Got that entry level Infosec job? Don't be this guy!

cyberguypr

I know there’s a ton of people out there trying to make it into the Infosec arena. I’m posting this so once you secure the gig, make sure you won’t be this guy. This is a long story but there’s a lesson or two here somewhere.

To provide background, my team believes in developing talent. This is a decent sized company so people get promoted left and right and we like to have a pipeline in case someone makes a move. A little bit over half the team is senior level engineers and the rest are jr. A couple of years ago we hired a guy fresh out of college. The guy was hungry to learn and quickly got up to speed. Although the full IT background wasn’t there, this guy could put two and two together and either try to figure out things by researching or escalating to the appropriate individuals. He has proven to be a valuable addition to the team.

That worked out pretty well, so we tried it again earlier this year with very different results. This time the guy just didn’t live up to the expectation. Keep in mind the guy has an IS/Risk Management degree, so it’s not like he hasn’t been exposed to security things before. Example of deficiencies:
• Severe lack of foundational knowledge: no idea what nslookup is, struggled to find a Windows machine’s IP, looking at logs he thought a MAC address was an Apple Mac computer, no idea what NT Authority\SYSTEM is, etc.
• Zero research ability. Most of the questions he asks the senior guys can literally be answered by the first few hits in Google (e.g: had no idea what a file called “brochure_design.ai” was and was convinced it was an exfiltration attempt)
• Inability to take notes. Procedures are explained, he takes notes, later on can’t make sense of what he wrote down. Meetings were delegated to this guy and we were left with useless notes.
• Cannot connect the dots. Zero critical thinking
• Overthinks the most basic stuff
• Constantly missing SLAs for super basic stuff
• Given access to expensive $BigSecurityVendor training for free, he let it expire without completing the first of 4 courses.

I can go on but I think you get the picture. This person has been with us for 6 months so far and improvement, if any, is at glacial pace. He has been talked to by both peers and manager on how to improve and what the expectation is. We even removed some of the original technical duties to see if he could master the “crappy” stuff. Yet nothing! I am personally convinced he will never get it and it’s not meant for this type of work. Hey, some people do belong in McDonald's. Everyone in my team has spent considerable amounts of time trying to ramp up the guy but things come in through one ear and go out the other. We are at the point where everyone’s workload is getting affected. It is obvious we need to cut ties. Overall a sucky situation. The best part: I opposed hiring this person since day one and the boss had to tell me the other day “Yeah, you were right. This is on me.”

Takeaway: be the best you can be, especially if you are surrounded by great talent who stop what they are doing to sit with you and show you the ropes.

TLDR: new guy sucks, can’t learn, doesn’t understand the basics, everyone has spent too much time helping, we will need to fire him and go back to square one.

Ertaz

cyberguypr wrote: »

I know there’s a ton of people out there trying to make it into the Infosec arena. I’m posting this so once you secure the gig, make sure you won’t be this guy. This is a long story but there’s a lesson or two here somewhere.

To provide background, my team believes in developing talent. This is a decent sized company so people get promoted left and right and we like to have a pipeline in case someone makes a move. A little bit over half the team is senior level engineers and the rest are jr. A couple of years ago we hired a guy fresh out of college. The guy was hungry to learn and quickly got up to speed. Although the full IT background wasn’t there, this guy could put two and two together and either try to figure out things by researching or escalating to the appropriate individuals. He has proven to be a valuable addition to the team.

That worked out pretty well, so we tried it again earlier this year with very different results. This time the guy just didn’t live up to the expectation. Keep in mind the guy has an IS/Risk Management degree, so it’s not like he hasn’t been exposed to security things before. Example of deficiencies:
• Severe lack of foundational knowledge: no idea what nslookup is, struggled to find a Windows machine’s IP, looking at logs he thought a MAC address was an Apple Mac computer, no idea what NT Authority\SYSTEM is, etc.
• Zero research ability. Most of the questions he asks the senior guys can literally be answered by the first few hits in Google (e.g: had no idea what a file called “brochure_design.ai” was and was convinced it was an exfiltration attempt)
• Inability to take notes. Procedures are explained, he takes notes, later on can’t make sense of what he wrote down. Meetings were delegated to this guy and we were left with useless notes.
• Cannot connect the dots. Zero critical thinking
• Overthinks the most basic stuff
• Constantly missing SLAs for super basic stuff
• Given access to expensive $BigSecurityVendor training for free, he let it expire without completing the first of 4 courses.

I can go on but I think you get the picture. This person has been with us for 6 months so far and improvement, if any, is at glacial pace. He has been talked to by both peers and manager on how to improve and what the expectation is. We even removed some of the original technical duties to see if he could master the “crappy” stuff. Yet nothing! I am personally convinced he will never get it and it’s not meant for this type of work. Hey, some people do belong in McDonald's. Everyone in my team has spent considerable amounts of time trying to ramp up the guy but things come in through one ear and go out the other. We are at the point where everyone’s workload is getting affected. It is obvious we need to cut ties. Overall a sucky situation. The best part: I opposed hiring this person since day one and the boss had to tell me the other day “Yeah, you were right. This is on me.”

Takeaway: be the best you can be, especially if you are surrounded by great talent who stop what they are doing to sit with you and show you the ropes.

TLDR: new guy sucks, can’t learn, doesn’t understand the basics, everyone has spent too much time helping, we will need to fire him and go back to square one.

Doh. The company I'm in let this crap go on for 7 years with a guy. He had a Masters in Cybersecurity from a real brick and mortar ACC institution, CISSP, and a CISA. The guy had zero technical background and what seemed like a lack of desire/inability to learn. He showed up late and drunk many days. Nothing demotivates a person more than management tolerating a non-performer.

TheFORCE

Is this why you are trying to fill thw other position?

Sucks to be that guy, there's plenty of talent out there just waiting for the call and some people are simply not cut out for Infosec jobs no matter how much they think they want it.

cyberguypr

Lucky for me my team is solely technical. Compliance is our sister dept. I'm just trying to help them out. When I have roles open up for my team I'll post them here.

jelevated

Much of the technical stuff could have been vetted during a technical interview. If you can't even explain what nslookup does then the interview is over.

hxhx

Have you tried putting him on a plan that he can follow? Something in writing.

Have you asked him what is going on?

Was the expensive training mandatory or optional? Is he wearing the minimum pieces of flare?

IT work is not for everyone, but I wonder if the problem here is that the guy isn't being motivated the right way. The zero critical thinking skills is actually the worst part of this. That's the hardest to fix.

Was the person actually qualified in the first place other than the degree? Is he fresh out of school?

Nobody wants to carry dead weight. I just wonder if there is a way to motivate him that you haven't discovered yet. I know that can be tiresome, but it might be worth it for both of you.

gespenstern

No big deal, hope your boss fires him ASAP.

Some people are just not for IT, fire him ASAP, so he doesn't waste nobody's precious time, including his own, in the industry he doesn't belong to.

People aren't equal in many regards and it doesn't benefit anyone when people try to make everybody a programmer or STEM or whatever.

Kick him out.

LOL at comments on "try this, try that". Adapt what is useful, reject what is not. Chances are close to zero that suddenly this guy reinvents himself after 6 months of this performance. People rarely change.

cyberguypr

@jelevated We got some candidates that showed technical aptitude but the cultural fit was not adequate. This guy obviously had some technical knowledge gaps but you know how the say you can tech tech stuff to anyone but can't teach personality and fitting into a group's culture? This guy broke that dogma.

@hxhx the plan is in place. He's failing miserably at following the bare minimum expectations set. We are a bunch of pretty damn fine practitioners that stop what we are doing to share knowledge. This is exactly what we've been doing but we can't do it forever. Our productivity is taking a serious hit that represents cost to the company. Even worse than the financial impact is reputation. My team is very well regarded and respected and there has been some erosion in that area. Unacceptable.

@gespenstern Yep. This is what I've been working hard at doing. Unfortunately the culture at my workplace is very accommodating. It almost takes an act of Congress to get rid of someone. We are doing our part documenting the case so HR can do their thing. We had some movement this week so I'm crossing my fingers. My patience ran out in month 3. We are wrapping up month six so you can imagine where I am at.

I want to add that today we had the 5,143rd discussion trying to understand what the problem is. We floated the idea of a potential learning disability, because the problem is that bad. We also recalled that during the interview he brought some papers that he did in his college security classes. I recall one in particular that had to do with Forensics and it looked decent. The other day we had him use the same tool he allegedly used for that class and it was like showing me something written in Sarcee (less than 200 people speak this). Now we are even questioning the degree, the university, etc.

LeBroke

The girl who does our compliance (PCI, SOX, dealing with vendors, compiling reports, filling out audit paperwork, etc) is nailing it. She's been in the role less than a year, and was our receptionist before this.

On the other hand we hired a senior DevOps Engineer (ostensibly to be my boss) about 6 months ago. Guy with an amazing resume, 10 years doing consulting, and last 7 or 8 as a senior systems engineer at Evil Game Co. working on Massive Sports Franchise stuff (mostly monitoring and automation). Had no idea how to do a df -h and was confused why when he ran SQL queries twice in a row outside of a transaction, they would give him different outputs.

The girl is going to do her MBA on company dime, while the guy didn't make his 3 months probation.

$bvb379

Yup, got beat out by a guy like this. Would have increased my salary by $20,000. My friend was trying to get me a job as an entry level security analyst but I got beat out by a guy right out of college with a Security and Assurance degree. My friend then proceeded to tell me that he had to tell the guy what a router was and what it did. What a shame some words on a piece of paper can do for and against people.

adrenaline19

Motivation is key. If he doesn't care, nothing will help. Either find a way to motivate him or fire him.

You could put me into any job and I'll excel, because that's who I am. My brother-in-law loves his job but does it terribly because he's an unmotivated individual.

That's the way the world works.

JoJoCal19

cyberguypr wrote: »

That worked out pretty well, so we tried it again earlier this year with very different results. This time the guy just didn’t live up to the expectation. Keep in mind the guy has an IS/Risk Management degree, so it’s not like he hasn’t been exposed to security things before. Example of deficiencies:
• Severe lack of foundational knowledge: no idea what nslookup is, struggled to find a Windows machine’s IP, looking at logs he thought a MAC address was an Apple Mac computer, no idea what NT Authority\SYSTEM is, etc.
• Zero research ability. Most of the questions he asks the senior guys can literally be answered by the first few hits in Google (e.g: had no idea what a file called “brochure_design.ai” was and was convinced it was an exfiltration attempt)
• Inability to take notes. Procedures are explained, he takes notes, later on can’t make sense of what he wrote down. Meetings were delegated to this guy and we were left with useless notes.
• Cannot connect the dots. Zero critical thinking
• Overthinks the most basic stuff
• Constantly missing SLAs for super basic stuff
• Given access to expensive $BigSecurityVendor training for free, he let it expire without completing the first of 4 courses.

The point on technical knowledge is one of those things that depends, everything else is unacceptable. For the technical knowledge, like you said, he doesn't have the IT background. There are people that become really abstracted from the technical side. Now his case is a bit extreme (MAC address tho ) but just wanted to point out that technical knowledge/skills is a use it or lose it type of thing, and for someone who doesn't have an IT background to begin with, I wouldn't expect them to know nslookup or NT Authority\SYSTEM off the top of their head. For the rest of the points, he's either got learning disabilities, utterly incompetent, doesn't give a crap, or some combination of the latter two.

It definitely sounds like they just don't care because you guys have gone completely out of your way and have been very accommodating in trying to get him up to par.

infosec123

cyberguypr wrote: »

We got some candidates that showed technical aptitude but the cultural fit was not adequate.

Im sorry but I absolutely hate this line. What exactly is so great about your company culture? Personally, I have gone into several places where I did not fit the company culture and left the place 10x better due to the changes I made. One such example, working at a company where IT was looked at as a cost center, so think underfunded and understaffed. Not a single person (including the CIO) have ever discussed anything BC/DR related with senior management. When they were finally asked the question (by me) of how long they can tolerate systems being down, and how much data they are willing to lose, the results from the conversations led to a $300k spend with a $100k annual budget increase. Sorry, but only hiring people that will be cogs in your machine is not the optimal approach. I understand the approach is needed in large companies, but you are only screwing yourself when you dismiss people because they wont fit in with the way you currently do things.

TechGromit

cyberguypr wrote: »

• Inability to take notes. Procedures are explained, he takes notes, later on can’t make sense of what he wrote down. Meetings were delegated to this guy and we were left with useless notes.
• Cannot connect the dots. Zero critical thinking
• Overthinks the most basic stuff
• Constantly missing SLAs for super basic stuff
• Given access to expensive $BigSecurityVendor training for free, he let it expire without completing the first of 4 courses.

There just some things you can't teach, they either have the attitude for computers or they don't. The only thing I question is why didn't you get rid of him before his 90 day probation was up. Unfortunately some people just look at the fact they can make 120k working in cyber security, without considering if they will be good at it. He should have seen he didn't have a passion for the field while attending college and should have changed his major accordingly. Personally I rather hire someone with just a GED and a passion for computers than a person with Master's degree that has no real interest in computers / technology.

NOC-Ninja

Does your boss know the guy personally?
IMO IT sec is usually for experienced professionals. If you hire a new person then he should only do the things that nobody will want to do, which are paperwork BS. Again and again, school does not teach you the real world.

TechGromit

cyberguypr wrote: »

Now we are even questioning the degree, the university, etc.

You company didn't even verify his credentials? In that case I have a Doctorate degree in IT, speak 12 languages and have three GSE certifications, I only want 140k a year, where do i apply?

blatini

TechGromit wrote: »

You company didn't even verify his credentials? In that case I have a Doctorate degree in IT, speak 12 languages and have three GSE certifications, I only want 140k a year, where do i apply?

Ya I think it is weird if you didn't follow up on this being a security dept.

Most likely the guy just BS'd his way through school. I'm not sure if your discussions are water cooler talk or actual sit down time but it seems like you all have wasted enough time on it. Just get the HR bs with warnings out of the way and move on from him.

Blucodex

TechGromit wrote: »

You company didn't even verify his credentials? In that case I have a Doctorate degree in IT, speak 12 languages and have three GSE certifications, I only want 140k a year, where do i apply?

My current job is the first that has asked me to prove my credentials.

adrenaline19

If I was that guy, I'd do that paperwork perfectly and professionally. Then, I'd spend every free second trying to get up to the same level as the most experienced employee in the department. I'd do whatever it takes to earn my place.

That's the difference between a good employee and a bad one. It isn't the knowledge, it's the drive. If he hasn't improved in six months on the job, it'll never happen. Find a way to fire him or get him fired OP, it's the best route for your company. You can lead a horse to water, but you can't throw stones in a glass house. (that's how it goes, right?)

shimasensei

Wow I can relate to this also, a non-tech person getting into a highly technical infosec department. Words can't describe the frustration..lol.

Best of luck to you and your team in finding a decent qualified replacement.

goatama

infosec123 wrote: »

Im sorry but I absolutely hate this line. What exactly is so great about your company culture?

It's not necessarily company culture, but team culture. For example, the company I'm currently at, our security team has a different culture than the rest of the company. It's important that candidates fit *our* culture because they'll be working with us. We take them out to Happy Hour after their panel interviews and get to know them. We want to make sure we're going to be able to get along with the person we're hiring. Otherwise nobody is happy. This also doesn't necessarily mean Silicon Valley startup-culture. Ain't nobody outside the Valley got time for that crap. We just want to make sure the person can deal with the crap we take and will stand up to push back when they need to. It's very important for a security team to be able to do that. And getting a feel for how the candidate will be able to do that is part of the cultural fit.

EDIT - That word got used so much it now has no meaning. I hate when that happens.

infosec123

goatama wrote: »

It's not necessarily company culture, but team culture. For example, the company I'm currently at, our security team has a different culture than the rest of the company. It's important that candidates fit *our* culture because they'll be working with us. We take them out to Happy Hour after their panel interviews and get to know them. We want to make sure we're going to be able to get along with the person we're hiring. Otherwise nobody is happy. This also doesn't necessarily mean Silicon Valley startup-culture. Ain't nobody outside the Valley got time for that crap. We just want to make sure the person can deal with the crap we take and will stand up to push back when they need to. It's very important for a security team to be able to do that. And getting a feel for how the candidate will be able to do that is part of the cultural fit.

EDIT - That word got used so much it now has no meaning. I hate when that happens.

I get it but still disagree. When I started at one job, on my first day, I was handed a excel spreadsheet with all the admin passwords to all systems on it, normal for my team. Two months later, I had selected and implemented a privileged password management system and eradicated every trace of that spreadsheet. I went against the team culture and made the place better, and after a little grumbling from my team mates, they finally started accepting the system and realized the benefits a PPM system provides. A good team isnt made of best friends (IMO), you need conflict to drive forward and make improvements.

Blucodex

infosec123 wrote: »

I get it but still disagree. When I started at one job, on my first day, I was handed a excel spreadsheet with all the admin passwords to all systems on it, normal for my team. Two months later, I had selected and implemented a privileged password management system and eradicated every trace of that spreadsheet. I went against the team culture and made the place better, and after a little grumbling from my team mates, they finally started accepting the system and realized the benefits a PPM system provides. A good team isnt made of best friends (IMO), you need conflict to drive forward and make improvements.

I think by "culture" it's more about simpatico. Have you ever worked with someone who was such a piece of **** that HR was the only reason they weren't fired? Not someone you want in your team even if they are a rockstar at their job.

Mike R

The small MSP I work just did something similar as the OP. Only I was the original guy the owner took the risk with and it paid off for him (given my recent huge raise).

We took on a intern with a BS in CompSci in march and experienced the exact same thing as Cyberguy did. Didn't know any of the basics yet he has a BS in IT. Me and my boss were just dumbfounded he didn't know how to find an IP,add new local users,or any type of critical thinking. To top it all off it was like pulling teeth to get him to put his phone down and pay attention.

I think if you don't have a passion for learning or problem solving IT really isn't a great field for someone. We got the feeling from our intern that he really just expected to float through life by trotting out his 4 year degree.

Blucodex

What does that say about education when people can get a BS in IT and aren't able to perform basic helpdesk tasks? I just talked to a kid enrolled at the MS Cybersecurity program at ASU. He said he was getting laughed out of interviews. After 4 months hanging around a local non profit cybersecurity range he was getting jobs for $38hr with a DOD contractor.

infosec123

Blucodex wrote: »

I think by "culture" it's more about simpatico. Have you ever worked with someone who was such a piece of **** that HR was the only reason they weren't fired? Not someone you want in your team even if they are a rockstar at their job.

To some people, I am that guy. I constant push for change and improvements. Some people on my team really dont like me, but management loves me because they see the improvements I am making in spite of the company culture.

inverse_one

I think we can mostly agree there is a balance. For me, their needs to be peer review that can cause some arguments, but it's also important that it doesn't flare egos that can affect the team.

As far as infosec qualifications, if they are interviewing someone out of college they need to ask some technical questions that relate to the job. They need to know the fundamentals in order to build upon. Nothing worse then having to train someone from the ground up. A little review is fine, but full blown 101 stuff, not so much. I've interviewed so many people, that if they would just pickup a simple networking book, they would know the answers to our high level questions.

Additionally, troubleshooting skills, to me, are part talent. Some have it and others don't. That doesn't mean they cannot learn a bit, but I've seen some guys just walk on water troubleshooting anything. They can see in there head what they want to see and weed out the crap that doesn't matter. Most normal people I see rely on talking with others and working together (Hopefully learning on the way).

cyberguypr

You guys make it sound like I work at Mom&Pop's IT shop. Of course there was a full background check conducted. The degree is 100% valid. What we question is if the guy really did the school work or if he either ended up buying papers off Chegg, got answers provided by an unscrupulous teacher, or something like that. The other day I went to the college's website, checked the curriculum and brought up conversation and questions about topics covered in the classes. He deflected every one of my questions. Bizarre.

Blucodex

cyberguypr wrote: »

You guys make it sound like I work at Mom&Pop's IT shop. Of course there was a full background check conducted. The degree is 100% valid. What we question is if the guy really did the school work or if he either ended up buying papers off Chegg, got answers provided by an unscrupulous teacher, or something like that. The other day I went to the college's website, checked the curriculum and brought up conversation and questions about topics covered in the classes. He deflected every one of my questions. Bizarre.

Schools actually use software to catch plagiarized papers. C is for degree and you can almost get a C just by showing up.

blatini

>Now we are even questioning the degree, the university, etc.

To be fair that sounds a lot different than what you just said :P
I think stuff like this goes back to learning to pass and learning to learn. Whether you are writing a paper or giving a presentation it's really easy to grab a few articles and let them write your paper for you with minimal effort and understanding. It's also pretty easy to navigate your way through just knowing what to study versus knowing the topic. It doesn't have to be as nefarious as cheating.

Working with someone who is a drag in any regard sucks though. Why isn't he just being let go?

[Deleted User]

Sounds like an under achiever. The saying C's get degrees is sad but true! If you don't mind me asking Cyberguypr did this guy have any certifications and if so which ones? My best advice is that he will fall over his own feet at some point and make a critical mistake putting him next on the chopping block. From the way you are describing it, it shouldn't be to long before this kid makes a critical mistake. Also, all because he went to a brick and mortar school doesn't mean jack. It all depends on if he "learned" anything in the degree program.