The unicorn fallacy, are you seeing this trend growing ?
Azt7
Member Posts: 121 ■■■■□□□□□□
After 3+ years at my current job (Cybersec Advisory), I'm entertaining some change.
As much as I understand that budget can be tight, some of the expectations companies have today are reaching a scary level.
Here are some positions I was approached for by recruiters and 3 key skills that I circled after the interview with the hiring manager:
- Cyber Risk Advisor: Cloud Architecture (AWS / O365 / Azure) - GRC (specifically NIST, ISO 27001 and associated controls) - Extensive Intune Administration
- Cybersecurity Consultant: Multi-cloud as above - Advisory services background - Red / blue teaming
- Cloud Security Architect: Cloud Security (AWS / O365 / Azure / GCP) - Scripting / DevOps / Code review (Python, C#, Ruby...) - Security buffet (STRIDE, NIST / DISA, DAST, SAST, OAUTH, SAML)
For positions 1 and 2, I wasn't selected because I didn't have an advanced level in one of the key skills. But the trend is becoming dangerous: we are looking for either unrealistic unicorns (job requirements say 5+ years on average) or seniors that the business can't afford.
Just curious to know what everybody else is coming across either as a hiring manager or a candidate.
Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD
Comments
-
shochan Member Posts: 1,014 ■■■■■■■■□□Yup, it seems they all want an "ALL IN ONE" printer, I mean, person... In reality, it is like a 3-person job, but they want 1 person to do it all... It baffles me too... No time to explain, just get in the van down by the river!
.
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP -
chmod Member Posts: 360 ■■■□□□□□□□And this is becoming more and more common.
Full stack developer, sr infrastructure engineer, etc are the new titles for the jack of all trades. -
Infosec_Sam Admin Posts: 527 AdminWhen I think about it from the hiring manager's perspective, it makes sense. Why hire a Sysadmin and a Network Admin to do the job of a "Sr Infrastructure Admin?" The Inf. Admin isn't going to make the salary of the other two combined, so it makes sense from a business standpoint. From the unicorn's perspective though, this seems a little dangerous. Unless you really enjoy being stretched that thin, you're probably going to have a bad time. It seems like jobs like that will be very prone to 60-hour work weeks, which is not really my cup of tea.
-
Azt7 Member Posts: 121 ■■■■□□□□□□Don't get me wrong, I'm hiring people in my current position and I see the value of a multi-platform cloud Architect or a DevOps.
But still, as a manager, what is dangerous is starting to mix those things with security and then expecting security controls to be properly implemented. A DevOps is not an infosec advisor (maybe they can evolve into an application security person) and a cloud architect is not a cyber risk manager. Obviously, you can grow and acquire those skills, but it takes years.
IMO, this approach might save the company money now but creates a non-quantifiable risk and actually gives more work to the rest of the team if you ever want to keep an eye on what's being done.
Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD -
MontagueVandervort Member Posts: 399 ■■■■■□□□□□Anyone who has been in this field for more than a year or two realizes job titles and supposed "expectations" are weak. 🤣
Probably will only get even worse as government regulations concerning security become even more and more stringent...
It is what it is.
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□MontagueVandervort said:job titles and supposed "expectations" are weak. 🤣
-
Azt7 Member Posts: 121 ■■■■□□□□□□MontagueVandervort said:Anyone who has been in this field for more than a year or two realizes job titles and supposed "expectations" are weak. 🤣
Probably will only get even worse as government regulations concerning security become even more and more stringent...
It is what it is.
That's exactly what I thought. I was thinking if I fit about 45 % of what they ask, I'm good to go.
But those 2 positions really wanted somebody who checks all the boxes.
Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD -
mikey88 Member Posts: 495 ■■■■■■□□□□Best one is: looking for a senior person in technologies that didn't exist 5 yrs ago.
Certs: CISSP, CySA+, Security+, Network+ and others | 2019 Goals: Cloud Sec/Scripting/Linux
-
shadmego Member Posts: 2 ■■□□□□□□□□Hey folks! First post... I get the distinct impression that many job descriptions are a way to replace someone that vacated the role. The company wants to replace them with someone else exactly like them, to include specific "soft" skills and capabilities. And then the companies complain that there is a shortage of "qualified" security professionals.
Having said that, I realize we all have to learn how to do more with less, but I think companies will only help themselves when they are honest in what they are looking for instead of overstating their requirements. As sales, I'm going to overstate what the cost is. As a buyer, I'm going to understate what I'm willing to spend. Maybe a better way to express it is as a buyer (company), I'm going to overstate what I'm looking for and understate how much I'm willing to spend. As a seller (applicant), I'm going to overstate the capabilities of the product and overstate how much it will cost to obtain. The hope of both roles is to compromise on capability and agree on price.
I don't think this is a great way to look for talent in any industry. It sets both parties up for failure and frustration.
-
Infosec_Sam Admin Posts: 527 Adminshadmego said:Hey folks! First post... I get the distinct impression that many job descriptions are a way to replace someone that vacated the role. The company wants to replace them with someone else exactly like them, to include specific "soft" skills and capabilities. And then the companies complain that there is a shortage of "qualified" security professionals.
Having said that, I realize we all have to learn how to do more with less, but I think companies will only help themselves when they are honest in what they are looking for instead of overstating their requirements. As sales, I'm going to overstate what the cost is. As a buyer, I'm going to understate what I'm willing to spend. Maybe a better way to express it is as a buyer (company), I'm going to overstate what I'm looking for and understate how much I'm willing to spend. As a seller (applicant), I'm going to overstate the capabilities of the product and overstate how much it will cost to obtain. The hope of both roles is to compromise on capability and agree on price.
I don't think this is a great way to look for talent in any industry. It sets both parties up for failure and frustration.
-
jpat Member Posts: 1 ■■□□□□□□□□The lack of judgment used in posting some of the recruitment notices and want ads is astounding. From a security perspective, organizations' soft spots are being revealed by recruiters - some of the job posts I've read lately list just about every platform in use: Splunk, Symantec, CyLance, O365, MS SQL 2012, Windows 2k8 (yikes), Forescout, etc.... that's not the way to do it!
I received a call from a recruiter a couple of weeks ago in "DESPERATE" need of someone who knows technologies X, Y, and Z because the position had been advertised nationally for a year and they have no one to do the job now and very few prospects. Does anyone else read that the same way I heard it that day? How many people with malicious intent have seen the desperate ads with the security systems deficiency list during this year-long search? How many legitimate recruits have avoided it like the plague for that very reason? I know of at least one... this guy! This is a massive target - I mean - company... I wouldn't be surprised to hear their name in a breach of the day report any minute. I don't wish for that but the recruitment effort is bad - someone was asleep at the wheel.
And with today's extraordinary shortage of security talent, where is the ingenuity and creativity in attracting us? Don't tell me you REQUIRE someone to fulfill 30 specific product admin roles without also offering up a few carrots! For example, advertise a paid training plan with a bonus structure to learn each of the requisite skills and certify. Demonstrate your understanding of humans by acknowledging a potentially significant skills ramp-up period. Advertise 'semi-redacted' roles (DevOps, SQL DB security, edge security, endpoint protection, etc.) and a minimum starting salary. If you advertise positions/roles with more generalized yet highly relevant KSAs, you will get considerably more interest from experienced security professionals. ...and experienced modern security professionals are likely capable of coming up to speed quicker than a recruiter can find a real unicorn with the required vendor-specific qualifications. It's a 'beggars can't be choosers' market out there now for recruiters. I'll take an interest in the posts that focus on attracting me with realistic expectations and attractive compensation packages. Compensation does not necessarily = $$$. It can take on many forms. In direct response to Azt7's original post, they at least semi-'redacted' the platforms in most of those, but man, they are asking for a Hummer that handles like a Ferrari, accelerates like a funny car, and gets 80 mpg! I recommend organizations recruit for the cybersecurity 'all-in-ones' by first stating the primary responsibilities, for example...
Azt7 said:
After 3+ years at my current job (Cybersec Advisory), I'm entertaining some change.
As much as I understand that budget can be tight, some of the expectations companies have today are reaching a scary level.
Here are some positions I was approached for by recruiters and 3 key skills that I circled after the interview with the hiring manager:
- Cyber Risk Advisor: Cloud Architecture (AWS / O365 / Azure) - GRC (specifically NIST, ISO 27001 and associated controls) - Extensive Intune Administration
- Cyber Risk Advisor: Seeking cloud platform-as-a-service risk advisor experienced in the use of cybersecurity framework controls. The position requires extensive cloud-based server/endpoint security management. The candidate with the appropriate KSAs is scheduled 40 hours per week minimum (training counts toward minimum) with time-and-a-half offered for hours worked over 50 per week. Alternatively, employees can be comped 100% of their 50+ overages in vacation time. The selected candidate will receive company-sponsored training on the organization's specific platforms.
- Minimum experience/education in each of the listed technology categories:
- Minimums: 3 years + B.S. in Computer Science, Cybersec, or Info Tech
- Desired: 5 years + MS in Computer Science, Cybersec, or Information Assurance and Security.
- Selected candidates can expect a minimum of $90k annually + medical/dental/FSA/401k plans. Remote work is allowed as needed. Extraordinarily qualified candidates (minimal training required) can expect a higher pay grade...
-
shochan Member Posts: 1,014 ■■■■■■■■□□If the recruiter or HR dept of the company was smart-er... they would be very vague with the posting, with just an extraordinary IT title... that way they are not setting themselves up for hackers to know everything they are using on their network.
CompTIA A+, Network+, i-Net+, MCP 70-210, CNA v5, Server+, Security+, Cloud+, CySA+, ISC² CC, ISC² SSCP
-
Mike R Member Posts: 148 ■■■□□□□□□□As I'm in the process of looking for a new job due to my company eliminating my position, this sort of thing is super annoying. HR or recruiters may as well just say if it has a circuit board we expect intermediate experience with it. I love seeing stuff asking for windows 98 and exchange 2008 admin, then in the next line asking for O365 administration experience. I'd just rather you tell me what you use/need and then approach the subject of if you offer training etc. Having only 3 years in this field I know how much I just don't know, but it's super unhelpful to figure out what's needed when HR/Recruiters just list everything.
I'm probably especially salty though currently as it's been difficult getting released after pouring all my efforts into my last employer and watching him squander multiple opportunities I cultivated.
-
Azt7 Member Posts: 121 ■■■■□□□□□□Mike R said:As I'm in the process of looking for a new job due to my company eliminating my position, this sort of thing is super annoying. HR or recruiters may as well just say if it has a circuit board we expect intermediate experience with it. I love seeing stuff asking for windows 98 and exchange 2008 admin, then in the next line asking for O365 administration experience. I'd just rather you tell me what you use/need and then approach the subject of if you offer training etc. Having only 3 years in this field I know how much I just don't know, but it's super unhelpful to figure out what's needed when HR/Recruiters just list everything.
I'm probably especially salty though currently as it's been difficult getting released after pouring all my efforts into my last employer and watching him squander multiple opportunities I cultivated.
Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD -
DatabaseHead Member Posts: 2,760 ■■■■■■■■■■Found a Unicorn myself where expectations are set like we are back in the 90's. It's really nice, perks for working for a Euro company I suppose.
Title I have is ridiculous (in a bad way); pay has never been better. -
jeremywatts2005 Member Posts: 347 ■■■■□□□□□□Issue I have seen with these all-in-ones is they keep throwing in things that just don't tie together. I know for me companies want someone who does AWS, Azure or some other cloud, then they want you to have experience using forensics tools like EnCase, then they want legal experience using those tools and using those tools in the cloud, and then they want IR experience to go with that, and on and on it goes. I was on an interview that was just insane. I went through three interviews and was grilled for over an hour on each call about a whole bunch of different areas from forensics, cloud, IR, dev, engineering and so on. Then when it was done they told the recruiter that I was not in depth enough with my answers. They are still looking, and for what they are paying there's no way you would get someone with all of this experience at an expert level, let alone someone who would be an expert in all of these things.
-
shadmego Member Posts: 2 ■■□□□□□□□□jeremywatts2005 said:Issue I have seen with these all-in-ones is they keep throwing in things that just don't tie together. I know for me companies want someone who does AWS, Azure or some other cloud, then they want you to have experience using forensics tools like EnCase, then they want legal experience using those tools and using those tools in the cloud, and then they want IR experience to go with that, and on and on it goes. I was on an interview that was just insane. I went through three interviews and was grilled for over an hour on each call about a whole bunch of different areas from forensics, cloud, IR, dev, engineering and so on. Then when it was done they told the recruiter that I was not in depth enough with my answers. They are still looking, and for what they are paying there's no way you would get someone with all of this experience at an expert level, let alone someone who would be an expert in all of these things.
I've had recruiters approach me with job descriptions that sound like this. I've thankfully never been through an interview process as grueling as you recounted above. When I see the job descriptions that don't make sense, I let the recruiter know the expectations are unusually descriptive and don't make sense together (breadth of experience with minimal years of experience as an example). I thank them for reaching out and wish them luck in their search.
I've actually had a recruiter get back to me once with a revised job description. Still didn't take it, but I thanked them for being responsive.
I wonder if, as job seekers, we are looking for the "reverse" unicorn: a company/job description that checks all our boxes. I can't help but think that as we lament the fact that companies, recruiters, and interviewers don't seem to collectively see us as people first, we also don't see them as people... Maybe we should see the process more as a give-and-take rather than a one-way street.
Yes, as security professionals we are highly sought after, but maybe it's incumbent upon us to help companies get better at their recruiting processes/candidate expectations? Just a thought.
-
jeremywatts2005 Member Posts: 347 ■■■■□□□□□□shadmego said:I've had recruiters approach me with job descriptions that sound like this. I've thankfully never been through an interview process as grueling as you recounted above. When I see the job descriptions that don't make sense, I let the recruiter know the expectations are unusually descriptive and don't make sense together (breadth of experience with minimal years of experience as an example). I thank them for reaching out and wish them luck in their search.
I've actually had a recruiter get back to me once with a revised job description. Still didn't take it, but I thanked them for being responsive.
I wonder if, as job seekers, we are looking for the "reverse" unicorn: a company/job description that checks all our boxes. I can't help but think that as we lament the fact that companies, recruiters, and interviewers don't seem to collectively see us as people first, we also don't see them as people... Maybe we should see the process more as a give-and-take rather than a one-way street.
Yes, as security professionals we are highly sought after, but maybe it's incumbent upon us to help companies get better at their recruiting processes/candidate expectations? Just a thought.
-
clarson Member Posts: 903 ■■■■□□□□□□They are looking for the fish also.
https://insights.dice.com/2019/05/10/tech-recruiting-is-totally-broken-fish-are-taking-your-jobs/?CMPID=EM_RE_UP_JS_AD_DA_CP_A_
-
Azt7 Member Posts: 121 ■■■■□□□□□□shadmego said:
When I see the job descriptions that don't make sense, I let the recruiter know the expectations are unusually descriptive and don't make sense together (breadth of experience with minimal years of experience as an example). I thank them for reaching out and wish them luck in their search.
I wonder if, as job seekers, we are looking for the "reverse" unicorn: a company/job description that checks all our boxes. I can't help but think that as we lament the fact that companies, recruiters, and interviewers don't seem to collectively see us as people first, we also don't see them as people... Maybe we should see the process more as a give-and-take rather than a one-way street.
Yes, as security professionals we are highly sought after, but maybe it's incumbent upon us to help companies get better at their recruiting processes/candidate expectations? Just a thought.
I do agree that a lot of work needs to be done on the recruiting side. From casual conversations with security managers (I work in Infosec Advisory), the reason why those job descriptions are so complex is that they do not have the time / resources to train new hires. So getting somebody who's experienced helps them tremendously.
So now, everybody is trying to hire advanced-level people, which ruins the industry.
Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD -
LeBroke Member Posts: 490 ■■■■□□□□□□All I know is my interviews are confusing as hell.
Some company wants a Cloud Architect. JD is all Ansible/Terraform/AWS architecture/application scaling/cloud security.
...Then I go in for an interview and they're asking me to write a log parser for nginx in 15 minutes or less in Python. wut? Why not just post an ad for a developer at that point? -
Azt7 Member Posts: 121 ■■■■□□□□□□Azt7 said:
- Cloud Security Architect : Cloud Security (AWS / O365 / Azure / GCP) - Scripting / DevOps / Code review (Python, C#, Ruby...) - Security buffet (STRIDE, NIST / DISA, DAST, SAST, OAUTH, SAML)
LeBroke said:All I know is my interviews are confusing as hell.
Some company wants a Cloud Architect. JD is all Ansible/Terraform/AWS architecture/application scaling/cloud security.
...Then I go in for an interview and they're asking me to write a log parser for nginx in 15 minutes or less in Python. wut? Why not just post an ad for a developer at that point?
They were asking about SMB vulnerabilities, purchasing certificates and server hardening.
The hiring manager and the recruiter were together during the interview so we can't even blame HR for that. Managers have to do a better job at clarifying what they are looking for, at least for this instance.
Certifications : ITIL, MCSA Office 365, MCSE Productivity, AWS CSAA, Azure Architect, CCSK, TOGAF
Studying for : TBD -
EANx Member Posts: 1,077 ■■■■■■■■□□My budget got cut, I can only afford people who fart five-color rainbows.
-
TrunksXV Member Posts: 33 ■■■□□□□□□□I have the same question. The jobs that are being posted on Indeed and so forth are seemingly going for a market of people that aren't available. Nobody can realistically meet those standards in an 8-hour workday, and in the past, in order to post a job advertisement in the newspaper with that number of words, you'd have to pay for almost a whole section of the page.
Today, you can write just about anything you'd like, whether it's real or not. I think it all boils down to a cultural problem in these job advertisements.
Certifications: A+, Network+, Security+, Project+, CySA+, MCP, ITIL
Future Goals: DevOps, CASP+, Server+, Linux+, Red Hat, PenTest+ -
UnixGuy Mod Posts: 4,570 ModThis is how you end up with incompetent people in positions...They claim to be experts in 5+ areas...while in reality they barely scratched the surface...
-
TrunksXV Member Posts: 33 ■■■□□□□□□□That's another reason why I'm studying the ITIL, DevOps and other management frameworks. It seems like a lot of these organizations are staffed by people who don't understand what IT is. Case in point, when I worked at my help desk job, I was surprised at how many people couldn't tell what type of computer they were using. That's like not even knowing what kind of car you drive. Or what car you even want to drive to start with. But it does exist. And people are never going to be like us in some sense. If you can't even know what type of OS is on your computer, then how can you describe a job position in just 500 words or less?
Certifications: A+, Network+, Security+, Project+, CySA+, MCP, ITIL
Future Goals: DevOps, CASP+, Server+, Linux+, Red Hat, PenTest+