Do companies hiring cybersecurity talent even know what they want? More and more we see management jobs asking for engineering skills, and even CISO jobs with coding requirements. What’s breaking down?

Check out this post for the basis for our conversation on this week’s episode which features me, David Spark (@dspark), producer of CISO Series, co-host Allan Alford (@allanalfordintx), and our guest Liam Connolly, CISO, Seek.

Thanks to this week’s podcast sponsor, Salt Security

Salt Security protects the APIs at the core of SaaS, web, and mobile applications. By using patented behavioral protection Salt Security automatically and continuously discovers and learns the granular behavior of each unique API and stops attacks. In 2020 Salt Security was named a Gartner Cool Vendor in API Strategy.

Got feedback? Join the conversation on LinkedIn.

On this episode of Defense in Depth, you’ll learn:

  • The poor focus of cybersecurity job listings often exposes either the poor understanding or lack of maturity of a company’s information security program.
  • We often see management cyber jobs asking for engineering skills and vice versa.
  • Job listings can also portray the “last guy” syndrome. Those are the job listings that tack on desired skills the last person did not have.
  • When you see too many requirements it comes off as a wish list. It’s not what is required, it’s more of a question as to how many boxes can a candidate check off.
  • There can be serious harm to a company’s ability to hire if they throw down too many requirements or even optional items. People who are truly required for the position you want may never apply because they’ll be scared off by the other skills required or desired.
  • CISOs are often hired by non security people and as a result they don’t have a full understanding of what type of CISO they want. As a result it’s often hard to find two similar CISO job listings.
  • While CISO technical competencies are desired, it’s clear that once hired a CISO will not be showing off their technical expertise. As a result, there’s a lot of debate as to how much technical skill a CISO really needs. The job requires management, influencing, and communications.
  • Many hiring teams have a hard time parsing out the types of security people they need to build out a security team. That’s why you get a single job listing that appears to want to hire five different types of security people.
  • If a CISO isn’t given the budget and authority to hire a staff to fill all the necessary gaps for the company’s security program, they will become fed up and leave. That starts the whole process again.
  • Many debate that job titles in job listings are just there to massage the ego. But if compensation doesn’t match the title, then they realize the title is just for show.