Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Businesses IT Technology

Companies Urged To Adjust Hiring Requirements for Cyber Jobs (wsj.com) 164

Companies need millions more cybersecurity professionals to fill roles around the world, but researchers say outlandish job requirements are the problem, rather than a lack of workers. From a report: Around 3.1 million professionals are needed to bridge the cybersecurity talent gap, a trade association for cybersecurity professionals estimated in a November report. The International Information System Security Certification Consortium, known as ISC2, said world-wide employment in the field would need to grow 89% to meet security requirements. However, excessive requirements for years of experience and professional certifications plus inflated expectations for junior roles aren't uncommon, said Chase Cunningham, principal analyst at research firm Forrester. He said that results in the perpetual problem of such positions going unfilled because companies often target overqualified candidates who can command greater salaries than these jobs tend to offer.
This discussion has been archived. No new comments can be posted.

Companies Urged To Adjust Hiring Requirements for Cyber Jobs

Comments Filter:
  • Not gonna happen (Score:5, Insightful)

    by rsilvergun ( 571051 ) on Tuesday December 01, 2020 @10:40AM (#60782226)
    the requirements are there because the companies don't want to train. So they set artificially high requirements to avoid training costs. This has 2 benefits:

    1. They get to tell regulators "We'd love to secure our network but we can't find competent people".

    2. They get to bring in already trained H1-Bs.

    The only way to fix this would be with government regulation, and nobody wants to do that because we've been told for 50 years that government == bad.
    • Re:Not gonna happen (Score:5, Interesting)

      by chispito ( 1870390 ) on Tuesday December 01, 2020 @10:48AM (#60782242)

      the requirements are there because the companies don't want to train. So they set artificially high requirements to avoid training costs. This has 2 benefits: 1. They get to tell regulators "We'd love to secure our network but we can't find competent people". 2. They get to bring in already trained H1-Bs. The only way to fix this would be with government regulation, and nobody wants to do that because we've been told for 50 years that government == bad.

      You're probably right. Don't forget, too, that most infosec jobs are more about compliance--paperwork, audits and bureaucracy--than anything fun or operational. So the flipside is people in Dev or Ops may not be interested in stepping over based on their experiences dealing with those same teams. Once you finally get that clueless CISSP off your back, why would you want to join his/her team?

      • that beggars can't be choosers. There's no shortage of qualified American workers willing to take the jobs if companies are willing to offer them. There *is* a shortage of companies willing to train and willing to hire for 40/wk instead of 60+/wk.
    • by Junta ( 36770 )

      Absolutely going to agree here. The companies doing this know very well what they are doing, they know they can't find people that meet the requirements. Occasionally they need to post a token job publicly that can't be filled to fulfill some internal or external regulatory requirement before moving on to what they want to do (either go without or just hand the position to someone contrary to a requirement that the person should have to fairly compete with candidates.

      In the most charitable case, they are c

    • by mark-t ( 151149 )

      Actually, they probably *could* find competent people domestically, just not ones that are willing to do that job for what they are offering.

      What sort of regulation do you imagine being effective?

      • Exactly, if it exists, then there is always supply at the right price. If it's not available at the price someone is offering it's because it's worth more than they're offering to pay. If someone can't find top notch experienced engineers willing to work at their startup for minimum wage and 100 stock options, it's not because there is an under-supply of engineers.

        • So there are millions of highly-trained engineers refusing to work because salaries are too low?

          I don't think so.

          • by mark-t ( 151149 )

            More specifically, because many of the salaries being offered are too low, but with respect to what is being discussed here, yes.

            Not all companies lowball their salaries, but many do.

      • Doing these kind of jobs w/o training time & support is like having 2 or 3 jobs. The H1-Bs do it because they come already trained. Eventually they're "used up" because their skill age (like anybody's does) but they're working too hard to maintain their skills. Local talent will see that coming and stop putting in that much work after a year or two in order to focus on their next gig.

        H1-Bs are disposable by nature, Americans are not.
    • by cordovaCon83 ( 4977465 ) on Tuesday December 01, 2020 @11:04AM (#60782290)

      the requirements are there because the companies don't want to train. So they set artificially high requirements to avoid training costs.

      Cyber-security professionals can and should have a lot of certifications. These companies are shooting themselves in the foot by gate-keeping, though. It's probably far cheaper to take someone with a degree and put them through certification than to negotiate salary with someone that already has all the pre-requisite certifications.

      They get to tell regulators "We'd love to secure our network but we can't find competent people".

      Cyber-security requires a high level of competence, so this is unsurprising.

      They get to bring in already trained H1-Bs.

      This is when H1-B visa programs work as intended. Anecdotally, I can attest that's something that doesn't happen in my industry. Security positions are not assigned to foreign nationals under any circumstances.

      The only way to fix this would be with government regulation, and nobody wants to do that because we've been told for 50 years that government == bad.

      Cyber-security is a newish discipline. The requirements are extremely high due to the nature of the job. I don't know if corporations can do that much about it in the US other than hire entry-level workers and turn right around to train them again with the right certifications. Most companies simply aren't going to have the infrastructure built to support that.

      The free market may catch up and provide the workers needed in five to ten years. Government regulation could boost those numbers by, I don't know, providing more scholarships for cyber-security degrees? Maybe the new administration will point us in the direction.

      • by Joe_Dragon ( 2206452 ) on Tuesday December 01, 2020 @11:15AM (#60782324)

        government regulation to fix the H1-B visa issues can be done.
        Like
        an min wage (With COL added in) say 80K is good in some areas but not bay area.
        Stopping Extreme OT for H1-B workers.
        Stopping fake job ad's to keep out US workers.
        Not locking H1-B's to the job so they can't be abused.
        IF an US workers needs to train an H1-B to get there severance then that should trigger an review / fines.

        • by rsilvergun ( 571051 ) on Tuesday December 01, 2020 @02:05PM (#60782868)
          You need to account for the fact that they tend to do the work of 2 employees and that training is *expensive*. Start at $300k. H1-B is for workers you can't possibly get in America. That's incredible value, critical to your business. If you can't pay $300k you didn't really need them or they're not adding enough value to justify brining them in.

          You won't be able to do the other thing's you're talking about. Regulations that try to accomplish those things can easily be worked around. Stupidly high salary requirements cannot. It's too cut and dry. Either you're paying it or you're not. Things need to be blunt and cut and dry or you'll get lobbyists writing loopholes in.
      • Cyber-security is a newish discipline. The requirements are extremely high due to the nature of the job.

        Cyber-security has literally been around for decades now. The only thing "newish" here, is the sudden desire to actually give a shit enough about cyber-security to hire people.

        And the corporate give-a-shit factor still isn't anywhere near high enough, so we should expect more of the same. Massive hacks. Massive data breaches. Massive losses. And ultimately massive lawsuits that don't change a fucking thing, including increasing the give-a-shit factor.

        Seemingly the only companies actually taking cyber-se

        • The threats have never been so pervasive or damaging.

          But the bar is set high so that HR and top mgmt can point to the lack of seats filled and have a cop-out reason.

          Your rationale fits, but the give-a-shit factor has another skew, called irrational expectations. I'll take one seasoned pro over four people with an alphabet soup of certifications any day. The problem is finding and assessing who's actually seasoned, and who thinks they're an nmap wizard and deserves the gig. If you're in HR, looking at resume

      • I pretty much agree from my experience in the field.

        Something to keep in mind for all job seekers, no matter what the field, is that job postings will list several qualifications that the employer would like to find. If you take that list as "you must have all of these, and exactly these, or don't bother applying", you're missing good opportunities. The employer doesn't know what qualifications you have before they talk to you. Maybe you have other qualifications that they didn't think about which will b

      • I'd be more than happy to move into a cyber-security position, having formerly been a network admin and support technician. I don't however have a host of cyber-security certs as they were never a core part of my job. If these people wanted someone with related experience who would be easy to train, I'd be a great fit. However, they don't even respond to my submissions.

    • 3. They already have someone in mind who has exactly those certs and years of experience and wants the position for some reason, but they have to post it publicly to tick the HR/compliance boxes.
    • by sjames ( 1099 ) on Tuesday December 01, 2020 @11:11AM (#60782306) Homepage Journal

      More specifically, they don't want to train, nor do they want to pay a reasonable rate for someone already trained. Since they're only interested in ticking boxes rather than actually being secure, they just need someone willing to claim they're trained.

    • The lack of training investment in most IT businesses is pretty staggering.

      I work for an MSP and the sheer amount of winging it that goes on is astonishing. I sometimes secretly hope it goes badly on a client project and the resulting lawsuit holds the business negligent along the lines of malpractice.

      I mean if you got on an airplane that was repaired by people who "figured it out" and it crashed, the airline would be gutted for not providing expertise.

      • I know an airline company who did just that and the airplane crashed. They are soon to give it the ol' college effort again.
    • I don't have problems with H1-B. But companies should be required to pay them the same wages as Local Employees for the same position. Also the H1-B employees better meet the requirements that they couldn't find the jobs for.

      We have been told that Government == Bad. However these are also companies begging for the Government to give them a hand.
      If you are going to ask for Extra Government Help, there should be strings tied to it, to make sure that you are working for the public good. This also should be

      • by PPH ( 736903 )

        But companies should be required to pay them the same wages as Local Employees for the same position.

        They'll just cut the position's pay for everyone until the local employees walk away and then they need H1-B labor.

        However these are also companies begging for the Government to give them a hand.

        In what way? It's not asking for a hand if they believe that they already have the right to freely hire from any corner of the world. They just want government out of the way.

        We should keep mindful that the individuals who are running the government, are working for us the Citizens, and not for themselves or special interests.

        Yeah, right. That didn't work out so well last month. Hint: Keep a close eye on your 401(k)s and IRAs. Rule changes could make them start to evaporate pretty quickly next year. Socialism will only tolerate the government h

    • by JBMcB ( 73720 )

      the requirements are there because the companies don't want to train.

      One of my friends had to hire a security team. The requirements were some sort of basic networking experience, and some general IT experience. The positions were for industrial controls security, which almost nobody has experience with, so training would be included. Out of a few dozen applicants, maybe five or six met those *basic* requirements. One of the applicants said that he dealt with managed switches - "Like, three or five port switches..." He was one of the better candidates, as he at least knew wh

    • by Zak3056 ( 69287 )

      2. They get to bring in already trained H1-Bs.

      The only way to fix this would be with government regulation, and nobody wants to do that because we've been told for 50 years that government == bad.

      You don't think that's a particularly bad example? I mean, unless you think the H-1B program came from the immigration fairy, government really does == bad in this instance.

    • by Clived ( 106409 )

      That has always been the case in ANY profession. There has always been a gap between mindset of the hiring managers and HR people, making the whole issues a confusing mess

    • Government regulation is what set up this situation. The fix is for the regulators to do their jobs. Trump has actually made progress on this front, but you can forget about it on January 21.

    • by Shaitan ( 22585 )

      Right, they outsource to india, costa rica, etc where they can find papermill freshers rather than hire and train US workers. The high requirements help them justify those moves.

    • the requirements are there because the companies don't want to train. So they set artificially high requirements to avoid training costs. This has 2 benefits: 1. They get to tell regulators "We'd love to secure our network but we can't find competent people". 2. They get to bring in already trained H1-Bs. The only way to fix this would be with government regulation, and nobody wants to do that because we've been told for 50 years that government == bad.

      I deal with cybersecurity and I can tell you that this is just simply not the case. HR and recruiters don't understand it but it's very difficult to find the right people you need anywhere in the world. Would I love to hire 10 security experts in India? Sure as hell would - but I'd pay a fortune to find anyone with the skills I need. It would be easier and more cost effective to hire some fresh college grads in the US and train them for what I need. I'd probably spend at least a year looking for such pe

  • by toddz ( 697874 ) on Tuesday December 01, 2020 @10:46AM (#60782238)
    Once was told I didn't have enough experience with a specific tech that I had been developing with it since it was released. Moved on knowing I was better off somewhere else.
    • by SkonkersBeDonkers ( 6780818 ) on Tuesday December 01, 2020 @11:32AM (#60782398)

      It may be an issue with recruiters too who for many IT jobs post outrageous lists of frequently contradictory requirements because the recruiters actually don't know diddly about IT.

      One of my favorite I saw back in the day was a recruiter posting saying they wanted a developer with 5 years of .NET experience but .NET had only been out for about 3 years.

      • I have seen something similar in my country: in the late 1990's some company put out an advert for a web developer. The company had listed "Minimum 10 years of experience" under their requirements....

        I don't know if the fault lies with the company's IT department (probably not), it's HR department (more likely) or the recruiter (also more likely), but between them they have managed to whittle down the potential candidates from a few hundred to none...

        While similar requirements might have a function to
  • by Joe_Dragon ( 2206452 ) on Tuesday December 01, 2020 @10:52AM (#60782252)

    human resources recruiter doesn’t have experience in the area to know what is entry-level??

    One time I think I had that 1st thing in the interview you have all of that but this is an entry-level job so you will not be doing a lot of the listed skills that you have.

    • by mark-t ( 151149 )
      Of course they know... they just aren't willing to pay what an intermediate position would actually demand.
    • by Corbets ( 169101 ) on Tuesday December 01, 2020 @01:10PM (#60782708) Homepage

      You know, I lead a security team of several hundred people. I can tell you that HR does not define our job ads - we do.

      And it’s been like that at every company I’ve ever worked with. HR also doesn’t understand finance roles, or medical engineering, or... etc. They don’t try to stick themselves in the middle like that.

      What they do try to do is ensure you’ve got the basics covered.

      This hate on HR has gotta stop. If cyber ads are poor, it’s our own damn fault, not theirs.

  • What do you mean 10 years experience with Kubernetes is ridiculous?
    • by CubicleZombie ( 2590497 ) on Tuesday December 01, 2020 @10:57AM (#60782266)

      What do you mean 10 years experience with Kubernetes is ridiculous?

      If they ask for 10 years of Kubernetes experience then say you have 10 years of Kubernetes experience. Hell, I've been using it since the 80's. And I know Kung-Fu.

      • by mark-t ( 151149 )

        When I got laid off from a game development job in mid 2010, I was looking for a similar career to what I had been doing, and I recall coming across one job ad that asked for five years of experience in iPhone game development.

        Considering at the time, the iPhone had only been out for 3 years, I found this amusing. Where I had been working, I had only personally been involved in one iOS project up until that point, so I applied anyways, and didn't mention my iOS experience specifically except in the con

        • Considering at the time, the iPhone had only been out for 3 years, I found this amusing. .... I never heard back from them, and I eventually landed a different job with another local game studio. I always wondered what they were actually expecting, however.

          They hired me instead because I had TEN years of iOS experience.

      • the first time your company wants to do layoffs. Lying in a job posting though is OK.

        This is why we need government regulation, workers and employees are not on even footing.
    • Reminds me of a job listing I saw back in the day for a java programmer. The only people who would qualify would be the people who wrote Java.
  • I find that the employee/employer dynamic to be more and more adversarial as time goes on. This is especially true in the tech world where employers know they can offshore or H1-B. It doesn't really make sense all the way because treating people like people usually works in one's favor. But it's a skill and people with power don't naturally treat others kindly partially because the very way they got said power was by elbowing past people.
  • Wow, you mean to tell me companies try to lowball prospects when hiring? I am shocked, absolutely shocked!

    • The bigger problem is that they lobby the government to break immigrant laws that everyone else has to follow, and that they have developed the system well enough that they can unilaterally bring down salaries between all companies. Meanwhile the person who is applying for employment gets very little information about the whole process. It is not a fair market.
      • they can unilaterally bring down salaries between all companies

        If they need to do it between multiple companies, then they're doing it multilaterally

        /pedantry

  • The International Information System Security Certification Consortium complains about excessive requirements for [...] certifications? Or maybe they want you to hire more people and then send them to get certified. You should know that certification is not for security. It's for compliance. Security is about preventing bad things. Compliance is about not getting shat on when bad things happen.
  • by oldgraybeard ( 2939809 ) on Tuesday December 01, 2020 @11:04AM (#60782288)
    Money. The big corps do not want to pay US wages, they want to pay 3rd world wages. There are plenty of IT people available if you pay the going(livable) wage.

    Any organizations, corporations or groups that are pushing this will just buy the laws and regs they want from their Political, Bureaucratic and Legal assets.
    • Comment removed based on user account deletion
    • The corporations are working towards a fix for this, by undeveloping the US. It should soon be enough of a shiathole that salaries will come in line with India and Vietnam.
      • Nonesense, only the people who don't live in massive walled compounds will be living in a third world country. The US will be great for everyone else.
    • by mark-t ( 151149 )

      This is why, IMO, that the minimum wage should be brought up to living wage standards.

      If you expect to pay a living human being to do the work, then pay them a wage that is high enough to, you know, actually live on.

      Otherwise, IMO... you need to either automate the job or else just do it yourself.

      • by Nidi62 ( 1525137 )

        This is why, IMO, that the minimum wage should be brought up to living wage standards.

        If you expect to pay a living human being to do the work, then pay them a wage that is high enough to, you know, actually live on.

        I agree with this, but to preemptively counter the "high school student/working my way through college" argument, allow for companies to apply to classify positions as "student" positions that pay below livable wage but are subject to stringent employment criteria: age of the employee, proof of attendance to an educational institution of high school/high school equivalent level or higher, a cap on the number of hours worked per week (so they can study), and workable hour restrictions (since they should be a

        • allow for companies to apply to classify positions as "student" positions that pay below livable wage but are subject to stringent employment criteria: age of the employee, proof of attendance to an educational institution of high school/high school equivalent level or higher, a cap on the number of hours worked per week (so they can study), and workable hour restrictions (since they should be attending class at certain hours of the day).

          What about retirees who want to make a little extra money to supplement their retirement income? What about people who want to earn a little extra money for the holidays?

          The individual employee qualifying for this position should also be tracked and monitored to limit the amount of hours they work per week as well (so they aren't working 3 jobs for 60 hours a week, for example).

          And, who do you expect to do this extreme invasion of people's privacy?

          I would also say limit the number/types of positions that could qualify for this classification for each workplace/location

          And, who decides what that using what criteria? Can every employee at a fast food restaurant qualify?

          This lets fast food restaurants and similar employ cheaper employees who don't need a livable wage while protecting those who actually need to be able to support themselves.

          The people primarily protesting for high minimum wages are people employed by fast food restaurants and in positions that require little to no skill or education. You ar

          • by mark-t ( 151149 )

            Why should not requiring much skill or education be an excuse to pay a living human being anything less than what a human being needs to actually live? Why should a person who lacks education or experience have less of a right to survive in society?

            Absolutely everyone, from the experienced engineer to the janitor to the person who flips hamburgers for a living should by rights make enough at their job to live off of it if that is their only job and it is anything close to full time, but because of the

          • by Nidi62 ( 1525137 )

            allow for companies to apply to classify positions as "student" positions that pay below livable wage but are subject to stringent employment criteria: age of the employee, proof of attendance to an educational institution of high school/high school equivalent level or higher, a cap on the number of hours worked per week (so they can study), and workable hour restrictions (since they should be attending class at certain hours of the day).

            What about retirees who want to make a little extra money to supplement their retirement income? What about people who want to earn a little extra money for the holidays?

            Easy, carve out exemptions for them too. Retiree based, again, on age, and total hour restricted. Seasonal should have hourly limits (since it's supposed to be a supplemental job), and of course limited by industry and time of year (the same business doesn't get to say Jan-Mar is one season, Apr-June is another, etc)

            The individual employee qualifying for this position should also be tracked and monitored to limit the amount of hours they work per week as well (so they aren't working 3 jobs for 60 hours a week, for example).

            And, who do you expect to do this extreme invasion of people's privacy?

            This may shock you, but for the people who work jobs where minimum wage is a factor, the government (specifically the IRS and state equivalents) already know exactly how many hours they are wo

      • This is why, IMO, that the minimum wage should be brought up to living wage standards.

        If you expect to pay a living human being to do the work, then pay them a wage that is high enough to, you know, actually live on.

        Otherwise, IMO... you need to either automate the job or else just do it yourself.

        Not all jobs are targeted at people who need "a wage that is high enough to, you know, actually live on." Many jobs are targeted at retirees, teenagers who live at home, people wanting to make extra money. The big problem is that people are trying to live on jobs that require no skills and grade school education because they that is all they qualify for because they blew off school and have no skills. Also, the minimum wage for the nation should be what is required in the cheapest place, not the most expen

        • by mark-t ( 151149 )

          I don't know, but whatever it is, at least they will be paid better.

          Most people who get laid off through no fault of their own do eventually find other work.

          I have not heard of any study that shows any sort of correspondence between minimum wage increases and homelessness of able-bodied people who were otherwise willing to work.

        • by Nidi62 ( 1525137 )

          Not all jobs are targeted at people who need "a wage that is high enough to, you know, actually live on." Many jobs are targeted at retirees, teenagers who live at home, people wanting to make extra money. The big problem is that people are trying to live on jobs that require no skills and grade school education because they that is all they qualify for because they blew off school and have no skills.

          Or just had shitty luck. I graduated with a Master's degree and spent 3 years working in a warehouse for $12 an hour before I got a decent paying job. Because I was lazy and unskilled? Nope. Because I graduated during the middle of a damn recession. And the only reason I got that $12 an hour warehouse job was because I had been working seasonally/part time for that company since freshman year of college and I had the seniority to qualify for a full time position. That is why you need livable minimum w

    • There are plenty of IT people available if you pay the going(livable) wage. Any organizations, corporations or groups that are pushing this will just buy the laws and regs they want from their Political, Bureaucratic and Legal assets.

      Are you actually hiring people? Where from? What you're saying sounds nice. I just have been trying to fill a team in a tech town. It's tough and we really have to compromise and still the positions go unfilled.

      For example, a routine backend engineer...we expect them to know core Java and how to write a basic SQL query, 2 of the most common skills in the last 20 years for working programmers...ideally we'd like them to have experience with ORM and writing REST services, but we gave up on that long ag

      • by Minupla ( 62455 )

        All of this - and then add that if youâ(TM)re hiring for Cybersecurity, itâ(TM)s a high stress environment (studies show that Cybersecurity has among the highest levels of substance abuse of any tech job), and often require people with BOTH high level technical skills (take a look at this code and review it for any SQL injection attacks is harder then Write code to query a table) and people skills (OK, now that you found the injection vulnerability, talk to the developer who wrote the code and tea

      • I just have been trying to fill a team in a tech town.

        I don't consider 150k-200k for entry-level routine business programming to be 3rd world wages

        That depends on the tech town in which you are trying to higher. If you are in Silicon Valley where people making $150K a years have to live with 3 roommates to be able to afford an apartment, then you are wrong.

        So, tell what tech town you are referring to and we will judge if you are in the right ballpark for entry level people.

  • by Greyfox ( 87712 ) on Tuesday December 01, 2020 @11:14AM (#60782316) Homepage Journal
    The entire hiring process is broken. None of the job postings tell you what you'll actually be doing, they just list some random skills that probably don't even apply to the position. The guy who actually needs someone to fill a role has no actual input into the wording in the job posting. The people doing the actual recruiting don't understand anything about programming, the business model of the company or what you'll actually be doing. And if you actually manage to land an interview the company therefore has to take their experienced engineers away from production for several hours to try to figure out if you're a man and not a cabbage or something. And most software engineers are really bad at talking to people, so I'd argue that your results would actually be better if you just flipped a coin as to whether to hire the guy or not. I won't even go into the number of interviews I've had where they asked me all these blue-sky questions about algorithms, data structures and logical short-cutting and then when I finally got a look at their code base none of that stuff was present. If their design was even half as good as the questions they asked me in the interview, they probably wouldn't have even needed another guy to help them maintain it.

    A lot of this could be fixed just by having the recruiter know something about programming and the business model of his clients, but that would require him to work more closely with his clients than most recruiters do. And any recruiter who knows that much about programming would make more money as a software engineer anyway. No one seems to be particularly inclined to change the system, so it'll probably stay that way. You'd think that if a company came along that could suck just a little bit less at all of this, they could clean up in the market, but so far no one actually has.

  • by dgatwood ( 11270 ) on Tuesday December 01, 2020 @11:17AM (#60782330) Homepage Journal

    They *pay* people to cyber now? Wow. I guess the pandemic really did change things.

    Oh, wait. This is about cybersecurity. Never mind.

  • How about we raise salaries and work conditions in accordance with what it takes to convince kids to go into it for a profession, or pay to train people who need a bit different experience?
    • Too many kids thing they should come into the organization as SVPs over a team of 20 people to do their bidding.
  • A lot of companies are letting possible excellent employees go, because their job requirements just stink.
    Often they take the Experience of the guy who just left the company and tries to get a new employee who matches the guy who just left. Not thinking the following.
    1. The guy who left, probably left because he was overqualified for the job, and couldn't move further. So you are trying to bring in someone just as overqualified thinking that they will jump at the opportunity to do a job beneath their abil

    • by Junta ( 36770 )

      Wanting to work for $15 an hour.

      But you are ignoring the stock options! That's how you will be rich.

      One executive that I used to work with started a company and tried to recruit me. When I said I'd need a sizeable salary bump, he responded that it would actually be a cut, but instead I would have equity given and that is going to let me be the multi millionaire instead of making someone else a multi millionaire.

      Strangely, despite his assurances that was the better deal, he wouldn't keep the equity and give me a higher salary. To no-ones s

    • Avoid coded critera (such as Fitting into the Corporate Culture),

      Fitting into the corporate culture is not "coded criteria". Hiring people who don't fit into a company's corporate culture is a recipe for unhappy employees and high turnover.

      I know of a company whose corporate culture including being on call. They hired a guy who was technically what they wanted and had the skills they needed but he told them straight up that he didn't own a cell phone and didn't want to own a cell phone. He lasted an entire day and was told not to come back because he didn't fit in with

  • by DontBeAMoran ( 4843879 ) on Tuesday December 01, 2020 @11:40AM (#60782424)

    What's the fucking point of having a checkbox "Ads disabled" if you keep resetting it or not respecting it between your dozens of sub-domains?

  • In other words, American companies are not reserving the funds they need in order to protect themselves from hostile nations. Wonderful, I'm sure that will end well.
    • In other words, American companies are not reserving the funds they need in order to protect themselves from hostile nations. Wonderful, I'm sure that will end well.

      Don't worry. I'm sure the enemies of America will be happy to provide an outsourced cybersecurity manager after American Greed complains loudly to the H1-B program about American salaries. Foreign spies will even take that job cheap.

      Only downside is finding new hires. Seems they only stick around long enough for the file copies to get done...

  • Imagine not applying for a job because hr posted outlandish requirements
    • You mean like a devops position paying $75K a year that required
      • 5 years Linux Administration
      • 5 years Windows Administration
      • 4 years of C# and .Net experience.
      • 4 years of Java with Spring and Hibernate
      • 3 years of C/C++
      • 2 years experience with at least 2 of Chef, Puppet, AWS, Jenkins, VMWare, and AWS.

      And, if you don't have the required experience, don't apply for the job.

  • This has been going on forever.

    I remember seeing a job with requirements of "5 years experience in ${PRODUCT} 2007" ... in 2008.

  • Iâ(TM)ve been hiring people for âoecyberâ positions from before it was called that :).

    Hereâ(TM)s some tips for anyone attempting to break into this segment:

    1) Cyber != IT or development. Expect different questions. Iâ(TM)m unlikely to ask you to code anything during an interview. Iâ(TM)m going to ask you to explain the difference between Asymmetric Crypto, Symmetric Crypto, and Hashing. Depending on the position Iâ(TM)m hiring for, I may ask you to describe to me a vul

    • There are a lot of cybersecurity positions that exist to ensure some cybersecurity framework or other (weak) compliance requirement is "met".

      What you are looking for I would imagine might be hard to fill unless you're offering that million dollar salary to compete with that skilled individual who's having fun sitting at home cashing in on bug bounty programs. If you have the skills to go "wide and deep" in cybersecurity, there are probably much better paying positions that are quite frankly more exciting a

      • by Minupla ( 62455 )

        > What you are looking for I would imagine might be hard to fill

        Ya, I work the operational security side of the fence. My teamâ(TM)s job is to implement real security (my bossâ(TM)s words, not mine) and watch the script kiddies and nationstates poke around the place and build the next set of walls.

        I personally find it more rewarding then the bug bounty game, and way more ethical then the 0day weapon broker market. But I agree its not a universal mindset. I find redteam to be too easy. They

  • You say 'cybersecurity' and I hear 'Yakity Sax' in my head, accompanied by images from Benny Hill.
    No doubt I'll draw angry comments from actual competent cybersecurity professionals who are here on Slashdot, but before you start shooting at me: my opinion comes from the virtually daily news stories of this-or-that large company or organization that's getting their ass handed to them by this-or-that cybercrime organization -- and yes, I acknowledge the fact that your efforts are regularly hamstrung by shitt
  • However, excessive requirements for years of experience and professional certifications plus inflated expectations for junior roles aren't uncommon,

    I don't have it handy, but a guy posted a tweet about finding a listing for a programming job. The ad said the candidate had to have five years of experience with a particular language.

    The problem was the language had only been around for three years and the guy who posted the tweet was the one who developed the language.

    The comment above has been
  • by Anonymous Coward on Tuesday December 01, 2020 @01:00PM (#60782688)
    Posting AC for obvious reasons. I am a manager in charge of InfoSec consulting team. Hiring is always a huge pain, especially due to HR meddling in the process. I know exactly the type of person that can succeed in the job but often cannot hire for the following reasons:
    a. HR filters candidates based on keyword match - if even some are missing, resume get dropped. This makes job description overly generic, as I don't want HR to filter our good candidates because they listed Python when I asked for Metasploit.
    b. Ladies at HR have their own ideas what makes someone a fit and they will often hire based on diversity goals, as their bonuses partially tied to that. I only can come up with top 3 picks out of filtered pool and they ultimately decide who to hire. For something specific, there might not be 3 qualified candidates in the pool.
    c. I have very difficult time justifying high InfoSec salaries, seeing how HR sees my field similar to IT and development and wants to pay accordingly. Our organization has salary ranges based on seniority, to offer competitive salary I have to set 10+ years seniority, this means I have to ask for 10+ years in some specific skill. This means HR will screen your resume unless you put it as a line item on your resume.
  • They'll claim they want cybersecurity... then require the certs that three people might get in 10 years, just as they do for everything else, because a) they don't want to pay fair wages, and b) under no circumstances will they *pay* for training, they'll have the employees charge it to the contractee company's accounts (like my company did).

    Then, of course, the CEO, and all the MBAs, will put that as last item of business, and be shocked, shocked, when they're hacked.

  • Those requirements are there for a reason. Have a closer look at any real-life penetration test and you'll understand why. In order to fully assess security of a given entity you must not only be capable of understanding the project, all of it dependencies, interactions and risks but also know where and what to look for. It's not as simple as launching a few predefined tools. This "what can go wrong" sort of knowledge comes only with experience. You cannot detect what you don't know.

    It also worries me gre
  • I've wanted to get into infosec but the experience and certification requirements are definitely excessive. I may not have all of the knowledge, but I'm a quick learner, have a grad degree, know some programming languages, and enough about Linux and networking to run my own home servers for a variety of services. Clearly, I have no issues learning new technologies and keep abreast of changes. It's not good enough, they say. Someone mentioned that it's about not wanting to train people, and that seems like a

"An idealist is one who, on noticing that a rose smells better than a cabbage, concludes that it will also make better soup." - H.L. Mencken

Working...