An Unrealistic Job Posting? - IT Security Engineer III - Active Directory

So i just came across this.. and when i read it...I was just stunned. You really gotta watch out for stuff like this.. Googling some of this description, listed a few Staffing agencies who have " tried to fill the position. " Which further tells me, this post is even more questionable..

a few things...

1) Who in the world is experienced in Coding or basically a Programmer, and has Security experience?

2) Why would anyone with a Security related certification, have any know-how of Active Directory? I mean the 2 just dont mix.

3) On top of all of that, who would have Unix, Linux, BSD, or Cisco iOS experience to go along with it?

4) No mention of a Linux+, Cisco Cert or Microsoft Cert, which in reality is what they are really after?

5) They want someone with HIPPA and SLA experience but they dont even mention ITIL?

Just a terrible, horrible job posting.

JOB SUMMARY
Designs, develops, configures, and implements solutions to resolve complex and highly complex technical and business issues related to related to information security, identity management, user access authentication, authorization, user provisioning, and role-based access control.
Designs, develops, and implements solutions to successfully integrate new information security and identity management systems with the existing architecture.
Provides end-user support as directed by management and works on multiple functions of high complexity. Identifies and recommends functional, technological and/or control solutions.
May drive one or more projects as part of a Security or Security Risk Management team.
Acts as a subject matter expert (SME) for one or more security, IDM, or risk management areas.
May act as team-lead for other security or risk management personnel.

ESSENTIAL FUNCTIONS
Coaches and trains engineers integration of systems, including but not limited to databases, applications, network elements and devices, and data storage
Guides an mentors engineers on the development of custom scripts, programs, and application interfaces to enhance existing monitoring infrastructure as part of project team efforts
Pursue continuing education to maintain advanced knowledge of best practices, compliance requirements, and threats and trends in identity management and information security, translating into operational action items, policies, procedures, standards and guidelines as part of the IT Security team
Develop root-cause analysis strategies to determine improvement opportunities when failures occur. Contribute as lead and SME on incident research and resolution when appropriate, mentoring incident team members
Assist in Continual Service Improvement efforts by identifying, and sometimes leading, opportunities for process improvement
Manage workload, prioritizing tasks and documenting time, and other duties.
Provides training, coaching, and mentoring for Engineers and Senior Engineers in the IT Security organization
Assists management in the definition of cross-platform information security and/or identity management policies and procedures as well as a senior contributor on departmental (IT Security) standard operating procedures, processes and guidelines.
Drive and participate in the collection and documentation of departmental knowledge artifacts; key participant in the development, population, and championing of knowledge management and collaboration systems for the IT Security team.
Communicates complex technical information to team members and all levels of management.
Provides identity management advice and support for network systems and applications

Act as a security advocate for IT operations team"s adherence to Dignity Health policies and industry best practices

Mentors and guides fellow engineers in the selection, installation, integration, configuration, and maintenance of information security systems.
Defines Information Security frameworks for existing and new systems.
Review and perfect diagrams, maps, and documentation of interrelated architecture and systems, pro-actively review solutions to determine possible failure points, coaching engineers accordingly.

EXPERIENCE

6+ years" experience in enterprise-scale information security engineering and operations required.

Experience evaluating and implementing new hardware and software solutions and managing vendor support/SLA required.

Experience with UNIX/Linux/BSD operating systems preferred.
4+ years technical project experience designing, developing, integrating, and implementing solutions to resolve complex technical and business issues preferred.
Coding experience and proficiency (e.g. Python, Perl, Ruby, PowerShell, Java, bash, etc) preferred
Experience in Windows Office (Work, Excel, etc) required.
Experience in UNIX/Linux OS and/or Cisco IOS strongly preferred.

EDUCATION
Bachelor"s Degree in Computer Science, Information Security, Information Systems, or related field, or equivalent professional experience required.

TRAINING/CERTIFICATIONS
Two or more relevant technical/professional security certifications (such as: COMP-TIA Network+ , Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific) required.

SPECIAL SKILLS
Proficient understanding of regulatory and compliance mandates, including but not limited to HIPAA, HITECH, PCI, Sarbanes-Oxley preferred.

Find more posts tagged with

Comments

docrice

These people are rare, but they exist. Many security engineers definitely have AD experience along with Linux and network management. Scripting is a common skill, perhaps even coding (although that's more rare).

I don't have a programming background, but I've done AD/Windows, Linux, IOS, ASA, other networking/security devices, endpoint management, etc.. I don't have the auditing or compliance/governance background, but some out there might along with everything else.

joelsfood

There are definitely people out there that fit this. You have to have security knowledgeable people who can code to write the security apps that we all use. Similarly, you can't write and enforce security policies for active directory unless you have some idea of how they work.

That being said, a lot of the time a post like this is casting the widest net, and then use interviews to find someone who is the actual best match they can find for the job.

d4nz1g

Why is it horrible? Just because you don't fit on it?

They are looking for a real Security ENGINEER, with reverse engineering, coding and infrastructure experience. It is not unrealistic.

castagnolac

I see postings with similar lists of qualifications all the time. I'm sure there are a few people out there with all of these skills, but they are likely few and far between. Just about every security job posting I'm seeing recently has need for Linux and Active Directory, a few have called for programming skills such as PHP, Perl, etc. I'm just wishing I had all those skills!

Thechainremains

d4nz1g wrote: »

Why is it horrible? Just because you don't fit on it?

They are looking for a real Security ENGINEER, with reverse engineering, coding and infrastructure experience. It is not unrealistic.

NO.

It's horrible because Employers like to copy off each other.. meaning.. if two or three start doing it, than another 5 or 6 will.. Sooner or later.. their will be quarter of the job market looking for ridiculous skill sets that no one will have.

If they wanted a real security engineer, they would have asked for more Certs like Microsoft/Linux/Cisco. Then at that point.. it makes sense.. but the combination of all those random certs, just doesnt make sense at all..

It's all over the place.. That's why it's a horrible job description.

Thechainremains

castagnolac wrote: »

I see postings with similar lists of qualifications all the time. I'm sure there are a few people out there with all of these skills, but they are likely few and far between. Just about every security job posting I'm seeing recently has need for Linux and Active Directory, a few have called for programming skills such as PHP, Perl, etc. I'm just wishing I had all those skills!

We all wish we had every skill.. You and me both.

If I had serious programming skills I dont think I would be looking for to work at an employer.. I'd be on my 10th Apple or Android app, raking in the royalty income.

Expect

I'm sorry but this is far from being an unrealistic job description

Security engineers need wide range of experience in many fields, active directory goes under the access control field which is one of the specialties a security guy must have under his/her belt.

regarding coding, knowing how to code doesn't necessarily mean you have to have a BSc in computer science, you could very well know how to code in Python/PHP/any other and be able to udnerstand languages that you may not necessarily have coding experience in.

to be able to call yourself a good security engineer you can't just know Microsoft server. I personally know security engineers who are at instructor level of expertise in both Linux and WIndows paltforms, know how to code in various languages and have good understanding in web development.

take this one for example:
you purchased a monitoring system from vendor A. vendor A provides you with a Linux image that you simply need to deploy into your VMware vCenter for example, and the web application is ready to use out of the box.

how will you audit this? you need to udnerstand how Linux hardening works, how to configure your firewall iptable, which sysctl directives are important, which services can be disabled, how to define password policies and expirations. and I'm just talking about OS-level here, what about the web application itself? you need to understand the various attack vectors and weaknesses a web-application might have. Stored/Reflected/DOM XSS, XXE, CSRF, yadda yadda yadda.

Change the scenario so that vendor A provides you with a Microsoft based image, now you need to understand how to harden a microsoft server. a completely different field of expertise under security.

In this simple example I have already covered network security, Linux security and web application security...does that sound unrealistic to you? it's the day-to-day work of good security people.

Thechainremains

Expect wrote: »

I'm sorry but this is far from being an unrealistic job description

Security engineers need wide range of experience in many fields, active directory goes under the access control field which is one of the specialties a security guy must have under his/her belt.

regarding coding, knowing how to code doesn't necessarily mean you have to have a BSc in computer science, you could very well know how to code in Python/PHP/any other and be able to udnerstand languages that you may not necessarily have coding experience in.

to be able to call yourself a good security engineer you can't just know Microsoft server. I personally know security engineers who are at instructor level of expertise in both Linux and WIndows paltforms, know how to code in various languages and have good understanding in web development.

I didnt say it had to be all Microsoft Certs.. Im guessing your hinting at the current certs I have...

Just look at this: such as: COMP-TIA Network+ , Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific.

Now you tell me, if any of that spells out having expertise in Linux or Windows?

You could be a Department of Defense Security Guru.. and not know Windows Server.. Again i am just saying this posting is just Misguided..

Expect

Thechainremains wrote: »

I didnt say it had to be all Microsoft Certs.. Im guessing your hinting at the current certs I have...

Just look at this: such as: COMP-TIA Network+ , Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific.

Now you tell me, if any of that spells out having expertise in Linux or Windows?

You could be a Department of Defense Security Guru.. and not know Windows Server.. Again i am just saying this posting is just Misguided..

TBH, i haven't bothered looking at anyones certs, I simply gave an example which involved microsoft server.
and for your question, no, the certs do not spell out having expertise in linux or windows, but security related roles often combine both becasue most networks involve both Linux and Microsoft servers.

regarding the certs portion of the job description:

TRAINING/CERTIFICATIONS
Two or more relevant technical/professional security certifications (such as: COMP-TIA Network+ , Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific) required.

they obviously can't list all possible certs, they clearly stated 'such as', doesn't have to be any of those to my understanding...

aftereffector

This looks like a good job posting from a company that knows more or less what they want. From the first sentence of the Job Summary:

Designs, develops, configures, and implements solutions to resolve complex and highly complex technical and business issues related to related to information security, identity management, user access authentication, authorization, user provisioning, and role-based access control.

RBAC, that's your Active Directory requirement right there.

Guides an mentors engineers on the development of custom scripts, programs, and application interfaces to enhance existing monitoring infrastructure as part of project team efforts

And there's your coding or scripting. The EXPERIENCE section asks for Python, Perl, Ruby, PowerShell, Java, bash, etc., which are mostly scripting and API languages. Any good security engineer with 6+ years of experience (another requirement) will pick up some scripting along the way just to make her life easier.

Experience in UNIX/Linux OS and/or Cisco IOS strongly preferred.

Looks like they have UNIX/Linux systems and Cisco networking devices as well as some Microsoft workstations. As a security engineer, you would need to know how to harden all three of those types of systems - Windows, Linux, and Cisco IOS. The posting isn't looking for a network engineer or systems administrator, which is why they didn't list CCNA/CCNP or MSCA/MSCE as a required certification, but the engineer is still going to have to be familiar with the security ramifications of all of that technology.

TRAINING/CERTIFICATIONS
Two or more relevant technical/professional security certifications (such as: COMP-TIA Network+ , Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific) required.

And there are the security-specific cert requirements. Overall, this looks like a pretty standard job listing for a SECURITY engineer - emphasis mine.

MTciscoguy

I don't find it to be unreasonable at all, I have experience in many of those areas and worked on a lot of that type of systems while I was in security and intelligence gathering while at the Pentagon, I had many guys and gals that work for or with me that had those skills as well. I have worked on computers and different operating systems, programming, scripting, etc for over 30 years. So from my standpoint and knowledge level it looks like a very good in depth job listing with the specifics that this company wants and requires.

xnx

Not unreasonable, these type of people are those who DESERVE a high paying job

d4nz1g

Yea, maybe they are looking for a pentester.
Not every security positions are all about watching logs and configuring proxy/firewall rules.

Mitechniq

The position is exactly what I do...

I am on a Systems Engineering and Technical Assistance (SETA) contract for the Department of the Army.
[h=3][/h]

rsutton

You seem mad... because the employer wants someone with a variety of specific skill sets, and you are worried other employers will copy that? If employers can find these candidates then kudos to them. If they can't they will need to revise their expectations. Why worry about something that is completely out of your control, and has little basis to legitimately be concerned?

NetworkNewb

Honestly this sounds like position I would want in a few years... right now I do systems support, and currently working on my networking certs, and after that I plan on learning python and working on my security certs....

MTciscoguy

Mitechniq wrote: »

The position is exactly what I do...

I am on a Systems Engineering and Technical Assistance (SETA) contract for the Department of the Army.

Exactly, when I was in the Army, we contracted a lot of people with your skill set.

NotHackingYou

Many of the security folks I know have a development and sysadmin/networking background so this doesn't seem to far fetched to me.

MrAgent

Doesnt sound too far fetched to me as well. I have a majority of that experience, minus the programming aspect.
I do know security, *nix, and AD pretty well.

Thechainremains

I guess I (myself) must be a narrow minded fool. If i had that kind of experience, they couldnt pay ME enough to do that job..

I would be asking for $175,000 a year at the minimum.. at that point they may as well hire 3 people and just pay them cheaply.

beads

Sounds like my job a couple of years ago to be frank about it. Nothing wrong with the description at all other than some of the wording does appear to be boiler plated in from another source.

As an engineer you should really have a decent idea as to how to write and run a script, sheesh. Sounds like a fairly small shop with intent to grow. Did you recognize the name of the company? Dignity? Know what they do? If not go check them out. Surprised no one bothered to say something. I can only imagine the company promotional posters around the office. Cherie!

Would this be difficult to fill? Yes, thats why people like me have a phone and voicemail that's always full and I leave it that way on purpose. I am also overqualified for this position. But that isn't why they are, most likely, unable to fill this position. They probably want a very senior engineer type for a bargain basement price. Been pitched many a JD (Job Description) and sounded really fascinating only to find out they want to pay 50k less than what I currently make. Heard it all to often, thanks.

So what if this isn't your dream security job. For the right person with a bunch of certs and no experience it could be there ticket to big bucks and bigger headaches. Chances are that is who will end up filling this position and why its been "hard to fill".

- b/eads

aftereffector

Looks like this one:

IT Security Engineer III at Dignity Health (Phoenix, AZ)
IT Security Engineer III - Active Directory Engineer Jobs in Phoenix, AZ - Dignity Health

NetworkNewb

So you wouldn't learn a programming language and get a security certification for $175k a year? Looks like you got most of the other stuff they are asking.

Partyball

I wish there were positions like that around my area of the woods. Right up my alley. A security position here might open up once every 5 years.

dou2ble

Thechainremains wrote: »

NO.
If they wanted a real security engineer, they would have asked for more Certs like Microsoft/Linux/Cisco. Then at that point.. it makes sense.. but the combination of all those random certs, just doesnt make sense at all..

I have to disagree with your comment about "real security engineer". I work with CCIE's, Linux guys, and Microsoft consultants and they aren't security engineers. They can certainly address security requirements but they don't know how to identify risk and security laws and regulations. They spend their time building a solution and I advise on how to create it securely. I do the risk assessment and recommendations, they do the clicking and required research to build security into the solution. Together we get it ready for certification. It's also part of the SoD. They focus on functionality and security focuses on risk. I have some knowledge and experience in servers and networking but I look at networks from a different perspective then they do. This has been my security engineering and IT audit experience in commercial and Federal work.

TheProfezzor

Thechainremains wrote: »

So i just came across this.. and when i read it...I was just stunned. You really gotta watch out for stuff like this.. Googling some of this description, listed a few Staffing agencies who have " tried to fill the position. " Which further tells me, this post is even more questionable..

a few things...

1) Who in the world is experienced in Coding or basically a Programmer, and has Security experience?

2) Why would anyone with a Security related certification, have any know-how of Active Directory? I mean the 2 just dont mix.

3) On top of all of that, who would have Unix, Linux, BSD, or Cisco iOS experience to go along with it?

4) No mention of a Linux+, Cisco Cert or Microsoft Cert, which in reality is what they are really after?

5) They want someone with HIPPA and SLA experience but they dont even mention ITIL?

Just a terrible, horrible job posting.

JOB SUMMARY
Designs, develops, configures, and implements solutions to resolve complex and highly complex technical and business issues related to related to information security, identity management, user access authentication, authorization, user provisioning, and role-based access control.
Designs, develops, and implements solutions to successfully integrate new information security and identity management systems with the existing architecture.
Provides end-user support as directed by management and works on multiple functions of high complexity. Identifies and recommends functional, technological and/or control solutions.
May drive one or more projects as part of a Security or Security Risk Management team.
Acts as a subject matter expert (SME) for one or more security, IDM, or risk management areas.
May act as team-lead for other security or risk management personnel.

ESSENTIAL FUNCTIONS
Coaches and trains engineers integration of systems, including but not limited to databases, applications, network elements and devices, and data storage
Guides an mentors engineers on the development of custom scripts, programs, and application interfaces to enhance existing monitoring infrastructure as part of project team efforts
Pursue continuing education to maintain advanced knowledge of best practices, compliance requirements, and threats and trends in identity management and information security, translating into operational action items, policies, procedures, standards and guidelines as part of the IT Security team
Develop root-cause analysis strategies to determine improvement opportunities when failures occur. Contribute as lead and SME on incident research and resolution when appropriate, mentoring incident team members
Assist in Continual Service Improvement efforts by identifying, and sometimes leading, opportunities for process improvement
Manage workload, prioritizing tasks and documenting time, and other duties.
Provides training, coaching, and mentoring for Engineers and Senior Engineers in the IT Security organization
Assists management in the definition of cross-platform information security and/or identity management policies and procedures as well as a senior contributor on departmental (IT Security) standard operating procedures, processes and guidelines.
Drive and participate in the collection and documentation of departmental knowledge artifacts; key participant in the development, population, and championing of knowledge management and collaboration systems for the IT Security team.
Communicates complex technical information to team members and all levels of management.
Provides identity management advice and support for network systems and applications

Act as a security advocate for IT operations team"s adherence to Dignity Health policies and industry best practices

Mentors and guides fellow engineers in the selection, installation, integration, configuration, and maintenance of information security systems.
Defines Information Security frameworks for existing and new systems.
Review and perfect diagrams, maps, and documentation of interrelated architecture and systems, pro-actively review solutions to determine possible failure points, coaching engineers accordingly.

EXPERIENCE

6+ years" experience in enterprise-scale information security engineering and operations required.

Experience evaluating and implementing new hardware and software solutions and managing vendor support/SLA required.

Experience with UNIX/Linux/BSD operating systems preferred.
4+ years technical project experience designing, developing, integrating, and implementing solutions to resolve complex technical and business issues preferred.
Coding experience and proficiency (e.g. Python, Perl, Ruby, PowerShell, Java, bash, etc) preferred
Experience in Windows Office (Work, Excel, etc) required.
Experience in UNIX/Linux OS and/or Cisco IOS strongly preferred.

EDUCATION
Bachelor"s Degree in Computer Science, Information Security, Information Systems, or related field, or equivalent professional experience required.

TRAINING/CERTIFICATIONS
Two or more relevant technical/professional security certifications (such as: COMP-TIA Network+ , Security+, SANS GIAC, CISSP, CRISC, CISA, or vendor-specific) required.

SPECIAL SKILLS
Proficient understanding of regulatory and compliance mandates, including but not limited to HIPAA, HITECH, PCI, Sarbanes-Oxley preferred.

My profile fits for the position you mentioned. I have the experience and skills they require and I have been working on Python, Powershell and Java. I used to code my own versions of tools in .Net.

gespenstern

I'm very good with AD, multi-site, multi-domain forests design for 15 years. CISSP, other certs and worked in security. Know assembly language, can do malware analysis. Wrote some hundreds of lines of powershell code/windows CMD/BAT shell/AIX Korn shell. And finally I work in healthcare, went through HIPAA trainings, participated in incident response in healthcare and can help with HIPAA compliance.

I kinda suck with cisco, but can do simple admin level stuff.

So it's not totally BS, I can imagine some guys who could fit, especially if the pay is good.

impelse

I think a lot of security guys are coming to be like a generalist, doing a lot of stuff and then going deep until begin to learn more security.

Security is very difficult and wide, just look CISSP, it is a bunch of knowledge, that you need, then you begin to choose your specialization.

If you work for a consulting IT company for small and medium customer then you will need to acquire a lot of those skill and more. In my case I wonder that new things will I get tomorrow, LOL

UnixGuy

beads wrote: »

Sounds like my job a couple of years ago to be frank about it. Nothing wrong with the description at all other than some of the wording does appear to be boiler plated in from another source.

As an engineer you should really have a decent idea as to how to write and run a script, sheesh. Sounds like a fairly small shop with intent to grow. ...

impressive experience you have. How many years did it take you to reach that level? What kind of job gave you the chance to learn all this? a service provider/ISP/financial services? Did you change jobs a lot or did you stay for years in some jobs? Any advice ?

docrice

Speaking just for my own experience, I'd say having a generalized background and some specialization really helps in making a good security engineer. Virtually everything stems from fundamentals, and being able to deep-dive requires seeing things from the ground up and recognizing the moving parts and mentally compartmentalizing them as needed. That's where being detail-oriented stems from in regards to having a wide array of exposures and understanding the bigger picture because everything's dependent on each other.

Risk management and providing justification requires being able to research, figure things out, and demonstrating or relaying the gritty details in a way that's relateable. Having that flexibility/adaptability requires 1) a keen interest and curiosity in general, 2) maintenance and self-refreshes as the larger world evolves, and 3) mental tenacity.

In general, the security professionals that I've known don't see themselves as "having a job" but rather being part of a larger mission. There are some IT professionals who are really dedicated to their craft, but there's also a lot more who just want to do their shift and go home. Security is going to be really, really tedious work for someone who just wants to get a paycheck.