Dave Bittner (15:34)

We've actually been running this for a good, good number of years now. So it's kind of one of our year to year reports. So it's got referential integrity, I. E. You can look at the trend. Even if you disagree with the absolute figures, the trend is what's important and some of the insights that come from it. So it drills into a number of areas, technical skills and covers around 16 this year. 16,000 cybersecurity professionals have input into the report. So pretty big survey.

Interviewer/Host (16:03)

Yeah, pretty big sample size there. Let's dig into some of the results here. What were some of the findings that caught your eye?

Dave Bittner (16:10)

Yeah, there's a few you cannot mention. Cannot talk about technology if you're not going to talk about AI. So AI is an in demand skill. No surprise there. I think probably what's surprising is if you looked sort of two years ago, it was either not on the survey or very, very low down and now it's leased by the professionals. The number one desired technical sk. I think it's number two by hiring managers. So that's really leapt up to the fore. That's one of the sort of the key findings and really a shift from that. Do we have enough people in the seats to actually do the people have the right skill sets that we need to protect society? So, and it's the latter. It's a focus on skills and skill sets rather than just the sheer number of people. Really came through loud and clear and we started to see that trend come through the 2024 survey as well, which is reinforcing that direction of travel.

Interviewer/Host (17:09)

Can we dig into that notion of the skills shortages? Because I think as you mentioned, that's been trending for a few years now. Unpack that for me. What does that really mean for both the folks out there looking for jobs and the folks looking to hire?

Dave Bittner (17:24)

So I think there's sort of two components to it. One is cybersecurity profession requires and desires, not just requires skilled professionals within it that are market current. I think that's what's really come to the fore again, that that leapfrog of AI shows that an in demand skill set or an in demand technology in the business sense translates to an in demand skill set in the cyber security sense. Not only using AI for good security outcomes, but obviously securing AI as well. So the business can go and execute on that opportunity in a risk managed way. So it and some of those skills are fast moving, AI being one of them. And we've actually seen really some of the non technical skills. So things like strong problem solving, teamwork and collaboration skills come to the fore. Strong communication skills is now one of the most expressed desired non technical skills. And I think that shows an adaptability of what a cyber pro needs to be so technically proficient absolutely in the relevant technologies and the relevant security stuff, but also now a true member of business able to communicate logically, think and problem solve.

Interviewer/Host (18:38)

I hear so many people out there saying that they're finding frustration when they're out there looking for these jobs. And yet on the other side you'll hear hiring people who I, I guess the, the old chestnut has been that they're out, they're looking for unicorns and so it's hard for the, the people who are just starting out to find their place. Is that reflected in the survey at all?

Dave Bittner (19:01)

Well, we didn't look sort of at the absolute numbers game but I think there is a little bit of difference between hiring managers are looking for and what so the number one non technical skill demanded there was problem solving 29% versus the professional view which is problem solving is 55% but actually top there was the communication skills. So yeah, there's a little difference between the desire line and actuality. But I think if you sort of really unpack it, we've got some interesting macroeconomic conditions. So there's continuing pressure on resources and budgets and therefore that means if you have a limited hiring opportunities, you're going to want to hire the people that are most compatible with what you're looking for. So I think that piece of rarity comes through and that's maybe what's stressing the market a little bit, you know. And if we concentrate on the non technical skills, those are things you can use to differentiate hard technical skills are learnable and teachable and trainable. The quid pro quo is we should do that as a profession anyway and a good employer does. But balance that against some of the non technical and develop those as equally. So there are jobs out there, but they may be looking for something slightly different. And you mentioned entry level. I think what we've seen in this year's survey and in previous is really a focus on some, some of the experiences that you bring, not just the qualifications that you bring and there's a number of good ways of going to get them. So we're not precluding entry level at all. In fact, I know personally in my team we've got to build the next generation. So looking for entry level skills is one of those key things a profession has to do.

Interviewer/Host (20:54)

You mentioned AI. What sort of pressure is that putting on the folks in that entry level position there? Are we finding folks, people displaced by the AI tools already?

Dave Bittner (21:06)

I think what we're starting to see is potentially a change in shape of the job. So AI. I know there was a posit and many comments have said it's going to disintermediate entry level positions. I don't think that's true. I think what the entry level position will do is slightly different. Technology has always been moving along at a pace and we've seen jobs change and react to technology. And do we see the wholesale elimination of entry level jobs by technology? Very, very rarely, if at all. But what you do in that entry level position has definitely changed. So we're seeing AI as a desired skill for entry level positions as well, which is actually how to use it effectively, so using it for good security outcomes. And we sort of talk a little bit about AI being used to get to a decision point quicker. So it's going to speed up and make you efficient in what you do. Again, embrace it. And I think entry level people are probably AI natives more than, you know, like me and potentially you, so they're well equipped and well placed to adopt it rapidly. And I think that that's the other thing. AI is probably one of those skills that has been rapidly adopted so from very little two years ago to pretty much the top in demand two years henceforth. So that rate of change is probably the. Not a shocker, predictable sort of a little bit, but still noteworthy. You know, rate of change is going up, it's not going down.

Interviewer/Host (22:45)

Yeah. John, I'm curious for your opinion on this. I mean I was talking to someone not long ago, a senior level person who was concerned that it was going to be harder for people to accumulate the skills to become a senior level person because there are fewer opportunities on the way up and perhaps AI displacing some of those folks. Do you share that view?

Dave Bittner (23:12)

No, not, not wholesale. I think actually what's. If you're going to make it to the senior echelons in cyber security, historically it's been looked at as a very technical discipline and technical career path. I that notion is somewhat softening quite rightly as we become closer to partnering for business. Our business skills and acumen have to complement it at the senior level. So yes, understand technology, risk controls and all that good stuff, but balance that against being able to communicate, talk and operate at a business level. So I think actually as cyber professionals, especially at the senior level, it's about getting some of those opportunities and experiences in the sort of the arts of business, not just the arts of security. So I think, I think it's a different landscape to what we traditionally seen maybe a decade ago and one actually I wholeheartedly embrace. Yes, I'm a techie but, but I love business as well. Technology is usually in service to a business outcome.

Interviewer/Host (24:18)

Yeah, when we talk about AI and the attractive skills that people are bringing to the table here, did their surveys dig into that at all? Are there specific, specific things that are going to have someone's resume put to the top of the pile?

Dave Bittner (24:36)

No, we, I mean I don't think we've got a hard data on, you know, is it large language model, is it prompt injection, is it whatever, it didn't go, it didn't go to that level. So we don't have that kind of empirical data to reflect back. Yeah, but again I come back to that rapidity of change. So you know, this week it might be AI per incident response and next week it might be for something different. I think getting comfortable with using a modern tooling and tool sets and technologies being one of them is probably where you've got to really show your metal, as it were, which is comfortable in change and comfortable in adopting new ways of working.

Interviewer/Host (25:17)

Well, based on the information that you all have gathered here, what's your advice? What sort of words of wisdom do you have for the folks who are out there?

Dave Bittner (25:26)

I think it's actually employers and not just getting employed, but whilst you're in job. We're looking for a good balance between technical skilling, empirical knowledge that's teachable, trainable, so certification is part of that, but also some of those non technical skills, in fact that's they tend to be good differentiators. So strong problem solving skills, teamwork, collaboration, communication, critical logical thinking, those kind of things are a really, really good way to show adaptability and really sort of go in with a balanced approach. It's not all about technology, it's not all about business, it's about the intersection of those two. And security pros is obviously about risk management ultimately. What's the old phrase, you can't accumulate without speculation and speculation you need to take some risk as well. So we are the purveyors of taking appropriate risk within appetite and in the business get what it needs to be done and actually being part of that change.

Interviewer/Host (26:30)

And we'll have a link to ISC2's 2025 ISC2 Cybersecurity Workforce Study in the show notes our thanks to John France for joining. No, it's not your imagination. Risk and regulation really are ramping up and customers expect proof of security before they'll sign that deal. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. Whether you're preparing for SOC 2 or managing an enterprise governance risk and compliance program, Banta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That's not just faster compliance, that's more time for growth. Take it from me, if you're thinking about compliance, take the time to check out Vanta. Get started@vanta.com cyber.

Dave Bittner (27:47)

So good so good so good.

Nordstrom Rack Advertiser (27:49)

New markdowns up to 70% off are at Nordstrom Rack stores now. And that means so many new reasons

Dave Bittner (27:56)

to rack cause I always find something amazing. Just so many good brands cause there's always something new.

Nordstrom Rack Advertiser (28:01)

Join the NordicLub to unlock exclusive discounts. Shop new arrivals first and more. Plus buy online and pick up at your favorite Rack store for free. Great brands, great prices. That's why you rack.

Interviewer/Host (28:22)

And finally, Microsoft Azure CTO Mark Russinovich recently decided to revisit a piece of his own programming history. A small Apple II utility he wrote in 1986. He gave it a modern audit courtesy of AI. The program, called Enhancer, was written in 6502 machine code to extend Applesoft Basic with more flexible goto and gosub commands. Russinovich fired up Claude Opus 4.6, which promptly decompiled the four decade old code and spotted several flaws, including a subtle bug where the program quietly misbehaved. Instead of throwing an error when a destination line wasn't found, the fix, in hindsight, was check the carry flag. The discovery is mostly nostalgic trivia for Apple II enthusiasts, but it highlights a broader shift. Modern AI systems can now analyze low level code and uncover vulnerabilities in software that humans may not have examined for decades. That capability could help defenders patch old systems, though it also gives attackers a powerful new way to hunt for bugs lurking in the world's vast supply of aging firmware and legacy code. And that's the Cyberwire. For links to all of today's stories, check out our daily briefing@thecyberwire.com don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show. Every week. You can find Grumpy Old Geeks, where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco.