Job descriptions that work
New cert from Google // Packed news week // Vuln management jobs
Hello friends,
Well, RSA is in the rearview mirror. It was wonderful to run into so many friends and former colleagues, as well as make new friends out in SF.
This week we are turning to a topic we’ve touched on in the past, job descriptions, which are at the root of a lot of the hiring challenges and staff shortages in security. We’ll share our thoughts on how to write a good one.
Cheers,
Brad
Job descriptions that work
If you’ve managed people before, you’ve probably been there. Somebody on your team decides to head out for greener pastures and you need to backfill. You also need to figure out how to get their work done without overburdening the rest of your team.
As you wade through a process with HR and Finance to get the job requisition opened, at some point you need a job description. So you go to the wayback machine and dust off whatever was used in the past. Or maybe your HR person does this for you (because you are busy, right?). Or maybe you don’t have a starting point, so your HR person hops on Google and does some cutting and pasting.
You know you’ve been there; I certainly have.
This, however, is not an area where you want to press the ‘easy button.’ It’s worth a bit of time investment to get it right.
I reviewed the archetypes of poor job descriptions a few months ago, but let me summarize the common issues we see in security:
Excessive years of experience with technology XYZ. Yes, it is true that there are highly specialized architect-level roles for larger companies that require deep expertise. But there are far too many that assume that technologies can’t be learned, particularly if the job is to operate and maintain instead of integrate and design.
Requirements that are not aligned with market pay. You are not going to get a pro with 10 years of security experience for $95K. Sorry.
Laundry lists of responsibilities. Don’t throw in the kitchen sink.
Titles that aren’t aligned with responsibilities. Similar to the above, responsibilities are often in line with more senior roles when the titles are more junior, to try to game the comp system.
Including educational requirements. Generally speaking, these shouldn’t be necessary in our industry. You are better off directly getting a sense for what somebody knows, how bright they are, and how hard they work. Education is a poor proxy in security.
Just being sloppy. Content cut and pasted in that clearly doesn’t align; words that no real human would actually use; a JD stuffed with boilerplate.
Why does this matter?
Job descriptions are your advertisement to the world. In a market where supply is significantly less than demand, you should really focus on your first impression. It matters.
Most recruiters don’t know security and will take the JD verbatim. This means that as they narrow the funnel to match all your requirements, there won’t be many people left at the end, and the ones that are there will cost more than you can afford.
If you have excessive experience requirements, you will miss out on potentially amazing candidates who are able to learn quickly, whom you can afford (and who are more likely to be loyal).
So, enough of what not to do. Let’s talk about what good looks like.
1) Ensure title, responsibilities, and comp are all synced up (and please do be transparent about comp).
2) Be simple, clear, and concise. Keep bullet points limited. Use language that real people actually use. Avoid ‘corporate talk’.
3) Keep to a standard, clean format. It should be:
Company and job summary
Responsibilities
Requirements
Benefits/ additional information
The below JD does a nice job of all the above points:
4) Go one layer deeper to get to the skills you really need, not poor proxies for them.
Describe what you want people to know and be proficient with
Don’t use education as a proxy
In your hiring process, test these skills directly
See this example from JPMC for an application pen tester:
5) Develop other content in and around the job description to make you and the company stand out
Include a summary of the company and why it is an exciting place. But do this in simple, relatable terms, not terms that come across as HR boilerplate.
Add a ‘day in the life’
Create a video job description to build an initial degree of familiarity with the hiring manager and the culture
Tools, resources, and useful things from the internet
🤖Tons of discussion out there on the security implications of ChatGPT. A good study from Team8 on the security risks of generative AI and ChatGPT (Team8)
💼CyberWire has a podcast speaking with various security professionals about their careers. The episodes are succinct, around 10 minutes. Worth a listen.
🎓Google has launched a new cyber cert program aimed at entry level analyst jobs. It takes 7 hours per week over 6 months to complete. All in cost is about $400. Check it out and let me know what you think!
News
🔑Google is rolling out passkey technology for logons, in what it calls “the beginning of the end of the password.” (TechTarget)
🪟OpenAI had a (relatively minor) breach in ChatGPT this week, when user data was exposed for a few hours. This won’t be the last. (Security Intelligence)
🪢The big cyber insurance loophole appears to be closing. After Merck was hit by the NotPetya ransomware, their cyber insurance claims were denied because it was argued that it was an ‘act of war.’ An appellate court upheld a lower court ruling against the insurance consortium this week. (WSJ)
⛔The US Marshals were victims of a ransomware attack several weeks ago, and decided not to pay the ransom (good for them!). Recovery is taking a while. (Washington Post)
🩺CISA has released a draft self-attestation form for software vendors that would like to sell into the federal government. Companies would be required to attest that they follow a set of secure software development best practices. (CISA)
🤖Hot on the heels of Microsoft, Google is integrating generative AI into its cybersecurity offerings, including Mandiant threat intel and VirusTotal. (TechCrunch)
🚔A large dark web site trafficking in fentanyl and other hard drugs was shut down, and 300 people were arrested. It was a coordinated international action. (Fortune)
⏸️Lina Khan, head of the FTC, published an article that gives an indication as to where government regulation of AI might head. (NYT)
👮The FBI is conducting fewer warrantless communications searches, down to ~120K from ~3M. (WSJ)
Jobs to check out
This week we are featuring vulnerability management roles.
💼UBS. Head of Vulnerability Management-Cyber Hygiene, Cyber and Information (Weehawken, NJ)
💼Tesla. Sr Security Engineer, Vulnerability Management (Austin, TX)
💼Credit One Bank. Vulnerability Program Manager - IT Infrastructure (Las Vegas, NV)
💼Paramount Pictures. Vulnerability analyst. (New York, NY)
💼Northwestern Mutual. Assistant Director - DevSecOps Vulnerability Management. (Milwaukee, WI)
💼Geico. Vulnerability Management Engineer (Remote)
💼Mozilla. Senior Security Engineer - Vulnerability Management (Remote)
💼SpaceX. Sr. Security Engineer (Vulnerability Management) (Hawthorne, CA or Washington DC)
Events
💼SANS Security Leadership New Orleans. May 8-13.
💼SANS West. San Diego. May 15-20.
💼BSides Seattle. May 20.
💼SecureWorld Atlanta. May 24.
💼SANS Rocky Mountain. June 5-10.
💼Gartner Risk Management Summit. June 5-7.
💼Rocky Mountain Infosec Conference (RMISC). Denver. June 7-9.
💼SecureWorld Chicago. June 8.
Stat of the week
153
Number of people in the US arrested this week as part of the ‘Monopoly Market’ dark web takedown. (Fortune)
Crux is building the talent platform for cybersecurity. Check us out.
Thinking about your next move? Join our network.
Want help with your hiring needs? Reply to this email to drop me a line.