Lamont29
Community Champion

Do they understand..?

I recently got interviewed for a security director’s position. It was advertised as Governance, Risk & Compliance. But by the time I got deep into the interview, I felt like what they really needed was a CCNP, MCSE & RHCE – along with the CISSP. Lucky for me, I can traverse a conversation of most any IT area since I have worked in IT for so long. I often wonder though if employers out there have the wrong idea about what a CISSP is and what we do.
I had to explain and advise more than a few employers interviewing me about their appropriate IT/HR needs. So, I hear senior management exclaim that industry certifications don't equate to 'performance', which I agree with in principle. But I am now thinking that maybe such leaders are not understanding their technical / security management needs. SMH.
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
17 Replies
Lamont29
Community Champion

@Steve-Wilme wrote:

And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.

And if they do want someone, they often want one person to do everything, which in a mid sized company just isn't humanly possible even if you work a 50 hour week every week.


This is nearly always the case for small to medium size businesses. They oftentimes have a poor understanding as to the time and energy that's required in these positions. Working more than 50 hours a week causes your good IT security personnel to seek greener pastures elsewhere. One can never negate the value of 'quality of life' in a career position.
Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Jaesimpson
Newcomer I

This scenario has happened to me. I find a job description that I fit, and practice interviewing based on that description. Then during the interview, instead of a security person, they want a DevOps person. It's extremely frustrating.

billybob
Newcomer I

I'm not sure what you mean. All I can say is that if you can't put hands on a keyboard and actually implement any security controls (harden an OS, properly configure a firewall, set up DNSSEC, set up a CA, run an actual pentest, etc), you have no business calling yourself a security professional. You should be clear that you are only a compliance professional. You don't need to be able to do everything - that's insanity. But if you don't have the technical ability and experience to do at least something security-related, and do it well, you simply aren't a security professional.

Employers should understand that "almost" anyone that would claim they could do it all is likely not being honest, and should put them to the test if they truly feel they've found a unicorn during the hiring process.
Baechle
Advocate I

James,
I've definitely been getting my share of Unicorn hunting calls/emails lately. Specifically, around the buzzword "Insider Threat".

I think what folks here are talking about is an advertisement for one position that turns out to be a different position entirely. An example from recent history is one that I got pitched by a headhunter:

The position of "Network Security Engineer" that requires a CISSP with a CCNA or CCDA, and either a CCNP or CCIE R&S highly desired. The position requires knowledge of the Cisco IOS command line, routing and switching protocols, cable plant design and management, and network security architecture.

I think many people, including myself, would see this as a senior level position. Someone possibly doing network planning and design, and able to quality check subordinates' work by reviewing configuration files or planned command sequences, and approving changes. When I got to the phone interview with the customer, it became apparent that they are looking for a router/switch installation technician. The CCNA/CCDA/Network+ level qualification was wholly appropriate. Possibly even a BICSI qualification as well for the cable plant responsibilities. There is absolutely no need for the CISSP, and a CCNP/CCIE would be severely overqualified. Not only that, but the salary range pitched is about 50% of what I expected and was more in line with an entry level person.

Sincerely,

Eric B.

billybob
Newcomer I

Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.
Lamont29
Community Champion

@billybob wrote:

Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.

Yeah,

That's why I proposed the very rhetorical question of "Do They Understand..?" I am arriving at the conclusion: "Of course they don't!" Yet, I see opportunity in the gap.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Baechle
Advocate I

James,

@billybob wrote:

Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

I agree. That is unfortunate, but it is also an opportunity for those of us with the CISSP to take leadership roles and fix the problem.

@billybob wrote:

In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.

That hasn't been my experience. I have to admit that I am one of your stereotypical non-technical CISSPs. I am somewhat intimidated and simultaneously bored by new technology. I was formerly in a hands-on role in network and business systems consulting... about 20 years ago.

In my professional travels, I have met two archetypes of CISSPs.

The first is your stereotype. My very first professional engagement was an IT Audit contract circa 1998. I will even admit to having come full circle by currently undertaking an Accounting degree rather than something in Tech.

The second, though, are amazing specialists! These are folks that are Network Engineers, Systems Engineers, Programmers and DevOps. With the CISSP, these careers, normally functioning in their silos and stovepipes, began to speak a common language and understand the impacts their security constraints had in other business units. They interfaced with facilities and security and were able to articulate protection needs. They interfaced with human resources and line managers and got feedback on access requirements. They jived with management accountants and budget analysts that wanted to know if a repair contract or on-hand spares for their gear were a better value.

If you haven't seen much of this second breed of CISSP, then man... you're missing out.

Eric B.

rslade
Influencer II

See also.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468