One of the worst habits we have in security is speaking in absolutes. Saying things like "Unhackable", "Breachproof", "Fully Secure", "No Risk". They're simply untrue.
But this also includes when we talk about skillsets. There are no absolutes.
1/
So when someone says, "You must know x, y, z" or "You have to do a, b, c" to get a certain job (or any job) in security, you can simply toss out those absolutes in with all the other fallacious absolutisms that security people throw around. Simply ignore them.
2/
The reality is we need people of all different skillsets, all different backgrounds, and with all different perspectives in order to be successful. Security is about problem solving and problem solving is strongest when different viewpoints collaborate.
3/
Even within a specific security domain, job class, or title, we need that diversity of thought, skillset, perspective, etc. in order to thrive. You'll notice that job descriptions, as awful as they can be, do bear this out. Requirements for the same title will vary by org.
4/
Sure, there will always be skills, experience, etc. that might make the job easier, different, etc., but that doesn't mean they're required or that you need them to be good at that job.
Anyone who says otherwise is misleading you. Again, consider the source carefully.
5/
And if you doubt my expertise on this subject, feel free to ask me about how I've gone from a hacker at 12 years old to a security executive at 44.
Or ask around to other infosec people and pay attention to how many will agree with the above points.
6/
What I'm saying is, study what you're interested in. Play around with the technologies you find fascinating. Develop the technical security skills that you find most intriguing. We'll have a place for you no matter what you choose and we want you here!!!
/FIN
As more job descriptions are including pay ranges, you as a job seeker need to understand how those ranges actually work.
You might look at a range of $110K-155K and say, well I'll take $155K thanks! However, that might not always be the right approach.
1/
Unfortunately, most orgs only train managers (and sometimes not even them) on how these ranges work. Typically, there is a high, low, and midpoint.
The high-level goal is to bring people who are below the midpoint for a role up to that midpoint.
2/
This happens through good performance appraisals that drive good raises, and up they float. For those who've now moved beyond the midpoint, that's a sign to their leader that they should be about ready for the next level up (i.e. a promotion), so those conversations start.
3/
The technical interview is one of the most contentious aspects of the recruiting process IMHO. Hiring managers and orgs don't always handle it well and candidates get beat up with anxiety from the process. So how do we make it better?
1/
When I interviewed for my role at @Snyksec, I thought I bombed my tech interview. Benji asked me a couple questions about concepts I had never heard of before.
I admitted I didn't know the answer, but then shared a bit of logical deduction based on the terms as to what
2/
I thought they may mean. I was sure I had really messed up. However, I got an offer and shortly after I started I found out he thought I did very well and actually had recommended hiring me based off the interview. He told me he liked how I thought about things and that I was
3/
So I really want @ECCouncil to understand the damage they've done (a thread):
1. People who proudly achieved certifications are now disavowing and not renewing those certifications because of the shady practices of the org that provided those certs. All that hard work, lost.
2. People who won awards from your org are now renouncing those awards because they don't want to be associated with the practices of a company like @ECCouncil. These were accomplishments they should be able to be proud of that you've ruined.
3. Organizations and universities who've built educational programs and partnerships are being forced to review and potentially change their entire approach because they can't count on the integrity of @ECCouncil's materials.
So I want to make clear just how trivial it was to find repeated cases of plagiarism in the EC-Council blogs. All it took was going to recent blogs, finding a few key terms in the content and then Googling for those terms. Literally that's it. #ECCPlagiarism
1/
With less than 30 minutes of work, I was able to easily locate the original works that were leveraged to craft two of their blogs. That time included verifying the content matched, taking screen shots, confirming the blog was cached at archive.org and posting
2/
the details.
So consider this as you hear @ECCOUNCIL claiming that they tried to prevent plagiarism. No more than 5-10 minutes of human effort per blog and they could have avoided this mess. One has to question, since they didn't, did they really even care?
3/
OK my last tweet (ok a thread) on the whole EC-Council fiasco for the night. They've shut down their blog and someone already congratulated me.
Let me be clear, I am not happy and I am not celebrating. This is not a win. There are only losers here. EC-Council loses for
1/
the obvious reasons.
However, our community loses as well. This whole thing sows distrust between practitioners and all of the educational and certification orgs we place our trust in.
Content creators lose as we realize we have to take exceptional measures to protect
2/
our works and their copyrights.
Ultimately, I hate this whole thing. I hate that it has robbed us all of so much. I hate that the effort I put into helping EC-Council in April turned out to be a waste.
I don't know where this is headed next, but no, I am not celebrating.
/3