Community Champion

Re: Do they understand..?


@Steve-Wilme wrote:

And I'm sure we've all been on the receiving end of looking at a job description that asked for CISSP, CISM, ISO 27K lead auditor, risk management and data protection knowledge to find that the hiring manager really wanted a firewall admin or sysadmin.

And if they do want someone, they often want one person to do everything, which in a mid sized company just isn't humanly possible even if you work a 50 hour week every week.


This is nearly always the case for small to medium size businesses. They oftentimes have a poor understanding as to the time and energy that's required in these positions. Working more than 50 hours a week causes your good IT security personnel to seek greener pastures elsewhere. One can never negate the value of 'quality of life' in a career position.

Lamont Robertson
M.S., M.A., CISSP, CISM, CISA, CRISC, CDPSE, MCSE
Newcomer I

Re: Do they understand..?

This scenario has happened to me. I find a job description that I fit and practice interviewing based on that description. Then, during the interview, instead of a security person, they want a DevOps person. It's extremely frustrating.

Newcomer I

Re: Do they understand..?

I'm not sure what you mean. All I can say is that if you can't put hands on a keyboard and actually implement any security controls (harden an OS, properly configure a firewall, set up DNSSEC, set up a CA, run an actual pentest, etc), you have no business calling yourself a security professional. You should be clear that you are only a compliance professional. You don't need to be able to do everything - that's insanity. But if you don't have the technical ability and experience to do at least something security-related, and do it well, you simply aren't a security professional.

Employers should understand that "almost" anyone that would claim they could do it all is likely not being honest, and should put them to the test if they truly feel they've found a unicorn during the hiring process.
Advocate I

Re: Do they understand..?

James,

I've definitely been getting my share of Unicorn hunting calls/emails lately. Specifically, around the buzzword "Insider Threat".

I think what folks here are talking about is an advertisement for one position that turns out to be a different position entirely. An example from recent history is one that I got pitched by a headhunter:

The position of "Network Security Engineer" that requires a CISSP with a CCNA or CCDA, and either a CCNP or CCIE R&S highly desired. The position requires knowledge of the Cisco IOS command line, routing and switching protocols, cable plant design and management, and network security architecture.


I think many people, including myself, would see this as a senior level position. Someone possibly doing network planning and design, and able to quality check subordinates' work by reviewing configuration files or planned command sequences, and approving changes. When I got to the phone interview with the customer, it became apparent that they are looking for a router/switch installation technician. The CCNA/CCDA/Network+ level qualification was wholly appropriate. Possibly even a BICSI qualification as well for the cable plant responsibilities. There is absolutely no need for the CISSP, and a CCNP/CCIE would be severely overqualified. Not only that, but the salary range pitched was about 50% of what I expected and more in line with an entry-level person.

Sincerely,

Eric B.

Newcomer I

Re: Do they understand..?

Yeah, understood. I believe employers are now looking at the CISSP as a basic requirement for any job with a security component. Which shouldn't be the case.

In all honesty, I have yet to meet a CISSP with much practical/technical security experience...most I've met are solely policy/compliance people. I personally sat for it because of exactly what you are describing - a requirement for a job application. Which is stupid - but unfortunately necessary.