhones and networks and firewalls. That stuff is, they're just hammers. They could be egg timers, they could be hamster wheels, it doesn't matter. All we care about is data, so we got to make sure that, you know, we understand that that's what a pen test is about. Yeah.
[Audience question, partially inaudible] ...oversaturated, the people who are doing it really, really good, wholesale, sort of...

Yeah, so we do compete, absolutely. We compete with pen tests that come in on a fax machine, 2,500 bucks for a pen test. That happens. Our clients are seeing the same things. Now I would argue that in a capitalist market there's nothing wrong with that. If someone can sell a pen test for 2,500 bucks and make money on that, God bless you. The issue is that where the industry is so young, and we haven't yet defined, there's not like an established standard about what a pen test should be, and so if I have a $2,500 pen test and an $18,000 pen test and I don't know the difference, I'm gonna save my money, I'm gonna buy the $2,500 one. That's not really the fault of anyone. It's just that this industry is so immature right now, we just don't have a way to compare those two, and so you can't make an educated decision here. Yes, sir. Well, he had his hand raised, I don't know if he's gonna pass to you. It's whatever you guys want to do. Okay, all right, sure, because we can let him go. No, all right.

[Audience member] So assuming that we take everything you say to heart, and we want to start right today switching to risk assessment, what transferable skills do we have? What can we do to make that pivot, and what would we need to do, you know, to get into it, get into that new mindset?

So 33 percent of an organization's cybersecurity program is technology. If your background is technical, you're already off to a good start in that area. Risk, though, is simple math: likelihood and impact. It's not like pen testing, where there's a whole pile of technical skills and you got to understand scripting, you got to understand, there's a lot of things that go into that. Risk assessment, I would say, at the surface at least, is actually a simpler function, because it's basic math. Now obviously being a good risk assessor means you understand frequency versus volume, and you understand the difference between a vulnerability-based risk assessment and an asset-based one, so there's a lot more to it than just likelihood and impact, but your skills transfer almost directly, at least partially. But isn't learning part of the fun, doing something new? And by the way, the fact that if it is hard to go from pen testing to risk assessing, that just means that fewer people are going to do it. The value of those individuals who do accomplish that is going to go up, because there are fewer of them, and so it continues to be a good story. Oh yeah, that tall guy in the back.

[Audience question, partially inaudible] So, first, testing, very nebulous term. Let's talk more about offensive security, not go away, because there are operational issues, and so I'll give a very, very simple... and this, you analyze the physical security system that you have in place, people at the end of the day of Sunday...

Yep, absolutely, and I completely agree. One more question.

Obviously this was intentionally provocative, because I want to... it's partially God, it's all these other things too, but certainly if you want to actually manage risk at an entity, you're gonna need some money, you need some resource, you need some time, and if you can't demonstrate value, if you can't sell this thing, then you're not gonna get any of those things, and then we've all lost. So thank you very much. Appreciate your time.
[Applause]