Comments
Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage'
tdsan,
User Rank: Ninja
10/13/2019 | 8:36:43 PM
Re: Interesting comment about Garbage

I could not agree with you more, Bradley; it sounds like you are not just talking about it but have dealt with the real world. My buddy went through the same thing you have gone through with a security company located in VA (he found a security bug and issues, pointed them out, and later they walked him to the door, not because he was trying to help, but "how dare he" identify problems in our security solution).

In addition, we identified the same problem with a security assessment at the US Dept. of Navy. They received a raving score for their security setup and implementation, but again, a friend of mine in Bethesda found issues with the network from HP OpenView scans. He reported the issues to our site in DC and we made changes based on some registry entries, easily done. But when he reported the same thing to the members in Bethesda, they asked him to shut down the system, leave the lights on, and paid him to leave the location.

There are a number of other instances; it is not really going to change anything, it has to come from the top down. It cannot be leadership covering up the truth; they have to embrace it so positive change can come. Sometimes it means bringing light to people (negative in certain instances) and their incompetence, but so be it. It is a political game, but in the end we are all better for it.

T
BradleyRoss,
User Rank: Moderator
10/13/2019 | 7:41:39 PM
Re: Interesting comment about Garbage
I have heard technical managers say that they have never received a usable candidate through Human Resources or the various job boards. The outside firms have wined and dined the managers and told them they can get them all the workers they need with great qualifications quickly and they can pick the cheapest.

Middle-level managers want employees who won't disagree with them and won't make waves. The problem is that the type of employee who can actually do the job won't lie and claim that the system is fine when it really needs several months of work. My experience was that managers want people who will say it's good enough and shove it out to the customer immediately. That's how you get so many failed projects.

IBM said that it didn't want older engineers because they couldn't accept the new techniques. The problem is that they know that the so-called "modern methodologies" like Agile, Extreme Programming, DevOps, and Six Sigma don't work unless the people have an obsession with things working.

They also know that when managers say that they'll take the blame if the decision goes wrong, they are lying. They'll use you as the scapegoat the moment the customer complains.

Setting up the employees as competitors may work in sales, but it doesn't work in any type of engineering. The survivors aren't the best workers, but the ones who are the best at passing the blame onto others.

You may think that I'm exaggerating. I was hired to find the bugs in a program and was dismissed because I found the bugs in files I wasn't supposed to look at. (The files written by the manager.)

You have to figure on one to two years of salary to replace a good employee. Of course, on that basis, you probably shouldn't lay them off.

DevSecOps is a joke. The premise is that anything passing the test suite is suitable for implementation. The problem is that security flaws are usually based on things that won't be in the test suite. You can test if something will meet a set of specifications, but writing a complete set of specifications is very difficult and is an art in itself. You can't use tests to verify that the system won't do things it isn't supposed to do. You can't test in quality or security. Try using Google to search "can't test in quality".
tdsan,
User Rank: Ninja
10/7/2019 | 9:25:13 AM
Interesting comment about Garbage

CyberSN, a talent acquisition firm focused on cybersecurity professionals, debuted its KnowMore platform at Black Hat in August to sync up what they said is a pool of qualified talent who simply aren't being matched to the right opportunities.

"In our opinion, the No. 1 fundamental problem is that companies are relying on the old traditional hiring methods: draft a job description, which is usually garbage, post this garbage on a job site, and then complain when all the responses are garbage," Aiello says.

Interesting statements, but the other thing that is missing is that employers still have racial tendencies and biases against people of color. Oftentimes they look at hiring their friends or from within, to find out that those people don't have the propensity to do this level of work.

Let's be real about it: there are numerous people out here who can do this, but they have been looked over because they did not have 10-15 yrs of experience, or they say "we will get back to you" (and never do), or out of the 10-15 things they are asking for, if the person is not certified in one area but has certifications in similar areas, they are still passed over, or they are waiting on a friend to end a project so they can bring them on.

This is the reality people go through and have to deal with on a regular basis. It is sad that even in 2019 things are still this way; just look at the news. Indian, Chinese, Hispanic, or Black companies are going after government business but are often shunned (even if the group is from the US), not because they can't do the work, but because the garbage that is sitting at the other end of the desk can't do the work him or herself (they are just talking heads), but they try to legitimize themselves because someone gave them the position.

So it does not surprise me that we have a shortage; it may be because employers have on blinders that are keeping them from finding talent who may be sitting right in front of them.

T