Long gone are the days where cyber attacks come from lone actors in dark closets in shady parts of town. They’ve stepped into the light — become ransomware attacks in global warfare, shut down cities’ online court systems and stolen the information of millions in credit card breaches.
“These days, you see groups operating like a business,” cyber expert Chris Castaldo told Technical.ly. “They have a dev team, a marketing team, like they’re ‘selling’ their product on the dark web.”
While Philadelphia’s neighboring metro regions of DC and Baltimore have long been hubs for cybersecurity talent because of their proximity to federal hubs, the need for that talent — and the number of open positions — here in Philly have become hard to ignore. We heard in 2020 that “every single company” would need cyber pros. And with outside factors like the war in Ukraine and a record high amount of ransomware attacks, we can understand why the call for cyber talent keeps on ringing.
Nationally, cybersecurity jobs ranked second among the top projected occupations for 2022, with 4% growth, according to the most recent CompTIA report. The same report shows that in 2020, Philly had about 13,746 cybersecurity analysts and systems engineers, the third most common tech job after network administrators and software engineers and programmers.
And it’s projected to grow.
Data from a recent Robert Half survey of technology managers in the Philly region shows that 54% of managers said the security of their IT systems and information is their top priority for the year. Of all respondents, 74% expected to increase their budget for it this year, and 35% said cybersecurity skills were of the greatest demand by their IT departments. But finding that talent is tough — 28% of respondents said security, privacy and compliance professionals were the hardest to find.
Is there a skills gap?
If the number of cybersecurity technologists is growing, as is the number of jobs available, why are cybersecurity jobs so hard to fill?
“It’s hard to find talent because folks don’t know what they need to look for or what they need for their organization,” said Castaldo, Center City-based Crossbeam’s chief information security officer.
The field, like many in the tech industry, sees rapid changes as new threats emerge. Castaldo has been in cybersecurity since the dot-com era, spending time in the Army, then working for the government. He’s the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit” and in recent years, has become an expert at building in-house cybersecurity teams.
He feels the industry is in a bit of a transition period. Cyber threats are in everyone’s faces; you’d be hard-pressed to find someone whose information was not breached at some point through a credit card or health insurance attack, he said. But it took time to understand and accept the CIO role that’s now ubiquitous within tech institutions, and it may take time to form an understanding about what cyber skills are essential to a company’s business.
The foundation of what makes a great cyber pro is actually pretty simple, he said.
“Someone with a strong engineering background — that cannot be ignored,” Castaldo said. “That foundational IT knowledge is so critical. And someone who really understands products, how they interconnect, plus a knowledge of cloud platforms.”
Jim Smith, CEO of managed IT services company Proper Sky, runs a 10-person operation in Glenside. He told Technical.ly the businesses his team serves need cybersecurity assets, but it doesn’t make sense for them to have in-house teams. Many of Proper Sky’s clients have a base of 20 to 250 users, and many are in the healthcare or professional services industries. They don’t necessarily have intellectual property to protect, but they have application services — so what’s the best way to protect that?
With many attacks coming from overseas and likely launched outside of business hours, you might want to look abroad for contractors.
“If you really want to run a successful cyber practice, you need someone looking 24/7, so for a small business, that’s a lot,” Smith said. “You essentially need a manager for three shifts of people.”
It’s why Smith does security work himself, with two technologists geared toward the day to day for his own business. But he contracts out penetration testing. With demand high, in-house talent can be very expensive, he said. A cybersecurity engineer in Philadelphia makes an average of nearly $140,000 a year, several thousand higher than the average tech wage of $95,734.
A successful cyber strategy for any company would be monitoring for attacks and hardening infrastructure over time, he said. Each time they build something for a client, they’re hiring penetration testers to find weak spots.
“I’m a strong proponent for if you’re creating something, you should also be testing the defenses,” Smith said.
Soft skills in cyber
Tracy Maleeff, a Philly-based security researcher for Krebs Stamos, said the talent search shouldn’t be as hard as companies are making it out to be. The skills and qualities companies feel their cyber talent should have are different from what industry folks believe is the key to success.
The #InfoSec industry doesn't have a "talent shortage."
– Too many companies are unwilling to skill up (train)
– Have an unhealthy fixation on finding unicorns
– Needlessly complicated interviewing processes
– Poor recruiting and retention practices
It's not us. It's you.
— InfoSecSherpa (Tracy Z. Maleeff) (@InfoSecSherpa) April 13, 2022
Many companies require a CISSP certification for entry-level jobs, a credential that itself requires five years of relevant work experience in the field. It’s an “absurd” ask of an entry-level position, Maleeff said.
“What people should have to be successful in information security is curiosity, aptitude to learn, empathy, critical thinking, analytical skills, humility, and good communication skills, written and oral,” she said. “Gone are the days where a cybersecurity job meant wearing a black hoodie in a secure room.”
It’s important to be able to articulate risks and their solutions to your business and to be able to listen to the struggles and concerns of the end users actually using the security protocols you’ve implemented, she said — all while making sure cyber pros can do their jobs without compromising security.
And Maleeff stressed the importance of soft skills. She came to the field with two liberal arts degrees and a master of library and information science degree.
“When I had an interview for an SOC [security operations center] job in 2017, they said to me, ‘We can teach you the tech, we just can’t teach someone all these other skills you have,’” she recalled.
How threats and security have evolved
Since his dot-com era days, Castaldo has seen more “threat actors” emerge and motivations for cyber attacks evolve.
And cyberwarfare has become a devastating part of actual war, as the world watched Russian attacks on Ukrainian software earlier this year. Microsoft’s Threat Intelligence Center found a piece of “wiper” malware in February, aimed at the country’s government ministries and financial institutions.
“When I was a kid, a virus might shut down a small business’ network, but now it’s been weaponized,” Smith said. “The market, economics and politicization drive it. It’s a whole new world with the level of risk.”
But there’s been an obvious evolution on the defense side, too. The industry has begun focusing on building cybersecurity for users, not risk, Castaldo said. There are people out there who don’t work in cybersecurity and don’t understand why they might need to change their password every six months or set up multi-factor authentication, he said.
“That’s where I’m starting to see a noticeable culture shift when I talk to peers and people just coming into it,” Castaldo said. “With UI and UX fields, their job is to design for a human, and we’re seeing more of that now.”
Where cyber roles are
While many cybersecurity professionals work in-house for a company, there’s a big chunk of contractors. We heard from each cyber pro we talked to this month that anecdotally, it’s a subset of tech that can be outsourced quite easily, and often, more affordably.
Like Smith said, it’s not always going to make sense to have your own SOC team when you’re a small operation.
Castaldo said he usually sees two camps of organizations — businesses like doctors’ offices and law firms with information to protect but no tech team, and startup companies that plan to grow quickly. He’s seeing the traditional 1099 contractor role go away, and instead, more and more cyber firms meant to serve businesses in the first camp.
“I’m seeing more cybersecurity startups to service that in-need market,” he said. “I would prefer my kid’s pediatrician’s office to be really secure, but they are not going to hire a red team or testers. I’m not paying them to be an expert in security, I’m paying them to care for my kid. So I’m seeing more startups looking to serve that market.”
And the specialty firm doesn’t go away on the scaling startup side, Castaldo said. If you’re a B2B business trying to sell to a big enterprise, they’re going to have security expectations. When it comes to in-house, Castaldo often sees that first cyber hire around 50 to 100 employees, or between a company’s Series A and Series C. Anything after that is “a little late in the game.”
So while not every single company needs a cybersecurity expert on its staff, what we heard in 2020 is still true: Every single company should be thinking about cybersecurity. It’s a risky game to play, these cyber pros say.
“Especially if you’re working on something highly sensitive, like say, a cancer treatment company,” Castaldo said. “Once someone’s stolen what you’ve developed, you can’t build another.”