The opinions expressed herein are my own and do not represent my past, present and future employer’s views in any way. Nothing posted here should be considered official or sanctioned by my past, present or future employer or any other organization I’m affiliated with.


Written by Duarte Castelo Grande de Carvalho (dcgc)


Trainee: one that is being trained especially for a job. This is the definition according to the Merriam-Webster dictionary. This is what we are told when we are learning, when we are starting our learning experience, our developing journeys. We feel excitement, exhilaration, enthusiasm, and ultimately, it is what we look forward to when we reach this stage. With the proliferation of jobs in the IT sector, especially customer support, we see a lot of people joining the IT space with no background in tech (people coming from reconversion programs) and a lot of young people joining the masses right out of college. Usually, the start of someone’s career in IT involves going through an internship, with the excuse that it will be a learning ground for the young individual, but it is ultimately done due to ulterior motives on the part of the employer who is providing the trial. Let’s have a look at some of these internship offers and why we have to do an internship when we start our path.

What is an internship?

The purpose of being a trainee in a company is to be trained and taught a craft or a trade, for a pre-determined period of time. In IT, this usually means a programming language (to become a code monkey), helpdesk service (to become a machine) or an engineer handling a specific technology/system (to become a manual operations worker). The fact of life is that companies need IT infrastructure and people specialized in different areas to develop/maintain/create it. This is seen as both a cost and an investment, depending on the business and industry the organization is in. It can be a cost due to the fact that we are in the 21st century and the world revolves around technology and telecommunications. So, organizations that are not inherently technological need to adapt to this. It can be an investment due to the fact that the service, product and business of the organization as a whole runs on technology or is technology. It is key for organizations to have qualified personnel and we need new people to be qualified and to be ready to work (out with the old, in with the new).

An internship (or traineeship) is often seen as a first step for a newcomer to start their journey in “CyberSecurity” and organizations make enticing propositions for fresh-green graduates (from university) to work on their projects. For graduates, internships are viewed as a necessary requirement in order to gain quality work experience. Many times, employers will hire graduates after they have completed their degree in Computer Science (or not (reconversion programs)). Students are desperate to get a job, which usually means that any company and any job position is their dream company and their dream job. Sometimes, the situation is so dire that graduates accept unpaid positions (are internships really that awful these days?). Despite this paradigm, we still look forward to starting our new job.

Depending on expectations, depending on education background, depending on knowledge, depending on life, our opinion and feedback regarding our starting position will transcend our initial impression or will change drastically for the worse. A lot of what we were told in university by professors, who usually have no industry experience and are not up-to-date with it, is outright misleading. The truth of the matter is, in life you will experience many surprises (usually called “sunshine rays” or “buckets of cold water”, respectively) and the internship is one of them.

What (actually) is an internship?

I start off by saying that being a trainee used to be a role entirely focused on providing graduates with an opportunity to learn some skills, and also to serve as a talent-feeder for companies. Instead, it has now become a way to source out mundane work for cheap (or for free), but most surprisingly, it has become a place to bootcamp (awfully) normal people, to churn out bad professionals (technically, at least) and to cut out normal paid jobs in favor of internships. This trend affects everyone. Companies need to get back to the true nature of the internship, because as of this moment, we have an abundance of people who will do a “sufficiently fine” job. Maybe that is fine to not disturb the normalcy (as most companies expect), but that is not fine for efficiency and innovation, which lead to better results and to improvement overall. To be honest, IT really ought to be considered the new “blue collar” job. Internships are the modern version of apprenticeships that “blue collar” unions have been doing for decades.

Then there are the lies:

The deal about internships is that they are one of the biggest bullshit je ne sais quoi things going on, and most of the people involved with it in some form or capacity don’t want to admit it. It goes against their own interests. Schools and universities that include it in their programs won’t admit it, companies that use them won’t admit it, and the students who participate in it won’t call it out because they need it… and so the cycle continues. Due to this, new joiners can end up being a waste of the organization’s time (many employers will tell you that you’re great one second, and then dismiss you the next), especially if no adequate resources are allocated: management and recruitment see them as cheap labour and interns come with unrealistic expectations.

Despite all of this, however, I have to say that even if our experiences in internships were downright awful, they were not a failure and they were an important milestone. When we mature enough to realize that, we truly learn this lesson. There are valuable lessons to be taken away from them and it is a small sample of what you will encounter in the rest of your career:

Why you must do a (shitty) internship

A bullshit job is a job which is pointless. A firm believer in the job enjoys and lives it day-by-day; a normal person pretends to enjoy the job while secretly hating it, knowing that it shouldn’t exist. Pretending is the bullshit element: you kind of have to pretend there’s a reason for the job to exist. But secretly, you think if this job didn’t exist, it would not make a difference at all, or that the corporate world would be less cluttered with bullshit. You need to undertake a bullshit internship in the beginning of your career, because:

Decoding an internship job offer

Let’s take a look at a job offer from a company I’m familiar with, and understand what they look for in a trainee/intern, so as to grasp what expectations we can assume from this opportunity.


Official description of the department inside the organization and IT infrastructure, not representative of their real functions.

Continuation of the official description of the department and detailing what types of roles it has.

Explanation on why IT exists in the company, not necessarily on what you will encounter.

Job “Summary”

Your job title.

Brief description on the envisioned purpose of the role in the department and the “sales pitch”.

Brief description on the envisioned daily collaboration and work dynamic of the role in the department.

Official description of the “project” your work will be under.

Official enumeration of some of the envisioned tasks the position entails.

Official positioning of the role and department inside the company; envisioning expectations for the role.

Illusion of friendliness by the company.

Key Accountabilities/Responsibilities

Enumeration of responsibilities commences…

Hint on what technology you will work with.

Who you will work with on a regular basis.

“On-the-job” learning (“unshit yourself”).

Every company uses “Fake Agile”, get used to it.

Profile and Skills

What you need to “be” in terms of “hard-skills” and work-personality.

What is a UK-based qualification system doing on a job ad for a position to be taken in a country outside of the UK? Funny, innit.

You can read and understand text, diagrams, code, etc.

You can speak and be understood in the language you communicate.

Ability to not give a fuck when you get shouted at and/or get an unreasonable and unfair task.

Know fake Agile and have heard about Waterfall from university (because they still teach that crap).

You need to understand the technology of the position you are applying for.

You need to understand the technology of the position…

You need to understand the technology of… yes.

Willingness to listen to others (senior teammates), even when they are wrong.

You follow orders and agree with what people say, unconditionally.

You know English from school and television.

What you need to “be” in terms of “soft-skills”, life-personality, what qualifications you have and repeated items.

You are not an asshole.

You can read and understand text, diagrams… yes.

Ability to not give a fuck when you get shouted… yes.

You can read and understand text… yes.

You follow orders and agree with what people say… yes.

You are not a street hood.

You need to have a degree from a university, because that will be the deciding factor for the company accepting you for an interview.


Do not expect this to be true; this paragraph is a legal requirement by the company so they can save themselves from legal complications regarding shenanigans.

Justifications and vindications

“Simply put, there aren’t enough qualified cybersecurity professionals.”

We hear this all the time, and interns are faced with this statement when undergoing the internship and when facing difficult situations, or when the time to contest arises. Interns are pressured and blackmailed into thinking that they have gotten a golden opportunity and that if they don’t follow whatever is necessary, they are dismissed. We don’t have a workforce shortage problem, we never really did. What we have is a wrong placement and allocation problem. It’s not about training people with Udemy online access and vendor in-person courses, it is about meaningfully onboarding, introducing and directing newcomers into understanding what their role is and what it contributes to. If companies were to hire enough people to eliminate every security issue in their estate, they’d need to at least onboard both qualified people and new people. We don’t see this regularly, as we do not see a balanced hiring of both levels. Nevertheless, the answer is to have both trained personnel and technology that supports the security program in efficiently addressing most of the security issues and that prepares the organization to combat and respond to security incidents. Enterprises have treated information security as a manpower and triage problem when it isn’t necessarily one. Find tools that help you get the most out of your available resources; don’t piggyback and weigh all your information security problems on top of people. Employers will hire interns thinking that they will automatically solve their issues, expecting that they have a ridiculous skill-set that is impossible to learn without prior experience in the same field, and planning a lot of their security program work hours with uncontested devotion on the part of the newcomers.

Then you have different types of internship that justify the lack of payment, minimal support and cut-throat environments:

In the context of an internship, usually there are several parties involved and responsible for different aspects:

So, what else?
