topic Re: Do they understand..? in Career Discussions

Do they understand..?

Lamont29 — Tue, 10 Apr 2018 21:33:39 GMT

I recently got interviewed for a security director’s position. It was advertised as Governance, Risk & Compliance. But by the time I got deep into the interview, I felt like what they really needed was a CCNP, MCSE & RHCE – along with the CISSP. Lucky for me, I can traverse a conversation of most any IT area since I have worked in IT for so long. I often wonder though if employers out there have the wrong idea about what a CISSP is and what we do.

I had to explain and advise more than a few employers interviewing me about their appropriate IT/HR needs. So, when I hear senior management exclaim that industry certifications don’t equate to ‘performance’ which I agree with in principle. But I am now thinking that maybe such leaders are not understanding their technical / security management needs. SMH.

Re: Do they understand..?

nagarajan — Wed, 11 Apr 2018 03:52:45 GMT

I have often found that Job Descriptions don't exactly go with what an organization is wanting a security professional to do. Particularly HR and most hiring managers want a CISSP to do everything related to security. In my discussions, I found the reason for this to be due to the number of domains covered in the CISSP exam.

Re: Do they understand..?

tsutherburg — Wed, 11 Apr 2018 11:42:12 GMT

Hello

Do they understand? Probably not at first, but hopefully after speaking with you they had a better understanding of their gap.

IMO, it is a hard question for most managers to figure out. IE what do they actually need for a skill set when it comes to security. I have met plenty of IT-centric managers that had no clue on security. Now, take a non-technical manager who is trying to fill a gap and they are throwing darts in the dark.

Just my thoughts.

Cheers

Tim

Re: Do they understand..?

nagarajan — Wed, 11 Apr 2018 17:15:03 GMT

It is vital for the Hiring Manager(s)/leaders to know about the domain so that they can select right candidate(s). I have seen that often many resources are not up to the mark for the job they are hired to do and they don't have the zeal to learn which leads to a poor team which has a bigger responsibility.

Re: Do they understand..?

tsutherburg — Wed, 11 Apr 2018 17:43:35 GMT

@nagarajanwrote:
It is vital for the Hiring Manager(s)/leaders to know about the domain so that they can select right candidate(s).

Hell Nagarajan

While I agree the above statement should be true, the point I was driving at, is that it often not true, IMO.

Cheers

Tim

Re: Do they understand..?

Steve-Wilme — Wed, 02 May 2018 12:17:17 GMT

And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.

And if they do want someone, they often want one person to do everything, which in a mid sized company just isn't humanly possible even if you work a 50 hour week every week.

Re: Do they understand..?

Lamont29 — Wed, 02 May 2018 14:21:03 GMT

Yes. That's exactly what I'm talking about Steve! What I've learned is to get as much out of the phone interview as I can. One recent contract opportunity went wayward because the recruiter had no idea what the requirements were. She was confused as to whether the primary requirement was project management or GRC. I suggested that they were not mutually exclusive, which enraged her and we went no further. But I did not want to formally attend an interview that I had no idea of the requirements. Those interviews rarely goes well in my opinion.

Re: Do they understand..?

Beads — Wed, 02 May 2018 20:11:18 GMT

Not sure business necessarily needs to know what it is we are supposed to be doing as much as they are responsible to keep an open mind and adjust both expectations and requirements as knowledge is gained. That's a bit long but true. Business needs to be open a changing environment and find the best person, if not a number of people to fill a position. Too often we do see these all-in-one roles that no one super-human could fill.

We as security practitioners need to be ready to do one of two things or loose credibility: Educate the ignorant; or be prepared to walk away. Its does no one any good to accept more work than one person could possibly accomplish in a reasonable amount of time.

Yes, I have had those conversations with prospects whose eyes are bigger than their budgets.

Re: Do they understand..?

Lamont29 — Thu, 03 May 2018 17:33:31 GMT

@tsutherburgwrote:
Hello

Do they understand? Probably not at first, but hopefully after speaking with you they had a better understanding of their gap.

IMO, it is a hard question for most managers to figure out. IE what do they actually need for a skill set when it comes to security. I have met plenty of IT-centric managers that had no clue on security. Now, take a non-technical manager who is trying to fill a gap and they are throwing darts in the dark.

That's a great observation actually.

I know that ISC2 may want its professionals to be more security-focused in our careers, but I see a lot of lucrative opportunities in SALES..! Because of the dearth of understanding by senior managers in properly addressing their IT Security needs, this area seems to be wide open for certified professionals.

Re: Do they understand..?

Baechle — Thu, 03 May 2018 17:51:53 GMT

@Steve-Wilmewrote:
And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.

And if they do want someone, they often want one person to do everything, which in a mid sized company just isn't humanly possible even if you work a 50 hour week every week.

It's nice to know I'm not alone! 😄

Re: Do they understand..?

Lamont29 — Thu, 03 May 2018 20:00:11 GMT

@Steve-Wilmewrote:
And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.

And if they do want someone, they often want one person to do everything, which in a mid sized company just isn't humanly possible even if you work a 50 hour week every week.

This is nearly always the case for small to medium size businesses. They often times have a poor understanding as to the time and energy that's required in these positions. Working more than 50 hours a week causes your good IT security personnel to seek greener pastures elsewhere. One can never negate the value of 'quality of life' in a career position.

Re: Do they understand..?

Jaesimpson — Thu, 03 May 2018 20:50:13 GMT

This scenario has happened to me. I find a job description that I fit, practice interview based on that description. Then during the interview and instead of a security person, they want a Dev-ops person. It's extremely frustrating.

Re: Do they understand..?

billybob — Thu, 03 May 2018 23:30:48 GMT

I'm not sure what you mean. All I can say is that if you can't put hands on a keyboard and actually implement any security controls (harden an OS, properly configure a firewall, set up DNSSEC, set up a CA, run an actual pentest, etc), you have no business calling yourself a security professional. You should be clear that you are only a compliance professional. You don't need to be able to do everything - that's insanity. But if you don't have the technical ability and experience to do at least something security-related, and do it well, you simply aren't a security professional.

Employers should understand that "almost" anyone that would claim they could do it all is likely not being honest, and should put them to the test if they truly feel they've found a unicorn during the hiring process.

Re: Do they understand..?

Baechle — Fri, 04 May 2018 16:00:51 GMT

James,

I’ve definitely been getting my share of Unicorn hunting calls/emails lately. Specifically, around the buzzword “Insider Threat”.

I think what folks here are talking about is an advertisement for one position that turns out to be a different position entirely. An example from recent history is one that I got pitched by a headhunter:

The position of “Network Security Engineer” that requires a CISSP with a CCNA or CCDA, and either a CCNP or CCIE R&S highly desired. The position requires knowledge of the Cisco IOS command line, routing and switching protocols, cable plant design and management, and network security architecture.

I think many people, including myself, would see this as a senior level position. Someone possibly doing network planning and design, and able to quality check subordinate’s work by reviewing configuration files or planned command sequences, and approving changes. When I got to the phone interview with the customer, it became apparent that they are looking for a router/switch installation technician. The CCNA/CCDA/Network+ level qualification was wholly appropriate. Possibly even a BICSI qualification as well for the cable plant responsibilities. There is absolutely no need for the CISSP, and a CCNP/CCIE would be severely overqualified. Not only that but the salary range pitch is about 50% of what I expected and was more in line with an entry level person.

Sincerely,

Eric B.

Re: Do they understand..?

billybob — Sat, 05 May 2018 02:37:37 GMT

Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.

Re: Do they understand..?

Lamont29 — Mon, 07 May 2018 19:15:36 GMT

@billybobwrote:
Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.

Yeah,

That why I proposed the very rhetorical question of "Do They Understand..?" I am arriving at the conclusion: "Of course they don't!" Yet, I see opportunity in the gap.

Re: Do they understand..?

Baechle — Mon, 07 May 2018 21:17:03 GMT

James,

@billybobwrote:
Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

I agree. That is unfortunate, but it is also an opportunity for those of us with the CISSP to take leadership roles and fix the problem.

@billybobwrote:
In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.

That hasn’t been my experience. I have to admit that I am one of your stereotypical non-technical CISSPs. I am somewhat intimidated and simultaneously bored by new technology. I was formerly in a hands-on role in network and business systems consulting… about 20 years ago.

In my professional travels, I have met two archetypes of CISSPs.

The first is your stereotype. My very first professional engagement was an IT Audit contract circa 1998. I will even admit to having come full circle by currently undertaking an Accounting degree rather than something in Tech.

The second, though are amazing specialists! These are folks that are Network Engineers, Systems Engineers, Programmers and DevOps. With the CISSP these careers normally functioning in their silos and stovepipes began to speak a common language and understand the impacts their security constraints had in other business units. They interfaced with facilities and security and were able to articulate protection needs. They interfaced with human resources and line managers and got feedback on access requirements. They jived with management accountants and budget analysts that wanted to know if a repair contract or on-hand spares for their gear were a better value.

If you haven’t seen much of this second breed of CISSP, then man… you’re missing out.

Eric B.

Re: Do they understand..?

rslade — Fri, 17 Aug 2018 19:16:25 GMT