[07-06-23]--Let's Write Better Cybersecurity Job Descriptions
Defense in Depth
What should a cyber job description require, and what shouldn't it? What's reasonable and not reasonable?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Geoff Belknap, CISO, LinkedIn. Our guest is Rob Duhart, Deputy CISO, Walmart.
Much of the frustration with cyber hiring starts with job descriptions. Christopher Zell of Dell posted a job that had 19 bullets of job skills, each one of them requiring five years of knowledge. While appearing to be computer generated, the job description’s lack of thought infuriated the LinkedIn community. Neither our guest nor our co-host qualified for this unrealistic position, and these kinds of posts hurt the industry, but more importantly they hurt the company that posts them.
Be more inclusive. Don’t create artificial entry barriers. There’s just too great an acceptance and a promoted view that potential candidates must come with multiple years of experience and an endless string of certifications, argued Anthony Rodriguez of Baptist Health South Florida. It hurts all levels of the hiring process. It’ll probably take five years to find that candidate, joked Luis Valenzuela of InComm Payments. "If this candidate exists, she would never accept the job of manager. She'd be all of our bosses," said Rob Duhart.
What are the minimum skills required to perform the job? Years of experience in multiple disciplines seem like an unnecessary checklist that doesn’t explain how the person will perform. "An easier route would have been to say, ‘Be a security person... Have 5 years of experience,’” suggested Marc Varner, Global CISO of Lowe's Companies. "Organizations really need to rethink what is the minimum requirements they need than some unrealistic wish list,” said Yolanda W. of CompQsoft Inc. “You still have to learn the company and the job role within the company’s framework."
Years of work don’t demonstrate skills. "Our industry and its members need to have an agreed upon definition of ‘skills’ and ‘experience,’” said E.J. Hilbert of KCECyber. “Skills are those things you have experienced and can now accomplish in a reasonable manner. Experiences are simply something you have knowledge of and worked to understand/handle in your past." In addition, "STOP with counting years,” said Darren Young of iManage. “What matters is demonstrable experience and produced results.” "What is it the organization actually needs,” asked Brandon Keath of RapidAscent. “Reverse engineer that into the role."
Job descriptions like this speak more to how ill-prepared the company is to hire for this role. "It’s a great job description,” joked Norman Hunt, deputy CISO for GEICO, “to help one determine that’s likely not a great place to work since they don’t really seem to know what they want." An unrealistic job description begs an unrealistic candidate. “This isn't a manager. You're advertising for Ironman," said Marie Nellist of MUFG.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Normalyze
Super Cyber Fridays!
Join us Friday [07-21-23], for "Hacking 5G Security"
Join us Friday, July 21, 2023, for “Hacking 5G Security: An hour of critical thinking about the looming explosion of IoT on 5G networks.”
It all begins at 1 PM ET/10 AM PT on Friday, July 21, 2023 with guests Kevin McNamee, security product manager, Nokia and Howard Holton, CTO and industry analyst, GigaOm. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.
Thanks to our Super Cyber Friday sponsor, Nokia
LIVE!
Cyber Security Headlines - Week in Review
Join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Hadas Cassorla, CISO, M1.
Thanks to this week's headlines sponsor, SlashNext
Cyber chatter from around the web...
Jump in on these conversations
"In a field as complex as cybersecurity, what separates a good cybersecurity professional from a great one? In your opinion, what's the most important skill for success in the field?"
"What are the best resources for researching cybersecurity career salaries and bonuses?"
"Should I learn Python for an entry level cybersecurity position?"
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[07-21-23] Hacking 5G Security
Register for them all now!
Do We Need To Worry About This?
"The thing you were worried about before the Black Hat conference is the same thing you'll be worried about after the Black Hat conference," said a redditor on the r/cybersecurity subreddit. The cool greatest awesome new threat that doesn't affect us is not worth our time.
In this video Paul Reid, global head of threat intelligence of OpenText, talks about how they're now able to find more localized threats for their customers. Also, they're able to watch for smokescreens where one giant boom is solely a diversion from another more targeted attack which is the one the attacker really wants to accomplish.
Watch the video
HUGE thanks to our sponsor, OpenText
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.