The unicorn fallacy, are you seeing this trend growing ?

After 3+ years at my current job (Cybersec Advisory), I'm entertaining some change.

As much as I understand that budget can be tight, some of the expectations companies have today are reaching a scary level.

Here are some positions I was approached for by recruiters and 3 key skills that I circled after the interview with the hiring manager :

Cyber Risk Advisor : Cloud Architecture (AWS / O365 / Azure) - GRC (Specifically NIST, ISO 27001 and associated controls) - Extensive Intune Administration
Cybersecurity Consultant : Multi-cloud Cloud as above - Advisory services background - Red / blue teaming
Cloud Security Architect : Cloud Security (AWS / O365 / Azure / GCP) - Scripting / DevOps / Code review (Python, C#, Ruby...) - Security buffet (STRIDE, NIST / DISA, DAST, SAST, OAUTH, SAML)

Taking a step back, I can recognize that some of those skills definitely go together. However, we do have to admit that finding one competent person with all those skills at a production level is more than complicated. Each of these key skills takes years to somewhat master.

For position 1 and 2, I wasn't selected because I didn't have an advanced level in one of the key skills. But the trend is becoming dangerous that we are looking for either unrealistic unicorns (job requirements says 5+ years on average) or seniors that the business can't afford.

Just curious to know what everybody else is coming across either as a hiring manager or a candidate.

Find more posts tagged with

Comments

shochan

Yup, it seems they all want an "ALL IN ONE" printer, I mean, person...in reality, it is like 3 person job but want 1 person to do it all...It baffles me too...No time to explain, just get in the van down by the river!

Image: https://us.v-cdn.net/6030959/uploads/editor/ax/5i0bkos8x2o1.png

chmod

An this is becoming more and more common.

Full stack developer, sr infrastructure engineer, etc are the new titles for the jack of all trades.

Infosec_Sam

When I think about it from the hiring manager's perspective, it makes sense. Why hire a Sysadmin and a Network Admin to do the job of a "Sr Infrastructure Admin?" The Inf. Admin isn't going to make the salary of the other two combined, so it makes sense from a business standpoint. From the unicorn's perspective though, this seems a little dangerous. Unless you really enjoy being stretched that thin, you're probably going to have a bad time. It seems like jobs like that will be very prone to 60-hour work weeks, which is not really my cup of tea.

Azt7

Don't get me wrong, I'm hiring people in my current position and I see the value of a multi-platform cloud Architect or a DevOps.

But still as a manager, What is dangerous is starting to mix those things with security and then expect security controls to be properly implemented. A DevOps is not an infosec advisor (maybe can evolve into an application security person) and a cloud architect is not a cyber risk manager. Obviously, you can grow and acquire those skills but it takes years.

IMO, this approach might save the company money now but creates a non quantifiable risk and actually, gives more work to the rest of the team if ever you want to keep an eye on what's being done.

MontagueVandervort

Anyone who has been in this field for more than a year or two realizes job titles and supposed "expectations" are weak. 🤣

Probably will only get even worse as government regulations concerning security become even more and more stringent...

It is what it is.

NetworkNewb

MontagueVandervort said:

job titles and supposed "expectations" are weak. 🤣

This is how I feel about pretty much every job ad. My rule of thumb is if you have a good understanding of half of what they want you are probably a good fit for the job.

Azt7

MontagueVandervort said:

Anyone who has been in this field for more than a year or two realizes job titles and supposed "expectations" are weak. 🤣

Probably will only get even worse as government regulations concerning security become even more and more stringent...

It is what it is.

That's exactly what I thought. I was thinking if I fit about 45 % of what they ask, I'm good to go.

But those 2 positions really wanted somebody who checks all the boxes.

mikey88

Best one is - Looking for a senior person in technologies that didn't exist 5yrs ago.

shadmego

Hey folks! First post...

I get the distinct impression that many job descriptions are a way to replace someone that vacated the role. The company wants to replace them with someone else exactly like them, to include specific "soft" skills and capabilities. And then the companies complain that there is a shortage of "qualified" security professionals.

Having said that, I realize we all have to learn how to do more with less but I think companies will only help themselves when they are honest in what they are looking for instead of overstating thier requirements. As sales, I'm going to overstate what the cost is. As a buyer, I'm going to understate what I'm willing to spend. Maybe a better way to express it is as a buyer (company), I'm going to overstate what I'm looking for and understate how much I'm willing to spend. As a seller (applicant), I'm going to overstate the capabilities of the product and overstate how much it will cost to obtain. The hope of both roles is to compromise on capability and agree on price.

I don't think this is a great way to look for talent in any industry. It sets both parties up for failure and frustration.

Infosec_Sam

shadmego said:

Hey folks! First post...

I get the distinct impression that many job descriptions are a way to replace someone that vacated the role. The company wants to replace them with someone else exactly like them, to include specific "soft" skills and capabilities. And then the companies complain that there is a shortage of "qualified" security professionals.

Having said that, I realize we all have to learn how to do more with less but I think companies will only help themselves when they are honest in what they are looking for instead of overstating thier requirements. As sales, I'm going to overstate what the cost is. As a buyer, I'm going to understate what I'm willing to spend. Maybe a better way to express it is as a buyer (company), I'm going to overstate what I'm looking for and understate how much I'm willing to spend. As a seller (applicant), I'm going to overstate the capabilities of the product and overstate how much it will cost to obtain. The hope of both roles is to compromise on capability and agree on price.

I don't think this is a great way to look for talent in any industry. It sets both parties up for failure and frustration.

I think you're absolutely right. I've heard of job postings get referred to as a "wish list." What this means is that they're looking for someone with most of the qualifications, not necessarily all of them. I mean, I'll apply to jobs where I only meet 60-70% of the qualifications on a job posting and I'll get asked to schedule a phone interview. I'm all good with that, but when a company requires candidates to be a unicorn to even be considered, I tend to wonder just how long they've been looking.

jpat

The lack of judgment used in posting some of the recruitment notices and want ads is astounding. From a security perspective, organizations' soft spots are being revealed by recruiters - some of the job posts I've read lately list just about every platform in use: Splunk, Symantec, CyLance, O365, MS SQL 2012, Windows 2k8 (yikes), Forescout, etc.... that's not the way to do it!

I received a call from a recruiter a couple of weeks ago in "DESPERATE" need of someone who knows technologies X, Y, and Z because the position had been advertised nationally for a year and they have no one to do the job now and very few prospects. Does anyone else read that the same way I heard it that day? How many people with malicious intent have seen the desperate ads with the security systems deficiency list during this year-long search? How many legitimate recruits have avoided it like the plague for that very reason? I know of at least one... this guy!

This is a massive target - I mean - company... I wouldn't be surprised to hear their name in a breach of the day report any minute. I don't wish for that but the recruitment effort is bad - someone was asleep at the wheel.

And with today's extraordinary shortage of security talent - where is the ingenuity and creativity in attracting us? Don't tell me you REQUIRE someone to fulfill 30 specific product admin roles without also offering up a few carrots! For example, advertise a paid training plan with a bonus structure to learn each of the requisite skills and certify. Demonstrate your understanding of humans by acknowledging a potentially significant skills ramp-up period. Advertise 'semi-redacted' roles (DevOps, SQL DB security, edge security, endpoint protection, etc.) and a minimum starting salary. If you advertise positions/roles with more generalized yet highly relevant KSAs, you will get considerably more interest from experienced security professionals. ...and experienced modern security professionals are likely capable of coming up to speed quicker than a recruiter can find a real unicorn with the required vendor-specific qualifications. It's a 'beggars can't be choosers' market out there now for recruiters. I'll take an interest in the posts that focus on attracting me with realistic expectations and attractive compensation packages. Compensation does not necessarily = $$$. It can take on many forms. In direct response to Azt7's original post, they at least semi-'redacted' the platforms in most of those but man - they are asking for a Hummer that handles like a Ferrari, accelerates like a funny car, and gets 80 mpg! I recommend organizations recruit for the cybersecurity 'all-in-ones' by first stating the primary responsibilities for example... Azt7 said:

After 3+ years at my current job (Cybersec Advisory), I'm entertaining some change.

As much as I understand that budget can be tight, some of the expectations companies have today are reaching a scary level.

Here are some positions I was approached for by recruiters and 3 key skills that I circled after the interview with the hiring manager :
Cyber Risk Advisor : Cloud Architecture (AWS / O365 / Azure) - GRC (Specifically NIST, ISO 27001 and associated controls) - Extensive Intune Administration

Let's re-work the requirements of the least absurd of the three listed in Azt7's post (which is the only one I listed above)...

Cyber Risk Advisor: Seeking cloud platform-as-a-service risk advisor experienced in the use of cybersecurity framework controls. The position requires extensive cloud-based server/endpoint security management. The candidate with the appropriate KSAs is scheduled 40 hours per week minimum (training counts toward minimum) with time and-a-half offered for hours worked over 50 per week. Alternatively, employees can be comped 100% of their 50+ overages in vacation time. The selected candidate will receive company-sponsored training on the organization's specific platforms.
Minimum experience/education in each of the listed technology categories:
Minimums: 3 years + B.S. in Computer Science, Cybersec, or Info Tech
Desired: 5 years + MS in Computer Science, Cybersec, or Information Assurance and Security.
Selected candidates can expect a minimum of $90k annually + medical/dental/FSA/401k plans. Remote work is allowed as needed. Extraordinarily qualified candidates (minimal training required) can expect a higher pay grade...

What are everyone's thoughts? I'm curious. I have shied away from some opportunities that seemed pretty far-fetched. If the recruiting needs to attract the zero-day unicorn, then great and good luck! Have those checkbooks out and practice writing lots of '0's. If however, the organization can serve as the 'unicorn-whisperer' by fostering and molding their own stable of quarter-horses into unicorns, that's something I'm game for... sign me up.

shochan

If the recruiter or HR dept of company was smart-er...they would be very vague with the posting with just an extraordinary IT title...that way they are not setting themselves up for hackers to know everything they are using on their network.

Mike R

As I'm in the process of looking for a new job due to my company eliminating my position this sort of thing is super annoying. HR or recruiters may as well just say if it has a circuit board we expect intermediate experience with it. I love seeing stuff asking for windows 98 and exchange 2008 admin, then in the next line asking for O365 administration experience. I'd just rather you tell me what you use/need and then approach the subject of if you offer training etc. Having only 3 years in this field I know how much I just don't know, but it's super unhelpful to figure out what's needed when HR/Recruiters just list everything.

I'm probably especially salty though currently as it's been difficult getting released after pouring all my efforts into my last employer and watching him squander multiple opportunities I cultivated.

Azt7

Mike R said:

As I'm in the process of looking for a new job due to my company eliminating my position this sort of thing is super annoying. HR or recruiters may as well just say if it has a circuit board we expect intermediate experience with it. I love seeing stuff asking for windows 98 and exchange 2008 admin, then in the next line asking for O365 administration experience. I'd just rather you tell me what you use/need and then approach the subject of if you offer training etc. Having only 3 years in this field I know how much I just don't know, but it's super unhelpful to figure out what's needed when HR/Recruiters just list everything.

I'm probably especially salty though currently as it's been difficult getting released after pouring all my efforts into my last employer and watching him squander multiple opportunities I cultivated.

Yes, I'm almost 10 years into my career and I'm affected. I can't even imagine how junior people like you are feeling in this situation.

DatabaseHead

Found a Unicorn myself where expectations are set like we are back in the 90's It's really nice, perks for working for a Euro company I suppose.

Title I have is ridiculous (in a bad way) pay has never been better.

jeremywatts2005

Issue I have seen with these all in ones is they keep throwing in things that just don't tie together. I know for me companies want someone who does AWS, Azure or some other cloud, then they want you to have experience using forensics tools like EnCase, then they want legal experience using those tools and using those tools in the cloud and then they want IR experience to go with that and on and on it goes. I was on an interview that was just insane. I went through three interviews and was grilled for over an hour on each call about a whole bunch of different areas from forensics, cloud, IR, dev, engineering and so on. Then when it was done they told the recruiter that I was not in depth enough with my answers. They are still looking and for what they are paying no way you would get someone with all of this experience at an expert level let alone someone would be an expert in all of these things.

shadmego

jeremywatts2005 said:

Issue I have seen with these all in ones is they keep throwing in things that just don't tie together. I know for me companies want someone who does AWS, Azure or some other cloud, then they want you to have experience using forensics tools like EnCase, then they want legal experience using those tools and using those tools in the cloud and then they want IR experience to go with that and on and on it goes. I was on an interview that was just insane. I went through three interviews and was grilled for over an hour on each call about a whole bunch of different areas from forensics, cloud, IR, dev, engineering and so on. Then when it was done they told the recruiter that I was not in depth enough with my answers. They are still looking and for what they are paying no way you would get someone with all of this experience at an expert level let alone someone would be an expert in all of these things.

I've had recruiters approach me with job descriptions that sound like this. I've thankfully never been through an interview process as grueling as you recounted above. When I see the job descriptions that don't make sense, I let the recruiter know the expectations are unusually descriptive and don't make sense together (breadth of experience with minimal years of experience as an example). I thank them for reaching out and wish them luck in their search.

I've actually had a recruiter get back to me once with a revised job description. Still didn't take it but I thanked them for being responsive.

I wonder if, as job seekers, we are looking for the "reverse" unicorn - a company/job description that checks all our boxes. I can't help but think that as we lament the fact that companies, recruiters, and interviewers don't seem to collectively see us as people first, we also don't see them as people... Maybe we should see the process more as a give-and-take rather than a one way street. Yes, as security professionals we are highly sought after, but maybe it's encombant upon us to help companies get better at their recruiting processes/candidate expectations?

Just a thought.

jeremywatts2005

shadmego said:

I've had recruiters approach me with job descriptions that sound like this. I've thankfully never been through an interview process as grueling as you recounted above. When I see the job descriptions that don't make sense, I let the recruiter know the expectations are unusually descriptive and don't make sense together (breadth of experience with minimal years of experience as an example). I thank them for reaching out and wish them luck in their search.

I've actually had a recruiter get back to me once with a revised job description. Still didn't take it but I thanked them for being responsive.

I wonder if, as job seekers, we are looking for the "reverse" unicorn - a company/job description that checks all our boxes. I can't help but think that as we lament the fact that companies, recruiters, and interviewers don't seem to collectively see us as people first, we also don't see them as people... Maybe we should see the process more as a give-and-take rather than a one way street. Yes, as security professionals we are highly sought after, but maybe it's encombant upon us to help companies get better at their recruiting processes/candidate expectations?

Just a thought.

I turn down a lot of different recruiters anymore. I am disgusted with the whole industry. It is getting worse not better. What is funny companies keep screaming skill shortages and things. However they cannot figure out competitive comp packages, benefits are in toilet in most cases and salaries are across the board the same with most companies. How is a company going to fill roles when they want massive skills and experience but want to pay for what one portion of the description would pay. Really companies should hire 3 people all at the same salary to do the job or significantly increase comp packages to pay for what they want.

clarson

they are looking for the fish also.

https://insights.dice.com/2019/05/10/tech-recruiting-is-totally-broken-fish-are-taking-your-jobs/?CMPID=EM_RE_UP_JS_AD_DA_CP_A_

Azt7

shadmego said:

When I see the job descriptions that don't make sense, I let the recruiter know the expectations are unusually descriptive and don't make sense together (breadth of experience with minimal years of experience as an example). I thank them for reaching out and wish them luck in their search.

I wonder if, as job seekers, we are looking for the "reverse" unicorn - a company/job description that checks all our boxes. I can't help but think that as we lament the fact that companies, recruiters, and interviewers don't seem to collectively see us as people first, we also don't see them as people... Maybe we should see the process more as a give-and-take rather than a one way street. Yes, as security professionals we are highly sought after, but maybe it's encombant upon us to help companies get better at their recruiting processes/candidate expectations?

Just a thought.

Yeah I think it's great to be able to turn a recruiter down. However, not everybody is able to do that.

I do agree that a lot of work needs to be done on the recruiting side. From casual conversations with security managers (I work in Infosec Advisory), the reason why those job description are so complex is that they do not have time / resources to train new hires. So getting somebody who's experienced helps them tremendously.

So now, everybody is trying to hire advanced level people which ruins the industry.

LeBroke

All I know is my interviews are confusing as hell.

Some company wants a Cloud Architect. JD is all Ansible/Terraform/AWS architecture/application scaling/cloud security.

...Then I go in for an interview and they're asking me to write a log parser for nginx in 15 minutes or less in Pyhon. wut? Why not just post an ad for a developer at that point?

Azt7

Azt7 said:

Cloud Security Architect : Cloud Security (AWS / O365 / Azure / GCP) - Scripting / DevOps / Code review (Python, C#, Ruby...) - Security buffet (STRIDE, NIST / DISA, DAST, SAST, OAUTH, SAML)

LeBroke said:

All I know is my interviews are confusing as hell.

Some company wants a Cloud Architect. JD is all Ansible/Terraform/AWS architecture/application scaling/cloud security.

...Then I go in for an interview and they're asking me to write a log parser for nginx in 15 minutes or less in Pyhon. wut? Why not just post an ad for a developer at that point?

So I had the interview for the above position last week and your post is so similar to my experience.

They were asking about SMB vulnerabilities, purchasing certificates and server hardening.

The hiring manager and the recruiter were together during the interview so we can't even blame HR for that. Managers have to do a better job at clarifying what they are looking for, at least for this instance.

paul78

Azt7 said:

Just curious to know what everybody else is coming across either as a hiring manager or a candidate.

As a hiring manager - nope - because I write awesome job descriptions. I expect all my candidates to fart rainbows and burp flowered perfume.

EANx

My budget got cut, I can only afford people who fart five-color rainbows.

TrunksXV

I have the same question. The jobs that are being posted on Indeed and so forth are seemingly going for a market of people that aren't available. Nobody can realistically meet those standards in an 8 hour workday and in the past in order to post a job advertisement in the newspaper with that number of words, you'd have to pay almost a whole section of the page.

Today, you can write just about anything you'd like whether its real or not. I think it all boils down to a cultural problem in these job advertisements.

UnixGuy

This is how you end up with incompetent people in positions...

They claim to be experts in 5+ areas...while in reality they barely scratched the surface...

TrunksXV

That's another reason why I'm studying the ITIL, DevOps and other management frameworks. It seems like a lot of these organizations are staffed by people who don't understand what IT is. Case in point, when I worked at my help desk job, I was suprised at how many people couldn't tell what type of computer they were using. That's like not even knowing what kind of car you drive. Or what car you even want to drive to start with. But it does exist. And people are never going to be like us in some sense. If you can't even know what type of OS that's on your computer, then how can you describe a job position in just 500 words or less?