Where Have All The Cyber Security Pros Gone?

Ben Rothke, Senior Information Security Manager, offers his perspectives on cybersecurity and employee burnout in this episode of The Tech Trek.

Or listen on

Where Have All The Cyber Security Pros Gone?

Ben Rothke, Senior Information Security Manager, offers his perspectives on cybersecurity and employee burnout in this episode of The Tech Trek.

Or listen on

Description

Ben Rothke, Senior Information Security Manager at Tapad, is the featured guest of this episode of The Tech Trek. Host Amir Bormand asks Ben to share his insights about Cyber Security and employee burnout.

Show Notes

2:09 – Ben gives us an overview of burnout in the Cyber Security industry.
6:43 – Which signs should managers look for that indicate burnout?
10:32 – How can people get into the Cyber Security industry?
16:55 – The relationship between security and information technology.
19:18 – Ben offers his perspective on the near future of Cyber Security.

Ben Rothke

Senior Information Security Manager at Tapad

Meet our guest

Ben Rothke is a senior information security and risk management professional. His career incorporates a successful track record across corporate and consulting roles, securing IT assets for numerous Fortune 1000 companies. His areas of expertise include analyzing and providing cyber security, and much more.

Episode transcript

Amir Bormand: [00:00:00] On this episode of the podcast I have with me Ben Roth. He is the Senior Information Security Manager at Taped. We’re gonna be talking about burnout and hiring in the cybersecurity space. They kind of go hand in hand and I think Ben has some interesting points that we’re gonna be talking about. We’re gonna talk about the shortage of the industry, making security more, you know, approachable for others to get into.

I’m excited to have Ben on. So, uh, thank you for being on the podcast. Uh, thank you. Awesome. Let’s start off right at the top to understand two things. One, what does tap ad do? And then I know your title is Senior Information Security Manager, but let us know what some of your responsibilities are. Yeah. 

Ben Rothke: So, you know, tap A in the, uh, ad tech space has an identity resolution targeted to, uh, large digital advertisers.

Those with, uh, you know, six figure and above advertising who are looking. Do a better job of, you know, targeting people to get them, you know, what they want to see. So, [00:01:00] taped solution is unique in the field, and so, you know, I manage information security, so responsible for, you know, cloud security compliance since we’re, uh, ingesting, you know, massive amounts of data from our customers, you know, they wanna make sure it’s done in a safe manner and that all aspects of privacy are taken.

Awesome. And then, 

Amir Bormand: you know, information security manager, have you covered some broad areas? What falls in your lap there? Yeah. 

Ben Rothke: Anything related to security, privacy, risk, you know, vendor management, you know, from that end, you know, a lot of different things. Yeah, 

Amir Bormand: I, I like it. We’re gonna get this podcast kicked off here and, uh, we’re talking about, you know, two different, I guess topics, but they kind of interrelate, you know, we’re talking about hiring and burnout.

I think they go hand in. I think we’ll, we’ll start off talking about, you know, some of the burnout that exists within, you know, cybersecurity and kind of get your views on that and then move into hiring. So, I mean, you’ve been in security for a while, I mean, and you’ve seen different aspects, different size companies.

I guess when we talk [00:02:00] about burnout, a lot of that relates to resource constraint and obviously people, you know, doing too much, being stressful in general. When we talk about burnout, what are some of those aspects? If you’re a cybersecurity professional, you’re in the industry and we’re talking about burnout from the outside, what does that 

Ben Rothke: look like?

It’s not really unique to information security. You know, there was a fascinating New York Times article in September about Dr. Kimberley Becker, you know, a medical doctor. She worked in West Virginia, so I I I in the New York City area, and within 10 miles, 50 hospitals, of which, you know, many of them are world class hospitals.

So she went to rural West Virginia. She was the only doctor. And you know, in the end, I think at about age 45, you know, she had to stop because, uh, just to her own health reasons, she was, you know, highly constrained. A lot of her, um, patients, you know, didn’t have [00:03:00] insurance, so she burnt out, you know, quite.

At a high level, it’s not tied to information security, but more specifically information security. There is a shortage of security people, so in a lot of organizations, they’re doing the jobs of, you know, two people and you know, everyone pretty much everyone’s, you know, everyone’s a team player, you know, you have a job and you, you’re gonna give it all you can.

And, you know, people don’t mind, you know, going the extra mile for a week or two. Maybe it’s, you know, during an audit or it’s a peak period. But when you have to, you know, keep giving 110%, 150%, you know, month, quarter after quarter, year after year, that’s the perfect storm for burnout. And companies are losing, you know, good people, you know, because of that.

Amir Bormand: Absolutely. I love the fact that you brought up, you know, basically the example from the doctor and, you know, we’re talking about anytime when we’re asking people to do more and you can’t hire more sometimes. Right. It’s, it’s d. [00:04:00] And that is putting stress on the existing team. When you kind of look at the industry and you look at, you know, the burnout, and obviously you know, it’s not unique to information security, it exists in other disciplines as well, and people are doing the job of more than one person.

When you kind of look at that and you look at, you know how to deal with it, and maybe it’s your, you know, from your personal experie, How can you deal with that? Cause obviously, you know, the work has to get done, you feel has a sense of ownership, especially in security. You feel even a greater sense of ownership cuz you feel like you’re there at the wall.

So how do you deal with kind of balancing and making sure that we, we don’t get to the burnout stage 

Ben Rothke: clearly. Uh, you know, management needs to understand it and, you know, ensure, you know, they don’t burn out their employees. But at the end of the day, you know, we’re all responsible, you know, for ourselves.

A person needs to understand, you know, what their limitations are and needs to keep their physical health, their mental health in check in an order. And I said is, you know, people can, you know, go and overdrive [00:05:00] for a while, but you know, using an analogy of a jet airliner, you know, they take off, the engines are at a hundred percent, but if you listen, you’ll hear maybe after, you know, three, four minutes.

They pull the engines back to maybe 80%, because even though these are high performance engines, they’re meant to work at 80% and they’re only gonna work at a hundred percent for, you know, short amounts of time. And so to, um, you know, people have to, you know, use that analogy is make sure they do not, you know, burn themselves out, know what they could handle as it is, you know, skipping lunch every now and then is fine, but if, if person’s, you know, working so.

They don’t even have time for lunch, you know, that is going to affect them physically. You know, it’s gonna impair their thinking abilities. And, and it’s sort of those type of, you know, markers which really indicate a, you know, a much bigger problem. But at the end of the day, you know, everyone has to look out for themselves and know where they’re holding and if [00:06:00] they, uh, start, you know, getting, you know, feel, you know, burnout, you know, coming on, that’s when you sort of need to take action even physically, you know?

The person has a, a slight pain, you know, you’re gonna take action. But you know, if the pain is that bad for days on end, by the time they, you know, get to their physician, you know, there could be a, you know, significant long-term damage that is irreversible. 

Amir Bormand: I guess as a manager, when you’re, you know, looking after your staff, obviously you mentioned you have to know what you have to handle as, as the person sitting in the job, you know, know your limits, know your, you know your capacity.

You don’t want to burn out, obviously no one really does, but you get deep into the job. You feel that sense of ownership, you’re try and deliver as a manager, what are you looking for? So if you’re looking at your staff, you’re looking at your team, what are signs that, hey, this person’s just, you know, obviously said, you know, skipping lunch, uh, now in the Zoom remote world, we can’t see, you know, what people do with that additional time.

How do you keep an eye on, uh, on your team? [00:07:00] You know, one 

Ben Rothke: thing is, you know, is a good manager, you know, needs to be attuned to how you could see those things, even with, you know, physic. They look, you know, not just that what the patient says is, you know, but their overall demeanor and those things and you know, sometimes employees will be upfront and say, Hey, it’s, it’s too much for me.

It’s, you know, I can’t do it. I need a break. And, but you know, there is a large population of employees that, uh, you know, won’t, won’t be as upfront with that and won’t let you know. But, you know, managers have to be, you know, realistic, you know, knowing it’s, once again, it’s like a horse, it’s like a jet, you know, you could put it at a hundred percent, but you need to know, you know, when to pull back to 80%.

And, you know, you have to be realistic is, uh, you know, what people can do and you know how much you’re, you know, overloading, you know them, et cetera. And, you know, I’m a former pilot. I like aviation, so I always find aviation analogies. You know, if you [00:08:00] overload a plane, you know it’s not gonna take off. And if you try to take it off to be tellable, consequences, you know, 20 years ago or so, there was a singer, Aliyah, they overloaded the plane and you know, 10 people perished.

And it’s the same thing as if you’re overloading them when you’re not cognizant of what’s going on. The repercussions are significant, as I said is with aviation and physics, it’s very easy to see the repercussions as this plane tried to take. Physics is unforgiving. Uh, the plane crashed. Physics is relatively easy.

It’s very easy to measure, but that’s always the challenge of burnout. If you can’t measure it in the same way, you could, uh, you know, measure your tank and know you’re half, you’ve got half a tank, or you’re going, you know, 50 miles an hour. And that is the challenge. This is a big HR issue. And, you know, hopefully in an organization, you know, HR is attuned to it.

They work with management. So in a. Well, functional organization, these are not such an issue in [00:09:00] dysfunctional organizations of which there’s too many, this can become a significant issue and the employees 

Amir Bormand: suffer. And that’s actually a very good point, and I think, I like the airplane analysis. I think that’s really very apt.

You know what’s interesting is obviously even with the airline, obviously that, you know, we’re seeing the shortage of people. Pilots have always, you know, talked. You know, being stressed, you know, they have their own burnout and obviously issues to deal with. And within cybersecurity, we’re always talking about burnout.

And then we’re talking about, well, there’s a shortage of people. We can’t hire people to help staff out. And what’s interesting to me is, you know, we see these numbers of 2 million plus, 3 million plus, you know, employee, you know, cybersecurity professionals needed. But yet sometimes when I look at it and I’m talking to cybersecurity, you know, executives and leaders, it seems like there’s a very distinct focus on hiring.

You know, maybe from a much smaller pool, there’s, there’s a ton of rolls open, but there’s only, let’s say a couple hundred thousand. I don’t know what the number is. I’m making it up, but there’s a small subset of actual qualified [00:10:00] senior level people that everyone wants. And then obviously there’s, you know, 10, 15 jobs, so you can’t even grow your team.

This shortage, obviously, you know, we’re not gonna come up with a solution on this episode, but this shortage and the burnout go hand in hand. And on the flip side, when I talk to people, You know, people think of cybersecurity as something really complicated, something, you know, a little bit outta reach.

It’s, you know, stigma of Hollywood and, you know, a bunch of hackers pounding on keyboards to be their image of what cybersecurity is, you know, to even approach the industry. And I, I don’t, from my point of view, I think that is a problem of making the job more approachable so we can address some 

Ben Rothke: of that shortage.

I think, you know, there’s a lot of. Articles out there, and the popular media talks about 3 million, 4 million open security jobs. And if you do some simple math, it would mean that, you know, 1% of the US population works in information security. So a, a lot of the [00:11:00] numbers, I think are completely, you know, don’t mimic reality.

Is there a shortage? Definitely. So is the shortage that drastic? Not really. There’s shortages in a lot of, in. From jet mechanics to dermatologists. You know, I’ve written about this and a good chunk of the reason companies can’t find security people is because they’re simply not paying salaries commensurate with what the, you know, industry is demanding.

And I get, um, numerous emails on LinkedIn about jobs and I, I probably may say, you know, I know people looking, what’s the salary? And often it’s, you know, they want someone with, you know, 10 plus years of experience. Secret clearance, blah, blah, blah, you know, $110,000. And I’m saying is, you know, that’s not, you know, what the market rate is and companies that are willing to pay market rates, they find people, it’s hard to find good people in areas.

You know, certain things like cloud security [00:12:00] engineers, secure application development. The pool, you know, right away is, is a, a smaller pool. But once again, as companies that are paying, you know, Margaret rates can’t find people. When we talk about security, it’s a massive field from software development, administration, analysis, management, et cetera.

So there’s only one area where a person has to be extraordinarily smart. And that’s, I think, in those who are like working, you know, writing encryption, cryptography, algorithms, and you know, doing that area. But you know, to work in security. You don’t have to be, you know, any smarter than in any other area of it.

I mean, obviously the smarter you are, you know, the better. But if a person is not in Einstein, they shouldn’t say, you know, security’s not for me. Yeah, I mean, Hollywood always does things wrong in an or shell because, you know, if you go into corporate American information security, it’s, it [00:13:00] can be boring.

You know, you’re in long meetings, you’re, you’re looking at, you know, audit logs and it’s not like, you know, exciting hackers and like, like they make it. But once again, is, you know, Hollywood is about entertainment, not about a reality. I mean, even something as simple, you know, there’s, um, the show, you know, house MDs, you know, extraordinarily entertaining.

You know, he’d last an hour in any hospital in America today. I mean, maybe two days. But you know, that, that just simply wouldn’t go. I mean, even, even something as simple as in house, you know, the doctors do everything. While in most hospitals, the nurses do everything. You know, anything you’ve see in Hollywood about computer security is, you know, just is not accurate.

So with that, security needs a, a specific skillset. But a person doesn’t. Um, you know, I can speak for myself, you know, I’m not brilliant. You don’t have to be brilliant to succeed in the industry. So that shouldn’t, you know, keep people away. You have to like it, you have to [00:14:00] have an interest in it. And that’s true for once again, anything you do, whether you’re a heart surgeon, a mechanic, uh, airline pilot, whatever it is, you know, if a person doesn’t like what they’re doing, you’re not gonna succeed.

And you know you’re gonna burn out at age 23 rather than age, you know, 73. So if a person, you know, finds security interesting and once again, this thing we call security, I is so Broad Sand’s Institute has a career met and you know, there’s, you know, there’s a lot of different career paths. But if a person has an interest in security, you know, I’d say, you know, that initial drive and curiosity is, uh, you know, could be 75% of it and then, you know, their own educational pursuits and add, add another 25.

A lot of security is learning on the job because even if someone graduates with a bachelor’s degree, even with a specialty in information security, security in 2022 is different than security 2018. Sure. Which is gonna be different from, uh, security in [00:15:00] 2026. So that’s one thing also is that you need to have an interest in it because you always have to be learning because if you, you just sort of, you know, stay static, you know, the world’s changing.

It is changing drastically. And you know, for some people they don’t like it in general and security specifically because it is changing so fast in the sense is that they just don’t like that they want a career which is a more static and, you know, that’s fine. But once again, is if once again have a, if a person has those, that skillset, that temperament, that personality, it’s a, it’s a great career field.

I think so 

Amir Bormand: many of those are great points. And to kind of touch on a few, I mean, it is interest. Like, you know, some things you mentioned cybersecurity, some of the more technical roles you need. Some time, like, you know, doing cybersecurity architecture or cloud security architecture means you need some fundamentals of ic, you know, more junior level work to build up.

So that’s a time, you know, we need people. It’s fairly new so [00:16:00] you can only have so much experience. There’s only so many people who have kind of migrated onto cloud security architecture, for instance. I think a lot of the other roles you mentioned, some of them have more of a business. Facing, you know, priority.

And I think those are interesting roles that, you know, people don’t view as, you know, the core cybersecurity, you know, talk about compliance risk, you know, where you don’t have to be overly technical, but maybe an interest in technology. And I think, you know, I talk to a lot of people in the data science field and I always, you know, bring the observation that I see a lot of diversity in data science.

And it’s interesting to me because you see, you know, people. Gravitate towards it cuz you know, they think the numbers are interesting or they wanna, you know, get into the data side and you know, obviously it’s a skill they can learn with security. You would think that it has some of those attributes that people see on the data science side and, and the different functions, right?

There’s a ton of functions we’re talking about here in cybersecurity. I would imagine it, it would be a very good magnet for diverse candidates [00:17:00] that maybe are looking at data science to kind of go, Hey, you know, I can find something of similar. Interest in, in the security world, 

Ben Rothke: it is a mosaic with a lot of room for growth.

You know, one thing I I’d like to add also is that security is sort of, should we say an add-on to, you know, information technology in general and there’s these tech courses out there. They say, you know, they could prepare you for a career in security in 90 days. But with that is, you know, a person really needs to know the, you know, fundamentals of information technology, how networks work, you know, IP addressing and you know, 20, 30, 40, 50 other things, you know, software development.

And once a person has that understanding, then you could start working on, you know, how do you secure those things. But if a person sort of just jumps into security and they don’t have that, you know, that overall. Context, you know, they’re missing something there. In [00:18:00] the same way in the medical field is, you know, if physicians go do a basic residency and then they’ll have, you know, fellowships and specialties in, you know, cardiology, nephrology, dermatology, et cetera.

But you know, they have to do those, uh, prerequisites within that internal specialty and then they go onto that. And so too, with information security really is you need those fundamentals of it and then you add on security. 

Amir Bormand: I think that’s a, a great analogy. Those building blocks and some of the security programs you see out there, you see that within the engineering space as well.

You know, people go to bootcamp thinking they’re gonna come out with a job and they do. I mean, it works out, but it’s not exactly the, the one-to-one that you’re gonna come out as a, you know, engineer. You still probably need some more work experience. You need some more exposure to kind of, you know, build out your skillset.

And then, and then obviously a couple years later you look back and it doesn’t matter where the training came. I think, I’m hoping what we’re we’re gonna see is more people kind of see, hey there, there’s this shortage everyone talks [00:19:00] about. And and go, Hey there. That might be an interesting area for me to get into cuz it’s less crowded and obviously decent paying jobs, high demand and goes back to the burnout where if we have more professionals you can, you know, add more people to the team.

And it seems like it’s gonna go 

Ben Rothke: hand in. Yeah, I mean, I said there’s definitely, as you know, current trends grow. You know, it is a great career path. Anyone who’s looking to get in it, there’s a good book out there by Helen Patton called Navigating the Cybersecurity Career Path Insider Advice for navigating your First Gig to the C-Suite.

You know, she lays it out, what it really takes to, you know, get into security because even if you, you know, you, you walk through an airport, you see these signs, you know, as I said, it is, Enter the security career field in six months, high paying job. And so obviously these technical institutes, you know, have an interest in, you know, making claims like that.

But, you know, the question is, is are these people finding jobs? Anyone considering, um, [00:20:00] going into security should definitely get Helen’s book. I think it’s like, you know, $20 to get some, you know, really good advice on, uh, how to do it because as it, it’s, Wide open field, but it’s, you know, companies are not just hiring people because they have a pulse and, you know, people are graduating these programs and finding, you know, the floodgates of jobs are, are, are not there.

So it, it’s those type of books and speaking to people who were in the trenches will give you a realistic view as opposed to, you know, watching the next hacker movie, Absolut. 

Amir Bormand: Ben, I appreciate it, man. That obviously, you know, uh, very wide area of topics. I think you did a great job kind of bringing some visibility.

I love the examples. By the way, I’m a, I’m a big analogy guys, so I love the medical and the, uh, aeronautics examples, so thank you for that. I ask every guest this question, uh, wanna see what you would say? If you could ask a future guest that comes on the show to talk about a topic or answer [00:21:00] a specific question, what would you like to hear 

Ben Rothke: about?

Hmm. You know, Einstein always try to have a, you know, unified field theory, but I think, you know, within it, or you know, how, you know, how do we unify it all is because, you know, there’s more tools, more everything, and it seems like it’s getting more complex, not easier. So, you know, what’s the way to really simplify things?

I like that. 

Amir Bormand: Actually. I hadn’t heard that before, but I’m a big believer of that. And as the complexity is growing and the skillset complexity is growing, it’s becoming a challenge. So that’s, that’s actually a really good one. If somebody wants to reach out to you to talk to you about security or anything you mentioned on the podcast, what’s a good way of getting in contact with you?

I know obviously a lot of people like LinkedIn, but is there a preference that 

Ben Rothke: you have? I have a simple website, roski.com. R OT h k e.com. I could go there, you know, LinkedIn, uh, reach out to me there, could give you my PayPal address also. That’s a great way to reach me. 

Amir Bormand: I love it. I love it. We’ll definitely include some of [00:22:00] those links in show notes so people can chat with.

Ben, thanks for being on. Thanks for sharing. My pleasure. Absolutely. That’s it for this episode. We’ll back again. Different guests, different topic until then. Two things. One, Ben’s topic’s. Very interesting about simplifying IT and technology. More tools, more everything. How do you keep things simple? If you have any experience or views on that, reach out to me.

I’d love to have you on the. Secondly, if you find the podcast interesting, please share it with others. That’s how we’ve, we’ve been growing. Drop a review at a, a rating to whatever your flavor platform is. That helps the podcast grow. Can’t thank you enough. Until next time, thank you and goodbye.

Latest Episodes

Sunil Mallya

VP of Engineering at OncoHealth

Eric Labourdette

Cloud Business Operation Consultant

Kelsey Steinbeck

Director Software Engineering @ Indigo

A community built by you
for you

Subscribe to Elevano Insights

By clicking Sign Up you’re confirming that you agree with our Terms and Conditions.