How a talent crisis highlights misaligned incentives.
I’ve long been frustrated with the status quo of the web3 security talent panorama.
Not only has the quality of security work throughout the industry been the furthest from standardized (with many players capitalizing greatly on the lack of ability of the general public to validate the quality of the output), but the talent market for security researchers in the web3 space has also, for a long time, been entirely lopsided. The demand for security work is now orders of magnitude higher than the talent available to complete it.
So many problems, so little time. The standardization issue is one that needs to be solved systemically, but the latter is not.
I co-founded and worked alongside many friends, for the past five years, at an offensive security team on the web3 space. Diligence, incubated at and now an integral part of ConsenSys, has been at the forefront of security services and tooling for the Ethereum ecosystem for a while now.
Even though we’ve always prided ourselves in having the best possible work environment, caring for each other, and continuously improving our processes, the struggle to hire and maintain talent is genuine.
To add to the overall problem, good security/dev tooling suffers from a great monetization issue. It is hard for us and our peers to create financially sustainable products that help developers when, in all fairness, the developer base is still this small.
Successful security tooling is being built as a public good for Ethereans. And, as we all know, the incentives are not yet there to properly create positive feedback loops on public goods.
We need to change this.
Tackling problems all at once
Instead of solving the problems one at a time, I believe we can align incentives properly all at once. In a swift move, we might create a structure that favors both the talent crisis and the public goods funding.
Summing up the topics of interest in our problem space:
- Talent retention.
- Talent enablement.
- Public goods funding.
— Talent retention —
We need to create a dream haven for security researchers.
Somewhere that fosters creativity and rewards people for building the secure substrate of our industry. A place that appropriately recognizes the efforts of the highly talented humans working in web3’s security.
They should be happy, be adequately compensated, and support their colleagues in the type of top-tier work that we’ve all been accustomed to.
Right now, the incentives of private corporations working on security are misaligned without fair value flowing down to the people doing the job.
— Talent enablement —
Security researchers need to be able to work on innovative things.
Structured and permissionless innovation should be the norm. Informed partly by the need to do security reviews and research, people in the security sphere are in a prime position to know what tools are necessary (interactive or not) to secure the entire developer community.
Private security service providers have to very finely balance the time spent between projects extraneous to the core business model and their core activities. But security researchers individually need to have a stake in what is more important for the broader community at any given moment, whether it is to help a specific project or produce a new piece of security software.
This kind of ownership issue has already been solved countless times in the web3 space.
— Public goods funding —
We need better security tooling available to the web3 community.
Good tooling usually comes from broad contribution more than from wide usage. OSS has repeatedly shown that building in public and carefully accepting external contributions creates very robust pieces of software. There is an evident lack of such tools in the web3 security space. The security tooling panorama is fragmented, making it difficult for developers to learn, set up, and use the vast set of tools available with different capabilities.
Not only is the moment of open-sourcing security tooling code a balancing act for a security firm (as there might be some advantageous piece of research that gives some tooling a competitive edge), but the incentives may not be there to even start building it at all.
VC funds have admittedly gotten the incentives right when we talk about innovation in security and developer tooling. Since their business model is tied to the performance of several portfolio companies (which are hopefully a decent enough sample of the broader ecosystem), by enabling these teams to perform better, they will be increasing their gains. This translates into the creation of tools that, by proxy, are good for the ecosystem with positive feedback loops all over.
We should try to mimic the incentives at play in this last example as much as possible.
It’s time we do something. And we will.