Hyperspecialization in cybersecurity | Cyber Work Podcast

November 11, 2019


– Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week I sit down with an industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while also offering tips for those trying to break in or move up the ladder in the cybersecurity industry. John Wheeler’s our guest today. He’s the VP of Security at Topcoder, a tech network and on-demand digital talent platform with 1.5 million gig economy technologists in 190 countries. Prior to Topcoder, John spent four years in consulting, helping clients migrate cloud-based technologies and solutions. His background is in enterprise and carrier-grade technology, having worked in the telecom industry for more than a decade. He has a BS in electrical engineering from Purdue University and an MS in information technology from Northwestern University and holds a CISSP certification. We’re gonna be talking today through several topics, but in particular, the concept of hyperspecialization in cybersecurity and coding. John, thank you for doing this today.

– Thanks for having me today, I appreciate it.

– So tell me a bit about your security journey. We talked about some of your past jobs, but how and when did you first get interested in computers and security and technology?

– I had an opportunity when I started to work for US Cellular to actually take on security there. It was traditional perimeter security, firewalls, AAA systems.

– What year would this have been roughly?

– I started with US Cellular in 2005.

– Okay.

– And then prior to that, I had an opportunity in leadership before that, but that was really the transition for my individual trigger to roll into just purely leadership. And what I think about in terms of security journeys is all of the things that I touched prior to that. When I worked for other coding manufacturers, having an opportunity to look at networking, software development, and I think that that was the first time I would classify myself as somebody who’s in security, but I think all of the experiences that I had leading up to that also enabled me to be effective in that role.

– Okay, how has the cybersecurity landscape changed, do you think, directionally or procedurally since when you first started versus now?

– You know, I think that there’s a number of things that have changed, but I think one of the things that really stands out to me is privacy, how much privacy has changed and it’s become something that individuals and companies, and customers are interested in. Two decades ago, from a security perspective, people were combating viruses and worms, various nefarious activities that people could wield in a network, and now it’s trying to ensure that the information that they manage and control is handled in a secure fashion and follows good security practices. So I think that the biggest thing that’s changed from my perspective is the focus on privacy.

– Did you get the sense that users are more savvy in this regard, that they’re asking more of their online experience than they did back then?

– That’s a great question. I don’t know that they’re asking much more. I can tell you from my own personal experience. It’s something that, as I’ve taken on this role, I’ve definitely become more aware of. But I think we probably aren’t as aware of our own privacy as we probably could or should be. I’m certain that there’s apps on my phone that are tracking things that I’m unaware of.

– Oh, yeah.
– But I think the thing that’s most visible is data breaches where information escapes from an enterprise. And that’s why I say that I think privacy’s the thing that’s changed the most. And that’s in addition to the compromises that Trojan horses and worms in an hour can have.

– Yeah, yeah, you’re looking at it from two different ends now. There’s the thing that attacks me, but then there’s also that feeling of being compromised from the things that you actually want on your computer.

– Yeah, like I said, it used to be that you would just have to worry about your enterprise and protecting your enterprise. Now you have to worry about your enterprise and your data and information. And I don’t know that that’s necessarily completely new, but I think it’s become visible to the public now.

– Oh, for sure, that’s definitely the conversation we’re having now. So let’s start with the company you work at now as it fits closely, I think, into our discussion for today. So Topcoder is a digital talent platform employing technologists in specific countries to take on specific one-time projects, I believe. How does this style of security problem solving come about?

– Yeah, so the Topcoder platform enables both members and customers to engage and be part of the global talent on-demand. One thing I would say is that though some projects are short-lived, some are very long in duration. We have projects that have lasted over a year, but the thing that really differentiates the Topcoder platform from other vehicles or methods of delivery is the focus that we have on our process both through technology as well as through people. The Topcoder process enables you to leverage humans, which are probably the most effective at this point in detecting some types of security and vulnerabilities, but also technology. We use industry best-in-class tools to equip both our customers as well as members or individual contributors to understand the code that they’re writing, to understand what implications of code that they have on their overall security posture, give them an opportunity to refactor or upgrade that code to be more compliant to a security standard. So I think we can provide an environment both for customers and for members to improve their overall security posture.

– Okay, one thing we’ve been talking about a lot in the past year or two is the cybersecurity skills gap. Does this play at all into that? We hear a lot about not having enough qualified professionals to fill existing positions. So is a system like Topcoder aimed at solving problems that might exist when you don’t have, say, the right professional talent to work for your company in your town?

– Yeah, I think companies are gonna begin to realize that the gap is just based on their sourcing mechanisms. I will say that every business needs to spend time and energy and effort in trying to recruit and retain the best talent pool they can have. The reality is that the smartest people are probably not inside your four walls and trying to leverage that community globally is what Topcoder provides. So having the ability to have access to that talent pool, we don’t see the gap that others see. We have an elastic community that responds to the types of work that people are interested in. This kinda speaks to the hyperspecialization. We have folks that globally want to focus on very specific things, wanna become the best at those things whether it’s data science, design, or QA. So having a community available and asking that community. And there’s really gonna be this shift or change in the businesses. We’re seeing it already. Fortune 100 companies are embracing crowd-based solutions because they’ve recognized that they’re not gonna be able to do those within their four walls.

– Okay, can you give me some more examples of some of these hyperspecialization areas that people are getting into. You mentioned data science and so forth, but what are some of these, I wouldn’t say titles, necessarily, but what are some of the skills that you see people really drilling down into?

– Yeah, and when I talk about hyperspecialization, especially when I talk to customers, I always ask them are there things in your job that you’d like to do and would you prefer to do those things, because we all have jobs that there’s things we like to do and things we don’t like to do. An example from my perspective of the hyperspecialization is we’ll see people that wanna just focus on a skill or ability that they’re proficient in or they understand really well. Maybe it’s a design in building APIs. Maybe it’s front-end development, designing and building a front-end. Maybe it’s the integration between the two that can be just ETL. We have people that just specialize in building the algorithms for image recognition. We have people that just focus on the AI. So they become experts in those things and that doesn’t mean, I don’t know that they are mutually exclusive. I don’t know that you can be hyperspecialized and not have some generalization.

– Right.
– What I do think is that in, again, in your career, you may not have the ability to specialize in something because the expectation is that you have this generalist capability, and that’s what the talent on-demand community provides is access to those people that want to be the best at whatever skill that you’re trying to solve.

– So this supplants, or not supplants, but this augments your current position. You have to be a generalist in your day job, but you can be a hyperspecialist on these specific projects. It sounds to me like, you know, I used to work for physicians and you’d have certain types of medical specialists that work on a certain type of vein and do that all day long, but I would say they still have some generalist background.

– Well, yeah, the analogy that I always use is that when you’re building a house, you get a general contractor because the general contractor is the one person that needs to understand how to talk to the guy that pours the foundation, the guy that does the electrical, the guy that does the plumbing, but he probably doesn’t do those skills. He lends them out to other people that are experts in that, and that’s why I think that a part of what Topcoder provides that truly differentiates from competitors is that you have access to this hyperspecialization that you otherwise wouldn’t have access to, and it’s a passion economy. If you go through traditional methods of trying to find skills and abilities, you may get a laundry list of buzzword bingo on your resume that fits your overall need, but when you’re finding people in a passion economy, you’re finding people that are the most interested in solving that particular type of problem. That’s what’s a true differentiator.

– So as these gig economy projects and outsourcing projects become part of the everyday landscape for even the largest of companies, what in your opinion is safe for organizations to outsource and what is not? So for example, how can an enterprise protect their IP and verify product quality when working with an external team of developers like this?

– Yeah, the protection of IP is probably the most critical thing, the question that I get asked the most with respect to how to engage a crowd, and what I’d say is we have built over the last 20 years a number of different methodologies to assist customers in protecting their intellectual property, from things like building synthetic data, to be able to master manage their existing data, building translations to be able to translate their data into a different domain, to building a scaffolding of their existing infrastructure. Customers will say, “Well, wait a minute, I have my own authorization system that’s a little bit different, how am I gonna be able to use that?” So we’ll build up mock systems. This isn’t actually that dissimilar from what most companies already do if they have a development environment. If you have a development environment, you don’t take your production data and put it in your development environment. Because from a security perspective that’s something you shouldn’t be doing. And so it’s not that much different than what they traditionally do. I think the thing that customers are better understanding is that this just looks more and more like what they’re already doing, it’s just how they’re engaging at work. So in this perspective I’d say whatever policies you have internally, those policies can be mirrored with leveraging and using the community, it’s a matter of understanding and adapting those policies to how the community interacts. So if there’s data that’s required, how do we either sanitize or obfuscate that data to be able to use that community. If it’s code, how do we stub things out so that we can interact with the systems that are required for them to interact with, but do it in a manner
that better represents a scaffolding or a mocked-up system.

– So I’d like to talk a little bit about Topcoder’s ranking system for coders. I looked at the page explaining how the figures are calculated and, as someone whose eyes tended to glaze over a bit as soon as a sigma gets introduced, I got a little lost. Could you tell me about how the calculation system was devised, what it’s built to emphasize, and what the complexity of the formula is aiming to remove from the equation, i.e. people who might try raising their scores by getting involved in as many projects as possible without doing any work for them.

– Yeah, I think the shortest answer is that our scoring system is based on traditional chess metrics, how you would score a chess master, but in its simplest terms, the folks that engage in a passion economy or a crowd economy, they want to be able to understand how they relate to their peers in that economy. And so providing a transparent mechanism of scoring and ensuring that they can see how effective their outcomes look compared to others is an important aspect of engaging that community and making sure that they’re interested in the types of work that you do and also giving them feedback into how they’re performing. One way of thinking about it is if you’re in a competition and you’re competing against people that don’t know as much as you, the expectation is that if you’re more knowledgeable, you’re going to win. And so what we want to encourage people to do is try to compete against the best, and that’s what the scoring system helps do is, it reflects when you’re competing against the best, the metrics of the individual members.

– Okay, have you seen any evidence that people were able to leverage their ranking level as a calling card for jobs? They might wanna jump into a high security level job due to various machinations around the skill gap, they might not be able to show off their real-world HR skills to people who are only looking for research or job titles.

– Yeah, there’s a couple of different, I think, avenues for that. I think first and foremost we do see members reference their skills and abilities in a CV or resume. In addition to that, it’s well known that both Facebook and Google will omit first-round interviews based on code qualification interviews if you have a certain ranking within Topcoder. I think another place that it’s important is one of the things that is effective in building and managing a community is rewarding that community and recognizing that community. Annually, Topcoder has something called the Topcoder Open, TCO, and every year we gather together the best and brightest from the globe and we have a competition for a few days, and it’s actually coming up here in November. And we host those members and only the best are able to come and compete, and so it’s the world championship of software design, development, and data science. And it gives them the ability to not only meet folks that are in their vocation, but also gives them bragging rights as a result of that competition. They’ll be able to say they were the best for that year. So I think that’s representative of how they can use those scorings.

– Okay, to the other side of that, do you have a sense for HR people or employers, how do you read a number? What sort of translatable skills will they see in someone that has, I don’t know, a high number of 1,200 or something like that. Are you seeing, is it showing accuracy, is it showing quickness, is it showing problem solving skills, what are–

– Yeah, I think it’s probably all of the above. I think to effectively compete in a community, they need to be able to work within a team. Part of our platform enables members to work with each other. We have processes in place to ensure that as members are submitting solutions those solutions get verified, so they work with folks called reviewers that are part of the platform. They work with co-pilots, so they exhibit teamwork, they exhibit individual contribution, they exhibit the ability to receive feedback. Often times when members submit they may be scored on something and they may not understand that, so they have to work with their peers to be able to understand what their perspective was on that. So I think it’s all the above. I think the reason why I would struggle to put it into a box that fits well into HR is that typically with HR, you’re looking at a CV or resume, and one of the things that, if you go onto our website and you look at a challenge you can see the interactions that members have and you can see the real-world problems that they’re solving. I think it’s really hard to do that from a staffing perspective.

– Sure.

– What somebody’s done other than through their own lens.
– Okay.

– As a competitor you could say here’s the 15 competitions I competed in last year, here’s the 25. It’s much, much easier, right? And much more transparent to be able to show a potential employer the things that you’re proficient in and how you’ve been able to perform all of those tasks.

– Can you, I meant to ask this before, but can you tell me a bit more about these competitions versus the specific projects. So you have these challenges that are aimed to show proficiency that would maybe make you more qualified to take on the projects that people are requesting of you?

– Yeah, so the model itself is based on a competition model and it basically is each one of the problem statements is presented as a challenge, but the problem statements are broken down into small enough chunks. We often refer to it as atomized. It’s not really that dissimilar from a traditional agile approach. If you have a scrum master that’s managing a work stream and he has a number of stories, he has to figure out is this story gonna be multiple tasks, am I gonna break it up over a sprint? Those same types of activities go on when you leverage crowdsourcing or a community to engage members of our community to solve those problems. So those same types of skills that you would use to break down enterprise work streams are the same types of skills you would use on the community platform.

– Okay, so I wanna go back to hyperspecialization as a career choice, I guess, maybe, is what I’m looking for. I think you already explained it very well in the sense that you’re not, I came into this thinking that the idea was that everyone was just gonna do one thing and be really good at it to the exclusion of all else, but you’re saying people wanna be hyperspecialized in certain things so that they can get those kind of jobs while still retaining general knowledge. So tell me about the benefits of hyperspecialization for the average cybersecurity professional, in using this universal skillset, apart from getting these specific projects, what will they gain? And I guess, what will the entire cybersecurity ecosystem gain by going deep into these specific areas of expertise?

– Yeah, and I’ll maybe use a specific use case, so if we have a challenge that’s either re-crafting or designing a front-end, often times you’ll get exposed to OWASP top 20, or top 10 types of things you need to be aware of, especially for validation. And so by running through that type of challenge from a software development perspective the individual contributor can understand and see how their solution best meets the needs of the problem, but also ensures that it supports security best practices. But that doesn’t limit them to just working on front-end types of development. And so they may find that that’s not something that they wanna do, they wanna be proficient in, maybe they wanna stay in APIs, but it gives them an overall exposure. And I think back to when you first asked me about my security journey, I think each one of the interactions that I’ve had has helped me figure out where I want to focus my efforts and then where I have gaps as well. I think in the passion economy people can go try things that they may not have otherwise tried. The reference case that I always use is we have a lot of folks that compete part-time in the platform. They’re still trying to figure out what they wanna do and they have an opportunity to use spare time to work on the platform. And so maybe their day job is working on SAP, but they really wanna learn Node. They want to get a job in Node and there isn’t a way for them to do that otherwise, and so for them to be able to use those skills, they can take traditional classes or schooling, but to be able to prove those skills is another thing. So they use Topcoder as a platform to be able to do those things. So they may specialize in SAP and running SAP, but their aspirations are not all outside of that, so they can specialize in something that gives them skills and abilities to again potentially compete full-time on the Topcoder community or use Topcoder to find another vocation.

– So these challenges and so forth, these can almost act as a second school.

– Yeah, absolutely, and we see that often. Not only in terms of the types of competitors you see, but also just in the engagement of the community itself and the questions that they ask.

– Okay, so to relay a point, we discussed a few different topics
prior to this interview. One of them was, I wanted to talk about your idea of moving the DevSecOps tool chain closer to the developer and enable more real-time secure code practices. You describe multiple stages of verification in order to ensure that your company is practicing “defense in depth.” What would need to change in most development departments to make this possible? Is this a skills gap issue, a bigger budget, or just a procedural change that’s more of an issue of time and attention than allocation of resources?

– Yeah, I would say that all enterprises have an aspiration of moving the tool chain closer to developers, and it’s a matter of not only instrumenting the tool chain, which can be time consuming and costly, identifying the right technologies. The same can be time consuming and costly, but providing the skills and abilities to their developers, and one of the things that we do that I think really opens an executive’s eyes to what crowdsourcing can do is we’ve moved that closer and closer to the developer. Again, by using tools like standard code analysis, like software composition analysis and enabling those post-challenge to be able to influence how the next co-challenge may be run. What our desire to do is to move that all the way to the developer so that as they’re developing during the submission process, much like a developer checking into a GitHub repo and kicking off CI/CD tools, they would be able to get feedback and give them an idea of how close their code is coming to the mark prior to any submission happening. Again, I think that enterprises are starting to embrace more of the DevSecOps and having that closer and closer, it’s just a matter of how mature they’re at on their digital transformation and where their tool chain was at. But we have the ability now to be able to reflect where a developer is at the conclusion of a challenge, and moving that closer I think is what everybody’s aspirations are.

– Okay, so where do you see the role of DevSecOps in the next five years? If your prescriptions are widely put into place, how does that affect not just the safety of the code and the products, but the job force, the skills gap, and the way that people prepare for careers in the cybersecurity force?

– Yeah, I think once we’re able to have that real-time feedback and enable the developers to make good design and development decisions, you’re gonna start to reduce not only your overall deep threat period, but have a better impact on your overall security posture. I believe that we’re close to those things. I think the tools, we’re actually in the process of evaluating some tools at this point and it’s interesting that some of the tools have higher maturity in their ability to deliver their services over APIs than others. You’re also starting to see some of the tools consolidate. You’re also starting to see some of the same things that have happened at SMTP or email delivery now happening to software delivery. So GitHub, and GitLab, and Bitbucket are all starting to integrate these things into their tool chains and make it easier for consumers of their services to be able to manage that overall security pipeline. Now it’s a matter of making these things proactive so that things don’t get into the lifecycle with nefarious code or with code that doesn’t take into consideration good security practices, pushing that again along with developer. And again, I think that the end result, you asked about where this is gonna go for security. I think the end result will be what security professionals want, which is security is really worn by everybody. It’s not a department or we didn’t need this insurance security, it’s everybody’s responsibility.

– Great.

– But by pushing that out all the way to the developer gives them the equipment to be able to do their job effectively, but also doing the secure mail.

– Okay, so to pull things back into terms of training and learning, and career development against your specific challenges to the projects and the hyperspecialization model, what are your thoughts on current learning platforms, certifications? What certs, if any, are most important at the moment? What are some general advice you have for people who might wanna go deep, but still need that general cloak of knowledge? What do you recommend in that, if anything?

– Yeah, I think it’s important understanding what you like and take an opportunity to focus on some of those things. Thinking back to my career, I’ve jumped to a number of different things. I actually started in software development and realized that I wasn’t very good at software development, but I wasn’t terrible, but I recognized the people that were really good.

– Yeah, because that’s usually where you spark. (laughing)

– Well, yeah, they knew the libraries backwards and forwards.

– Right.
– And they could code without having to consult a manual, which unfortunately I still do to this day, but I’d say figure out what you like and what you wanna do. And in terms of certifications, I think there’s a plethora of ways to verify your capabilities. I just recently took and passed the CISSP and it is a compendium of information, and I’m grateful for the background that I have because across so many domains from network to systems, but at the same time it’s a challenging certificate to go obtain. So I think it really depends on what you wanna do. Topcoder’s a cloud-based company so we use a lot of AWS, and I think a lot of the cloud-based senders, whether it’s Azure or Heroku, or AWS are great places to get some level of certification. In addition to that, I think that networking is something that is and software by network means something that’s foundationally changing. I think it changes how we think about how we manage and monitor our networks. And so specializing in that, I think there’s lots of opportunities, but I think first and foremost, find out what you like to do. I ran across that in one of my career opportunities that I really enjoyed systems. I had an opportunity to do networking. So I’ve always gravitated towards systems and it’s been what sparked my interest in security here as well.

– Yeah, that’s great advice because you’re able to try a lot of different things and see what you like, and not necessarily chase the money or whatever, just find the thing that you can do, like you say, without a book and without looking at the cheat sheets, or whatever, and then you’re on your way.

– Yeah, my son is pursuing his degree and he’ll come in and he’s living with me, and he’ll come in here and look over my shoulder and he’ll say, “I still marvel at the things that you type into a command line and how you came up with those things.” And so just having a passion about what you do and chasing that and pursuing that in terms of security, I think is the most important thing.

– Okay, so to wrap up things today, do you have any one last piece of advice for young people who are considering cybersecurity or coding as a career and course of study, and what would that be?

– Who’s to say, that’s a good question. Like I said, my son’s pursuing that. I’m not sure what’s available in terms of course of study. I would say that I had an opportunity to get exposed to security and the number of different ways through my career; computer science is, I think, a good place to start. Even the folks that I knew that went into networking, they generally started somewhere else and they went into networking before they then jumped into security, so that some of my very good friends that are security professionals, they started in networking and then they ended up in security. I’d say that trying a few different things. So an almost antithesis to the hyperspecialization, try a few different things to figure out where you want to specialize in. I think that’s probably the best advice because it’s hard to know until you try and do some of those things and figure what’s important to you.

– Okay, and to wrap up at long last, if people wanna know more about Topcoder or John Wheeler, where can they go online?

– Topcoder.com, I always encourage people to register and if nothing else, just see what the competitions are that are there, and you can always find me on LinkedIn.

– Great, John Wheeler, thank you so much for your time and insights today. This was really fascinating.

– Thank you so much for your time. I appreciate it.

– Okay, and thank you all for listening and watching today. If you enjoyed today’s video, you can find many more on our YouTube page, just go to youtube.com and type in “Cyber Work with Infosec” to check out our collection of tutorials, interviews, and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts, just search “Cyber Work with Infosec” in your favorite podcast catcher of choice. To see the current promotional offers available to listeners of this podcast go to infosecinstitute.com/podcast. One of our big pushes for 2020 is to learn more about election security, and if you want to use our free election security training resources to educate co-workers and volunteers on the cybersecurity threats that they may face during the election season, please visit infosecinstitute.com/IQ/election-security-training or click the link in the description. Thank you once again to John Wheeler and thank you all for watching and listening. We’ll speak to you next week. (upbeat music)
