Got that entry level Infosec job? Don't be this guy!

I know there’s a ton of people out there trying to make it into the Infosec arena. I’m posting this so once you secure the gig, make sure you won’t be this guy. This is a long story but there’s a lesson or two here somewhere.
To provide background, my team believes in developing talent. This is a decent sized company so people get promoted left and right and we like to have a pipeline in case someone makes a move. A little bit over half the team is senior level engineers and the rest are jr. A couple of years ago we hired a guy fresh out of college. The guy was hungry to learn and quickly got up to speed. Although the full IT background wasn’t there, this guy could put two and two together and either try to figure out things by researching or escalating to the appropriate individuals. He has proven to be a valuable addition to the team.
That worked out pretty well, so we tried it again earlier this year with very different results. This time the guy just didn’t live up to the expectation. Keep in mind the guy has an IS/Risk Management degree, so it’s not like he hasn’t been exposed to security things before. Example of deficiencies:
• Severe lack of foundational knowledge: no idea what nslookup is, struggled to find a Windows machine’s IP, looking at logs he thought a MAC address was an Apple Mac computer, no idea what NT Authority\SYSTEM is, etc.
• Zero research ability. Most of the questions he asks the senior guys can literally be answered by the first few hits in Google (e.g: had no idea what a file called “brochure_design.ai” was and was convinced it was an exfiltration attempt)
• Inability to take notes. Procedures are explained, he takes notes, later on can’t make sense of what he wrote down. Meetings were delegated to this guy and we were left with useless notes.
• Cannot connect the dots. Zero critical thinking
• Overthinks the most basic stuff
• Constantly missing SLAs for super basic stuff
• Given access to expensive $BigSecurityVendor training for free, he let it expire without completing the first of 4 courses.
I can go on but I think you get the picture. This person has been with us for 6 months so far and improvement, if any, is at glacial pace. He has been talked to by both peers and manager on how to improve and what the expectation is. We even removed some of the original technical duties to see if he could master the “crappy” stuff. Yet nothing! I am personally convinced he will never get it and it’s not meant for this type of work. Hey, some people do belong in McDonald's. Everyone in my team has spent considerable amounts of time trying to ramp up the guy but things come in through one ear and go out the other. We are at the point where everyone’s workload is getting affected. It is obvious we need to cut ties. Overall a sucky situation. The best part: I opposed hiring this person since day one and the boss had to tell me the other day “Yeah, you were right. This is on me.”
Takeaway: be the best you can be, especially if you are surrounded by great talent who stop what they are doing to sit with you and show you the ropes.
TLDR: new guy sucks, can’t learn, doesn’t understand the basics, everyone has spent too much time helping, we will need to fire him and go back to square one.
To provide background, my team believes in developing talent. This is a decent sized company so people get promoted left and right and we like to have a pipeline in case someone makes a move. A little bit over half the team is senior level engineers and the rest are jr. A couple of years ago we hired a guy fresh out of college. The guy was hungry to learn and quickly got up to speed. Although the full IT background wasn’t there, this guy could put two and two together and either try to figure out things by researching or escalating to the appropriate individuals. He has proven to be a valuable addition to the team.
That worked out pretty well, so we tried it again earlier this year with very different results. This time the guy just didn’t live up to the expectation. Keep in mind the guy has an IS/Risk Management degree, so it’s not like he hasn’t been exposed to security things before. Example of deficiencies:
• Severe lack of foundational knowledge: no idea what nslookup is, struggled to find a Windows machine’s IP, looking at logs he thought a MAC address was an Apple Mac computer, no idea what NT Authority\SYSTEM is, etc.
• Zero research ability. Most of the questions he asks the senior guys can literally be answered by the first few hits in Google (e.g: had no idea what a file called “brochure_design.ai” was and was convinced it was an exfiltration attempt)
• Inability to take notes. Procedures are explained, he takes notes, later on can’t make sense of what he wrote down. Meetings were delegated to this guy and we were left with useless notes.
• Cannot connect the dots. Zero critical thinking
• Overthinks the most basic stuff
• Constantly missing SLAs for super basic stuff
• Given access to expensive $BigSecurityVendor training for free, he let it expire without completing the first of 4 courses.
I can go on but I think you get the picture. This person has been with us for 6 months so far and improvement, if any, is at glacial pace. He has been talked to by both peers and manager on how to improve and what the expectation is. We even removed some of the original technical duties to see if he could master the “crappy” stuff. Yet nothing! I am personally convinced he will never get it and it’s not meant for this type of work. Hey, some people do belong in McDonald's. Everyone in my team has spent considerable amounts of time trying to ramp up the guy but things come in through one ear and go out the other. We are at the point where everyone’s workload is getting affected. It is obvious we need to cut ties. Overall a sucky situation. The best part: I opposed hiring this person since day one and the boss had to tell me the other day “Yeah, you were right. This is on me.”
Takeaway: be the best you can be, especially if you are surrounded by great talent who stop what they are doing to sit with you and show you the ropes.
TLDR: new guy sucks, can’t learn, doesn’t understand the basics, everyone has spent too much time helping, we will need to fire him and go back to square one.
Comments
Doh. The company I'm in let this crap go on for 7 years with a guy. He had a Masters in Cybersecurity from a real brick and mortar ACC institution, CISSP, and a CISA. The guy had zero technical background and what seemed like a lack of desire/inability to learn. He showed up late and drunk many days. Nothing demotivates a person more than management tolerating a non-performer.
Sucks to be that guy, there's plenty of talent out there just waiting for the call and some people are simply not cut out for Infosec jobs no matter how much they think they want it.
Have you asked him what is going on?
Was the expensive training mandatory or optional? Is he wearing the minimum pieces of flare?
IT work is not for everyone, but I wonder if the problem here is that the guy isn't being motivated the right way. The zero critical thinking skills is actually the worst part of this. That's the hardest to fix.
Was the person actually qualified in the first place other than the degree? Is he fresh out of school?
Nobody wants to carry dead weight. I just wonder if there is a way to motivate him that you haven't discovered yet. I know that can be tiresome, but it might be worth it for both of you.
Some people are just not for IT, fire him ASAP, so he doesn't waste nobody's precious time, including his own, in the industry he doesn't belong to.
People aren't equal in many regards and it doesn't benefit anyone when people try to make everybody a programmer or STEM or whatever.
Kick him out.
LOL at comments on "try this, try that". Adapt what is useful, reject what is not. Chances are close to zero that suddenly this guy reinvents himself after 6 months of this performance. People rarely change.
@hxhx the plan is in place. He's failing miserably at following the bare minimum expectations set. We are a bunch of pretty damn fine practitioners that stop what we are doing to share knowledge. This is exactly what we've been doing but we can't do it forever. Our productivity is taking a serious hit that represents cost to the company. Even worse than the financial impact is reputation. My team is very well regarded and respected and there has been some erosion in that area. Unacceptable.
@gespenstern Yep. This is what I've been working hard at doing. Unfortunately the culture at my workplace is very accommodating. It almost takes an act of Congress to get rid of someone. We are doing our part documenting the case so HR can do their thing. We had some movement this week so I'm crossing my fingers. My patience ran out in month 3. We are wrapping up month six so you can imagine where I am at.
I want to add that today we had the 5,143rd discussion trying to understand what the problem is. We floated the idea of a potential learning disability, because the problem is that bad. We also recalled that during the interview he brought some papers that he did in his college security classes. I recall one in particular that had to do with Forensics and it looked decent. The other day we had him use the same tool he allegedly used for that class and it was like showing me something written in Sarcee (less than 200 people speak this). Now we are even questioning the degree, the university, etc.
On the other hand we hired a senior DevOps Engineer (ostensibly to be my boss) about 6 months ago. Guy with an amazing resume, 10 years doing consulting, and last 7 or 8 as a senior systems engineer at Evil Game Co. working on Massive Sports Franchise stuff (mostly monitoring and automation). Had no idea how to do a df -h and was confused why when he ran SQL queries twice in a row outside of a transaction, they would give him different outputs.
The girl is going to do her MBA on company dime, while the guy didn't make his 3 months probation.
You could put me into any job and I'll excel, because that's who I am. My brother-in-law loves his job but does it terribly because he's an unmotivated individual.
That's the way the world works.
The point on technical knowledge is one of those things that depends, everything else is unacceptable. For the technical knowledge, like you said, he doesn't have the IT background. There are people that become really abstracted from the technical side. Now his case is a bit extreme (MAC address tho
It definitely sounds like they just don't care because you guys have gone completely out of your way and have been very accommodating in trying to get him up to par.
Currently Working On: Python, OSCP Prep
Next Up: OSCP
Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
Im sorry but I absolutely hate this line. What exactly is so great about your company culture? Personally, I have gone into several places where I did not fit the company culture and left the place 10x better due to the changes I made. One such example, working at a company where IT was looked at as a cost center, so think underfunded and understaffed. Not a single person (including the CIO) have ever discussed anything BC/DR related with senior management. When they were finally asked the question (by me) of how long they can tolerate systems being down, and how much data they are willing to lose, the results from the conversations led to a $300k spend with a $100k annual budget increase. Sorry, but only hiring people that will be cogs in your machine is not the optimal approach. I understand the approach is needed in large companies, but you are only screwing yourself when you dismiss people because they wont fit in with the way you currently do things.
There just some things you can't teach, they either have the attitude for computers or they don't. The only thing I question is why didn't you get rid of him before his 90 day probation was up. Unfortunately some people just look at the fact they can make 120k working in cyber security, without considering if they will be good at it. He should have seen he didn't have a passion for the field while attending college and should have changed his major accordingly. Personally I rather hire someone with just a GED and a passion for computers than a person with Master's degree that has no real interest in computers / technology.
IMO IT sec is usually for experienced professionals. If you hire a new person then he should only do the things that nobody will want to do, which are paperwork BS. Again and again, school does not teach you the real world.
You company didn't even verify his credentials? In that case I have a Doctorate degree in IT, speak 12 languages and have three GSE certifications, I only want 140k a year, where do i apply?
Ya I think it is weird if you didn't follow up on this being a security dept.
Most likely the guy just BS'd his way through school. I'm not sure if your discussions are water cooler talk or actual sit down time but it seems like you all have wasted enough time on it. Just get the HR bs with warnings out of the way and move on from him.
My current job is the first that has asked me to prove my credentials.
That's the difference between a good employee and a bad one. It isn't the knowledge, it's the drive. If he hasn't improved in six months on the job, it'll never happen. Find a way to fire him or get him fired OP, it's the best route for your company. You can lead a horse to water, but you can't throw stones in a glass house. (that's how it goes, right?)
Best of luck to you and your team in finding a decent qualified replacement.
Future Plans: MSc + PMP, CCIE/NPx, GIAC...
It's not necessarily company culture, but team culture. For example, the company I'm currently at, our security team has a different culture than the rest of the company. It's important that candidates fit *our* culture because they'll be working with us. We take them out to Happy Hour after their panel interviews and get to know them. We want to make sure we're going to be able to get along with the person we're hiring. Otherwise nobody is happy. This also doesn't necessarily mean Silicon Valley startup-culture. Ain't nobody outside the Valley got time for that crap. We just want to make sure the person can deal with the crap we take and will stand up to push back when they need to. It's very important for a security team to be able to do that. And getting a feel for how the candidate will be able to do that is part of the cultural fit.
EDIT - That word got used so much it now has no meaning. I hate when that happens.
Next up: eCPPT, eWDP, eWPT, eMAPT
I get it but still disagree. When I started at one job, on my first day, I was handed a excel spreadsheet with all the admin passwords to all systems on it, normal for my team. Two months later, I had selected and implemented a privileged password management system and eradicated every trace of that spreadsheet. I went against the team culture and made the place better, and after a little grumbling from my team mates, they finally started accepting the system and realized the benefits a PPM system provides. A good team isnt made of best friends (IMO), you need conflict to drive forward and make improvements.
I think by "culture" it's more about simpatico. Have you ever worked with someone who was such a piece of **** that HR was the only reason they weren't fired? Not someone you want in your team even if they are a rockstar at their job.
We took on a intern with a BS in CompSci in march and experienced the exact same thing as Cyberguy did. Didn't know any of the basics yet he has a BS in IT. Me and my boss were just dumbfounded he didn't know how to find an IP,add new local users,or any type of critical thinking. To top it all off it was like pulling teeth to get him to put his phone down and pay attention.
I think if you don't have a passion for learning or problem solving IT really isn't a great field for someone. We got the feeling from our intern that he really just expected to float through life by trotting out his 4 year degree.
To some people, I am that guy. I constant push for change and improvements. Some people on my team really dont like me, but management loves me because they see the improvements I am making in spite of the company culture.
As far as infosec qualifications, if they are interviewing someone out of college they need to ask some technical questions that relate to the job. They need to know the fundamentals in order to build upon. Nothing worse then having to train someone from the ground up. A little review is fine, but full blown 101 stuff, not so much. I've interviewed so many people, that if they would just pickup a simple networking book, they would know the answers to our high level questions.
Additionally, troubleshooting skills, to me, are part talent. Some have it and others don't. That doesn't mean they cannot learn a bit, but I've seen some guys just walk on water troubleshooting anything. They can see in there head what they want to see and weed out the crap that doesn't matter. Most normal people I see rely on talking with others and working together (Hopefully learning on the way).
Schools actually use software to catch plagiarized papers. C is for degree and you can almost get a C just by showing up.
To be fair that sounds a lot different than what you just said :P
I think stuff like this goes back to learning to pass and learning to learn. Whether you are writing a paper or giving a presentation it's really easy to grab a few articles and let them write your paper for you with minimal effort and understanding. It's also pretty easy to navigate your way through just knowing what to study versus knowing the topic. It doesn't have to be as nefarious as cheating.
Working with someone who is a drag in any regard sucks though. Why isn't he just being let go?