Cloud Security Today

The Talent Shortage That Doesn’t Exist

January 20, 2024 Matthew Chiodi Season 4 Episode 1

Episode Summary

On this episode, best-selling author of Cyber for Builders and blogger Ross Haleliuk joins the show to talk about his writing on the cybersecurity industry. Ross is active in the cybersecurity ecosystem as a startup advisor and angel investor, currently leading the VIS Angel Syndicate. He often writes about cybersecurity, security investment, growth, and building security startups on TechCrunch, in other leading industry media, and in his blog, Venture in Security, read by tens of thousands of security leaders every month.


Today, Ross talks about the usefulness of apprenticeship programs and the impact of AI on the talent shortage. What makes the talent shortage a qualitative issue? Hear about AI and cybersecurity problem-solving, Ross’s recently released book, and how Ross stays sharp (and fit).

 

Timestamp Segments

· [02:23] Pivoting into cybersecurity.

· [08:20] The role of project manager.

· [11:24] The BISO role.

· [13:41] The talent shortage as a qualitative issue.

· [23:58] Apprenticeship programs.

· [30:51] Qualitative vs quantitative talent shortage.

· [33:15] The impact of AI.

· [39:06] AI in cybersecurity.

· [41:54] What is Ross writing about next?

· [43:12] How Ross stays sharp.

 

Notable Quotes

· “A lot of problems in cybersecurity are not unique to the space.”

· “It is difficult to find an entry-level job in the technology space, period.”

· “There is a shortage of senior talent, but there is also an oversupply of junior talent.”

 

Relevant Links

LinkedIn: Ross Haleliuk

 

Resources:

ventureinsecurity.net


[00:00] Intro: This is the Cloud Security Today podcast, where leaders learn how to get Cloud security done. And now, your host, Matt Chiodi.

 

[00:15] Matt Chiodi: How many of you know Ross Haleliuk? Do you know that name? I invited Ross on the show because I love the way he writes. He's written in TechCrunch, VentureBeat, Forbes, Dark Reading, HackerNoon, Security Weekly. He writes a lot, and I love the way he thinks, and what I really appreciated about Ross, and I say this a little bit during the interview, is that he does long-form writing. That is so rare these days. Most of the time, if you read blogs, even the ones that I've written, they're typically a maximum of maybe 1200 words, and you can only go so deep into a topic when you are limited to 1200 words, but Ross, when he writes, will often go into the 5000-plus-word category. Now, I know if you're busy, you're thinking, I don't have time to read that, but if you really want to understand an area within cybersecurity, you need to follow Ross. He does an amazing job. Some of the things he's written about recently are things around that cybersecurity talent shortage, and we are going to cover that in depth, specifically, on today's podcast, but he's also written about cloud security, factors that make it unique. He's written about the great CISO resignation, things like that. I love Ross, and I hope you enjoy this interview.

Now, Ross has got a great background, and what I also appreciate about him is, he's not a lifelong cybersecurity person, and maybe you're thinking “well, why would you have him on the show if he's not a cybersecurity practitioner, per se?” I think what we need more of in cybersecurity is that outsider view. Someone who can bring a multi-disciplinary approach to cybersecurity and help us to do things differently. Ross comes from a financial background. He's currently head of product at LimaCharlie, so he has been all over the place. He has really gone deep into cybersecurity these last few years. I hope you enjoy the show.

Ross, thank you for coming on the show.

 

[02:16] Ross: Thank you so much for the invitation, Matt. Happy to be here.

 

[02:19] Matt: I'm really excited to do this. So, let's just jump right into it. You've worked as a product manager in several industries, before focusing on cybersecurity as Head of Product at LimaCharlie. I always love asking this question. What motivated that transition to cyber, and how have your experiences influenced how you think and approach cyber?

 

[02:44] Ross: That is a fantastic question. So, yes, you are right. I was fortunate to work across a variety of different industries before ending up in cybersecurity. I was in e-commerce, wholesale, retail, financial technology, both on the B2C and B2B SaaS side, and, frankly, I ended up in cybersecurity by accident. A good friend of mine reached out and was like, “hey, we are building this amazing startup, and we are looking for somebody to lead product. Would you join?” and I had a great conversation with the founders, the opportunity made sense, the market made sense, and what ended up happening after I went home, I started digging into the fundamentals of the industry, I started going on YouTube, going on Google. At the time, there was no ChatGPT, so trying to leverage whatever resources I had available, and very quickly, I came to realize that cybersecurity is such a complex space that I ultimately ended up giving a call to my friend and I said, “you know what? I don't think I can do this. This is insane,” and his response was like, “Oh, my God, what do you mean? Of course, you can do it,” and the part that confused me, and the part that scared me at the time was just the number of abbreviations for somebody coming from another space into cybersecurity.

You see, I've worked in financial technology, and as a product leader, I could always wrap my head around the problems that the financial technology was solving. I could wrap the problems around getting a mortgage or getting an investment instrument, but then in cybersecurity when you look at the number of abbreviations, and it's all from MBR, DR, SIEM, SOAR, DSPM, CSPM, and on and on, and on. It was just so incredibly overwhelming that my first reaction was just confusion, but then obviously when I pivoted into security and ultimately ended up joining LimaCharlie, I surrounded myself with everything I could around cybersecurity, so I started going to events, I started reading a lot, networking with people, and in general, trying to stay active in the space, and in the first several weeks, it felt like cybersecurity is an absolutely unique field, and over time, I started to look at the industry from the perspective of the broader tech market, and then it clicked that fundamentally, cybersecurity is a technical discipline, very similar to software engineering, QA, or any other parts of the tech space, although there are many differences, such as the implications of national defense, and the fact that there is an active adversary trying to break in and trying to tamper with whatever the security team is doing.
At its core, it's all about ensuring the security of the infrastructure, and when I came to realize that, I started to see a lot more parallels between cybersecurity and fields like software engineering, QA, and I started to see the commonalities between practices, such as pentesting in QA, between continuous testing and continuous deployment of code, and continuous testing in cybersecurity, between version control of the code and version control of detections, and on and on, and on, and I also came to see that a lot of the problems in cybersecurity are not unique to the space, and many of those problems have been, if not fully solved, then at least somewhat addressed by other fields before.

For example, when we talk about the fact that cybersecurity practitioners need to understand the business, and the business needs, we can look at software, and we can see that well, the reality is that most backend engineers don't talk to customers, most frontend engineers don't want to talk to customers, either. People become software engineers because they want to focus on code, and obviously, we want them to care about the business goals, but we don't necessarily want to make their jobs all about talking to business. That's why we've introduced the practice and the role of product management, which sits between software engineering and the customer. A role that is, for example, in my view, missing in cybersecurity. So, I started to look at a lot of the ways cybersecurity as an industry functions, and I came to realize that, well, it is a fairly unique and a fairly fascinating space, but fundamentally, there are so many commonalities that if you look at it from first principles, even if you're new to the industry itself, as long as you've been in the tech space, you can make sense of it and shape some sort of perspective of the industry.

 

[07:51] Matt: I love how you gave that example of when you look at building products, product managers. It reminded me, I don't know if you've ever seen the movie, Office Space? Have you seen that? It's a cult classic. “I take the specifications from the customers and give them to the engineers. I'm a people person, I have people skills.” So, you immediately brought that to mind when you brought that up, but I think you said, if I heard you correctly, that that role of product manager is missing in cybersecurity. Did I hear you correctly? Well, how do you see that?

 

[08:28] Ross: The way I think about it is that you cannot expect that every security practitioner is going to become an expert on the business model, an expert on the way the company operates. Obviously, to a certain degree, you want them to understand it, because it shapes their job, and it enables them to contribute at a higher level, in the same way you want software engineers to know what problems their users experience, what are some of the pain points they're facing on a day to day. That said, you also recognize that there are going to be limits to their interest and you want to supercharge their ability to contribute at the highest level by introducing the role that fills in the gap. That is what you have done in software engineering. In cybersecurity, in my view, in smaller organizations, that is really the job that a CISO or a Head of Security plays to a certain degree, building relationships with different departments across the company, understanding what the business is and how the organization makes money, and what do different workflows look like, what do different people use, how do they go about accomplishing their daily tasks? Each of those daily tasks can introduce risks, but at very large organizations, if I'm not mistaken, there is also this role of BISO.

 

[10:00] Matt: Complex organizations have BISOs. Healthcare is a big one. You have BISOs.

 

[10:08] Ross: And then you have all the other companies where there is a security leader, and there are different layers of management, and then there are different types of security practitioners and security teams, but what, in my view, is missing, based on some of the observations I made looking from the outside in, is that individual who would act as the glue between the practitioners and the business, who would help to prioritize what are some of the risks that we should be tackling. For example, although looking at the latest zero day may be the most exciting technical thing, the chances are probably higher that an organization is going to get compromised because Brian, from the sales team, just texted his password to Jessica, who also needed to log into a CRM. So, understanding all of those workflows and how people operate, in my view, is critical, and having somebody like a “product manager,” obviously, I use the words product manager in quotations, but having a person who bridges the gap between the technology and the business needs could be useful.

 

[11:24] Matt: I think the BISO role, my experience with that, largely working at an extremely large company, I won't say the name of which one, but we had almost 300,000 people in the company, and we had BISOs, and their job was to intimately know that line of business. That was their job. They were to be the business liaison to the cybersecurity team, just the way you're describing. That's exactly the way it worked. In some cases, they owned the risk register for that line of business. They were the primary risk owner, and it was also their job, then, to advocate for the appropriate level of investment, to buy down that risk inside of, let's say, their risk portfolio that they were managing. So, I think you're right. Some of the listeners always email me after episodes, so I'd love to hear from the listeners. Are you seeing that BISO role, business information security officer? Are you seeing that BISO role outside of the extremely large, like I said, multi-100,000-person organizations? Do they exist in the 10,000-person organization, which is still a large organization? Do they exist? Sounds like, Ross, from what you're saying, that is a little bit of that role that you see missing largely in cybersecurity, which exists in other disciplines.

 

[12:42] Ross: That is exactly what I'm saying.

 

[12:46] Matt: So, let's switch gears a little bit. You do a lot of writing, and I follow you very closely, and there's a couple of things I enjoy about your writing, but the one thing I love is that you do long-form writing, which is very rare these days. Most people, they write a blog, it's 800, maybe 1500 words, and that's long, 1500. Your writing is much longer than that, and I appreciate that, because you take the time to really go extremely deep into a topic. In fact, I would say that most of the time when you cover a topic, you cover it exhaustively, which is awesome. Sometimes, I read the whole thing. Sometimes, but you did one a couple months ago on, well, I call it the SIEM one, but you said it wasn't just about SIEM. It was about data and whatnot. That was great. So, listeners, if you want an exhaustive coverage of that market, go read what Ross wrote on it, but recently, you wrote an article talking about an extremely hot topic in cyber, and that is the “talent shortage,” and interestingly, you refer to that as a qualitative issue. So, first of all, I would love to hear what do you mean by qualitative? How is it a qualitative issue? And then maybe we can go off from there.

 

[14:05] Ross: Yeah, I would definitely love to talk about it. Before we do, let's first try to define the problem of talent shortage. I would like to share my perspective on it, simply because I feel like, unless we do it, we may be talking about very different angles, or potentially even very different problems. So, I look at this statement that it is incredibly hard to find an entry-level job in cybersecurity, and almost everybody in the industry these days talks about the fact, just how hard and how much effort people have to put in, how many hoops they have to jump through, how much “gatekeeping” there is in the industry, and I empathize with people who have to go through all of those challenges. That said, again, having seen how different industries operate, I must say that it is difficult to find an entry-level job in the technology space, whether we are talking about software engineering, whether we are talking about QA, whether we are talking about design, user experience, user interaction, whether we are talking about data, data engineering, data analytics. Regardless of which field you take, it is hard to find that entry-level job, and I remember when I was looking for a product job, same story.

It is incredibly hard to get into product, and in my view, there are three reasons why that is the case. One is the cost. So, training new people takes time of the senior employees, and thus, it ends up costing quite a bit to get the new person on board, to provide them with the level of expertise and skills and experience they need to be able to do their job well, and that's the time that, realistically speaking, could be spent on delivering value and building or doing something useful and generating revenue for the company in other areas. The other reason why I think that is the case is the cost of mistakes. See, if an inexperienced person assembling a stool, or any other piece of furniture, makes a mistake, what could be the worst outcome? Well, what could it look like? Well, a customer may get a low-quality product, they're probably going to file a claim, and in an absolutely extreme case, they might sit on the stool, and end up falling, breaking their neck, and suing the company for damages.

So, all of those things are possible, but fundamentally, in fields like cybersecurity, when a person makes a mistake, that could cost a company a month of their revenue, or longer, or shorter, depending on the size of the mistake and how somebody else chooses to exploit it. In product management, very similar story. You could have a product leader making strategic decisions that seemingly make sense in certain circumstances, only to see the company go out of business two or three years later. We've seen that happen with BlackBerry, an amazing product. Where is it now? It's gone, and I think companies like BlackBerry, and companies similar to BlackBerry, have had the best talent they could find. It's just that the accumulation of mistakes and the inability to see the bigger picture have led them where they are today.

Obviously, last one, the speed to market. The competitive pressure forces companies to focus on delivering more, moving faster, and they need to compete, and in order to compete, they hire people who can hit the ground running from day one. So, to me, those three are the reasons why we have created a system that incentivizes hiring senior people. It is particularly seen in the technology space, where the competitive pressure is so high, but that's also the case in other areas. So, when we talk about the talent shortage, I think it's important to recognize that there is a shortage of senior talent, because everybody wants to hire senior people, but then there is also an oversupply of junior talent, of people who are trying to break into the industry, and I think, as soon as we start talking about the problem from this angle, the solutions that we can brainstorm start to look different. It is no longer about saying, “Oh, my God, there is a talent shortage. Let's get everybody into boot camps. Let's get everybody interested in cybersecurity.” I feel like we've got a decent number of people who are interested. We've been doing that part of the job quite well. We have so many talented, diverse, incredibly smart and educated, and passionate people interested in getting into the industry. What we struggle with is accommodating the number of people and actually getting companies to hire these junior people, but also, we are struggling to get people who are already in cybersecurity to move to the next level. Would you agree that this is more or less the state of the talent shortage problem, in your view?

 

[19:43] Matt: Yeah, in my view, that is absolutely it, and I think you're right, in that this isn't just a cyber problem. This is a technology problem in general. Technology, as we see it today, is still a new discipline. I always compare things to disciplines that have been around for 100-plus years, like accounting. It's been around for very long, much longer than 100 years. Hundreds, maybe thousands of years, and when I look at the way we're struggling in cyber, specifically, a lot of it has to do with just how new it is, as a discipline. So, yeah, I completely agree with you, and I'd be curious, I'll bring this up, we didn't talk about this beforehand, but in trades, especially over in Europe, there's the whole concept of apprenticeships, and that is something that existed in the United States with trades up until probably 40/50 years ago. I've spoken with some security leaders who have essentially built that. Now, these are usually security leaders with large programs, who have resources, and they specifically have new-hire programs where they hire people directly out of universities, and they pair them up with a senior resource, and it's not just like, “hey, it's Ross's first day of work. Make sure you work with them.” It's a formal program, and it takes time and investment, and it's not usually a three-month program. It's usually a year, minimum. So, they've built that apprenticeship model in, but I know from my own experience, and companies I've worked for, and from my colleagues, there's not always that willingness to be able to make a program out of it. Yes, they'll do onboarding, but that's totally different. That's an HR thing. Not true investment. Most companies will give some type of training budget, but that's table stakes, but really pairing them with somebody who is going to answer a lot of questions, that seem very junior and sometimes stupid. “Why would you ask this question?” I say this because this was my experience.

So, my first job out of university was at Johnson and Johnson. Great company, and I had the opportunity, 20-plus years ago, I was 20 years younger than everybody else on my team, and I had the opportunity to sit with people who were extremely senior and ask really dumb questions for three years. So, to me, that was a benefit because J&J was willing to bring somebody on who was right out of college, had no practical experience, but was able to then surround me with people who were very senior. Now, some of it is just culture, how they hired the individuals, their openness, and their willingness to pour into me, to answer questions, and I knew. I could tell sometimes, I would be like, “Okay, I asked Jane enough questions this week. I'm going to go to somebody else.”

So, anyway, it's a long way of answering your question, of saying, “Yes, I agree with that fundamental premise.” There's a lot of senior talent, and there's a ton of interest. We've done, from a US cybersecurity perspective, cybersecurity is cool. It is cool. 10 years ago, not cool. It is very cool now.

 

[23:57] Ross: By the way, on the topic of the apprenticeship programs, whereby senior leadership and senior talent can help nurture the next generation of security practitioners, again, drawing the parallels between our discussion and something that I have seen before in other fields. Again, product management. Let me state it this way, it is incredibly hard to find a job as a junior PM, and the reason that is the case is really the impact of the decisions people make, and also the fact that the outcomes of those decisions are going to be unknown for a very long time to come. So, in some fields, you're a software developer, you've shipped a piece of code, it has bugs, somebody else caught it, fixed it. To me, software development is an example where this form of apprenticeship exists without being called that way, but if you look at product roles for a second, there are programs, there is the Google APM, Google Associate Product Management Program, there is Uber APM. Same idea, whereby those companies, they take new graduates, mostly from either Stanford or some other top tier universities. Some of them come with a background in computer science, others come with backgrounds in business, or other disciplines, but the important part is that they all receive support, they will receive mentorship, there is a fairly semi-structured program, where you do your job during the day, then you might be attending some events and some workshops hosted by different leaders within and outside of the company, and so on, and so forth.

So, those programs do exist, and frankly, I think there is a lot of value in those, and there is a need for them. The reality is that it's a very small and very niche way of solving a problem. In my view, see, if companies currently struggle in hiring junior talent and providing them this simple onboarding experience and having a senior person to ask one question per day, how likely is it that the same companies tomorrow will invest their time and effort into building a formal, well-structured apprenticeship program, and getting people funneled through their doors? I think the chances of that are, well, let's be honest, it's zero. So, to me, the solution isn't necessarily to try and reinvent the wheel and go looking for tools that were used 200 years ago in trades.

To me, the solution is to look at how other technical disciplines solve the same problem of talent shortage today, and I think the only difference between software engineering and cybersecurity, when it comes to the talent shortage problem, is that in both disciplines, it's equally hard to find an entry-level job, but because more companies hire software engineers than companies that hire security people, it's naturally easier to find somebody who will take a chance on you and pay you a fairly low compensation for a year or two, and then you're going to be able to double your comp and find a better job somewhere else, but I think, if I'm not mistaken, there is currently an estimate of about, what is it? 700,000 or a million people who are “necessary,” who need to join the industry in order for us to solve the talent shortage. That number is somewhat insane, and to me, see, I think, as an industry, what's quite fascinating is that we are not just talking about the talent shortage. We are taking some steps to potentially solve it.

There are now a ton of bootcamps and university programs. So many public and private universities have launched Master's in cybersecurity, most of which are focused around policy, but nonetheless, there are so many Master's programs, there are so many Bachelor's programs. The challenge in my view is that I see talent as a pipeline. You need people to become interested in security to choose it as a career path, then somebody needs to help them to turn this interest into knowledge sufficient for them to get an entry-level job. After they're hired, somebody needs to help them learn and level up, and get into the mid-level tier, and later on, they have to find the way to grow into senior practitioners. So, I see several issues there. One, most security programs at traditional institutions, they're outdated on the day they're released, but most importantly, their quality depends on the instructor. If somebody is still deeply connected with the industry or is potentially even working somewhere as a practitioner or a security leader, obviously they're going to be able to provide their students with much more relevant information and much more relevant skills and knowledge than somebody whose interest in cybersecurity is purely academic, and who has not really worked in the industry for decades, if ever.

Then there is the challenge around the fact that most educational programs are focused on giving people basic knowledge, and that's incredibly useful, but if you're already a security practitioner looking to get to the next level and go deeper, and potentially specialize in fields like incident response, or cloud security, or anything else, the courses and the education around those needs are rare and incredibly expensive. They're prohibitively expensive. Look at SANS courses. They're probably the best in the industry, but at the price tag of 10 grand, how many people can afford it?

 

[30:35] Matt: And they run over the weekends, which I never liked. Often, I don't know if they still do. I'm in the morning on time, but I remember going through them a couple of times as a practitioner and not liking to have to give up my weekends for studying. Sorry to interrupt.

 

[30:50] Ross: I guess, going back to the original question around the qualitative versus quantitative talent shortage, the question I'm asking myself is, what are the chances? Well, let me restate it. The numbers, the estimate for the number of security practitioners we need, are based on the assumption that we are not going to be changing the way we approach security, and what we're going to be doing is hiring more and more security analysts and people to look at dashboards and deal with triaging the alerts and the findings provided by the vendors, but what if the answer to solving the talent shortage lies in leveraging the technology, but also hiring the people who can automate a lot of the manual tasks? Maybe we don't need 25 analysts. Maybe we can hire one or two security engineers and four analysts. Maybe we can hire somebody who can, instead of opening every single alert, or instead of manually performing all the tasks they have to perform in the day to day, maybe we can get people who can look at those workflows, who can find inefficiencies, who can find opportunities to automate it, to eliminate all of those manual tasks in such a way that we need less talent. That's really the primary message when I talk about the qualitative approach. I think we need fewer people, but people who are more proficient in understanding the basics of security and in understanding the foundations of “what does it mean to secure a patch of technology that was being stitched together by a vendor?” Yeah, so that's really the angle I look at it from.

 

[33:00] Matt: I love that, and I haven't looked at the recent estimates. I just know it's a very large number, and I love that last point that you just made. That number assumes that things are going to continue to be the way they were in the past, and we all know, we've all been talking for pretty much this entire year about AI, so there has to be, and I know there will be, an impact on that, but like you said, that number, whatever it is, 700,000, a million, whatever the number is, in terms of the “shortage” that exists, assumes that there will be no impact from AI, no impact from progress in general in technology.

 

[33:42] Ross: The conversation, when you state the advantages and the potential promise of AI in this way, it actually makes me worried that the problem of talent shortage is going to get worse, not better, and here is why. The state of artificial intelligence today is not sufficient to replace a highly experienced engineer or a highly experienced incident responder. However, it can absolutely be used to handle some of the low-level tasks. Potentially, obviously, not generative AI, but there are different types of AI. Potentially, we could be talking about triaging alerts better and reducing the number of false positives, and so on, and so forth, but those tasks are currently being performed by the most junior people. So, we once again run into this problem where the AI is probably going to be able to automate a lot of the work performed by the people who are junior, so we need to hire more senior people because now we don't really need junior tier-one analysts to come in and handle some basic triage. So, once again, how do we solve that so that there's balance?

 

[35:06] Matt: I think you're right, and I haven't thought enough about that, but I think you're right. There's definitely been some talk about how it's going to solve the talent shortage, because the assumption is, “hey, we have all these entry-level jobs that are open,” which is probably not actually true, but the assumption was, “AI is going to solve that,” because if you remember a couple years ago, when we looked at the SOAR market, security orchestration and response, the idea was, “this is going to handle, in a SOC, all the tier one, maybe even tier two things, will automate that.” Whether or not that happened, I think, depends on how much investment you put into a SOAR platform, but now with AI, people are talking very similarly. “Well, now this time, for sure, with AI, it's going to eliminate those tier one, tier two type things.”

 

[36:02] Ross: It is an interesting question, because on the topic of SOAR, I think one of the biggest complexities of SOAR is that creating playbooks requires a Venn diagram, an overlap of two kinds of skills. You need somebody who knows how to write playbooks, and somebody who understands incident response and who understands security. The overlap is actually quite small. So, that is probably one of the reasons why, even though in theory, companies could have automated a lot of their security operations with a SOAR, in reality, there is just, again, not enough talent to do it. With AI, it's hard to say, because when it comes to the response, security teams have never trusted and have never believed that you can delegate an autonomous system to respond to a threat and potentially decide to isolate a mission critical server to the business. So, you still need people who have that understanding of technology who have the understanding of the business. I don't know if their entry-level jobs or demands are going to get automated, but that's also, in my view, that's not for the talent shortage is. I don't believe the industry is looking to attract a bunch of entry-level people today, and that's what it's struggling with. If you look at the job postings that are supposedly unfilled, they are not entry-level people.

 

[37:36] Matt: I think that's the case. I saw a headline just today on LinkedIn, where somebody I think was diving into that perspective. I didn't read the entire article, but I think you're probably right, but I also think that there's a perception, which is not reality, that well, there's all this entry-level work. Maybe nobody wants to do it. You could say, if you look at the level of work that's open at a fast food restaurant, the level of low-level work that “nobody wants to do,” it's obviously different from a cybersecurity perspective, but I think certainly when we talk about AI, a lot of people who are not in technology, when they think about AI, they think we're talking about SkyNet from Terminator. Fully autonomous, making decisions. We know that being generally available, we're not there yet. GPT-5’s still not going to get close to that. When we think about cybersecurity from a vendor perspective, vendors for years have been talking about, if you remember Cisco, over a decade ago, talked about the self-healing network. Do you remember that? I don't know if you remember, that was one of their slogans, the self-healing network, and the idea was that their system was going to help you recover, whether it was a cybersecurity incident, or something else. Of course, it didn't actually do that, and that's not Cisco's fault. That was really good marketing, but the technology wasn't there yet. I think from an AI perspective, we're likely to get to a point where a system could be able to handle things automatically like that, but if you think about nuclear missiles and things like that, there's still a human that has to be in the loop for certain things, because you have to think about, “if I give a system fully autonomous ability to respond to a threat, do I know the scope to which it can respond and what the possible ramifications could be of that, because maybe I can't control what happens next.”

 

[39:40] Ross: Now, what's quite interesting about artificial intelligence and cybersecurity is that this is the second wave. You already had Silence, you already had Dark Trace, you already had a large number of companies trying to bring their autonomous technology into a SOC and so far, that hasn't become the solution to the security problems. In the same way I think it's going to happen to the current wave, we will find that generative AI is great for solving some problems, but a lot of the problems, they're not on AI to solve. A lot of the problems are not the problem of content generation. A lot of the problems are not the problems of eliminating false positives. There is still a lot of the fundamental security work that needs to be done, and you need qualified people to do it. Hence, the problem of talent shortage, it may get a bit better, but also, I don't know to what degree it will, because as more and more companies are realizing that security is indeed something they need to take care of, the demand for security practitioners should continue to grow.

From this perspective, it absolutely is, because historically, we've been talking about security in the context of the enterprise, but about 50% of the US employees, well, it might be anywhere between 44 and 50, I don't remember the exact numbers, are not employed by enterprises. They're employed by SMBs, many of which don't have more than two or three people. So, somebody also needs to think about securing those people and as there is more demand outside of the enterprises, which are typically forced to think about their security by the regulators. The SMBs also have to start thinking about improving their security posture, and over time, the demand should shift a bit there. That is the hope, at least.

 

[41:53] Matt: So, what are you writing about next?

 

[41:56] Ross: Ah, that is a great question. One of the topics I have been looking at recently has to do with, essentially, the problem, the questions of fundraising, building capital-efficient companies, looking at different ways to exit companies, and what does that actually mean from the founder’s standpoint? Where does the company need to be, in terms of their revenue, metrics, and other milestones in order for it to go public? So, looking at the numbers behind the industry. I find that quite fascinating.

 

[42:39] Matt: I think you'll have a lot of founders and a lot of VCs who are very interested in that article.

 

[42:44] Ross: It is an interesting topic. Absolutely.

 

[42:46] Matt: So, is there is there anything else I should have asked you? Anything else you wanted to add?

 

[42:52] Ross: No, I don't think so. We've had a fantastic chat. Thank you so much. There are so many problems, we could discuss for days, but given the limitations and the time box of a podcast, this has been an absolutely fantastic conversation. Thank you so much.

 

[43:09] Matt: i'll ask you one last question. I probably shouldn't do this, but I will. How do you stay sharp? You go deep on a lot of topics, but what is your method for just keeping your pulse on cybersecurity?

 

[43:22] Ross: It's a good question. See, I talk to a lot of people, I meet a lot of people, I ask them questions, I try to understand the industry from the first principles, and frankly, I think, really, that's the only way to do it. The other very tactical thing I do, I take notes, I have a bunch of Google Docs, and if I think of something, if I read something interesting, if I arrive at an interesting thought, I just drop it into a Google Doc, and over time, when you see an accumulation of it, and you just skim through it, it becomes so much easier for you to generate some insights and some interesting perspective.

 

[44:02] Matt: I love it. That's a good habit. I started doing something similar. Everyone, if you have an iPhone, you have the Notes app on there, and I started to keep a list of just when I had an idea, just write it down, and I'm up to I think 140, in terms of just ideas like, “hey, I need to write about this. I need to talk about this.” It's super helpful, because a lot of times when I'm trying to write, that's not the time that I'm most creative. It's when I'm away from work, I'm somewhere else, and if I don't write it down literally within 30 seconds, I will totally forget it.

 

[44:37] Ross: Yep. So, for me what ends up happening whenever I sit down to write a new article, it's never me staring at a blank sheet of paper. It's me looking at the bunch of chaotic disorganized notes and trying to see the theme, and structure the article first, and that makes it so much easier. I don't think I would ever be able to write 5000-word articles by just sitting down in front of the empty Google Doc or empty sheet and just starting to type. I don't believe in inspiration. I believe in organized mind, organized thoughts, and discipline to do it.

 

[45:17] Matt: Ross, this has been a fascinating discussion. Thanks for coming on the show.

 

[45:19] Ross: Thank you, Matt.

 

Thank you for joining us for today's episode. To find out more, please visit us at Cloudsecuritytoday.com.