I recently got interviewed for a security director’s position. It was advertised as Governance, Risk & Compliance. But by the time I got deep into the interview, I felt like what they really needed was a CCNP, MCSE & RHCE – along with the CISSP. Lucky for me, I can traverse a conversation of most any IT area since I have worked in IT for so long. I often wonder though if employers out there have the wrong idea about what a CISSP is and what we do.
I had to explain and advise more than a few employers interviewing me about their appropriate IT/HR needs. So, when I hear senior management exclaim that industry certifications don't equate to 'performance', I agree with that in principle. But I am now thinking that maybe such leaders are not understanding their technical / security management needs. SMH.
I have often found that Job Descriptions don't exactly go with what an organization is wanting a security professional to do. Particularly HR and most hiring managers want a CISSP to do everything related to security. In my discussions, I found the reason for this to be due to the number of domains covered in the CISSP exam.
Hello
Do they understand? Probably not at first, but hopefully after speaking with you they had a better understanding of their gap.
IMO, it is a hard question for most managers to figure out, i.e., what do they actually need for a skill set when it comes to security. I have met plenty of IT-centric managers that had no clue on security. Now, take a non-technical manager who is trying to fill a gap and they are throwing darts in the dark.
Just my thoughts.
Cheers
Tim
It is vital for the Hiring Manager(s)/leaders to know about the domain so that they can select the right candidate(s). I have seen that often many resources are not up to the mark for the job they are hired to do and they don't have the zeal to learn, which leads to a poor team that has a bigger responsibility.
@nagarajan wrote: It is vital for the Hiring Manager(s)/leaders to know about the domain so that they can select the right candidate(s).
Hello Nagarajan
While I agree the above statement should be true, the point I was driving at is that it is often not true, IMO.
Cheers
Tim
And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.
And if they do want someone, they often want one person to do everything, which in a mid-sized company just isn't humanly possible even if you work a 50-hour week every week.
Not sure business necessarily needs to know what it is we are supposed to be doing as much as they are responsible to keep an open mind and adjust both expectations and requirements as knowledge is gained. That's a bit long but true. Business needs to be open to a changing environment and find the best person, if not a number of people, to fill a position. Too often we do see these all-in-one roles that no one super-human could fill.
We as security practitioners need to be ready to do one of two things or lose credibility: educate the ignorant, or be prepared to walk away. It does no one any good to accept more work than one person could possibly accomplish in a reasonable amount of time.
Yes, I have had those conversations with prospects whose eyes are bigger than their budgets.
@tsutherburg wrote: Hello
Do they understand? Probably not at first, but hopefully after speaking with you they had a better understanding of their gap.
IMO, it is a hard question for most managers to figure out, i.e., what do they actually need for a skill set when it comes to security. I have met plenty of IT-centric managers that had no clue on security. Now, take a non-technical manager who is trying to fill a gap and they are throwing darts in the dark.
That's a great observation actually.
I know that ISC2 may want its professionals to be more security-focused in our careers, but I see a lot of lucrative opportunities in SALES..! Because of the dearth of understanding by senior managers in properly addressing their IT Security needs, this area seems to be wide open for certified professionals.
@Steve-Wilme wrote: And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.
And if they do want someone, they often want one person to do everything, which in a mid-sized company just isn't humanly possible even if you work a 50-hour week every week.
It's nice to know I'm not alone! 😄