Root Causes 337: CLM and the IT Skills Gap
For decades industry has had more need for skilled IT employees than the workforce could provide. In this episode we discuss how Certificate Lifecycle Management and certificate automation can help mitigate the challenges posed by the IT skills gap.
- Original Broadcast Date: October 10, 2023
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
Today we want to talk about a topic that we have touched on many times, which is certificate automation. Call it Certificate Lifecycle Management or CLM if you will, but automation of certificates and automation of PKI and the IT skills gap.
-
Jason Soroko
I tell ya, Tim, I look around not just within the company that we work for but also in competitors and go to conferences, it’s been the same faces for a very long time.
-
Tim Callan
You know, this gets studied. I’ve seen a number of studies over the years. I’m gonna say for 20 years at least there has been a consistent marked IT skills gap. And what I mean by that is the number of available human employees who can go to work for companies to do the set of IT requirements that those companies would have in an ideal world if they were right-sized is less than the amount of work that needs to be done. And the consequence of that – and that’s just been persistent and there is good reasons for that. It has to do with the fact that tech is just growing really fast and it takes a certain amount of time to educate a person and, you know, very few people get done with college in less than four years. So you can’t spin up the workforce as fast as the demand spins up. And that has a real consequence on companies – not just tech companies but companies in every segment around the globe, which is that as they are trying to run all of their processes digitally. If you go all the way back to our Tim’s Digital Haircut episode, we talk about the ubiquity of digital processes even in seeming offline businesses, that the desire to run all of your processes digitally leaves you with this need for this set of skilled employees that really no company can ever meet.
-
Jason Soroko
That is correct.
-
Tim Callan
And the reason I bring that up is of course because ironically, the exact same thing that we see at the exact same time in the exact set of companies is that these employees who don’t have the time to do the full set of IT needs that a company can spec are consumed by a variety of tasks and needs that at least in principle could be removed entirely from their plates. At a real broad level we can describe this as automation to the degree that functions can be automated where they are repetitive and predictable so that they can be done by a robotic process rather than done by a human at a keyboard. That has many benefits for the business, but the one we are focusing on today is it at least lessens the pain of that IT skills gap.
-
Jason Soroko
Correct, Tim. This is fundamentally important. Looking at some statistics on this and I’ve seen an article - - I think it was CSO had an article about something like at least three million people short – just on doing the base jobs
-
Tim Callan
Three million people.
-
Jason Soroko
We are short three million people and well over half of enterprises that were responding to some survey here were saying that they are not just short but they are critically short.
-
Tim Callan
Oh 100%. We see it all the time. One of the things that I observe - and I have some hypotheses about why this is the case but maybe you and I can compare on this - one of the things I observe is these same companies who have this vast IT skills gap are also not necessarily moving forward on automating away their trouble and so, again, I have a theory on this but I’m gonna ask you Jay. Why do think that is?
-
Jason Soroko
One that comes to the top of the list is everybody is being asked to do more with less and when you have less sometimes automation, you know, it looks sexy but the problem is there might be even higher pressing things that you’ve gotta get done but, on the other hand, I think that there’s a chicken and egg problem where putting in automation also requires a skillset well.
-
Tim Callan
I think that’s a big part of it is that, you know, we’re getting through the day and at the end of the day we say, oh boy, another day with disaster averted. We gotta gear up to do the same thing tomorrow and where in there am I gonna fit new incremental projects and automating is an incremental project? It means that between now and when it is delivered I need to produce more not less, and if I am spending all my time producing what I need to produce to survive then when do I have time for that project?
-
Jason Soroko
I have another reason, Tim.
-
Tim Callan
Ok.
-
Jason Soroko
Which is a little odd but it’s one that we should just call out, which is if you have existing staff and you’re depending on them to raise their productivity – is what I mean – such as, hey, are there areas that we could automate here? Human nature, even if the idea is a good one, human nature will often be, well, I don’t want to automate that because my job - -
-
Tim Callan
That’s what I’m paid to do.
-
Jason Soroko
What I’m paid to do. So, you know, lack of automation due to job security thoughts. And I don’t see enterprises doing a terrific job at mitigating that and saying, heck no. We want you to be doing more productive things than the repeatable things that you just talked about, Tim.
-
Tim Callan
Right.
-
Jason Soroko
In other words, I think something is wrong in the communication of companies wanting to automate and people being resistant or hesitant to it. In other words, if you are an enterprise that depends on your Linux administrator to automate certificate management, for example, if you are depending on that person to come up with that idea, that person may never come up with that idea.
-
Tim Callan
I think connected to that, you know, if we look at the skills gap, we are looking at this kind of big aggregated pool but, in reality, that’s not what it is. It’s a whole bunch of individuals with their own skills. So, if my company is hurting because it can’t hire the DevOps Engineers that it needs and in order to get there it wants to eliminate traditional SysAdmins and I’m a traditional SysAdmin and I don’t necessarily have those DevOps skills then I might just be automating myself out of a job. Right? Even though there’s a skills gap in the aggregate inside of my company. And so, in that regard, just sort of natural self-preservation suggests that that person is not necessarily going to be leading the charge on this project.
-
Jason Soroko
That is very true, Tim. It’s all of these things. I don’t think you can point to one thing. There’s several problems going on here and it’s not getting any better. And the worse part is, I think we are all feeling the stress of being asked to do so much more and companies just want to slash their costs, they don’t want to hire anybody else. You’re lucky to have your job at this point, right, is the way everybody feels.
And it’s interesting that automation can help to solve a lot of this but there’s so many reasons why it can sometimes not seem like the right thing at the moment.
-
Tim Callan
It’s interesting because, again, if you back up, if you take the long view or if you get up high and you take the 50,000 foot view, it seems to be easy. An easy choice. Right?
-
Jason Soroko
Right.
-
Tim Callan
But you need to have this kind of emotional fortitude to be down in the trenches and say, no. We are gonna invest in this project. I know it’s gonna make life more difficult for the next six months but I’m confident in the dividends it will yield when we get beyond that and I’m prepared to do so. And to get there you need resourcing, you need a certain degree of institutional throw weight and permissions, if you will. You need permission to fail. What if it doesn’t work? And if I’m the manager who is gonna take on this project and it doesn’t work and I’m gonna get drummed out of my job as a result, then maybe I’m very risk averse. And so, there are a lot of ways that these things can fall short. Again, even though when we study the numbers in the aggregate and we get something from Gartner or one of their competitors and you look at it and you go, oh, there’s this massive IT skills gap. There are these institutional systemic qualities that combat moving to automation as aggressively as you would think.
-
Jason Soroko
You know, if you are an accountant looking at this, your CFO type even, your brain probably automatically says, hey, productivity is a good thing. Why wouldn’t people be self-motivated to take on tools - especially if they are the experts in the tools – to be able to be more productive because that doesn’t necessarily make that chance of a raise, chance of promotions, chances of whatever.
Or even just simply let’s help the company be a better company and help the bottom line. Everybody should want those things. But it’s harder than that. It’s harder than that. And I wouldn’t depend on the technologist to be the ones to influence upwards is what I’m trying to say.
-
Tim Callan
I’ve worked with and do work with people who I do think have those qualities who are confident that they’re always going to be able to add value and recognize that being agile and changing and growing with the times is good and, you know, sharks need to keep moving or they die and I’m gonna keep moving and all of those ideas. I know a lot of people who think that way and act that way and my hat’s off to them. At the same time, you can see where not everybody would feel that they were able to take that attitude.
-
Jason Soroko
Oh, Tim. You are so right. I’d even go as far to say, Tim, I’ve known people, some of the smartest, some of the most – from a technology standpoint, some of the smartest – but from a business standpoint, maybe the least savvy at all. Some of these people really believed that the only way they had value is if they became a single point of failure, which is the opposite of automation.
-
Tim Callan
Then there’s that, right? There’s the guaranteed job security. “I like my job. I don’t want to change. I like my salary. Everything is good. I’ve got a lot of seniority. I’ve accrued a lot of vacation and as long as I don’t rock the boat, I know I’m never gonna be in the RIF.” Right? Again, it’s the difference between looking at these things as a single pool and getting down to lots of individual companies and individual managers and individual employees making their individual decisions that for them appear to be self-optimized in the here and now.
-
Jason Soroko
Tim, I think part of what we gotta say here as well is that skills gap is so large and I think post-pandemic with all the other trends going on around work habits, how hard it was to get people back to work – if they are back to work at all –
I don’t think in anywhere near the short term future and possibly not even the medium term future, we are not solving this by just getting the people we need. It is gonna be solved through automation. It is the only way that productivity will come back. It will not come back from, geez, we are just gonna have a gigantic hiring campaign. Those skills just are not out there.
-
Tim Callan
It’s systemic improvements, of which automation is a huge one. Maybe not the only one. But, right, systemic improvements is the only way that people are going to get there. I think this applies to automation of all kinds of IT task. You and I tend to focus on certificates. Certificates absolutely is among them and is a poster child for this. but this is more than only certificates. It's a more general observation I think that we’re making.
-
Jason Soroko
If you look right across the entire identity fabric, the need to break the silos, the need to have intercommunication automation between things that were never, ever talked to each other before needs to be happening. It needs to be happening truly at the fabric level. Down in the guts and the bowels of the technologies that make our companies run. These things need to be built differently because the old days of well there was a department for this and there was a department for that and, you know, maybe we had to walk something across the hall. Those days are so gone, Tim, it’s not even funny. But it’s the world we are - - it’s the technologies that we’re still living with but not the environment that’s supporting that anymore.
-
Tim Callan
Yeah. And kind of building on what you just said, that isn’t slowing down. The need to create and set up new digital services or update and modernize the digital services I have or make them more interconnected or go to market with new systems, that’s the opposite. That just continues to accelerate and as that continues to accelerate, it feels like the gap between the available personnel I have and the real qualified need, where a business can be made, is just getting wider not narrower
-
Jason Soroko
Tim, even the way we architect apps in 2023 going into 2024 has completely changed and competitive advantages in your apps have to do with interconnectedness and to the point, Tim, where we are even dealing with architectures now that don’t even have a server concept. Like that’s how far we’ve gotten.
And from the credential standpoint - which is the world we live in – we are starting to see now ephemeral credentials being used for authentication. You and I were talking about oh geez, wow, 90-day certificates for publicly trusted certificates like how short that is. Tim, we are talking about one second certs now. Or, you know, basically because it lasts as long as the handshake.
And that’s because if you are gonna have all of this interconnectedness you can’t be having long-term certificates just floating around. That’s just a bad guy’s dream.
So, if you are gonna architect that correctly, ephemeral makes a lot of sense. And so, my goodness, if that’s the way we are building things, that’s not only there’s a skills gap, what it means is half the workforce or more doesn’t even know anything about that level of architecture.
-
Tim Callan
The skills gap gets worse right? Because that person who got their degree 20 years ago and has spent the last 20 years building and maintaining networks suddenly the way that you used to do it isn’t the way that you are going to do it now, and you’ve gotta be able to pivot and adjust and deal with this new world. So that creates another form of skills gap.
-
Jason Soroko
I bet you people who came up back in my time, were young men and women back in my time in the IT world, you know, dealing with servers and individual servers, they thought they were all hot business when they started firing up a whole pile of virtual machines. Well, how do you feel now when all of the sudden it’s containerized discrete bits of logic being orchestrated by Kubernetes somewhere in somebody’s cloud.
And that, even that, is not the cutting edge right now of how things are being built. So, like I say, it’s just – Wow. Wow. Wow. Wow.
-
Tim Callan
Wow. So, kind of what’s the takeaway. That somehow by hook or by crook finding a way to automate the things that are automatable and investing in building new skills for your existing staff to do these important new things over what they used to do is imperative, and the businesses that can’t do it are going to suffer.
-
Jason Soroko
Hate to say it.
I think enterprises as a whole have an enormous challenge in their IT just because large enterprise IT was never fast-moving to start with and I tell you, you almost have to be at the startup level to be able to have fresh staff who knows what any of the stuff even is and therefore you as an enterprise IT, the old days of questioning buy-or-build – oh my God, you’re probably not in the build scenario anymore – but the problem is all these small nuggets of functionality are so poorly - - they are clever pieces of technology, they might even be in microservices architecture but they need to be glued together and so you might have to do a lot of buy because you are not inventing the new thing but there’s still a ton of build in connecting everything together.
-
Tim Callan
I’m buying the Tinker Toys but I still need to assemble the Tinker Toys.
-
Jason Soroko
That’s what I’m hearing from people in the field right now. That’s the pain point. Hey, if I were to show you the number of logos, Tim, in just the DevOps world - - I’m running a modern app that connects to a lot of things. I have 100 tools or more that I have to learn and I have to cobble together and that’s more painful that it ever was in an IT environment.
-
Tim Callan
Ok. Well, I don’t think we’ve solved anything.
-
Jason Soroko
No. We are just pointing out just how not only has this been bad but if you look at now how things are architected, new ways things are being done, my goodness – if you don’t have a competency in your enterprise for automation overall and I’m not just talking about RPA and other forms of overt automation, if you are not doing automation in every sense of putting together your IT systems, I don’t know how you are doing it right now.
And maybe a lot of them just aren’t.
-
Tim Callan
Maybe they aren’t. Well, maybe that’s a depressing note to leave it on but it’s the situation.
-
Jason Soroko
And like everything else, something will break and probably there will become some technologies that’ll help to build these pipelines within everything better. It’ll give us a toolset to do that much more easily. I mean, hey, the reason why we had desktop operating systems was just to break this problem, Tim. Right?
Like things we never could have imagined and I think there’s things we never could have imagined that are coming and I think that this is one of the ripe areas for a complete change in how we are doing things.