Wednesday, September 26, 2012

Should Cyber Security Jobs be Posted On-Line?

What has been eating away at me for quite some time is the number of companies that post information security jobs or cyber security jobs on-line.  Yes, I know the Internet is a powerful tool for bringing candidates and companies together.  But is the practice of posting security jobs for the world to see actually a dangerous one?

We Have no Security Leadership

For instance, when a company posts a CISO job description on-line for the world to see, aren’t they telling the world “We Have No Security Leadership”?  If I were a cyber bad guy, I’d be looking for companies that don’t have the defenses to stop my offensive attacks.

When a company posts a detailed description for a Web Application Security Engineer, for instance, aren’t they in essence telling the hacking community that they have limited or weak defenses in place?

A Job Description is a Hacking Recipe

When a job description asks for a Java, J2EE development background, isn’t that enough information for a hacker to know which tool to pull from their tool belt to mount an attack?

How about when the job description asks for experience with secure software development methodology, cross-site scripting, buffer overflows, etc.?  Isn’t the description pretty much telling the hacking community precisely where the company has a hole in its defense?

If I were a hacker, I think I’d look for job postings that pretty much tell me where a company has a weakness in its defensive line.  Then I’d point my attacks where the defense is clearly weak.

A Security Engineering Manager Job Description

I read a Security Engineering Manager job description yesterday.  This description belongs to a darling VC-funded company in Silicon Valley.  The description asks for someone with a coding background who can work closely with the company’s software engineering teams to help them develop secure code.

While this is a critically important role for a software company to fill, I wonder if it is wise for this company to let the hacking community know they have a weak defensive line when it comes to actually protecting the software applications their entire business model is built around.

I’m Not The Hacker

I don’t hack.  In fact, I’m the “power user” most information security professionals fear.  I’m the guy who will push a button just to see what happens.  I break things but I usually have no idea how to fix what I broke.  Ask my web developer friend Eric who fielded my HELP call yesterday when I broke something.

I don’t know how to break into Internet applications, nor do I have a desire to learn.  What bothers me is that companies routinely post information security job descriptions on-line that look like a recipe for a break-in.  Your thoughts?