Becky Bracken
Hello and welcome to Dark Reading Confidential. I’m your host and Dark Reading editor, Becky Bracken. And once again, I’m joined by Dark Reading’s editor-in-chief, Kelly Jackson Higgins, and managing editor of content operations, Jim Donahue. Welcome back, Kelly and Jim. It’s nice to see you again.
Today we are going to focus on the slimmed down profile of the Cybersecurity and Infrastructure Security Agency (CISA) under the new administration.
We want to know what that means practically to cybersecurity teams. We want to explore the cost of having less coming out of CISA, and any opportunities the federal government shakeup might present for business.
To get to the bottom of these questions, we’ve invited two regular Dark Reading contributors, Tom Parker and Jake Williams, who through our conversations have each provided me with thoughtful insights about what’s going on at CISA, each from a different and important perspective.
These are our ideal guests to take on the topic and these are not hot-take reply guys. They’re both thoughtful experts we rely on here at Dark Reading to provide our readers with information. Thrilled to bring them both together for our listeners today. Hello, Tom and Jake. Thank you for joining us.
Tom Parker
Hey, Becky.
Jake Williams
Happy to be here.
Becky Bracken
Let me tell you a bit about their backgrounds because I think it’s important for our conversation today. We’ll start with Tom Parker. He regularly lends his expertise to Dark Reading, as we already said. He also joins our Black Hat News desk and more. He worked his way up through the early cyber ranks, served as a Fortune 500 CISO, and then moved to startups. Most recently, he sold his cybersecurity company, Hubble Technology, to NetSPI, where he served as CTO.
Jake Williams is widely known by his social media feeds as “Malware Jake.” He’s not just a darling of the DEF CON and BSides sets. Jake is a former medic, DoD hacker, SANS instructor, and current cybersecurity consultant to some of the largest organizations in the world as a VP of R&D for Hunter Strategy. Jake also regularly lends his expertise to Dark Reading.
So, now we’re asking both of them to open up and help us level set on the cybersecurity shakeup happening at the federal level.
Kelly, I want to turn things over to you and have you present our first area of discussion.
Kelly Jackson Higgins
Sure, thank you, Becky. Thank you, Tom and Jake, for joining us today.
We’re really excited to have you. Just to kind of level set, we’ve been watching what’s been happening at CISA over the past few months. The organization has lost about a third of its employees so far to layoffs, some buyouts. I think it’s about 1,000 employees, some manager level, high-level folks. And the Trump administration is on point to cut about $500 million from its budget.
And we just saw, I guess it was a couple of weeks ago, the Senate confirmation hearing with Sean Cairncross, the National Cybersecurity Director, wouldn’t really even discuss these cuts when he was asked.
So, it got a little bit worrisome about what this really means for CISA. I guess what we’re trying to figure out is how bad this really is for the agency. And Jake, wanted to start with you and see what you’re thinking. Just where we are right now, where it could go, and what this really means for CISA.
Jake Williams
Yeah. Thanks so much. You know, realistically, this is not great for CISA. I’m sure anytime you lose that many workers and have that much of your budget at risk, obviously, it can’t be a great thing for the agency. But I think the more important part for most listeners is, what does this mean for cybersecurity and the federal government writ large? Then, secondarily, what does that mean to them personally? So, there’s no question in my mind based on cuts I’ve already seen — you know, some specific cuts firsthand — that this is definitely impacting the nation’s cybersecurity.
From a perspective of, just, so who cares, right? If some government agency gets hacked, you know, the reality is that even if you are in the private sector, you are forced, right? By our laws and regulations for different agencies to work with those agencies. So, you’re going to have data exchange with them. This is not something where I can simply like in most Fortune 500s scenarios look and say, “You know what, you don’t pass my third-party risk management muster so we’re not doing business with you. We’re not exchanging information with you.”
I just don’t have a choice. It’s the government and they compel me to do it. So, it matters a lot to me that they’re secure. That’s before we get into the myriad government contractors, right? Who rely on, you know, these government agencies to be secure as well.
Kelly Jackson Higgins
I think what’s interesting, too, is it took so long for the private industry to have this level of trust with the federal government for cybersecurity issues. There were ways that sort of hands-length distance that the private industry wanted to keep. And then we made inroads the last few years and now, there is a sort of concern whether that’s going to damage that relationship, you know, if the agency is slimmed and trimmed down. I don’t know if you have thoughts on that.
Jake Williams
Zero question there. In fact, I’ll share with you … I mean, she’s now out of office. I was in Jen Easterly’s office last year talking specifically about that with her and her deputies. About how, even though CISA has, absolutely to your point, increased trust, it’s not a public-private partnership, right? It’s a one-way communication. Private industry is communicating data. And we’re not often getting that rapid turnaround now.
CISA does a lot of very critical things outside of intelligence sharing and, certainly, the briefings that they do. But one of the talks we’re even having there is, even though CISA has done amazing work in advancing that, it hasn’t gone nearly far enough. And we need to get into an actual partnership cadence if they really want to increase the amount of data they’re getting from private industry.
Kelly Jackson Higgins
It makes me wonder if that’s going to happen now though, with the changes. Tom, what are you thinking about all this? I know you have a little bit different perspective on the role here for the feds in the cyber industry.
Tom Parker
Yeah, I mean, I think because an agency changes shape and/or the mission moves to other agencies doesn’t mean that the government doesn’t see the mission as being more or less important anymore. I think it’s important to not assume that that’s the case.
In fact, I think, you could argue even the Biden administration didn’t give enough love to CISA. You know, they rushed through an executive order that CISA drafted literally two days before Biden left office right along with some, you know, presidential pardons. You know, generally presidents do that because their political career is over. And they’re just pushing a bunch of stuff through, often to say thank you to people. I think in this case, Jen Easterly and her team had probably been drafting that for years and finally got to the president’s desk.
To think about the impact that CISA’s shrinking is going to have, it’s important to understand first the mission that CISA had, the stated mission. You know, I’ve been in DC since the [George W. Bush] administration, working with, you know, Tom Ridge’s [the first US Department of Homeland Security secretary] team and Dick Clarke [US National Security cybersecurity adviser] and company. And so, I’ve seen a lot of policy changes and every administration since then has come through and put their hand up to say, “Hey, we have this amazing cyber strategy document and it’s brand new, and no one’s done it before.”
And the reality is every administration really tries to do this. And in the case of CISA, it was a brilliant idea. But the first thing it was, it was a rollup of things that already existed. So, things like DHS [US Department of Homeland Security], ICS-CERT [Industrial Control Systems Cyber Emergency Response Team], which, you know, in a former company, I was involved in staffing that was in their industrial control system function and that broader CERT, the advisories. I mean, all these things existed, and they got rolled into CISA.
So, CISA has a strong advocacy function, right? Which I think they did brilliantly. Jen [Easterly] was the perfect person to do that. I mean, she is the polar opposite of what most people expect to see from a fed showing up to your office. I’m happy to go on record by saying that I think Jen leaving the government is a real shame.
I think they should have done everything they could to try and retain talent like that. The mission of CISA is largely advocacy and roll up of existing functions, information sharing. They have zero legislative capability or agenda. They have zero enforcement ability.
They do have some ability. So, there was a law that was passed in Congress, I think, in 2011 that allowed them to subpoena ISPs (Internet service providers). So, if they found something vulnerable, they could basically subpoena the ISP and say, “Hey, you know, who’s your customer, you know, we need to know who this is, because we think it’s impacting our national security.”
But beyond that, outside of advocacy and information sharing, [CISA’s authority is] relatively limited. And again, they did a brilliant job of those things. But I think when we think about the question of is our country less secure because of that…
Yes, I think for now, cyber is less top of mind than it was when Jen was pounding the streets and advocating for some, important practices. But I am hopeful that that will be brought back into the fray. I think if you look at the bigger picture of the cuts in the government … and listen, I’m here in DC. I have many friends who had, you know, sleepless nights worrying about whether they have their job tomorrow, what’s going to happen with DOGE, all that good stuff. But I think that it was an overcorrection, right? To be honest.
And I think there are some folks in the Trump administration that I know personally, that certainly have been in industry for a long time and will make sure that some of these things that are important to keep or revive in some cases will be brought back into government.
The last thing I’ll say is that, I think, talking about the public-private partnership in DC is a bit of an eye roller these days because we’ve been talking about it for so long. I remember going to Congressional hearings with Marc Maiffret [from BeyondTrust] in 2001, 2002, and we were talking about this stuff. And I think what you are going to see is more opportunity for the private sector to do more for the government where government has shrunk. There’s more opportunity, I think, for private companies, especially some of the big platform providers like CrowdStrike, Palo Alto, the IBMs of the world to come in and partner more with the government to pick up some of the slack that’s been created.
I think if we drill into the weeds of things like threat intelligence sharing, there’s a very good argument to suggest that the private sector is better equipped anyway to curate threat intelligence. So maybe they should be getting the dollars and not federal workers, because the second a federal worker, you know, creates that it’s probably going to get classified and very difficult to share with the private sector anyway.
I don’t want to go down that particular rabbit hole, but I think there are subtopics like that where this actually could end up being a good thing, both for the private sector, but also for the security of the United States.
Kelly Jackson Higgins
That’s really interesting. I didn’t even think about it that way. The slimming down of CISA, maybe opening up opportunities for private industry to take over some of these things. Jake, do you agree with that?
Jake Williams
I mean, notionally sure, right? There’s obviously unfilled… I don’t think anybody looks at the work … and I want to take the CTI [cyber threat intelligence] out for a minute, because that’s a really good argument Tom makes that, you know, the government tends to overclassify stuff, been there, done that, have the t-shirt.
And so, you know, there’s definitely an argument that can be made there. Although there’s lots of stuff that could be regulated to, in some cases pretty critical infrastructure, for reporting to the government that we can’t then mandate that you’re going to report that to Palo Alto or something, right?
So, there are certain benefits that we get with CISA, but take that off the table for a minute.
We lost, red-team contracts, substantial numbers of actual government workers that were involved with red-teaming other government agencies. And look, I’m not worried about the big agencies. DoD [Department of Defense], they can handle themselves, right?
You know, Department of Agriculture on the other hand, yikes. All the way down, we get into these little sub-agencies that have like one or two IT people and barely can spell IT security, let alone do their own red teams, and those capabilities are gone.
We should not mince words about this, right? And that is a gap that exists today that did not exist in January of this year. And to say that some agency doesn’t matter, you know, or maybe like the security there doesn’t matter. It’s the toehold into the larger federal government system.
And [I’m] speaking as somebody who dismantled other nations’ government infrastructure through cyber. I can tell you firsthand how dangerous that is. So, you know whether it’s private money, public money, I mean, again, a lot of these folks that, particularly on the red-team side, were contractors and those contracts got canceled … bottom line, right? Who does it? I care a lot less about that.
Although there is some argument to be made for why you want actual government employees doing some of that work. But at the end of the day, like, I’m focused on the capability gap that exists today that didn’t exist six months ago.
Tom Parker
Jake, and I think, I think you probably would agree that if you up-level from cyber for a moment and think about how the cost cutting has happened generally with very broad brushstrokes, I think generally there is a notion that DOGE, and the administration perhaps more broadly, doesn’t understand what a lot of the importance of some of these smaller agencies and, even, you know, if you look at EPA [Environmental Protection Agency] is a great example, right? Department of Ed is a great example, where the administration clearly sees this being a state problem or just not a problem at all.
And so, I think there are higher-level issues that are trickling down to less of a focus on cyber within those agencies because their general budgets are getting cut even outside of the cyber domain.
Jake Williams
I don’t disagree with that. On the flip side — and please don’t think that I’m like … weighing, you know, if, we’re going to make cuts, we should make them in, you know, specific Health and Human Services spending or what have you. But look, the reality is if we are making those cuts to cyber today, those are inherently not smart cuts because we’re going to spend more building that capability back and evicting threat actors from these networks that ended up getting burrowed in than we do just maintaining that steady state. And I think there’s probably some argument to be made by lots of these smaller agencies that they weren’t getting enough cybersecurity support in the first place, and now to get more of that cut, it’s like watching a train wreck in slow motion.
Tom Parker
Yeah, for sure. I think, listen, we can all agree that we should be doing red teaming of government systems, all government systems, regardless of the size of the agency, absolutely. Right. In fact, I’m wearing the shirt of the first company I started, Fusion X, that did red teaming. But I think that if someone had taken the time to sit down with the people making the cuts, within DOGE or otherwise, and had a voice in the room and explained, “Listen, we’re doing this thing called red teaming. We got to do it for all these agencies. It’s going to protect you if we decide to go to war with Iran tomorrow, it’s going to stop the Iranians getting into our critical networks.” They probably would have said, “Yeah, we’re not going to cut that.” I think the issue was, Jake, is that they didn’t have those conversations. I think it was such a bull-in-a-china-shop approach.
And my hope is that we can now take a step back and that there are sufficiently equipped people in the area of the administration saying, “Actually, it’s really important that we bring some of these things back.”
And I think that will happen if it is articulated under a lens of national security, which we know this administration cares about deeply.
Jake Williams
I’m sorry, I don’t know that I agree with that.
I do agree in the sense of that they give lots of lip service to cybersecurity, but I don’t agree that the administration cares deeply about cybersecurity. I know they’ve got folks say, look, the actions of the administration, DOGE specifically, counter everything that says we’re serious about cybersecurity, installing Starlink on the roof of the executive building so that you can bypass network security controls does not demonstrate a commitment to cybersecurity. In fact, quite the opposite. It’s a commitment to bypassing cybersecurity.
Tom Parker
To be clear, I said national security, not cybersecurity. They understand national security, right?
Jake Williams
Sorry, national security. OK, then certainly not how cyber plays into national security. I just can’t agree with that.
Tom Parker
Right. And so that’s the bridge that needs to be created, I think.
Jake Williams
Yeah. Well, I mean, I would note here that this is not a new administration, right? You know, they, they’ve been in power before, right? So, you know, any of the “Wow, never saw that coming!” I have zero, you know, of the normal, “I’ll give you the benefit of that for the first 90 days thing,” that’s not happening here. And so what we’ve seen happen with cybersecurity already, and again, the obvious impacts or potential impacts to national security, right? The actual impacts are classified if known. I’ll note that, by the way, cutting CISA’s threat hunting budget across the government, and they were doing a lot of that work, means we don’t have the visibility to see some of those impacts already.
Again, I can’t align with somehow like this is all excusable, right? Because, you know, they took a bull-in-a-china-shop approach. Like it’s reckless. I’ll die on that hill, I guess.
Kelly Jackson Higgins
You all brought up a good point and that was the impact on the rest of the world besides the federal government. Jim, do you wanna dig into that a little bit?
Jim Donahue
Hi, yeah, the question that I had and we actually examined a good deal of it towards the end of that conversation was how the changes at CISA affect the private sector and how the private sector will be able to step forward. Again, I don’t want to reiterate that, but one thing that I don’t think got remarked upon — the loosening of regulations. And I’m wondering how you see that affecting the private sector. I mean, is that necessarily a bad thing? Could it be a good thing in that it might foster some innovation?
Tom Parker
Yeah.
Well, CISA isn’t a regulator and neither do they have the ability to regulate. They are an adviser.
So, I think that is a separate conversation we can … I think if you ask is regulation good or bad, I think that’s a heavily politically loaded question because it speaks to all kinds of, you know, technology and outside of tech.
I think, generally, the Republicans believe that people should be able to self-regulate and are pro-commerce. And generally, Democratic legislators have been more focused on passing regulation. But again, that happens through Congress, not through executive orders.
Executive orders have no budgetary power. They have no regulatory power. They can basically direct agencies to, and I think this is one of the things that outside of DC, a lot of people in the tech sector don’t really understand. They read the news in the New York Times about this new EO [executive order] got passed. And they’re gonna have all this money for, you know, for cyber, it’s not the case, right? It carries, you know, not a single dollar. The president can’t, you know, directly spend money like that. Only Congress can approve budgets. And so, I don’t think in the context of this conversation, there is any real regulatory impact on the private sector from this change.
Jake Williams
Yeah, I concur with that 100% because I mean, just factually that’s correct.
But I do think it does impact, take the regulation piece away, something that, you know, that is, top of mind for a lot of folks outside of government, outside of the DC area, is election security. And that’s a critical function that CISA was performing at state and local levels, state municipality levels, that they are no longer performing. There’s been a stop order on that work.
And we’re talking now about, you know, Podunk County? Pick a state, right? You know, with population 20,000 people, right? They don’t have cybersecurity folks, right, that can come in and say, here’s how to secure. And I’m not talking about the actual vote tabulation machines, although by all means we can talk about that. But at the end of the day, those all get reported up through your computers, like the ones we’re [using for] recording this podcast.
And you know, this is critical election security work again that CISA was advising on and helping with that they’re no longer doing. And by the way, no one’s coming to save them. The reason CISA was doing that in the first place is that states and municipalities were strapped for budget, right? You know, can’t be left to secure their stuff [on their own]. There’s a wild difference between what you know, someone in New York City is able to do versus, you know, Podunk County, Wyoming. I just picked a state in the, you know, in the West there.
But you know very different there and I think that is a broad security issue. Even though I don’t live in Wyoming, I care very very much that their votes are tabulated correctly in the context of national elections, right?
Tom Parker
Yeah, Jake, I completely agree. I mean, I think, you know, the sanctity of elections obviously is super important. And I think, you know, I’m not passing judgment, just stating facts here. We know that we have an administration today that called, you know, the election manipulation a hoax. And so, you know, no prizes really for kind of connecting the dots on why they defunded that particular effort.
But just like the disinformation office that existed, you know, way back when, I guess not so long ago, but, yeah, I mean, I think that is an area that, back to my earlier point at the beginning of the webinar, I think needs to get, needs to be picked up by somebody. If it’s not CISA, then it has to be an initiative that I think has to continue.
Becky Bracken
Which I think brings us to really our important point. Where are these things going to come from? I mean, seems that de facto it’s gonna have to come from the private sector because nothing’s left in the public sector, it’s been cut. We can talk about it in terms of surging resources, we can talk about it in terms of capitalism opportunities, but where are the holes and where are they going to be filled? Who is going to surge resources to these things? Election security, bridging the gaps for these smaller departments. Are we just not in that business anymore? Will someone get in that business?
Tom Parker
Yeah, I think, listen, I mean, I think it’s great that the private sector is [stepping up]. Already, following the changes with CISA, CrowdStrike and a few others stepped up and offered to help out. But you need a coordinator, you know, regardless of what it is, whether it’s threat intelligence or advising on election security, whatever the topic is, you need someone to coordinate all of those efforts. You need a central hub to coordinate the private sector players that are contributing to that ecosystem. And CISA was instrumental in coordinating those efforts and without it … and obviously, we’re not having a “without it” conversation because there’s been no indication that it’s going to be completely eradicated. But there has to be a function to coordinate those different moving parts.
And without it, I mean, we have a massive, massive government. There are a lot of fiefdoms between agencies. There is a lot of, like, “It wasn’t invented here.” And so, agencies try to do their own things. I think before Cyber Command, pretty much every branch of the military had their own, you know, cyber red team and so forth. And so there has to be a coordinating function somewhere, which I think is the most important part of your question.
Jake Williams
Yeah. But even if we come back, Becky, even if you come back to who’s picking it up, right? Whether it’s the private or public sector that actually, you know, does the work, the money has to come from the federal government period. Right?
If we, I’ll just take election security as a straw man, because I think it’s an easy one that nobody steps back and says, you know what? YOLO! Right? And so, you know, state governments and municipalities, particularly those on the smaller side, election security is just an unfunded mandate for them. And yet it creates a national security issue. I just don’t think there’s really any question about that. And so, this is where I kind of step back and say, “Look, we had funding for this before we all recognize and collectively agreed, right? As a nation, this was important. We committed resources to it. We had an agency that did it and now they’re not.” And there’s no funding at this point to go pick up the slack.
Whether that’s at the municipality level, the state, I can tell you in one of my former consultancies, right after the 2016 election and some of the, well, even leading into the 2016 election with a hack of the DCCC — it’s the DNC as well — we offered pro bono services for municipalities, for municipality voting or election security specifically. We had several folks reach out to us who then could not accept pro bono work because their government charter prohibits it.
And so, it’s not that CrowdStrike or whoever can simply step up and say on an individual level, let me help you. And of course, we understand why those … it’s anti-corruption, we don’t want corruption in government. And that’s why these regulations exist that prevent them from taking that free assistance. I totally get it. At the same time, we collectively as a nation now have to recognize we have cut, again, some really important stuff.
Again, I don’t hear anybody in Congress saying, “Hey, even with a big, beautiful bill, right? Here’s where we’re going to replace this capability.” Right? It’s not funded. Period.
Becky Bracken
So, what are you both hearing? I know you both have a lot of friends in the government. Let’s just talk about vibes. What are they saying? What are they seeing? And what are they telling you is going on? Because there doesn’t seem to be a lot of transparency or communication going on about what’s happening inside the government at the moment.
Tom Parker
Yeah, I won’t comment on the administration’s transparency. But I do know for a fact that there are initiatives to leverage the private sector more for things like red teaming. Listen, I think, when we think about the budget being cut, right, the money’s being moved around and saved, right? There hasn’t been an amended Congressional budget that has been changed or modified in any way. The money has just been taken away from the agencies out of a larger omnibus budget. And so, the money is there, it hasn’t just disappeared. Obviously, the intent was to, you know, I’m certainly not an economist, but I imagine to try and address some of the national debt, at least the budget deficits.
But you know, there is money there to be spent. I think it’s just a question of having the right leaders within government to make sure that it’s being spent on the right things, like election security, many of the themes that we’ve talked about today on the call. And the other thing I, you know, I just kind of point out as a bit of an analogy is … listen, the US government doesn’t build tanks, the US government doesn’t build airplanes, fighter jets, there is a very well established defense industrial base that has done those things for the government for many, many years and has done it very, very effectively. They have a very mature process around, “Hey, we need this thing. It’s got to do these eight things,” and a bunch of people bid and we don’t really seem to have been able to create a similar construct yet for cyber. Obviously, some of the DoD does get involved in cyber, but it seems like there is more of an opportunity to take well-established models and apply them more to national defense when it comes to cybersecurity.
Jake Williams
Yeah, I guess, you know, as far as things I’ve heard from folks, to kind of answer the question there, I think it’s pretty clear, like at some agencies, that morale is at an all-time low. Even for the folks remaining there that are working in both IT and cybersecurity. I should note here, by the way, that we often focus on cybersecurity, but IT is the foundation of that.
I can’t secure a network if I’ve lost the institutional knowledge of the IT folks that put it together. And look, real talk, I know it’s been a big focus of DOGE, right? We are operating in some government spaces, just like we are in the private sector, on frankly antiquated technology. And that tribal knowledge that we’ve lost, right, with a lot of folks either taking the fork in the road or being cut, what have you, whether it’s contract or, you know, government employee, it’s all hurt morale. Everybody’s workload is up. There’s always the question of, “Am I next?” And I’ve heard that from multiple different agencies, but predominantly from the exact ones you’d expect from reading the news. Friends I have over at NIH that work cybersecurity, two of them have been cut. One of them that’s remaining is just waiting for the ax to fall, [they’re] already shopping the resume around.
We’re likely to lose more people to attrition because of that. And that’s not just NIH. I’ll decline to talk about some of the smaller agencies where those folks are just individuals that can go be picked out at this point. But yeah, I don’t think the morale is high just based on what I’m hearing. And then, you know, I know of a couple of folks that are a big deal at CISA, who have helped build out a lot of what they have now that are shopping the private market as we speak whose loss will be missed.
Becky Bracken
Yeah, it’s tough times out there for sure. I just want to give you guys an opportunity to give sort of your best piece of advice to particularly cyber teams that are trying to read the tea leaves and figure out where to go next. Tom and Jake, if you could just give them your best piece of advice right now.
Tom Parker
Yeah, I think if you’re good at what you do, and you’re in the government today, there’ll be a job for you in the private sector. And I think in many cases to go back to work where you were before under a private sector contract with the government, probably being paid twice what you’re being paid now. It’s just the way it works with these things.
Years ago, when I was doing a lot of work with DHS, we had issues with, you know, the government hiring our people into, you know, fed jobs, and then the administration changes, and it kind of flips the other way. And the same people now go to a Northrop Grumman, whoever, and get contracted back into the exact same place, and just get passed around. I think if you’re good at what you do, then you’ve got absolutely nothing to worry about.
There’s a massive shortage of cyber talent in the private sector. It’s definitely no secret, and I know it’s something that Dark Reading’s covered extensively. Obviously, these are stressful times, right? No one likes uncertainty. But I do think eventually the right thing will be done. And again, if you’re in a position where you’re worried about your job, and you’re good at what you do, again, I think there’ll be plenty of opportunity for you.
Becky Bracken
Jake, how about you?
Jake Williams
I couldn’t have said the word “eventually” better there, right? But look, today, the private market … obviously not for me and for you, Tom, I think we can write our own tickets pretty much in the job market. But the reality is that even for junior, mid, and even some folks at that five- to 10-year [experience level] where they put themselves at a senior level, it’s a bloodbath right now in the job market.
Private organizations, by and large, because of economic uncertainty right now, are not hiring. I had a contract canceled, you know, with a manufacturer two months ago for force majeure, where they said, literally, “I don’t know what the F he’s going to tweet this afternoon, and so we don’t know how much money we’re going to have for cybersecurity.” And so we can argue legally, is that force majeure or not, but I’m certainly not going back and fighting them on it. It is a reality, right?
I’m seeing across the board, spending on the private side … obviously there are some folks investing, don’t get me wrong, there are certainly pockets of this, but, you know, spending in the private market on cyber right now is stagnant. It’s definitely not growing. Eventually, I do think everything comes around in the wash, right, where you get let go from a government contract or a government job, and if you’ve got the skills, I think you’re going to land okay.
The question is how long before that “eventually” comes to pass? My advice to anybody is upskill. Step back, particularly in government, and I say this as someone who’s spent a lot of time in government too, you know, and even for a lot of the government contractors, you get pigeonholed into one very, very narrow area of focus. Now, of course, this isn’t everybody, but we see this happen a lot. And then when those folks come out of one of those roles and say, “I have five years of experience in X, Y, or Z,” they go and interview for a job and folks are like, “Man, you’re like a mile deep over here in this one area and don’t know the rest of the job I’m trying to hire you for.” And that cuts their prospects.
So, I’d say if you’re in one of those positions, really look to branch out a little bit, right? So that you’ve got a good … you know, a much better resume and a much better hiring story to land the next job.
Tom Parker
Yeah. And I think, and this is perhaps for another webinar for you guys as well, but I think we’re seeing a timing that is interesting, right? We’ve done very well this call to not mention AI, but I’m gonna break the seal. And I think in IT in general, we are going to see something that I would liken to steelworkers in Pennsylvania losing their jobs, or coal miners, right? There’s a shift in industry that is so radical that what used to be a relevant skill two or three years ago is now significantly at risk. And to Jake’s point, I think the other piece of advice I would have would be, create a perspective for yourself on what you think the market’s going to look like in the next couple of years. We live in a world where most tier-one SOC work goes away because it’s going to get triaged by an AI agent. If you’re a pen tester, but all you’re really doing is running Nessus, that’s probably going to go away. There are companies like Horizon3 and many others that are making incredible headway in automating a lot of that. And so I think that upskilling has to be done under the lens of some of the changes that we’re seeing in the market.
And I think even with, you know, the current situation, as Jake mentioned, it’s tough at those levels. The way to stand out, I think, is by upskilling in those relevant areas and getting jobs with businesses that have also realized, “Hey, we really need to change our cybersecurity program because there’s this opportunity here for us to automate a lot of the things that have been fairly manual and expensive because they required a lot of people in the past.”
Becky Bracken
Thank you both so much for sharing your insights and thoughts with us today. We appreciate it. I learned a lot. I have a lot to think about. I know our listeners do as well. So, Tom Parker, thank you so much. Jake Williams, thank you so much for your time today. And on behalf of my colleagues, Kelly Jackson Higgins and Jim Donahue, thank you so much for listening to Dark Reading Confidential. We will see you at a future episode. Bye.