We constantly hear that cyber security has a serious talent shortage. It doesn’t help when job descriptions are completely asinine or when recruiting is embarrassingly bad. This also goes for the tech industry in general. After reading these tweets from my friend Ed Rojas, I decided to dedicate a hall of shame to this ongoing problem:
Just read this req on LinkedIn: Masters in cybersecurity + 2 high level certs + Risk Analysis, Ethical Hacking, Incident Response, 1/2— SilverFox (@EdgarR0jas) August 15, 2017
Security architect, BCP/DR, Forensic Analyst, SOC design/implementation. Only reply if you meet all requirements. Seriously????? 2/2— SilverFox (@EdgarR0jas) August 15, 2017
Another purpose of this post is to back up the arguments made in the article “There Is No Cyber Talent Crunch; You’re Just Hiring Wrong”, especially its points about insisting on over-qualified applicants and over-filtering. Many job candidates “are feeling utterly demoralized for no reason”, especially after seeing job postings like the ones below. The message I want to make clear with this post: don’t disqualify yourself, because the purple squirrel does not exist.
Who on earth are they going to find to fill this on a contract basis? Good luck creating and updating all those documents in six months (thanks to @tcstoolHax0r for this)
Quite a lot of requirements, good luck finding someone (thanks to @tcstoolHax0r for this)
“It’s an entire InfoSec department in one engineer!” (thanks @Triggs390)
What on earth is “cyber awareness and understanding”? (thanks to @tcstoolHax0r for this)
Someone didn’t even read the resume (thanks to @tcstoolHax0r for this)
I need to have all those certifications? (thanks to @tcstoolHax0r for this)
This is for an internship. First, Selenium is misspelled. Another one of these NDA clowns. To top it all off: “At present we are exceeding our expectations” – dafuq (thanks to @marsella_h for this)
Perhaps the only statement that is missing from the above posting is:
There is no such thing as a GIAC Certified Ethical Hacker certification. CEH is EC-Council’s certification; GIAC’s penetration-testing certifications are GPEN and GXPN (thanks to @tcstoolHax0r for this)
I was trying to find evidence of the job opening that requires 8+ years of Swift experience, to no avail. Apple only announced Swift in June 2014, so in 2017 nobody on the planet could have more than about three years of it. I did find this terribly written job ad for a Senior iOS Developer that requires 10+ years of experience (the iPhone SDK only shipped in 2008) but is marked as “junior” experience level.
“Third point down. This is what happens when recruiters use buzzwords with no idea what they mean.” AWS = Amazon Web Services, Azure belongs to Microsoft (thanks to @CthulhuSec for this)
“They are looking for someone to: lead a team, set up an SDL process, oversee all aspects of security in the cloud infra (this is the devs’ work if you’re doing DevOps right), work within scrum teams (can’t evangelize in scrum unless you embed with them), pen testing, 0-day mitigation (by its nature it’s impossible to mitigate 0-days… because they are 0-days), threat assessments, compliance management, dealing with customers, hands-on coding????? And they are a manager??? This has 100% burn-out job written all over it.” (thanks to Toughnuts for this)
Welp. Courtesy of @huykha10
I guess this is why burnout is so prevalent in infosec. Thanks to @tcstoolHax0r
Thanks to @ronindey for keeping this hall of shame alive!
HR: We are looking for Junior SOC with experience in IDS/IPS, vulnerability detection, hands-on malware analysis, reverse engineering, kernel patching, routing and switching (EIGRP/BGP) and sales experience [CISSP appreciated]— DEY! (@ronindey) March 11, 2018
Me: I am searching for gluten free artisanal water
Someone sent me this in DM.— DEY! (@ronindey) March 12, 2018
(I think the only thing that recruiter didn't ask was "Virginity check" before being offered to SATAN) pic.twitter.com/6Urvk4LQcr
“Three years as a developer plus 5 years at least in all the other domains. In total ~55 years experience for the optimum candidate.” (thanks to @sprkyco for this gem)
(Added on May 24, 2018) And I thought the above was bad. “EVEN THOUGH THIS IS AN ENTRY-LEVEL POSITION, WE STILL REQUIRE ALL APPLICANTS HAVE AT LEAST 4 TO 5 YEARS EXPERIENCE IN A ROLE WITH SIMILAR RESPONSIBILITIES” $9.50 an hour! This job was confirmed on Reddit: https://www.reddit.com/r/networking/comments/4jemke/new_job_get_it_while_its_hot/. Screenshots of the job posting in higher resolution: https://imgur.com/a/D7qVm. Credit to @J0hnnyXm4s for the find.
(Added on July 8, 2020) This is an internship. Thanks to @ki_twyce_ for this.
I have an alert set up for information security internships on LinkedIn and this was one of them. These requirements are crazy. pic.twitter.com/sVIxd1TiXQ— Beatrix_Kiddo (@ki_twyce_) July 8, 2020
(Added on July 8, 2020) Dafuq? Thanks to @blowdart for this. Source: https://twitter.com/blowdart/status/1280156185774051328
My friend Rob Graham wrote this:
Remember: a lot of recruiting posts are designed so that nobody can fill them - except for that one foreigner you've already decided to hire— Rob Graham٩(●̮̮̃●̃) (@ErrataRob) August 17, 2017
While there is truth in what Rob wrote, the problem is compounded when recruiters spam the same job description everywhere (e.g., on LinkedIn), which wastes everyone’s time.