We constantly hear that cyber security has a serious talent shortage. It doesn’t help when job descriptions are completely asinine or when recruiting is embarrassingly bad. This also goes for the tech industry in general. After reading these tweets from my friend Ed Rojas, I decided to dedicate a hall of shame to this ongoing problem:

Just read this req on LinkedIn: Masters in cybersecurity + 2 high level certs + Risk Analysis, Ethical Hacking, Incident Response, 1/2
— SilverFox (@EdgarR0jas) August 15, 2017

Security architect, BCP/DR, Forensic Analyst, SOC design/implementation. Only reply if you meet all requirements. Seriously????? 2/2
— SilverFox (@EdgarR0jas) August 15, 2017

Another purpose of this post is to back up the arguments made in the article: “There Is No Cyber Talent Crunch; You’re Just Hiring Wrong” especially the points of “insisting on over-qualified applicants” and over-filtering. There are many job candidates who “are feeling utterly demoralized for no reason” especially after seeing such job postings. A message that I want to make clear with this post: don’t disqualify yourself –because the purple squirrel does not exist.

Who the hell are they going to find these jobs on a contract basis? Good luck creating and updating all those documents in six months (thanks to @tcstoolHax0r for this)

Hall of Shame Job Posting

Quite a lot of requirements, good luck finding someone (thanks to @tcstoolHax0r for this)

Hall of Shame Job Posting

“It’s an entire InfoSec department in one engineer!” (thanks @Triggs390)

Hall of Shame Job Posting

What on earth is “cyber awareness and understanding”? (thanks to @tcstoolHax0r for this)

Hall of Shame Job Posting

Someone didn’t even read the resume (thanks to @tcstoolHax0r for this)

Hall of Shame Job Posting

I need to have all those certifications? (thanks to @tcstoolHax0r for this)

Hall of Shame Job Posting

This is for an internship. First, Selenium is misspelled. Another one of these NDA clowns. To top it all off: “At present we are exceeding our expectations” –dafuq (thanks to @marsella_h for this)

Hall of Shame Job Posting

Perhaps the only statement that is missing from the above posting is:

We showed great character

There is no such thing as a GIAC Certified Ethical Hacker certification (thanks to @tcstoolHax0r for this)

Hall of Shame Job Posting

I was trying to find evidence of the job opening that requires 8+ years of Swift experience to no avail, but I did find this terribly written job ad for a Senior iOS Developer (10+ years of experience required) but marked as “junior” experience

Hall of Shame Job Posting

“Third point down. This is what happens when recruiters use buzzwords with no idea what they mean.” AWS = Amazon Web Services, Azure belongs to Microsoft (thanks to @CthulhuSec for this)

Hall of Shame Job Posting

“They are looking for someone to: lead a team, set up an SDL process, oversee all aspects of security in the cloud infra (This is the devs work if your doing devops right), work within scrum teams (can’t evangelize in scrum unless you embed with them), pen testing, 0 days mitigation (by its nature its impossible to mitigate 0days…. because they are 0days), threat assessments, compliance management, dealing with customers, hands on coding????? And they are a manager??? This has 100% burn out job written all over it.” (thanks to Toughnuts for this)

Hall of Shame Job Posting

Welp. Courtesy of @huykha10

Hall of Shame Job Posting

I guess this is why burnout is so prevalent in infosec. Thanks to @tcstoolHax0r

Hall of Shame Job Posting

Thanks to @ronindey for keeping this hall of shame alive!

HR: We are looking for Junior SOC with experience in IDS/ IPS, vulnerability detection, hands on malware analysis, reverse engineering, kernel patching, routing and switching (EIGRP/BGP) and sales experience [CISSP appreciated]

Me: I am searching for gluten free artisanal water
— DEY! (@ronindey) March 11, 2018

Someone sent me this in DM.

(I think the only thing that recruiter didn't ask was "Virginity check" before being offered to SATAN) pic.twitter.com/6Urvk4LQcr
— DEY! (@ronindey) March 12, 2018

“Three years as a developer plus 5 years at least in all the other domains. In total ~55 years experience for the optimum candidate.” (thanks to @sprkyco for this gem)

Hall of Shame Job Posting

(Added on May 24, 2018) And I thought the above was bad. “EVEN THOUGH THIS IS AN ENTRY-LEVEL POSITION, WE STILL REQUIRE ALL APPLICANTS HAVE AT LEAST 4 TO 5 YEARS EXPERIENCE IN A ROLE WITH SIMILAR RESPONSIBILITIES” $9.50 an hour! This job was confirmed on Reddit: https://www.reddit.com/r/networking/comments/4jemke/new_job_get_it_while_its_hot/. Screenshots of the job posting in higher resolution: https://imgur.com/a/D7qVm. Credit to @J0hnnyXm4s for the find.

Hall of Shame Job Posting

(Added on July 8, 2020) This is an internship. Thanks to @ki_twyce_ for this.

I have an alert set up for information security internships on LinkedIn and this was one of them. These requirements are crazy. pic.twitter.com/sVIxd1TiXQ
— Beatrix_Kiddo (@ki_twyce_) July 8, 2020

Hall of Shame Job Posting

(Added on July 8, 2020) Dafuq? Thanks to @blowdart for this. Source: https://twitter.com/blowdart/status/1280156185774051328

Hall of Shame Job Posting

Addendum

My friend Rob Graham wrote this:

Remember: a lot of recruiting posts are designed so that nobody can fill them - except for that one foreigner you've already decided to hire
— Rob Graham٩(●̮̮̃●̃) (@ErrataRob) August 17, 2017

While there is truth in what Rob wrote, the problem is when recruiters spam the same job description everywhere (e.g., on LinkedIn) which wastes everyone’s time.