Sunday, February 16, 2014

Entry level hiring in InfoSec - the comedy of errors

I have a good friend who is trying to get work as an entry level InfoSec talent. He's a distinguished army vet, a family man, and genuinely the kind of person I'd love to live next door to. He's never really had specific work in Information Security, but he can talk processes, tools, and technologies and I feel like he's one of those rare people who get it when it comes to making relevant policy decisions for enterprise security.

I bring him up because the guy can't seem to get a break.

You see, he doesn't have any real InfoSec experience to speak of, and while he's doing the certifications thing and, as I've already said, he knows his stuff - it's a weird world out there. I started looking amongst my circles and the conclusion I'm reaching is that hiring, at the lower levels of the Information Security talent spectrum, is an absolute train wreck.

It seems that every entry level gig I've been able to dig up that would be even remotely worthwhile (for loose definitions of worthwhile) requires ~2 years experience and a CISSP. Say what?

He told me the other day that in an otherwise promising interview path he was asked about specific flags for tools like NMAP and others ... Say what?

So let me get this straight: to get an entry level job you have to already have 2+ years of relevant work experience and the ~5yrs of practical experience to have a CISSP? What definition of entry level does that match? Certainly not one I'm aware of.

What this industry is doing is effectively filtering out those who are eager to provide fresh perspectives and alternative viewpoints from the outside, at a time when we are absolutely desperate for that exact thing. I talked to a director of DFIR at a global financial services firm and he's actually stopped hiring people with infosec backgrounds and started hiring accountants and other types right out of college. Coincidentally he needs people who can do forensic accounting and DFIR work - but you can teach the tools and techniques needed to be a good response analyst, and you absolutely cannot fake the external perspective.

So why the hell is this happening? Myopia... new song, same lyrics as before.

Hiring managers who have no clue what they actually need look for 'penetration testers' and people who know the specific technologies they're currently using, thinking this makes a good employee. Wrong. You should never hire someone based on whether they're intimately familiar with the details of your current setup - hell, I would have failed many of these job interviews! What you should be looking for is someone who says "yes, I'm familiar with that tool, it does x, y, z, and the way to figure out the detailed command line switches is the --h flag (or whatever)" ...

Bottom line - you need people who can learn and are smart enough to know when they need to go look something up in an intelligent way. "I don't know that answer, but it'll take me 10 seconds to get it" should be more than adequate... but it's not, and these jobs are going to people who are from that same rut that we have a problem with now. People who do the same job, day in and day out, same technologies, same principles, and never think outside their little boxes. This is such a recipe for failure I can't even begin to express it here... just look around at your peers in the industry and you should see many examples of this.

/Rant over ... but seriously this is nuts.

On a serious note, if someone out there is looking for a strong analytic mind, someone who questions and has that special drive to be an InfoSec revolutionary while supporting and bettering your processes today... let me know, I'd love to help out a friend.

Saturday, February 1, 2014

Guest Post: Follow up to "Where Risk Calculations Fall Apart [Again]"

In a previous post, "Where Risk Calculations Fall Apart [Again]", I made the argument that a complex formula variable in a risk calculation like "likelihood-of-exploit" is essentially (at best) undesirable, and at worst detrimental if not nonsensical. I posted the blog link to Twitter and, as expected, debate struck up. I think I'm going to write another follow-up on this because there still seems to be some confusion as to what I am arguing ... I appreciate all the replies and discussion so far. I even received an email from a colleague who agreed with my viewpoint and had put together a very comprehensive reply but couldn't fit it into the comments section, so instead here it is in its entirety ... I encourage you to read Heath's lengthy, but extremely well-thought-out, reply.