Aug 27, 2020
All links and images for this episode can be found on CISO
Do companies hiring cybersecurity talent even know what they
want? More and more we see management jobs asking for engineering
skills, and even CISO jobs with coding requirements. What's
this post for the basis for our conversation on this week’s
episode which features me, David Spark (@dspark), producer of CISO Series,
Alford (@allanalfordintx), and our
Connolly, CISO, Seek.
Thanks to this week's podcast sponsor, Salt
protects the APIs at the core of SaaS, web, and mobile
applications. By using patented behavioral protection Salt Security
automatically and continuously discovers and learns the granular
behavior of each unique API and stops attacks. In 2020 Salt
Security was named a Gartner Cool Vendor in API Strategy.
On this episode of Defense in Depth, you’ll
- The poor focus of cybersecurity job listings often exposes
either the poor understanding or lack of maturity of a company's
information security program.
- We often see management cyber jobs asking for engineering
skills and vice versa.
- Job listings can also portray the "last guy" syndrome. Those
are the job listings that tack on desired skills the last person
did not have.
- When you see too many requirements it comes off as a wish list.
It's not what is required, it's more of a question as to how many
boxes can a candidate check off.
- There can be serious harm to a company's ability to hire if
they throw down too many requirements or even optional items.
People who are truly required for the position you want may never
apply because they'll be scared off by the other skills required or
- CISOs are often hired by non security people and as a result
they don't have a full understanding of what type of CISO they
want. As a result it's often hard to find two similar CISO job
- While CISO technical competencies are desired, it's clear that
once hired a CISO will not be showing off their technical
expertise. As a result, there's a lot of debate as to how much
technical skill a CISO really needs. The job requires management,
influencing, and communications.
- Many hiring teams have a hard time parsing out the types of
security people they need to build out a security team. That's why
you get a single job listing that appears to want to hire five
different types of security people.
- If a CISO isn't given the budget and authority to hire a staff
to fill all the necessary gaps for the company's security program,
they will become fed up and leave. That starts the whole process
- Many debate that job titles in job listings are just there to
massage the ego. But if compensation doesn't match the title, then
they realize the title is just for show.