S4x24 closing panel highlights challenges in OT security job market with insights from industry leaders

The closing panel of the S4x24 event convened Thursday, with Dale Peterson, the founder of S4xEvent and CEO/catalyst at Digital Bond; Megan Samford, chief product security officer for energy management at Schneider Electric; Zach Tudor, associate laboratory director for national and homeland security science and technology at the Idaho National Laboratory; and Ralph Langner, founder and chief executive officer at Langner Inc., addressing the audience.

Peterson zeroed in on the OT security job market, which is currently experiencing a downturn, leading to layoffs and making it harder for skilled professionals to find ideal employment.

Addressing how long the difficult job market is going to continue, Samford said that she honestly couldn’t say, and “I don’t want to predict, but I can speak from the OEM perspective, in that when you’re working with large OEMs and publicly traded companies, one of the first things that a Gartner or Forrester or any type of analyst will ask you when they’re trying to engage the maturity of their cybersecurity program is how many cybersecurity staff do you have, and what is the budget totally for cybersecurity in your company?” 

Within the OEM space, Samford added, it can be said “that thankfully, we have not been doing and seeing layoffs in the OEM space when what you maybe have seen more of is we don’t need you to do this type of role anymore. We feel that the capability is at a decent enough level. However, we’re gapped over here.”

Samford described: “Layoffs in the cybersecurity community impact all, whether or not you’re an OEM or a startup or working for some type of consulting or services firm, because what happens is you lay people off, the work doesn’t go away. Other people have to absorb that work. They get burnt out, especially if they work in incident response or other fields; response fatigue is a very real thing. So then they move on to other companies, and the problem just compounds upon itself.”

Tudor said that he took some informal polls, “and I think some people are saying, some of the vendors, and this was more in the services area, thinking about the OEMs, maybe they were trying new product lines and new service lines that didn’t seem to pan out and seemed like a good time to say. Others were saying that there was just a certain price tag in your company. You’re growing, maybe faster. And then also a little Covid reset.” 

He added that some people were talking about the mix of personnel that they had, which was potentially time to bring it back. “One other impact that someone mentioned to me is that in the last, they haven’t seen a number of independent vulnerabilities submissions. Independent labs that were doing things.” 

Tudor pointed out that losing some of those capabilities has downsides. “So we may see that research. And like you say, though, I think that the work needs to get done and it will go somewhere. There’ll be an entrepreneur out there that will come back to us.”

Speaking on attrition rates within teams, Samford said: “If you’re a manager, it is something that we’ll always look at. What is the turnover year over year? I think that cyber, and I’m opening up a debate more than I am making an opinion about it at this time. But if we were to compare this to a typical tech world or development team, 20% to 30% of turnover within a team per year is considered healthy. And why they consider it healthy is that it means that you are hiring people that other people want. If you have like 5% attrition rate or something in your team, well, it could mean that people just really love working for you, and that’s great, but it could also mean that maybe you have people that nobody else wants.”

Asked to pick one area in which the industry is over-investing and one in which it is under-investing, Tudor said: “Well, yes, we do kind of bank about these. So I’m all about resilience, part of my issue, and the credit support in the ‘protect’ area. A lot of people are getting tools that they are not mature enough to use. So they may be sold into things that are kind of above their head. And that’s being the locking task and some of the basics that they really need to do to maybe get tested by another. And once again, on the resilience side, I think we need to be able to respond or recover where we need.”

Langner said that “certainly we are over-invested in detection. That’s obvious that what you should all do is you should focus more on identifying that there is a fantastic product on the market. But in all curiousness, then we try to provide more. Let’s just forget the bias for a minute here. The one thing I find strange to understand, I really don’t get it. If you look back at the real-world cyber attacks that we see in our sectors and catch the infrastructure, what has happened?”

“So cybercrime did not happen, but we see a lot of friends in that. I think that the content is here. If that is the case, then that would suggest to me that we are totally underinvested in recovery. And I even could imagine a couple of reasons for that,” according to Langner. “Because recovery is probably the least sexy topic of that circle that you can imagine. Right. It’s so boring. But, anyhow, it’s easy to do, it’s easy to accomplish and it doesn’t cost a lot.” 

He added: “So if I could give you a couple of other metrics. How many hours, how many days, or maybe even minutes do you need to recover your critical, whatever it is, DCS system from scratch? That’s a very simple metric. And your business should have a target value for this. Somebody should have gone through that exercise and determined where you must arrive and then actually do training exercises and see if you’re already there or not. So that totally doesn’t conclude from me why we’re seeing so little engagement in the recovery sector. I cannot explain that other than what. It’s just not sexy enough. And let’s not for yet.”

Samford came in at this point: “That’s where I think we see the least amount of focus discussion. There are good solutions out there that do this, but when’s the last time someone tested their back of a recovery plan? That’s really important. Yeah, we’re probably good at detection at this point, although one could argue that we’re not very good at responding to what breeds to test, and we certainly can’t do that at scale. That’s where again, people are going to say, there goes Megan Samford, talking about how cyber’s really disaster science and how we should follow the incident command system. That’s why I said what I said is going to be your thing. All of that still holds true.”
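Langner's recovery metric (minutes, hours or days to rebuild a critical system from scratch, a business-agreed target value, and exercises that check whether you are there) and Samford's question of when a recovery plan was last tested can be tracked in a few lines of code. The script below is an added example, not tooling from the panel or any panellist; the system names, target values, exercise records and the "stale after N days" rule are constructed for illustration. It reads per-system targets and exercise results and reports, for each system, whether the last successful rebuild met its target, was too slow, was too long ago, failed, or never happened.

```python
"""Compare measured recovery-exercise times against per-system recovery targets.

Added example: systems, targets and exercise records below are constructed
for illustration and do not describe any real site.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryTarget:
    system: str
    target_minutes: int          # business-agreed time to rebuild from scratch
    max_exercise_age_days: int   # a successful test older than this no longer counts


@dataclass(frozen=True)
class Exercise:
    system: str
    started: datetime
    finished: datetime
    succeeded: bool

    @property
    def minutes(self) -> float:
        return (self.finished - self.started).total_seconds() / 60


def assess(targets: List[RecoveryTarget], exercises: List[Exercise],
           now: datetime) -> Dict[str, str]:
    """Return one finding per system: meets target, too slow, stale, failed, or untested."""
    by_system: Dict[str, List[Exercise]] = {}
    for ex in exercises:
        by_system.setdefault(ex.system, []).append(ex)

    findings: Dict[str, str] = {}
    for t in targets:
        runs = sorted(by_system.get(t.system, []), key=lambda e: e.finished)
        if not runs:
            findings[t.system] = "never exercised"
            continue
        last = runs[-1]                       # only the most recent run counts
        if not last.succeeded:
            findings[t.system] = "last exercise failed"
            continue
        age_days = (now - last.finished).days
        if age_days > t.max_exercise_age_days:
            findings[t.system] = f"stale (last success {age_days} days ago)"
            continue
        over = last.minutes - t.target_minutes
        findings[t.system] = (f"exceeds target by {over:.0f} min" if over > 0
                              else "meets target")
    return findings


def needs_attention(findings: Dict[str, str]) -> List[str]:
    """Systems whose recovery capability is not demonstrated within target."""
    return sorted(s for s, f in findings.items() if f != "meets target")


# Constructed sample data (hypothetical sites and systems).
TARGETS = [
    RecoveryTarget("site-A DCS", target_minutes=240, max_exercise_age_days=180),
    RecoveryTarget("site-B historian", target_minutes=120, max_exercise_age_days=180),
    RecoveryTarget("site-C safety PLC config", target_minutes=60, max_exercise_age_days=180),
    RecoveryTarget("site-D SCADA server", target_minutes=180, max_exercise_age_days=180),
    RecoveryTarget("site-E engineering workstation", target_minutes=90, max_exercise_age_days=180),
]
EXERCISES = [
    Exercise("site-A DCS", datetime(2024, 2, 20, 9, 0), datetime(2024, 2, 20, 12, 30), True),
    Exercise("site-B historian", datetime(2024, 2, 22, 10, 0), datetime(2024, 2, 22, 13, 15), True),
    Exercise("site-D SCADA server", datetime(2023, 6, 1, 4, 0), datetime(2023, 6, 1, 6, 0), True),
    Exercise("site-E engineering workstation", datetime(2024, 1, 15, 8, 0), datetime(2024, 1, 15, 9, 0), False),
]
NOW = datetime(2024, 3, 7, 9, 0)

if __name__ == "__main__":
    for system, finding in assess(TARGETS, EXERCISES, NOW).items():
        print(f"{system:32s} {finding}")
    print("needs attention:", needs_attention(assess(TARGETS, EXERCISES, NOW)))
```

The point of keeping only the most recent run is that a fast rebuild two years ago says nothing about today's backups, images and staff; the `max_exercise_age_days` rule turns "when did we last test this?" into a finding rather than a question nobody asks.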

In his opening keynote address, Peterson emphasized the significance and impact of belief on success, reflecting the essence of the S4x24 gathering. While S4 has spotlighted the importance of gender diversity through its Women in ICS initiative, the industry’s pursuit of broader diversity remains an ongoing challenge, with much work still ahead.

Danielle Jablanski, an OT cybersecurity strategist at Nozomi Networks, highlighted a notable disparity within the industry and broader society: the existence of double standards and inequities, especially in professional expectations and resource distribution among organizations. She emphasized how smaller, resource-limited organizations are frequently left most exposed.
