Options
Cyber Security- Growing trend
Comments
-
Options
McxRisley
Member Posts: 494 ■■■■■□□□□□
cyberguypr wrote: »I also work at one of those mythical places were policies and processes work as designed and are followed. Using POAMs as band aids and getting away with it it's an issue of governance. If I try that crap at my $dayjob there would be a LOT of explaining to do.
In regards to experience I think you guys are seeing it too much as black or white. The answer is somwehre in the middle. As a security leader, do I prefer people like me who have been through desktop>network>servers>cloud, etc? You bet I do! To kaiju's point, do I take people fresh off college and train them in the simpler tasks that don't require such an extensive IT/IS background? Of course I do. This doesn't mean my newbie will be doing pentesting, forensics, etc. Not every single security task requires experienced engineers . Maybe is the fact that my area has a wide range of responsibilties ranging from basic (metrics, reporting, access reviews) to very advanced (dev, sec analytics, threat hunting), but there's a place for all levels in my team regardless of experience. You have to keep that pipeline healthy.
FINALLY! A sensible and reasonable response from someone else who actually works in security.I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect. -
Options
kaiju
Member Posts: 453 ■■■■■■■□□□
cyberguypr and McxRisley > I think we are on the same page. I only mentioned pentesting because it popped up in a previous post. A small organization will want the most experienced professional that they can afford while an enterprise will utilize the multi-tier platform with the entry level personnel at the bottom. Many organizations recruit the entry level personnel so that they can mold them into a professional that fits their agenda.Work smarter NOT harder! Semper Gumby! -
OptionsMcxRisley
Member Posts: 494 ■■■■■□□□□□
Many organizations recruit the entry level personnel so that they can mold them into a professional that fits their agenda.
Yep, thats what we try to do here as well and also mentioned it in a previous comment. This thread is making me question how many here actually work in security or are just regurgitating what they have heard others say. Yes, I get everyones reasons that they have listed BUT you guys keep listing NON-ENTRY level positions and duties. In some cases, these duties may be entry level but they will be supervised and guided until they are competent enough on thier own. Security is not an all inclusive country club and you can't tell entry level applicants to "get off your lawn" just because they lack 4000 years of experience....I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect. -
Options
UnixGuy
Mod Posts: 4,567 Mod
...
You guys are so stuck on the elitist mentality that you cant even think logically on this issue.
Mate, two years of real world experience in system administration or network administration is not 'elitist'
-
OptionsUnixGuy
Mod Posts: 4,567 Mod
.... This thread is making me question how many here actually work in security or are just regurgitating what they have heard others say. . .....
Nope, we work in security and we disagree with you - the two aren't mutually exclusive.
Read my previous post in page #1, I listed bullets points of what I think people starting in security should look like.
Some people will always disagree with you, debate the point and don't try and discredited them. Your defensive opinions seems to be based on the fact that you started in security with no experience. This is not a personal attack on you, so don't take it as such. We respect you here, but we are entitled to disagree with you.
Good luck with your 2018 career goals. -
Options
Sheiko37
Member Posts: 214 ■■■□□□□□□□
TechGromit wrote: »I'll stick with someone know knows enough that if they get in they are not going to screw up my production environment. Security isn't "an inclusive club", but I see nothing wrong with asking for some experience in other areas of IT before jumping right into security.
You want a security tester to have experience with network administration so they don't screw up the production environment. Don't you think the reverse is equally likely, a screwed environment if it were set up by a network administrator with no security experience?
I can imagine an argument that the latter is actually more damaging.
I see no merit in saying someone ought to start their career in one field over the other. -
Options
paul78
Member Posts: 3,016 ■■■■■■■■■■
That's quite a harsh accusation. It's seldom ever a black or white matter. Most people will have their own biases based on their experience and preferences. And the reality is that the career path of most people can take very different routes. I'm quite sure that you are not the only person that entered security early in their career. As I am sure that others come from environments and industries that would never hire someone without relevant experience.You guys are so stuck on the elitist mentality that you cant even think logically on this issue.
My preference has always been to hire internally for security. But for new hires, I generally favor: software engineers, someone that's worked in similar industry (usually financial services), someone that's works at a consulting company or MSP, and lastly someone that's worked with regulated data. I rarely have ever hired anyone in security without experience unless I have a budgetary constraint or enough grunt work that justifies an FTE. And in that situation, I look for passion for their chosen craft more than anything else.
AFAIK - most of the folks that responded to this thread, work in security. What makes you think otherwise? And I'm pretty sure that some also have hire/fire authority. There could even be some with decades of relevant experience.McxRisley wrote:This thread is making me question how many here actually work in security or are just regurgitating what they have heard others say. -
Optionsinfosecs
Member Posts: 48 ■■□□□□□□□□
But Why?My preference has always been to hire internally for security. But for new hires, I generally favor: software engineers, someone that's worked in similar industry (usually financial services), someone that's works at a consulting company or MSP, and lastly someone that's worked with regulated data. I rarely have ever hired anyone in security without experience unless I have a budgetary constraint or enough grunt work that justifies an FTE. And in that situation, I look for passion for their chosen craft more than anything else.
Paul please help me understand why many people in Cyber security prefer to hire internally or someone from similar organization rather than hire a super enthusiastic highly qualified infosec wanna be? Because a person who can master cissp/ ccie/ cisa/ ccsk exams can not learn a few skills, in matter of weeks if not days? -
OptionsMcxRisley
Member Posts: 494 ■■■■■□□□□□
@paul78 I thought this discussion was about entry level people and them wanting to start out in security? In which case, to me, this would be a black and white situation since they would only be qualified for entry level jobs. I feel like most of what others have mentioned here ARE NOT entry level jobs, hence my stance on this thread.
I think some may not actually work in security based off of thier responses and not being able to think in accordance with certain processess. Although, this could just simply be because they have never worked somewhere that things are done correctly or differently.
@UnixGuy I know that some people will never agree with each other and I don't take this as a personal attack on me. I'm just addressing how most peoples responses to this topic come off to me. In my experience, most incumbent security folks that have been around for awhile seem to resent new blood coming right into thier domain fresh out of college when they themselves spent many years getting to where they are. Thats just the way of the world, some people have an easier path to thier goal than others. I know my career progression is not the norm and would make most people scoff given my position and not having 10+ years of experience. Hell, I am the lead here and am fully invovled in the hiring/firing process and I have less than 5 years total of real security experience. We don't even hire mid-level people with less than 5 years experience here. I just happened to be in the right place at the right time. The lead here left and I had the desired skills and have demonstarted them on numerous occasions, so I was given the lead spot over the other team members who have been here much longer than me.
I agree that not everyone belongs in security and that certain positons require a candidate with the right amount of experience.I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect. -
Options
volfkhat
Member Posts: 1,061 ■■■■■■■■□□
full disclosure: i don't work in Infosec.
With that being said,
i respect your perspective; i just disagree with it.
But i admit, your journey definitely gives you specific insight into what it takes to become successful in Infosec; starting from complete ZERO.
Personally, i think your story is the exception to the rule.
I think you need at least 2-3 years of legit EXP in some other domain.
You think otherwise; given your first-hand account of your own success.
I respect that; and acknowledge that perhaps you are right, and i am wrong :]
As for your observation:... most incumbent security folks that have been around for awhile seem to resent new blood coming right into their domain fresh out of college when they themselves spent many years getting to where they are.
I think your perspective is slightly boxed-in here (understandably).
Those same resentful incumbent folks are also on our Network teams and Server teams.
That 'elitist mentality' is not exclusive to just Security folks :] -
OptionsMcxRisley
Member Posts: 494 ■■■■■□□□□□
full disclosure: i don't work in Infosec.
With that being said,
i respect your perspective; i just disagree with it.
But i admit, your journey definitely gives you specific insight into what it takes to become successful in Infosec; starting from complete ZERO.
Personally, i think your story is the exception to the rule.
I think you need at least 2-3 years of legit EXP in some other domain.
You think otherwise; given your first-hand account of your own success.
I respect that; and acknowledge that perhaps you are right, and i am wrong :]
As for your observation:
I think your perspective is slightly boxed-in here (understandably).
Those same resentful incumbent folks are also on our Network teams and Server teams.
That 'elitist mentality' is not exclusive to just Security folks :]
Well I can finally agree with you on all of this lol.I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect. -
Optionsvolfkhat
Member Posts: 1,061 ■■■■■■■■□□
But Why?
... Because a person who can master cissp/ ccie/ cisa/ ccsk exams can not learn a few skills, in matter of weeks if not days?
Certifications are like Driver Licenses.
Just because you have one... doesn't mean you know what you are doing.
Compare someone who got their license last month, with someone who got their license last decade.
On average, who is probably better at driving?
And before say "Well some people are terrible drivers, and shouldn't be driving at all but still somehow have a license, blah blah"
Okay,
compare yourself with yourself.
Who is the better driver?
You after 1 year?
or, You after 10 years?
When the next security breach happens,
do you want to be the person who added the "super enthusiastic highly qualified infosec wanna be" to the team?
Not saying it's right.... just saying "why". -
Optionsinfosecs
Member Posts: 48 ■■□□□□□□□□
Very well explained. Good Job.Certifications are like Driver Licenses.
Just because you have one... doesn't mean you know what you are doing.
Compare someone who got their license last month, with someone who got their license last decade.
On average, who is probably better at driving?
And before say "Well some people are terrible drivers, and shouldn't be driving at all but still somehow have a license, blah blah"
Okay,
compare yourself with yourself.
Who is the better driver?
You after 1 year?
or, You after 10 years?
When the next security breach happens,
do you want to be the person who added the "super enthusiastic highly qualified infosec wanna be" to the team?
Not saying it's right.... just saying "why". -
Optionspaul78
Member Posts: 3,016 ■■■■■■■■■■
But Why?
Paul please help me understand why many people in Cyber security prefer to hire internally or someone from similar organization rather than hire a super enthusiastic highly qualified infosec wanna be? Because a person who can master cissp/ ccie/ cisa/ ccsk exams can not learn a few skills, in matter of weeks if not days?
Opps - how embarrassing for me. One of my pet peeves is when an opinion is offered without context.
I can't really speak for other managers - I can only speak to my own believes and convictions. And there are so many factors when it comes to hiring for security or any other function for that matter. If I'm running or building a team, I usually think first about my fiduciary responsibility to my employer or my client's investors.
In a SaaS company, the percentage of security people relative to the software engineering or tech team as a whole can be much smaller, so that security team leaves little room for someone that isn't already a seasoned or experienced security professional.
As for hiring a super enthusiastic highly qualified infosec wannabe - well - that's my point about hiring internally. If there's already a super enthusiastic highly qualified infosec wannabe in the company, I rather give that individual a chance instead of bringing in an outsider. Plus that individual is likely someone that already knows the business and the threat landscape.
My career is mostly in financial services so because stakes can be a bit higher, I have always favored hiring someone that has some relevant experience when it comes to a security role.
As to individuals that can obtain a CISSP/CCIE/etc - well - that's really someone with relevant experience so I would consider them as candidates - depending on the security role.
Sure - I understand what you meant. Perhaps it's just definition, I don't personally believe that there are really any entry level security roles - at least not in the companies that I work with.McxRisley wrote:@paul78 I thought this discussion was about entry level people and them wanting to start out in security? In which case, to me, this would be a black and white situation since they would only be qualified for entry level jobs. I feel like most of what others have mentioned here ARE NOT entry level jobs, hence my stance on this thread.
I think some may not actually work in security based off of thier responses and not being able to think in accordance with certain processess. Although, this could just simply be because they have never worked somewhere that things are done correctly or differently.
I'm sure that there are teams that hire individuals with no relevant experience to run vulnerability scans from a runbook, monitor a SIEM for categories of alerts, perform access control and entitlements provisioning. They may even advertise those roles as a security job so they can get a larger applicant pool. And I think that's a great way for someone to get some experience. But those are jobs that I won't ever create in any security organization that I manage. It really depends on a business's risk tolerance, their threat profile, and countless other factors.
Very true. I sometimes work with a law firm that would never hire lawyers out of school or someone that has never argued before a court. And if you want to intern with them as a lawyer, you must have clerked for a judge. The firm was a bunch of litigators and I'm sure many would consider them snobbish but a big part of their business model is to cultivating a reputation as a boutique firm of expert litigators.volkhat wrote:That 'elitist mentality' is not exclusive to just Security folks :]
I tend not to think of it as an elitist mentality. It's really just a business decision that management chooses to make. There's definitely pros and cons to never hiring someone in a security role who doesn't have certain requisite experience. -
OptionsUnixGuy
Mod Posts: 4,567 Mod
In my experience, most incumbent security folks that have been around for awhile seem to resent new blood coming right into thier domain fresh out of college when they themselves spent many years getting to where they are. Thats just the way of the world, some people have an easier path to thier goal than others........
It's like that in every field. Unix admins don't let people touch their servers...I've seen worse. It's not ideal but like you said this is the world we live inI know my career progression is not the norm and would make most people scoff given my position and not having 10+ years of experience. Hell, I am the lead here and am fully invovled in the hiring/firing process and I have less than 5 years total of real security experience. We don't even hire mid-level people with less than 5 years experience here........
Then you've done well for yourself, and this is actually not Uncommon at all. That's how most managers/team leads get into their positions anyway. It's also not a guarantee for the future, things change quickly. I'm not opposed to giving people a chance, quite the opposite. But I'm well aware of how this can go wrong, and would always prefer the experienced folk. Here in Australia, we have something called "Grad Program", where you give fresh grads a year long internship then hire them, I always have grads in my team and they do very well. Nothing wrong with that, as long as (mentioned previously), they have the people skills, willingness to learn, and humbleness. -
Options
snokerpoker
Member Posts: 661 ■■■■□□□□□□
Busy stretch at work so I didn't get to chime in on this much.
Thanks for all the takes on this thread. Very good insights from everyone.
