
Comments
Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage'
tdsan, User Rank: Ninja, 10/13/2019 | 8:36:43 PM
Re: Interesting comment about Garbage

I could not agree with you more, Bradley; it sounds like you are not just talking about it but have dealt with the real world. My buddy has gone through the same thing you have gone through with a security company located in VA (he found a security bug and issues, pointed them out, and later they walked him to the door, not because he was trying to help, but "how dare he" identify problems in our security solution).

In addition, we identified the same problem with a security assessment at the US Dept. of Navy: they received a rave score for their security setup and implementation, but again, a friend of mine in Bethesda found issues with the network from HP OpenView scans. He reported the issues to our site in DC and we made changes based on some registry entries, easily done. But when he reported the same thing to the members in Bethesda, they asked him to shut down the system, leave the lights on, and paid him to leave the location.

There are a number of other instances; it is not really going to change anything, it has to come from the top down. It cannot be leadership covering up the truth; they have to embrace it so positive change can come. Sometimes it means bringing light to people (negative in certain instances) and their incompetence, but so be it. It is a political game, but in the end, we are all better for it.

T
BradleyRoss, User Rank: Moderator, 10/13/2019 | 7:41:39 PM
Re: Interesting comment about Garbage
I have heard technical managers say that they have never received a usable candidate through Human Resources or the various job boards.   The outside firms have wined and dined the managers and told them they can get them all the workers they need with great qualifications quickly and they can pick the cheapest.

Middle level managers want employees who won't disagree with them and won't make waves.  The problem is that the type of employee who can actually do the job won't lie and claim that the system is fine when it really needs several months of work.  My experience was that managers want people who will say it's good enough and shove it out to the customer immediately.  That's how you get so many failed projects.

IBM said that it didn't want older engineers because they couldn't accept the new techniques.  The problem is that they know that the so-called "modern methodologies" like Agile, Extreme Programming, DevOps, and Six Sigma don't work unless the people have an obsession with things working.

They also know that when managers say that they'll take the blame if the decision goes wrong, they are lying.  They'll use you as the scapegoat the moment the customer complains.

Setting up the employees as competitors may work in sales but it doesn't work in any type of engineering.  The survivors aren't the best workers, but the ones who are the best at passing the blame onto others.

You may think that I'm exaggerating.  I was hired to find the bugs in a program and was dismissed because I found the bugs in files I wasn't supposed to look at.  (The files written by the manager.)

You have to figure on one to two years of salary to replace a good employee.  Of course, on that basis, you probably shouldn't lay them off.

DevSecOps is a joke.  The premise is that anything passing the test suite is suitable for implementation.  The problem is that security flaws are usually based on things that won't be in the test suite.  You can test if something will meet a set of specifications, but writing a complete set of specifications is very difficult and is an art in itself.  You can't use tests to verify that the system won't do things it isn't supposed to do.  You can't test in quality or security.  Try using Google to search "can't test in quality."
tdsan, User Rank: Ninja, 10/7/2019 | 9:25:13 AM
Interesting comment about Garbage

CyberSN, a talent acquisition firm focused on cybersecurity professionals, debuted its KnowMore platform at Black Hat in August to sync up what they said is a pool of qualified talent who simply aren't being matched to the right opportunities.

"In our opinion, the No. 1 fundamental problem is that companies are relying on the old traditional hiring methods: draft a job description, which is usually garbage, post this garbage on a job site, and then complain when all the responses are garbage," Aiello says.

Interesting statements, but the other thing that is missing is that employers still have racial tendencies and biases against people of color. Oftentimes they look at hiring their friends or within, only to find out that those people don't have the propensity to do this level of work.

Let's be real about it: there are numerous people out here who can do this, but they have been looked over because they did not have 10-15 yrs of experience, or they say "we will get back to you" (and never do), or out of the 10-15 things they are asking for, if the person is not certified in one area but has certifications in similar areas, they are still passed over, or they are waiting on a friend to end a project so they can bring them on.


This is the reality people go through and have to deal with on a regular basis; it is sad that even in 2019, things are still this way, just look at the news. Indian, Chinese, Hispanic, or Black companies are going after government business but are often shunned (even if the group is from the US), not because they can't do the work, but because the garbage that is sitting at the other end of the desk can't do the work him- or herself (they are just talking heads), but they try to legitimize themselves because someone gave them the position.


So it does not surprise me that we have a shortage; it may be because employers have on blinders that are keeping them from finding talent who may be sitting right in front of them.

T