1% For Cybersecurity

omeone and forgotten the source (steal from me and you’re stealing twice). It’s a phrase that is particularly apropos this week during the RSA conference and it goes like this:

Nobody is in the security business, not even security companies, they’re just in business.

The point being: you need to make money, to make your solution, to help people with security problems. Nobody works for free, nor should they; labor is worth something. The labor performed by rare security talent is worth a lot.

The question I keep asking myself though, and socializing with a wide range of fellow security nerds suggests that it's something tickling the backs of all our minds, is whether all this flash comes at the expense of something more substantive.

This is not a diatribe on the importance of fundamentals or hygiene. I’ll save that for another day (and another, and another…). I ask for a little introspection as you wonder at the temporary booths with nicer furniture than you have in your own house; the cars being auctioned off; the high-end electronic swag; the hundreds of dollars’ worth of printed collateral you receive that will be filling the garbage dumps around San Francisco by this weekend: is this not money better spent elsewhere?

The reason this question resonates so much is that it dovetails with one of the major themes being promulgated by so many of those vying for your attention this week: that their silicon solutions are an attempt to counter the lack of flesh and blood resources. The so-called ‘talent shortage’ is not a point that needs to be belabored (no pun intended), but what makes more sense: spending money talking about it, or spending money to do something about it?

The 1% Club

I’m going to use RSA as an example because I’m at the con (and a well-done con it is), but this is an exercise you could do for every one of the ~2,000 security cons that are being held every year. How much revenue does the con generate? Well, some very rough math based just on booth sales alone; let’s say for the sake of discussion it’s $10M. 1% of $10M is $100,000. At an average of $6,000/class, that’s roughly 16 SANS classes.

“But Mike, 15 freshly minted GIACs isn’t going to make a big difference in the ‘talent shortage’ problem.”

No, but it’s not zero, which is what we’re funding now. I don’t care what field you’re in, 16 new people is better than 0 new people. But if it’s scale you want, then let’s do something that scales. What’s the estimated market for security products and services? Estimates vary, so let’s pick something middle of the road: $150B. For those of you who want to check your answers in the back of the book, that’s 250,000 new GIACs.

Now we’re cooking with gas.

Again: the math is very rough, and SANS GIAC is simply an example of one source of training (albeit highly regarded), but you take my point: everyone giving a little bit of something can have a significant difference.

And yes, if you want to be base about it all, that’s 250,000 new users. 250,000 more people spending money to go to cons.

Oh, sorry, 250,000 PER YEAR.

If we assume 3.5M unfilled cybersecurity roles, and assume technology does in fact serve as a force multiplier, then if we’re doing things right the 1% club probably doesn’t have to exist for much more than a few years, give or take.

I expect no one to sign up for this, because to do so would in part point out the imperial nudity of "the way things are done." The lobby for the status quo would rather talk about the change required than actually do it. Human nature? Sure. Most people are averse to working themselves out of a job, but then you have to ask yourself: are we in this business because of security or something else?