Is there an issue of skills within information or cyber security? Yes, without a doubt. But it's not the way you think...the dilemma is not one of a lack of qualified and skilled practitioners, it's one of a lack of skilled managers.

Okay, caveat time...if you're a manager, you might want to stop reading. If you get butt-hurt easily, you might not want to continue on beyond this point. Just sayin'...

I read Scott Scanlon's "The Hunt for Cyber Security Leadership Intensifies" article recently, and I have to say, having been in the industry for the past 19-some-odd years, I have a different perspective on the issue. The second sentence of Scott's article, referring to executive recruiters, says, "But they are finding a lack of qualified candidates just as companies put a greater emphasis and give a higher priority to corporate security." It's not my intention to take anything away from Scott, nor am I suggesting that he's incorrect. I'm simply saying that I have a different perspective. In doing so, I'd like to take a look at that sentence specifically: what constitutes a "qualified candidate", and who decides? If you're finding a lack of "qualified candidates", how are you looking?

Let's look at the process of finding a "qualified candidate".

Job Posting

Who writes job postings or position descriptions? Managers. Are you a manager? Write a description for a position you need to fill. Now, ball it up and throw it away, because you're wrong.

Here's what I mean...I was engaged in a thread recently on LinkedIn, where an employee of a company had posted two position descriptions, one for a threat intel analyst. When I read the position qualifications, one of the stated requirements was a familiarity with "EnCase or FTK". I was curious, so I asked why that was a requirement, and the employee who shared the links didn't know. Shortly thereafter, one of the C-level execs from the company responded, saying that it wasn't a requirement.

Then why say that it is? Have you ever seen those position descriptions? "The candidate MUST have a CISSP, EnCE, etc." Really?

Running the Gauntlet

Position descriptions are passed from the manager to HR or a recruiting firm, who become the gatekeepers. Most of the recruiters I've encountered have no experience in the information security field themselves...they're recruiters. So for them, the position description is a set-in-stone road map, and the words used by the hiring manager become the round holes in the board. I once worked at a company where, after I was hired, one of the recruiters stated publicly that when they receive a resume from a candidate for a position in information security, they search the resume for the term "information security", and if they don't find it at least 4 times, they throw the resume out.

What about qualifications? The hiring manager includes CISSP and EnCE as "requirements", but doesn't tell the recruiter that they really aren't requirements. So, the recruiter looks at resumes, and if CISSP AND EnCE aren't listed, you don't pass GO and you don't collect $200.

So the question then becomes, how does someone who's qualified pass through that gauntlet and get an actual interview? I came up in the industry before there were courses you could take, and a lot of what I know is self-taught. I know enough about EnCase and FTK to know when they're suitable for use. I'm not suggesting that I'm a "qualified candidate", but if I was, how would anyone know?

Interviewing a Candidate

I'll be 100% with you...most of the people I've encountered while interviewing don't know how to interview. We all like to think that we're good at it, but the simple fact is that we don't know how to interview. When I first got out of the military, I interviewed at a defense contractor, and had four hours of interviews with different departments scheduled. At the beginning of the first interview of the day, the senior manager started off by telling me, very clearly, that he'd run all of my qualifications through a model that he'd developed, and he'd determined how much I would make in my first job. This was before he even spoke to me or got to know me. That's not how to conduct an interview...and I made considerably more than what his model showed in my first job.

A great way to lose a candidate is to take them around the office, surprising members of your team by dropping the candidate off for a spur-of-the-moment interview.

Look, I've been on both sides of the fence in 19 years. When I was getting out of the military, I had to take classes in how to interview. What made it disheartening was that the people I was interviewing with had NO training at all. All the preparation in the world cannot stand up to the first question in an interview being, "so...why are you here?"

I've also been responsible for conducting interviews. I've seen people lie on their resume, simply to make it past the recruiter gauntlet and get an interview. I've had interviews go really well, and some that didn't go well. I've also been in a position where someone was hired to support the work that I did, and I was not involved in the process, at any level. In fact, in that case, I wasn't even aware of the vision or business decision for filling the position...all I know is that I heard a discussion in the hallway about offering this person a signing bonus.

The Reality of the Position

What is the reality of the position itself? Yeah, I know what the job description says about the position and the company (words like "dynamic" are used), but all bullsh*t aside, what's the reality? Is the actual work position in the heart of a major city? As someone who lives outside of a major city (way outside), I know better than to try to drive into the city for the odd social event...and you want me to drive into the city every day as part of the job? I thought the position description said that your company values "quality of life"....

What about the actual work itself? In my time, I've worked for a couple of contracting firms, supporting federal law enforcement. In both cases, a lot of very positive things were said about the position. When I supported a CSIRT, it took me 8 months to get my agency-specific clearance, and in that time, I found out that the CSIRT didn't actually respond to anything; if they happened to find out that something happened, they had to request that someone from network ops run a tool (just one) on the suspect system. When I found out that the one tool was one that simply listed processes, I suggested that along with the process, we also get the path to the executable image (for context), and the person I suggested this to got offended. In the other position, all of the case agents would take their work to one or two analysts, while the rest of us got really good at Solitaire.

If you're a contractor and having trouble finding "qualified candidates", then the issue may be one of the positions you're filling themselves. I've spent time with contracting firms whose business model is to be a seat-filler, and to be honest, I can see why they're having trouble finding qualified candidates. I'm not talking about being cynical about the position or the company...I'm talking about being honest about it, that's all. After all, if you're not honest about the position, it's going to be a revolving door of candidates. As bad as it sounds, a worse outcome is having someone realize how it is, and stay.

So, my point is that there are, in fact, highly skilled individuals in the cyber arena. Many of them have time in the industry, have learned a lot of the lessons I've described (and more), and have created for themselves an environment where they're happy. Some of the highly qualified but relatively new individuals in the industry have gravitated to the more experienced folks, and are similarly very happy. Rather than repeating the "lack of qualified candidates" mantra, take a good hard look at what you're doing to find those candidates. Is it the process you're using? Is it the business model that needs to be changed? Or, consider "rolling your own"...use your current expertise to develop and grow new expertise.
Source: the "Windows Incident Response" blog.