
raesene4 | 10 years ago

FWIW, I saw that ad. Looks very interesting, but I think you may have a challenge getting someone who is a Vuln researcher/pen tester type (who most commonly have CVEs, PoCs to their name) who also has a decent knowledge of banking security, policies etc and also is looking to graduate out of technical work into team management...

Most of the pentesters/vuln researchers I know aren't huge fans of writing ISO2700x style policy documents (actually, thinking about it, there aren't many people who are fans of that kind of thing!).

If you're looking for non-traditional advertising routes for this, you might want to post on /r/netsec's hiring thread https://www.reddit.com/r/netsec/comments/3zfj6v/rnetsecs_q1_...


jhuckestein | 10 years ago

Thanks a lot for the link :)

I'd rather hire a CISO that understands security and teach them how to think like a regulator than vice versa! Heck, I have long hair myself and didn't have any contact with policy documents until just over a year ago. And both our CTO and CEO like to write code.

Basically, we're looking for our Alex Stamos. Any more ideas you have how we might find somebody like that and avoid the stigma of the "Bank CISO" job would be much appreciated.

consp | 10 years ago

[rant mode] From personal experience I can say that true crypto knowledge is not needed as a Bank CISO. Just keep repeating 'hardware token only, hardware token only' and everyone will trust your opinion at the expense of customer experience and true security. The reason that most banks use the identifier+card method is because they don't want to change (or don't see the benefit of an improved customer journey without actual loss of security and improved/lowered cost). [/rant mode]