Sunday, February 16, 2014

Entry level hiring in InfoSec - the comedy of errors

I have a good friend who is trying to get work as entry level InfoSec talent. He's a distinguished army vet, a family man, and genuinely the kind of person I'd love to live next door to. He's never really done specific work in Information Security, but he can talk processes, tools, and technologies, and I feel like he's one of those rare people who get it when it comes to making relevant policy decisions for enterprise security.

I bring him up because the guy can't seem to get a break.

You see, he doesn't have any real InfoSec experience to speak of, and while he's doing the certifications thing and, as I've already said, knows his stuff - it's a weird world out there. I started looking around my circles, and the conclusion I'm reaching is that hiring at the lower levels of the Information Security talent spectrum is an absolute train wreck.

Why?

It seems that every entry level gig I've been able to dig up that would be even remotely worthwhile (for loose definitions of worthwhile) requires ~2 years of experience and a CISSP. Say what?

He told me the other day that in an otherwise promising interview process he was asked about specific flags for tools like NMAP and others... Say what?

So let me get this straight... to get an entry level job you have to already have 2+ years of relevant work experience, plus the ~5 years of practical experience needed to hold a CISSP? What definition of entry level does that match? Certainly not one I'm aware of.

What this industry is doing is effectively filtering out those who are eager to bring fresh perspectives and alternative viewpoints from the outside, at a time when we are absolutely desperate for exactly that. I talked to a director of DFIR at a global financial services firm, and he has actually stopped hiring people with infosec backgrounds and started hiring accountants and other types right out of college. Coincidentally, he needs people who can do forensic accounting and DFIR work - but you can teach the tools and techniques that make a good response analyst, and you absolutely cannot fake the external perspective.

So why the hell is this happening? Myopia... new song, same lyrics as before.

Hiring managers who have no clue what they actually need look for 'penetration testers' and people who know the specific technologies they're currently using, thinking this makes a good employee. Wrong. You should never hire someone based on whether they're intimately familiar with the details of your current setup - hell, I would have failed many of these job interviews! What you should be looking for is someone who says "yes, I'm familiar with that tool, it does x, y, z, and the way to figure out the detailed command line switches is the --h flag (or whatever)"...

Bottom line - you need people who can learn and are smart enough to know when they need to go look something up, and how to do so intelligently. "I don't know that answer, but it'll take me 10 seconds to get it" should be more than adequate... but it's not, and these jobs are going to people from the same rut we have a problem with now: people who do the same job, day in and day out, same technologies, same principles, and never think outside their little boxes. This is such a recipe for failure I can't even begin to express it here... just look around at your peers in the industry and you should see many examples of this.

/Rant over... but seriously, this is nuts.

On a serious note, if someone out there is looking for a strong analytic mind, someone who questions things and has that special drive to be an InfoSec revolutionary while supporting and bettering your processes today... let me know, I'd love to help out a friend.

3 comments:

Rodney McKee said...

We are looking for someone at Aconex. http://bit.ly/1jvng25

Or drop me a line at rodney(dot)mckee(@)aconex.com

Pytha said...

Every hiring manager for InfoSec needs to read this.

ScreamingByte said...

Thanks to the effort of the InfoSec community, Rafal in particular, and to Rodney, I have found gainful employment as a security analyst. I am finally able to contribute my ideas and skills and provide for my family as they deserve.

But this isn't about just me. It's about the issue of hiring in InfoSec in general. People who see this issue must take a stand to help effect meaningful change. I'm proud to be a security analyst with a GREAT group of people, and I know there are others out there who are still left out in the cold.
