Job profiles- IAM

Ultimate IAM hiring guide // AI existential risk // Remote Appsec jobs

Hello friends,

This week we are doing something a little different. Rather than a longform reflection, I’d like to share a set of new job profiles that we are debuting. These are just the starting point of developing a comprehensive set of job aids for cybersecurity hiring managers.

We also have some exciting news- we’ll be adding a new section to the newsletter this week, which we will feature occasionally, highlighting key security leader moves.

Next week we will be in abbreviated format as I’ll be at the Rocky Mountain Infosec Conference (RMISC) most of the week. As a friendly reminder, I’ll be part of a panel Wednesday afternoon looking at trends in security jobs. Please join us!

I’m also excited to announce that I’ll be participating in a livestream event with Infogov.com on June 20 discussing the private sector opportunities created by the President’s National Cybersecurity Strategy. It’s an awesome panel and should be a great conversation. You can register here.

Cheers,

Brad

IAM role guides

Part of our mission at Crux is to help security leaders improve the way they hire, so they can build teams that are engaged, effective, and resilient.

As part of that mission, we are building out a series of profiles on various security roles- going deep on the work to be done, where to find good candidates, and offering our insights on the market.

This week I’m happy to share the first entries in this series- our role guides for identity & access management.

IAM talent is difficult to find in this market- like so many areas within security, there simply aren’t enough people to meet the demand. We hope these hiring guides help IAM leaders navigate this challenging environment, and find team members that will be the right fit for their programs.

You can click the images above, or here are direct links: IAM engineering roles & IAM program management roles.

Many thanks to Sumit Sarkar for the thought partnership on these.

Please take a look- I would love to know your thoughts.

Tools, resources, and useful things from the internet

🤖People in the AI industry are getting increasingly loud about the risks and dangers of AI. Jeff Hinton was interviewed by the NYT this week- he is sometimes called the ‘Godfather of AI’ and has several warnings. Additionally, leaders from OpenAI, Anthropic, and others signed a one-sentence open letter highlighting the existential risks of AI. It reads: "Mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks such as pandemics and nuclear war." (NYT)

🤝Like it or not, AI is coming into the hiring process. Practice your skills and get feedback with InterviewMeAI

🖐️Interested in IAM? The Identity Defined Security Alliance has released its annual Trends in Securing Digital Identities report (gated, but worth it)

🤖Generative AI use cases are starting to come to fruition in security. Here’s a good overview of the current scope of practice. Also this week, CrowdStrike announced what amounts to an AI SOC analyst for their platform, currently in limited customer trial (eSecurity Planet)

News

💼90% of boards are not ready for the forthcoming SEC rules governing cybersecurity incident transparency and board expertise disclosures (Forbes)

🎖️DOD has issued a new cybersecurity strategy and sent it to Congress. A short summary is available here (Defensescoop)

💼Analysis of Google searches suggests that interest in cybersecurity jobs has hit an all-time high (atlasVPN)

👨💻To address the talent gap, some companies are upskilling non-technical talent into security careers (CSO)

🦹NSO Group is now (kind of) back under the control of one of its co-founders, as lenders foreclosed on the prior owners and wiped out their equity value. A deal to sell to US companies never materialized (WSJ)

🤦Apria Healthcare is a little late (um, 2 years) to notify customers of a breach it discovered back in 2021. Poor practice. (The Register)

🕵️New analysis from Insikt Group is out on Chinese open source intelligence gathering operations on the US. Interesting summary from NYT.

💡Carnival and FedEx CISOs offer advice for security leaders facing budget pressure: more use of contractors, don’t cut employee training (WSJ)

Jobs to check out

This week we are featuring remote appsec roles.

💼Wheels up. Sr. Application Security Engineer (Remote). $200-220K

💼Match Group. Staff Application Security Engineer (Remote). $147-196K

💼Very Good Security. Staff Application Security Engineer (Remote). $145-195K

💼Vimeo. Sr. Application Security Engineer (Remote). $136-194K

💼BeyondTrust. VP, Application Security (Remote)

💼MyFitnessPal. Application Security Engineer (Remote)

💼Replicant. Staff Application Security Engineer (Remote)

Security leaders on the move

🏃Bill O’Hern is now SVP- CISO at Travelers

🏃Derek Hardy is now VP & CISO at Marvell

🏃Jeff Simon is now Chief Security Officer at T-Mobile

🏃Jim Motes is now CISO at Ryan LLC

🏃Justin Acquaro is now CISO at CrowdStrike

🏃Alan Mitchell is now CISO at Celanese

🏃Lou Klubenspies is now CISO at Revvity

🏃Attila Török is now CISO at GoTo

Events

💼Gartner Risk Management Summit. June 5-7.

💼ExploitCon Portland. June 7.

💼Rocky Mountain Infosec Conference (RMISC). Denver. June 7-9.

💼Secureworld Chicago. June 8.

💼BSides SATX. San Antonio. June 10.

💼BSides Boulder. June 23.

💼BSides Pittsburgh. July 21.

💼Black Hat. Las Vegas. August 9-10

💼DefCon. Las Vegas. August 10-13

Stat of the week

14%

The percentage of US adults that have used ChatGPT- the fastest growing consumer product ever (It is still way under-penetrated) —Pew Research Center

Crux is building the talent platform for cybersecurity. Check us out.

Thinking about your next move? Join our network.

Want help with your hiring needs? Reply to this email to drop me a line