Artwork for podcast Secured by Galah Cyber
Decoding Cybersecurity Hiring: Riki Blok on Industry Trends, Key Skills, and the Future of Remote Work
Episode 425th May 2023 • Secured by Galah Cyber • Day One
00:00:00 00:47:02

Share Episode

Shownotes

Riki Blok is a management recruitment consultant who specialises in cybersecurity. Riki heads up a team of recruitment consultants at the employment agency Talenza, filling positions in security, infrastructure, dev ops and cloud. This role gives him a unique perspective on the cybersecurity industry, and in his conversation with host Cole Cornford, Riki shares his insights on what companies are looking for in their hires, both for entry level and more senior security roles. Riki and Cole chat about current trends in the industry, what skills are most important in potential employees, changing expectations around remote work, and plenty more.

Secured by Galah Cyber website

4:40 - Riki’s background and career journey.

11:30 - Riki: as a recruiter, I’m the least important person in the interaction.

13:40 - Cole reflects on opportunity cost.

14:20 - Cole: recruitment’s a tough industry: why?

17:00 - Cole: I follow David Mayster’s philosophy.

20:00 - Riki: Video calls and pandemic changed recruitment industry.

23:00 - Team culture is hard to drive when everyone is working remotely.

24:20 - Pros and cons of video calls in recruitment.

26:20 - Hybrid work.

27:00 - Riki: recruiting for big tech firm that requires hybrid work.

27:50 - Cole: what are some trends in cybersecurity recruitment?

28:40 - Riki: In general, seeing a maturing of the industry.

30:20 - Riki: gender diversity trending in right direction.

31:20 - What are the right qualifications/requirements for a cybersecurity job.

33:00 - Importance of networking.

35:00 - Limited amount of entry-level cybersecurity jobs.

36:30 - Cole: if you can’t empathise with people, you’re screwed.

38:20 - Tips for people further along in their career.

39:20 - Riki: your appearance matters.

41:10 - Cole overdressed at Atlassian office.

42:00 - Quick fire questions.

Mentioned in this episode:

Call for Feedback



This podcast uses the following third-party services for analysis:

Spotify Ad Analytics - https://www.spotify.com/us/legal/ad-analytics-privacy-policy/

Transcripts

Riki Blok (:

The biggest barrier that people have when they're trying to step up the food chain is perhaps the way that they've been conditioned or trained to articulate problems has been with more of a technical lens. If you're in a principal role, you probably just talk to a technical way to solve that problem, but as you start stepping into more leadership roles, it's more looking at that problem with a business lens, and being able to articulate it in an appropriate way for that.

Cole Cornford (:

Hi, I'm Cole Cornford and this is Secured, the podcast that dives deep into the world of application security. Today, I'm joined by Riki Blok. Riki is a managing consultant who specializes in cybersecurity recruitment for the employment agency, Talenza. He helps with filling roles ranging from CISOs to security testers, DevSecOps, SecEng, and plenty more.

(:

He's got a bit of a unique perspective because he works with a lot of hiring managers and candidates across the industry. And I wanted to take some of his insights on what companies are looking for in their future hires. We also chat about the current trends in the industry, what skills are most important in potential employees, the changing expectations around remote work, and plenty more. I hope you enjoy this conversation with Riki Blok.

(:

Hey, Riki, how you going mate?

Riki Blok (:

Yeah, good mate. How about yourself?

Cole Cornford (:

Oh, I've been having a wonderful day, just been checking out schools locally. I don't know if you're at that stage of your life where you have to think about private or public, or whatever, but that's where I am at.

Riki Blok (:

It's fun. I outsourced that to my wife, and she does a lot of the, lot home related things. So we've got two kids who are school age, but she did all the research for that. I'm glad I didn't have to do it, so I don't envy you, mate.

Cole Cornford (:

It's crazy, because there's a lot of options. It's completely foreign to me. I've just had to kind of just jump into it because my daughter's nine years old, recently came from China and now I'm just sitting there, being like, "Oh, okay, how does schools work?" It's been an interesting day to start with, but the ones that we did check out were really nice. So, I'm excited to see how she thrives in those environments.

Riki Blok (:

Culturally, it's probably very different as well. Going from China to anywhere in Australia, let alone where you live, it's probably very, very drastically different, right?

Cole Cornford (:

I live in Lake Macquarie, so it's like the whitest white suburb, but you have to go a little bit further out. A bit more chicken schnitzel and a little bit less chowchow. At the same time, they've got a lot of programs in place to support her, and I'm kind of excited to see how she goes. So it's really cool that this kind of stuff exists because it didn't when I was a kid, or at least I didn't notice it.

(:

Enough about what I was doing, there. I always ask my guests when they come onto the show, what kind of bird are you and why?

Riki Blok (:

I this told to me in the office all the time, that I look like a swan, graceful on the surface, but really, really scurrying and fluttering the feet beneath the surface. So, I guess that I give a calm exterior despite the turmoil that's happening within.

Cole Cornford (:

Swans are kind of interesting because you could be a black swan. You call up someone when it's an event that no one wants to learn about, so it's like, "Hey, it's Riki, here." It's like, "Oh no, a black swan event is occurring. Are we going to find new jobs?"

Riki Blok (:

Hopefully, when I'm calling people about roles, it's not one of those, but you never know.

Cole Cornford (:

So skittish, as well? Is that it? I've never thought of swans as skittish.

Riki Blok (:

Not skittish, just for how graceful they look on the surface. They're working very hard beneath the surface to propel themselves.

Cole Cornford (:

All right, so let you're like basically, a really hard disciplined worker under this bird. Pretty chill, and everyone likes you on top from a distance.

Riki Blok (:

That's probably a nicer way of putting it. Yeah, yeah.

Cole Cornford (:

Oh dear.

(:

So tell us a bit about your career journey, Riki, our viewers, would love to learn more about you and your background.

Riki Blok (:

Sure. So, I've been in tech recruitment for 10 years. This will probably give away my age a little bit, but started in tech recruitment in 2013 and had multiple careers before that. I started my working career working for Hungry Jacks and managed restaurants for them before moving into hospitality for about six or seven years, and went through and managed restaurants and cafes and still maintained my coffee snobbery from those days. And then worked for a company called King Furniture, who are an upmarket furniture retailer, and went through sales roles there and ran one of their showrooms before starting in recruitment. Also ran a startup business, which was to sell surveillance style equipment through to defense force and emergency service providers, and did that for a couple of years, but ran out of funding.

(:

So ended up in recruitment. I've kind of recruited every vertical that exists in technical roles. So I started recruiting in IT infrastructure and back when I started recruitment, Cloud was VMware and Citrix. That was always my bread and butter. Did Linux engineering, did some network security engineering recruitment, and then moved across, did software development, did data engineering, and then started doing cyber security about six, seven years ago. It must be now. And really enjoyed it. And just the experience I had previous to that with understanding IT broadly really helped, because security's complex beast, and that kind of positioned me well to focus wholly and solely onto cyber recruitment, which I've done really since Covid actually. So the last three years or something.

Cole Cornford (:

That sounds like it's a really good background for you, to be honest. Starting with hospitality, I think it can be a bit of a humbling experience for a lot of people to just go work in a restaurant or as a wait staff. And even Hungry Jacks, the burgers are better.

(:

I'm still kind of angry at Grilled, who is a local chain that I like and they got rid of one of my favorite, which is the Mighty Mushroom, and they're replaced it with this Impossible Beef Burgers, and I just liked having a really fat portobello mushroom. They don't do it anymore, man.

Riki Blok (:

Yeah, well, I think Grilled were the first upmarket burger chain, let's say, and I never always a beef or chicken burger guy myself. I don't know, I've actually maybe given more away about myself. I've never actually tried the Beyond Beef. I've never had a mushroom burger either, to be honest. Just feel like if you're doing something bad, you go the Whole Hog. That won't go on halves.

Cole Cornford (:

That's it. You don't go to McDonald's for a salad and sort of thing, right?

Riki Blok (:

No, no. I know myself, I was quite privileged to miss out on that part of my career. I basically fell into an IT role. They were still, it was at a flat pack distributor up in Newcastle, so I remember the first couple of weeks as just me looking at their access database and just changing fields and forms and stuff on it, but it was still within IT, even if it was help desky, crappy, its kind of stuff. But I think that does a lot of value out of people who started their careers in hospitality because you deal with both the best and worst of humanity, gives you a lot of humility, right?

Cole Cornford (:

And you learn a lot of skills from being the least important person in the room, I think. You know, work in hospitality or hungry jacks, you're not very valued. So I think the traits that you learn from having to deal with that are really valuable, and they suit you well in future career.

(:

Don't get me wrong. I'd prefer to have not had to do it and be good to just be able to take those shortcuts and skip through those parts of life that are perhaps challenging for different reasons. But that's where you learn the most, right? I look back at my career, I had my high school reunion the other day, I'm 20 years out of school now, and you look back and you're like, there's zero chance that I would've predicted you end up where you are now. All those roles that you did, all the jobs that you did, forged the personality traits that you have there that can help you be successful, I guess, down the line. Yeah, you don't know where you'll end up. There's certainly no alignment from working in Hungry Jacks to being super successful at anything you do in life. So anyway.

(:

So what kind of skills do you think you're able to bring along from your previous careers? Because you've got salesman at Harma Furniture? I actually think there's a king furniture on the corner of King Street, funnily enough in Newcastle. I've never gone there because it's terrified me. Every time I see an independent furniture store, I get kind of sweats and I'm just thinking to myself, is my wife going to like this?

Riki Blok (:

Yeah. Yeah. Oh, they're a great story actually, which is probably a different tangent. They may not want to go down on the podcast.

Cole Cornford (:

No good. Oh man, I love it. Tell me more.

Riki Blok (:

They're a great story. They're an Australian own company, Australian own furniture company that were the first business to own a factory, I think in China. So they built production house over there. It was just a guy and his mum that used to build furniture and make it out of foam. His mum would sew the covers and sell them down to the markets, and it turned into this multimillion-dollar industry very, very quickly. But I think now, they're 10 years since I left there. I think they're more than three or four times the size. They've got like 50 showrooms or something nationally, internationally as well. They're actually a very, very good business. So you encourage your wife to go in there.

Cole Cornford (:

All right, well, I'll take her in some time and then we can have a look around and I'll just be very cautious about what we're purchasing.

(:

But no, I know that I'm going to say to Hungry Jacks and just doing sales has probably helped you out a lot in recruitment, and I don't do recruitment, but I guess I refer a lot of people to you and to other recruiters that you have the humility to understand that clients have different needs and you have basically a market maker between clients and the candidates, and both of them have unrealistic expectations a lot of times. So you have to sell the role both ways. So sales gets into it and having the humility to listen to what both parties need without telling them that they're dumb.

Riki Blok (:

I think that the biggest skill, in my opinion, that matters in recruitment isn't selling, it's actually listening. And I think you articulate it really well when you talk about the matchmaking because it is a perfect match. Isn't shoving something down the other one's throat?

(:

So that could be either the client or the candidate. If it's not a fit, it's not a fit. So I think the skills that I learned earlier in life were yes, around humility, around listening. You know, think about, I think back to when I used to wait tables and I'd have 10 people at the table. You'd have to remember what everybody ordered, where they sat and put it into your system so that you could enter that so that it would come back out. So you learn skills from that which are transferable.

(:

Yeah, that's probably the biggest one is listening and humility and realizing, I've realized whenever I'm talking to somebody that I'm kind of the least important person in this whole process. The two most important people are the home merger and the person that's going for that role. Now, if it works for both of them, fantastic, but if it's not going to work, I actually want to find that out very, very quickly where a results focused industry, our industry makes money if we put people into roles.

(:

We don't get paid if we get somebody an interview or if we get them close to getting a role. So I'd rather find out very quickly whether that role's going to suit somebody or not, whether it's good alignment. And if it doesn't, that's fine. We talk on the next one. I guess that the qualification process is something I've had to learn myself really hard as a business owner. I've always been an [inaudible 00:11:33] specialist. I can go up to people and be like, yeah, tell all about front modeling and DevSecOps implementations and code reviews and whatever. That's great. Then I have to go to people and be like, all right, so what's the value proposition? Do you have budget? Are you at a scale where you need this kind of stuff? And those questions really influence where whether I'm going to pursue an opportunity or not. Because at the end of the day, if people can't afford to pay for application security, why am I spending my time on that? It's just a bad way to run a business.

(:

Getting breadcrumbs, I think is the way I like it where someone's like, yeah, that sounds great. Yeah. Yeah. And then six months of dating, they'd never talk to you again. Yeah, I've had my Tinder experiences as well, I've learned from those. So married with kids now, but you know, you learn from those where you're like, yeah, everything seemed to go well for a few weeks and then slowly dropped off. So it's just, it's hard.

Cole Cornford (:

I'd say it's similar in our business and our line of business. It's all well and good for me to be on banging the drum about how great recruiters can be to help somebody solve a problem. If somebody doesn't have a business appetite for that, so they can't get budget approved or they can't get a headcount approved to hire somebody, then it's not to say that it's a waste of your time in talking with them.

(:

It's certainly for me, no conversations ever a waste of time, but there might be better ways to invest your time at that time, get to a no quickly, or if it's a great idea, but we can't do that right now. Then you revisit it later. Yeah, I think opportunity cost is a really big thing that very few people often consider. I've been wrestling with this a fair bit because if I work really hard and get overcharged on a couple of different gigs at the same time, then that's an opportunity cost in a number of ways. Wherever it's exercise for me to just look after my personal health or spending time with my kids and family or just not being able to do things I enjoy. Play computer games or go hang out with friends and so on. Do podcasts even, right? It really does matter when you are a small business owner and you've only got a few things that you can pick from, and I guess, like you said, recruitment's a really challenging and tough industry.

(:

Why has it become that way? Why? What's made it so cutthroat?

Riki Blok (:

I'd probably push back on that a little bit.

Cole Cornford (:

Yeah, okay.

Riki Blok (:

And just on it being cutthroat, I think it has a bad or had a bad reputation, which was probably well-founded. Recruitment's hard for a few reasons. I'd probably say it's hard rather than cutthroat.

Cole Cornford (:

Yeah, okay.

Riki Blok (:

It's hard because people change their minds. So imagine you talk about going down to buy that lounge, you know, go into the showroom and you pick out the lounge and you choose the lounge and then you're all committed to getting the lounge and it's going to get made and it's coming in four weeks time. And you see the correlation I'm trying to make here. The lounge doesn't get three weeks through that period and go, "Actually, I don't know if I want to go and live with Cole."

(:

But people aren't like that. People change their minds. Companies, companies budgets get removed, companies headcounts get removed. People speak with their wife and their wife's like, "No, I don't want you to work 60 hours a week for the next three months in your new job. Quite happy with the work-life balance that we've got at the moment." Or something bad could happen in their family and it might affect them being able to take a role. So all of these types of things play into it. You've got already a complicated role where you've got to navigate multiple moving pieces to get somebody into a role. You've got to manage the business to get them to have their budget aligned and everything, which is often a fun conversation in current market. Make sure that the candidate is aligned to that budget and do all of the navigation around those conversations.

(:

And we only get paid if the person starts. So you add all of those things in, like yeah, it's a complicated process. It can be difficult. So what I say is cutthroat, it can be a really ruthless industry, is probably what I would say. It can be very, very much so.

Cole Cornford (:

Yeah, I can see that.

Riki Blok (:

So rather than focus on it, because I don't want to deter people from actually moving into recruitment, I think it's a great industry and there's a definite need to, it's the be best job I've ever had, mate. I wouldn't be doing it 10 years later if it wasn't more than Hungry Jacks, man. So yeah.

Cole Cornford (:

Yes, yes. Strangely it's better than that. So, well let's dive into some more recruitment specific things. Because you are an extremely accomplished recruiter. Is it managing or principal? Which, what title do you go by now?

Riki Blok (:

I think the title is management consultant. It effectively means that I bring in revenue for the business and I manage a team. So in our business that means is management consultant, it would be a team lead in another, or it could be a tech lead in a technical role or business or principal model. Also do that, right? Because a lot of, in consulting at the very least, I'd like to follow David May's philosophy, where there's like effectively three tiers for employees or you have your partners who effectively are working on the business exclusively. So marketing, sales and bringing in clients and keeping existing clients happy. And then you just have managers who are the efficiency and effectiveness of the solutions that you're providing. And then the juniors who are just doing the work or the associates as you'd call lawyers I guess. So you are right at the top where you are effectively being able to bring in new work for LENR and deliver and manage a team, it's an interesting role.

Cole Cornford (:

That's great because I wanted to give that background so that my audience should understand why you're able to answer these next couple of questions I have in a little bit more detailed and a lot of other people who made not understand why, what separates like a principal recruiter, managing consultant from someone relatively junior and new to the industry. So I want to talk about qualification. What strategies do you use to find the right people and the right clients?

Riki Blok (:

So I'll separate that, I'll talk specifically to candidates, but for me to do that, I probably need to talk to clients first. So I'll take a good brief from a client, even if it's a client I've worked with before, I'll tend to spend 20 to 30 minutes talking with them about the nuances of the role. What is the responsibilities from a technical perspective, what are they looking for from a cultural fit perspective and the bits and pieces that aren't on a job description.

(:

Because the job description I like to think of as a guide to what we would like the people to have some of the skills for. I'll then after I do that, I'll read all and make sure that it all lines up, how do I select which clients to work with? Probably a controversial thing to comment on, but we're a commercial business, so if a company's willing to work with just me on a hire, I tend to give them a lot more focus than I will for a company that's going to have me up against five other agencies. You know, probably give 20% of your time if you've got four or five other agencies on it. Whereas if it's somebody that's using you wholly or and solely or on a retained model where we get paid part of the fee is a guaranteed for the service, then of course you're going to give everything for those people.

(:

So that would be the preference for the client side. Now why that's really important to do is then when I'm going to look for candidates, I know what to look for. I'll tend to, based on what the role is, I'll tend to have four or five questions that I will ask them that qualifies them for the role. So for context, if most of the listeners are in application security, I would ask them about where they're at from an AppSec journey, how mature is the business? Are they at a level where they're implementing tooling only? Are they then doing the next layer of automation around that tooling? Are they doing a lot of developer advocacy style work? I'll kind of narrow in a little bit more and bits and pieces that won't be on a resume is what I tend to want to get off that phone call.

(:

And within a five minute phone call, I'll know whether that candidate is going to be a good enough fit for me to put forward. Best practice is always to meet candidates. I learnt recruitment in a time where there was no video conferencing softwares. So I used to make every candidate come to my office and meet with me physically in person before I would send them forward. Obviously that's changed and we've got video conferencing and all these types of things which really alter things. But it's a really important step because I want to qualify that that candidate is going to see the process through. If somebody won't commit to spending 20 to 30 minutes meeting with me, they may be not that serious about going forward for the role, and that's okay. I'd just rather know that sooner than invest time and going down the path because somebody else who might have been really good for the role might get excluded because of this candidate that's actually not that interested.

(:

So if I just spend a little bit more time on that discovery phase with a candidate early, make sure they're aligned culturally and salary wise and everything, it kind of aligns. It ends up being that when you get through a process, I just say, so are you going to take a job instead of really having to, in inverted commas, have to "close them" about taking the role. Because you already know you've spent enough time with them, you've got an idea of what they're actually looking for to make sure that there's a good alignment.

Cole Cornford (:

I really like that idea of bringing people in person. By the way, I have a remote first company and what I find is a lot of things I struggle with. And part of that is building intimacy with staff members effectively. And just whereas with a lot of my previous roles Change and Lendy excluded, I had an office environment where I was meeting lots of different people from all sorts of different backgrounds. And I do agree, if someone's willing to meet you in person, that is a genuine show of commitment. I often travel to Sydney to go meet different people even though it's a two to three hour trip each way just so I can show them that I'm committed to making this work.

(:

And I think that 20 to 30 minutes plus an Uber or train transfer is really not that much to ask if they're looking for a 20, 30k pay jump or whatever.

Riki Blok (:

And I think one of the things that we've seen in the last couple of years is people are staying shorter periods in roles. And I can't help but think how much of a factor remote working has to play in that. Because to your point you just raised there, if you're in the office sit next to me every day and then all of a sudden you aren't there for three hours of a day a couple of times during the same week, it doesn't take too long to work out that maybe you're going for job interviews or whatever.

(:

But if you are sitting at home and you slot in an hour meeting where you can't, or an hour time where you can't be on a meeting, how is anybody to know you're not as bored into the culture? I think culture's very hard to drive remotely. Right?

Cole Cornford (:

Yeah. I haven't been able to do it particularly well at Klar and I'm willing to admit to that it's a sore point because I try to be an empathetic leader that really trusts in people and to helps encourage them to take opportunities and to help them as much as possible. And what I've found is that unless you have people in the room together, it's really difficult to get that shared vision. But yeah, going back to even just employers in general, remote work enables people to do side hustles like crazy and to just genuinely not really care too much about long-term.

(:

Like this is not a place I'm going to work for a long period of time. Right, because you're not building that team. At Westpack, I used to play a monopoly deal every single lunchtime with the same group of people. Sometimes we'd pick security architects or software engineers or whatever and just deal them in a couple of cards and deal breakers and stuff. And it was great. And on Fridays we'd have beers with people from all over ISG - an information security group, but that kind of culture completely evaporates and there's nothing you can really do with a remote workforce besides have monthly catch-ups or something where you go out for a day or you meet, try to get people to go to hang out.

Riki Blok (:

That's if they're all in proximity to each other as well, right?

Cole Cornford (:

Yeah, I mean I live in Newcastle now, so most of the people that I would hang out with are going to be in Sydney. So I basically am doing a weekly trip to Sydney to go meet people in person because I think it really does matter and remote work, it's a very interesting challenge. I think it's good and bad for you guys because you know, get to interview a lot more candidates and there's a lot more people who are open-minded about stuff, but I guess they'd be a lot less committal as well, right?

Riki Blok (:

Yeah, I think so. I think we had a period in between the two big Covid lockdowns in New South Wales where there was a lot more people accepting offers and reneging on accepting those offers or taking counter offers or taking an offer somewhere else. And I can't help but think that if those people hadn't met the companies in person, they would be more committed. And also if they had been meeting with their company in person, they might have just realized that actually I love working with John that sits next to me and I actually don't want to leave because I don't want to miss out on that.

(:

And maybe they didn't realize that through the process and they got emotionally invested. And then they've had a little moment where I used to have this thing in sales called negative dissonance, which is where you buy something and then you get home and you go, am I allowed to swear on this podcast by the way?

Cole Cornford (:

Oh yeah, go ahead man. It's all good.

Riki Blok (:

Where you buy something, you know, go to the shop and you buy something and you get home and you go, "Fuck, I just wasted 50 bucks on this piece of crap that I'm never going to use again." And I think there's a bit of that going on with people accepting offers and maybe not looking holistically at what that means for their life and their career if they take their job.

Cole Cornford (:

And I know a few people who've taken job offers while waiting for something better. And I think that, I don't know, it hurts my personal integrity to think of people who basically are holding onto something for a month or two while a job from Google or Atlassian or something comes along because that's just like backbreaking getting onboarded to some kind of other shop and then being told, "Oh yeah, I got a better job. I'm leaving now. And just handing in notice. And the only reason I took it is because I wanted a month of paychecks and I got no loyalty to you." I know a lot of hiring managers have been through that and it's devastating. Remote work sucks and is also great at the same time. Because I got to go check schools out this morning, but what do you do?

Riki Blok (:

Yeah, well look, we run hybrid. I've got three kids and I had to do drop off to work and pick up yesterday afternoon.

(:

So there's huge advantages for that. But our business offsets up by having an expectation that you're in couple of days a week. And I think that'll be the norm for most businesses to be honest. And I'm expecting that in the next two to three years, that hybrid will absolutely make a resurgence. So I wouldn't be surprised if I'm closer to Sydney, maybe up to Central Coast rather than or closer to Newcastle, depends. We'll see.

Cole Cornford (:

Just to be honest, we're seeing enterprise businesses in general start mandating days in office. We're currently recruiting for a big tech firm whose name I won't say on the podcast, but they mandate hybrid two or three days a week in office, which is against what the other big tech firms in Australia are doing where they're offering full remote. So I understand the thinking behind it, but if you are in a fully remote role and you're getting paid very well, it's hard to leave.

Riki Blok (:

But I also think that if you're living at, I don't know, Byron or Braven, in my case up Newcastle way. Fully remote positions. So you get paid a good wack, but you're not really participating in the local ecosystem all that much, right? You're just kind of there enjoying the fact that there's no one else there. And you get to go to the shops every now and then buy a bunch of groceries, but otherwise you're not really participating locally. I can see that being a bit of a drain on lot of these smaller regional communities, but I do hope that you're able to find someone for that cool role. So God speed for me.

Cole Cornford (:

Yeah, I do think that. So that's an interesting trend. I actually, I want to cover a few other trends as well. So what other things are trending in the recruitment industry, specifically in cybersecurity? What things have you noticed?

Riki Blok (:

What's trending? So not relevant for AppSec, but Microsoft Security Suite Yep. Is a huge trend. So if we went back two years, 18 months to two years, if we were recruiting for a seam engineer, everybody would be looking for Splunk. Everyone wants Splunk. 12 months ago we were recruiting for one of the big banks in Australia and they were looking to replace their existing seam and they're looking to roll out Splunk, but they were like, "Hey, we're actually going to roll out parts of Microsoft's seam, Azure Sentinel." Big drive for that. I think you've seen a maturing of their product to the point where it's actually acceptable. So even their endpoint product's actually really good. And a lot of instances is, it's either free or very low cost. So big trend for that from a technical perspective, I think in general we're seeing a maturing of the industry.

(:

What does that mean? Accelerated salaries. We've seen that over the last two years where people would change roles twice within two years, which used to be career suicide but isn't after Covid. But it might mean you got a 30% jump both times. We're now seeing that stabilize. Yeah, we were placing people into individual technical contributor roles at not big tech companies on absurd salaries that used to be executive level salaries. So in some instances you're talking about engineers getting paid $200,000, which in a normal business is madness. But we're seeing that come off the boil a little bit and it come back to some level of normality.

(:

Hybrid, definitely a drive. I think you'll see that sooner than the next two to three years. I think that'll be in the next six to 12 months. That'll be a very big push. There's already whispers of that happening in the US.

(:

A couple of other interesting trends. So I'll do a little bit of a plug for one of the reports that we released yearly here. So we've got one coming up which will be released around the end of the financial year and last year we did a holistic view of the market, but we're actually going to split that into subsets and do an area of defensive security. Talk about insights that we've seen there. Movers and shakers. Same for offensive security and AppSec, unfortunately we've lumped those two together. Cole, don't hold that against us. AppSec actually covers everything. So in my view it's like, oh, let's talk about cloud security or endpoint or defensive security for, in my view, software defines everything anyway, so you can't get away from it. AppSc here, it had to fit in one bucket. So we had put it with that one because there's less data there than we've got GRC and architect architecture in one.

(:

Area as well as leadership. Some of the points that are interesting to note, everybody talks about gender diversity in current market and what the data we've been able to capture suggests we're trending in the right direction. So overall across an industry, it's maybe one in five for the sector of female. For executives it's 16%, whatever that is. One in eight or thereabouts. But for the least experienced sector it's more like 27% of females. So we're definitely training in the right direction with that, which is really good. One of the most interesting things as we pull that data apart, is all of the, let's call them the originals from cybersecurity. People with 15, 20 years experience. Not many of them went to university. A lot of them, their education might be from Tafe. That's the biggest school that they came from. When you look at that data set, which is super interesting.

(:

Interesting. Sorry. When you then look at job descriptions that are written asking for a degree, and it's very interesting because a lot of the people who are in those jobs actually don't have one.

Cole Cornford (:

I don't like that we have a university qualification or require certifications to get a lot of entry level roles when a lot of the time it's aptitude and attitude to learn on the role. A little bit disappointing to me because it also, it does reinforce those biases, right?

Riki Blok (:

A hundred percent. I think it's a filtration process for people that don't know what they're looking for. If I was in an HR role and not to talk them down, but if I'm recruiting 50 different roles, what's an easy way that I can exclude people? Oh, they don't have a university degree. Let's put these 80% of people into a bin because we don't need them. So I think that's part of it.

Cole Cornford (:

But when you do that, you miss out on a couple of gems. And I know that there's a few people that I've met who just don't have that qualification and had fantastic careers where eventually they've moved on to look at trying to get some form of accreditation with a tertiary institution, like a master's degree or something, but not as one of the entry level roles. They've just started an IT help desk score and then transitioned. It's really disappointing that that's still a trend is that you need a BcomSCI or a software engineering degree to get into security.

Riki Blok (:

That's even to get an interview, not even to get in, just to get an interview. You need to have that and then you've got to pass through all of the other bits and pieces as well.

Cole Cornford (:

So what do you recommend for, because I got this into two questions. So the first one, it's like with entry level staff, if you don't have that kind of background, then get past that HR filter, what do you need to do? So just give Riki a phone call?

Riki Blok (:

Honestly, you could a hundred percent. I'm happy to give information, help to anybody that I can. More than happy to give time to people who are trying to break into the industry. Because it is really hard. I actually think you do better by networking, by going to events and talking to people when you go to them because it's very rare. I've been doing this job for 10 years, I've probably placed three entry level roles in all of that time. And for context, I would normally put two and a half to three and a half people a month into a role. So times up by 10, you're talking 300 people, 1% of all roles I work on, and that would probably be typical across the industry.

(:

So our recruiters the best avenue for information. They would give you some very good information. Are they going to be the best to get you into an entry level role? Probably not. Graduate programs, attending events, talking to leaders in the space, connecting me with people on LinkedIn, that's probably going to give you a better shot. Applying through a HR portal probably won't work very well.

Cole Cornford (:

Yeah, I know a few people that have got slams by filters where they're looking for an OSCP or whatever, but then you just turn up to seg talks or to [inaudible 00:33:13] and say hello to a few people and then suddenly the filter disappears. It's just like, yeah, it's an interview. So...

Riki Blok (:

Put yourself down to talk. That probably works. If you can get yourself talking at one of those events, you'll get interviews, at the least.

Cole Cornford (:

I think that as long as you are able to work on a brand external to just, it really separates you as a candidate from the majority of people. Because I feel that most people I speak with who come out of a university, they just kind of expect that a university degree is what is necessary to get a role. And there's a lot of people I've met who have gone a lot further and they just turn up to industry events and just go and speak with people about something that is interesting to them. And that's honestly pretty good. I met a person that was really into Arch. I don't know much about Arch Linux, but I'll tell you that because they were really interested in Arch Linux, I was able to at least keep them in my radar and see how they were going because that's a lot better than everyone else said I've spoken with. We just don't have any passion or any real interest outside of I need to get my, was appease for degrees. You know?

Riki Blok (:

Fair. I think as well though, there was no university degrees five years ago or whatever it was when they started doing the first cyber degrees. Now I don't know what the numbers are of people who graduated with a cyber degree. Let's pick a number and let's say there's 2000 people that graduate with a cyber degree each year. Might be wrong. I don't know, let's just pick that as an example. There is not 2000 entry level cyber security jobs in the Australian market every year. There's less than 30,000 people overall in the whole industry. We saw that that number grew by about a thousand or something across a year. How many of those were entry level roles? Probably a hundred, 200 maybe. So if you finish a degree and you're one of a hundred to get into any job or whatever it is, you've probably got to do more than just have the bit of paper. And that's where the networking piece and the passion comes in.

Cole Cornford (:

And I think that, I know probably poo-pooing cyber degrees is a lot as well, but I don't think that they're very, or maybe it's my AppSec background, but I've, every candidate that I've interviewed who's been doing a cybersecurity degree and just lacks a lot of things that I'd be really looking for, which is the ability to actually have constructive conversations around software engineering. I don't care if you're just really bad at software engineering, at least if someone comes to you and says, I want to use PHP five or React and they've done my front end options, and then you can talk to them about why both for good ideas, that is a lot better than HTML and CSS is the way to go. And that already eliminates a lot of the candidates because they just have no software engineering background whatsoever.

(:

And I find that that's why, I mean it's AppSec, there can be, but if you can't empathize some work with people as a cybersecurity professional, then you're screwed because it's all about influence and being able to listen to people's concerns and then help them move in the right direction. You can't just write up a policy and tell people to adhere to it. Otherwise they'll just eat it, tear it up and throw it out the window. So what's the point?

Riki Blok (:

There's probably a whole podcast we could do on entry level people trying to break in to industry. I think it gets spoken about quite a lot as well. But there's a gap. Everyone talks about there being a gap of people in the industry, but they're not talking about entry level, the gaps at the two to five year mark or the five to 10 year mark. So any processes that get put in place now, we're not going to see the results are for years. So...

Cole Cornford (:

At the very least of that trend you were mentioning about diversity, I think that it's good because those, that 27% is going to be moving into those mid-market and then to senior leadership positions over time. And then you will see that 16% slowly move, tick upwards as well. And that that's exciting to me as well. I don't think parody is where we should ever really be trying to work towards, but at the very least, improving representation across the board at all levels.

Riki Blok (:

Yeah. And I think we're on the way with that, which those statistics would also talk to.

Cole Cornford (:

So I know we talked about new starters. How about the other end of the spectrum? So I am someone who's a principal engineer or a manager looking to move into a director level, head of, kind of role where I just want to have accountability for a function or I am in charge of just managing risk for an organization. How do people make that transition from? What tips would you recommend for people? Because when I know that if you get into one of those things where you are a domain expert at cryptography or penetration testing, often the transition to senior leadership is extremely jarring or they just don't get looked at for those roles.

Riki Blok (:

And I think the biggest barrier that people have when they're trying to step up the food chain, is perhaps the way that they've been conditioned or trained to articulate problems has been with more of a technical lens.

(:

So if you're in a principal role, you probably just talked to a technical way to solve that problem. But as you start stepping into more leadership roles, it's more looking at that problem with a business lens or contextualizing how that risk might land from a cost perspective and being able to articulate it in an appropriate way for that, is probably the biggest challenge. Altering your verbiage as well. The way that you speak about everything matters more at a more senior level. Your appearance matters. If you're going for a role, so think of it this way, say you've been working at the same company for 10 years and you know, always rock up in a t-shirt, jeans, and a hoodie, and all of a sudden you're applying for a senior management role and all the senior managers there wear a suit to work. If you're not wearing a suit, do you think that they're going to think that you're one of them?

(:

You know, almost got to drink the Kool-Aid a little bit and start thinking about, well, if I want to be considered as an executive here, I probably need to start acting like it before I'm actually in that role. That's probably the other challenge that people might overlook if they're trying to step up internally.

Cole Cornford (:

There's a book, which is going to sound a bit weird, called Software Engineering at Google, and one of the things that they do bring up really early on is that, yes, you can wear a t-shirt to work and we encourage that, but also it is a lot harder to influence people if you are wearing a t-shirt, right?

Riki Blok (:

A hundred percent.

Cole Cornford (:

If you are looking to make large architectural decisions or do a business case or actually get funding to be able to do stuff, show up, don't just put on a t-shirt because otherwise people have already in their mind, set you as a low value person and you have to work hard to push yourself back up the chain instead of if you turn up with a suit and people think to yourself, oh, that guy actually, he is made the bare minimum effort to get there.

Riki Blok (:

I wear a t-shirt every single day in the office. If I go on a client meeting, I wear a college shirt and I wear proper shoes, because you want to look the part. Now they might be a tech startup firm, but I don't know that, I don't how they dress before they get there. In my opinion, as long as you're not wearing a $6,000 suit, you're not going to be overdressed for a role. You might stand out as being somebody that's wearing nicer clothes than the others, but that won't necessarily be a bad thing.

(:

And I think the same thing, the principle probably applies for what you're talking about, dress for the appropriate audience, right? I think the only place where I've been laughed at was at the Atlassian office because I, yeah, I know, right. I was wearing a suit because they were having some community event for ABSEC practitioners and I was thinking about, okay, yeah, I'm going to turn up and show myself as a professional, even though it's an Atlassian office and the day before I had some sales calls and stuff, so I didn't really want to be just carting around a bunch of shirts and stuff.

(:

So just carry on basically. Yeah. And yeah, I just remember on the elevator on the way out, they, they're just like, "who let the suits in?" And I'm just like, UIC's. I see. I know how it is. So I used to be one of you guys.

Cole Cornford (:

Yep.

(:

All right, Riki, we've got some rapid fire questions to finish up the interview, so here we go. First one, what's your favorite book to give to people as a gift and why?

Riki Blok (:

Oh, favorite? So there's a book by Mark Manson. It's called The Subtle Art of Not Giving a Fuck.

Cole Cornford (:

Yeah, okay.

Riki Blok (:

I was gifted that book by somebody. It is so relatable, just a real life. And I guess having you separate, almost having you separate yourself from the decisions that you make and giving you a bit of freedom around that.

Cole Cornford (:

Yeah, okay. That's a really good one to be handing out to people. I know. I don't think I've read it. I've seen it. It's a bright orange one, isn't it?

Riki Blok (:

Yep.

Cole Cornford (:

Yeah, because I know my brother read it and his personality changed a fair bit after reading it. So it gives you that freedom, right? I think a lot of people try to hold themselves to a high standard, and this says that you are able to make mistakes and you should be okay about it. Is that what the book's general...?

Riki Blok (:

Yeah, that's part of it. And there's a big part of it that talks about, if something isn't a thing that you go, "oh fuck yes" to, then the answer should be no.

Cole Cornford (:

Oh, okay. I actually, I really like that because there's a lot of times where I sign up to something in advance, and then as the day approaches, I just get a bit, oh, should I have done it's negative, negative dissonance. That's what we're talking buyer's remorse that we're talking about before buyer's remorse. It's like, why did I sign up to go out to this sort of speaker, this event or whatever, and I fully understand where that's coming from to be honest. So it's like, why didn't I say no? So I should read the book?

Riki Blok (:

Yeah you should.

Cole Cornford (:

You can send me a copy. Okay.

Riki Blok (:

I'll post it to here. Yeah. Yeah.

Cole Cornford (:

Cool. What's your favorite food and why?

Riki Blok (:

Favorite food's pasta. Always.

Cole Cornford (:

Pasta?

Riki Blok (:

Yeah, mate, I love it.

Cole Cornford (:

Which kind of pasta?

Riki Blok (:

I just love spaghetti bolognese man. Just bog standard, you know, you can't go wrong. You can make a batch of it and eat it for a few days. Everyone loves a bit of carbs, right?

Cole Cornford (:

My family loves me cooking pasta. I choose different types, but I always go upmarket with the bloody muddy sauce instead of the pasina or the domi varieties. So the muds just, it's usually got olives or some kind of actual vegetable in it instead of just mush. So I'm just like, oh, look at this.

Riki Blok (:

So I mentioned that we've got kids, kids elite spaghetti. Yeah. One of the things that we've found out works really well is to just mush up a bunch of vegetables, puree them and chuck them into the spaghetti bolognese, actually makes it taste better.

Cole Cornford (:

Oh yeah. I don't mush them or puree them, but I definitely slice up onion and great carrot.

Riki Blok (:

But kids, yeah, just kids won't eat chunks of olives, man.

Cole Cornford (:

Oh no. My kids are like, oh, it's got olive, isn't it? I think the most disappointing thing for me sometimes is my daughter's used to Chinese food, so whenever I make Western food or whatever, sometimes I just get absolutely crushed when she pulls out individual parts that are great. I was one of them the other day, I think I bought a burrito for her and I had all of everything in it. Right? You had the beans, you had the, just everything, right. So anyway, she opens the burrito as you do, and then got the knife and then scraped the avocado that I paid more of for off and then started individually with chopsticks, pulling out the beans and then wrapped it back up again, and I'm sitting there looking at her with a stunned mullet thinking, "What?" Yeah, kids. So, right. They're too hard.

(:

All right, well, hey, Riki, thank you so much for coming onto podcast. I really appreciate it. Do you have any parting words that you want to give to our audience about how to be secured?

Riki Blok (:

How to be secured? Well, yeah, I guess if you're a company that runs software and you need AppSec or you go to you guys, right? But just use common sense is probably the biggest thing. If you were like, "Hey, how you be secured?" If something seems fishy, it probably is. If you get a text message from somebody that says they're your mom and it's not your mom's phone number, it's probably not your mom. Or if your bank is texting you, asking you for your password, well, they never do that. So just use common sense, would probably be my biggest thing. And use unique passwords. So have a password manager because nobody can remember 300 different passwords.

Cole Cornford (:

Yep. I wish I could. I don't have that photographic memory. I use one password, so I fully agree. Thanks so much, Riki. A pleasure to speak with you, mate.

Riki Blok (:

Yeah, likewise. Thanks Cole.

Cole Cornford (:

Thank you for listening to this episode of Secure. We hope you enjoyed today's conversation. Don't forget to follow the podcast on your favorite platform and leave us a review. Want some more content like the above? Why not subscribe to our newsletter at galahcyberber.com.au/newsletter and get high quality apps and content straight to your mailbox. Stay safe, stay secure. I'll see you next episode.

Links

Chapters

Video

More from YouTube