Fun Question

adrenaline19 · July 2017

Okay, what if a 19 year-old guy applies to your current employer for an entry level position. He has no high school diploma, no college degree, and zero work history. (not even McDonald's)

But, the dude has one certification, an OSCE.

No OSCP, no Sec+, no CEH, nothing else; just an OSCE.

What would you do if that's all you saw on a resume?
Would you bring him in for an interview?
Would you be curious about that backstory?
Would you assume he's lying?

BuhRock · July 2017

I would bring him in for an interview for sure. I'd quiz him as I'm taking the OSCE currently. I'd like to know what he plans to do in the future for school, if any. We'd basically just talk tech for like an hr to guage his skillset. I might even have him whiteboard some scripting problems.

Danielm7 · July 2017

They wouldn't get past HR, especially without even a HS diploma. I'd be curious, if it's legit I'd assume they were really bored in HS and dropped out and did their own thing. I'd also wonder if that same person would be willing to sit though the boring parts of the regular job, write reports, present findings, and all the other stuff regular employees have to do.

DatabaseHead · July 2017

Agree with Daniel, he/she wouldn't get past HR.

Blucodex · July 2017

DatabaseHead wrote: »

Agree with Daniel, he/she wouldn't get past HR.

I think we are assuming he did. Friend or family of employee?

Phalanx · July 2017

In the UK, HR wouldn't have a say if they get past that point or not. Here, I'd be watchful of him. I'd bring him in, but I'd make sure he was tested in some manner. If it's entry-level, I'd be more inclined to look for the personality and initial drive than how good a qualification is.

BuhRock · July 2017

DatabaseHead wrote: »

Agree with Daniel, he/she wouldn't get past HR.

Maybe he wouldn't at your company.

Danielm7 · July 2017

BuhRock wrote: »

Maybe he wouldn't at your company.

I think that's part of the exercise, we're talking about our experiences.

NetworkNewb · July 2017

BuhRock wrote: »

Maybe he wouldn't at your company.

Assuming he wouldn't get passed HR at my place either. That's all someone wants, someone who has obviously spent a lot of time learning how to hack but has never worked in a professional setting and has shown no ambition to actually finish anything else. I see nothing wrong there.

networker050184 · July 2017

Depends on the competition. His/her resume certainly isn't going to stand out without any experience or at least some education. So even though they probably wouldn't be ruled out completely, they'd likely never make the cut.

adrenaline19 · July 2017

So, is HR hurting your company by not giving him a chance or are they saving you time by throwing his resume in the trash?

636-555-3226 · July 2017

Assuming he got past HR, I'd give him an interview, one of our laptops, and tell him to hack away. He wouldn't get very far, but I'd watch what he tries to do, what tools he tries to load, ways he tries to get around our defenses, and I'd know if he knows what he's doing or not. Then if he's no good I'd email the other infosec mgrs in the area and give them a heads up the guy's full of it

Iristheangel · July 2017

I would give him a call but given that he's never held a job or completed any form of school, he or she might have trouble adjusting to a job, office ettiquette, structure, etc. Since it is an entry level job, he would only be considered for such so something like help desk, NOC, etc and it's likely his OSCE qualifications would largely be irrelevant for the position

Iristheangel · July 2017

Oh one more thing to add: since he or she would not have even a HS diploma, I would worry about their ability to craft formal reports and emails a little more than others.

TheFORCE · July 2017

Why not verify the OSCE before calling them in?

adrenaline19 · July 2017

If you verified the OSCE, would that be enough for you to give him/her the job?

I think Iristheangel made a good point when she said that you'd have to worry about quality reports because of the lack of a high school diploma.

I feel like this is a really interesting question given the current state of the industry.

Would it help if the applicant also had some verifiable bug bounties under his/her belt?

Iristheangel · July 2017

OSCE would tell me that this person is fairly technical but in a way that was no way related to an entry level job so it wouldn't really sway me a great deal. In the same way that if someone with a CCIE were to apply for a helpdesk job, you can think in the back of your mind that they might understand how to troubleshoot that TCP/IP stack on a computer a little better than their peers but the rest of the CCIE-level skillset would be largely irrelevant for the job they are applying for. It's the same for the OSCE. It might tell me that they are stronger in Linux than the average helpdesk person but it's largely irrelevant to an entry-level gig like desktop support, helpdesk, etc. Regardless of bug bounties.

If they are applying for an "entry-level security job," instead of the above jobs I specified, then it's still somewhat irrelevant because most entry-level security jobs aren't full blown pentests and still require years of experience in other parts of IT. It's probably wiser to cert-up based on the professional level you're at right now or the next rung on the ladder instead of jumping too far ahead.

xxxkaliboyxxx · July 2017

I think this is where the great leaders get set apart from the good leaders. Coming from the military, not everyone has the same skillset, background, life/learning experience. Me, personally, I would reach out to them and set them up to a fast track, try to mentor best I could, would try to talk to them on a personal level and get them setup at an entry level and watch them closely. Sometimes, people need a little guidance and direction. I'm grateful to the people in my past, so I would try to return the favor. Might come out bad, but I would try.

636-555-3226 · July 2017

adrenaline19 wrote: »

I think Iristheangel made a good point when she said that you'd have to worry about quality reports because of the lack of a high school diploma.

Honestly, most reports I've seen over the past few years are canned templates with a few details customized based on the customer's network. Not a lot of writing skill is actually needed once the template is made.

UnixGuy · July 2017

I would hire all the guys with decades of experience, certs, knowledge, and LIFE EXPERIENCE over him.

OSCE, good for him. Now he needs to get life experience before I can put him in front of customers, colleagues, and others who worked very hard to be where they are

Fun Question

Comments