Episode: 3688
Title: HPR3688: Education, Certifications, and sipping on the Socials
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3688/hpr3688.mp3
Transcribed: 2025-10-25 04:03:17

---

This is Hacker Public Radio Episode 3688 for Wednesday, the 21st of September 2022. Today's show is entitled "Education, Certifications, and sipping on the Socials". It is part of the series Privacy and Security. It is hosted by Lurking Prion and is about 30 minutes long. It carries an explicit flag. The summary is: I discuss the value of an education, certifications, and a positive social media presence.

Hey, welcome to another episode. Today I wanted to talk to you about education and social media. One of the things I get asked all the time is whether or not you should go to college or you should get certifications. I hate the idea that we have come to an either-or fork in the road when it comes to this. The simple truth of the matter is, education matters and I will stand by that and I will die on that hill. So do I think a bachelor's or a master's degree matters? Absolutely. Do the certifications also matter? Absolutely. Should you have both? Yes. Now, you might say, but who cares? All right, well, let's talk about it from a hiring manager standpoint. From a hiring manager standpoint, you can come to me with a bunch of certifications and no background or limited background, in which case I'm going to look at you and say, hmm, this person had enough knowledge to pass a test. Or I could look at somebody who comes to me with little to no knowledge and a degree. And maybe they have a certification, maybe they don't. However, they have already proven that they can commit to the long haul and see a project through to its end. That's really the value in the degree from a manager standpoint. You have shown that you have the ability to commit and follow through. And the certifications, that will come. As you get knowledge, you will be able to pass the certifications.
We live in a world where certifications have been turned upside down. Certifications should never, ever, ever have been meant to be an entry-level or a job requirement at the junior level. For the senior level, absolutely. But certifications were developed to show whether or not you actually had the experience that you were telling people. Way back in the day, it used to be easy for somebody to come up and say, hey, I've got experience working on databases, and somebody hires them just to find out that no, they had no clue what they were doing and left their company in a horrible lurch. So people started offering certifications to actually filter out the people who knew something from the people who didn't know something. Well, the problem is, the people who didn't know something didn't want to be left out. They wanted their paycheck for going in and jacking up companies or doing as little work as possible. So they hired really smart people to go in and take the test and then come out and write down as many of the questions as possible. And voila, we have created test dumps. So now you can go and memorize a bunch of questions, go in, take the test and pass it and voila, you have the same certification as the person who actually studied their ass off. Well, there you go. That's the world we live in. We have lazy people who would rather just study a test dump rather than the people who would actually put in the time and effort to learn the material, and the result shows. If you look at the sad state of information security across the world, you're going to see that there are a whole lot of people who are doing just barely what they need to get their paycheck. You don't have a whole lot of people in any organization going above and beyond the call of duty, sitting there in their spare time actually researching, learning, and making themselves better. Those people are the minority in the work center. They are not the majority.
And if you happen to work in a work center where that is not the case, then I'm going to tell you: do not leave. If you work in a place where everybody is exceptional, do not leave, because you will go somewhere where you find that you are the exceptional person and everyone else sucks. And you're going to be like, oh, that's great. I'm the exceptional person. Except you're going to be the person always getting called at 2 a.m. You're going to be the person who's always stuck fixing stuff, always taking phone calls on vacation. And yeah, life is not going to be good. So exceptional people are not that common. And unfortunately, we need more of them. Do certifications have a place in the world? Sure. Have we abused it and absolutely throttled the hell out of what it was supposed to be? Yes. Today is just the money making embargo. So now it's just a matter of whether or not you have forked out the money to get this little piece of paper that somebody wants as a prerequisite for the job. Well, here's the problem. The person who is actually hiring for the job is never even going to see your resume until it gets past those little words that say Security+ or whatever the case happens to be. So here are my pro tips. If you do not have a certification, put down that you are studying for a certification, start studying, and put a date on it. Now, this brings me to the next part of the conversation, which is social media. And I'm probably going to catch a lot of flak for this one, but I'm going to stand by it. I think that everyone should develop two social identities. One that is completely, absolutely 100% private. This is the social media that you share with the people that you actually know. The ones that you have actually spent time in a room together, your family, those close friends. That little social media circle should be incredibly small, private, and locked down as much as possible. Then you should have a second 100% public profile. Put yourself out there.
Brand yourself. Get on LinkedIn. Make sure that you're on Facebook. Make sure that you're on Instagram. Get on the big social media platforms. Start posting. Start making friends and start building a network. Now, there's a number of reasons why you should do this. So let's just start at the top. As a hiring manager, whenever I got resumes, the very first thing I would do is go and find the social media for all of the potential candidates. You would be surprised how many candidates had their resume thrown in the garbage from the crap that I found on their social media because they didn't bother to filter out anything that they put out there. And people can be really, really stupid on social media. Now, the other thing is, and I personally did not do this, but I know other hiring managers do, is they went and looked at the friends that the candidate associated with. So for example, you may not be 420. You may not be smoking dope every day. But if all of your friends are pot heads and they're posting stuff about their bongs and pot and all the great stuff they've got, that's probably going to reflect back on you, even though you are not that kind of a person. So keep in mind that when it comes to your public profile, you need to be very careful about what you post and who you have an acquaintance with. This is going to be something where you may have to sever ties with people on one of your social medias. Preferably the public one. Hey, the public one. Now, something that's even worse than having bad stuff on your social media is having no social media. Candidates that have no social media are a huge red flag. That's because this is abnormal. This is not the way society works today. This is not how people interact and communicate. So if you come in as a candidate with no social media presence, that is going to be a huge red flag for your employer. And you're already sitting there saying, well, but you know, that shouldn't be the case. 
Well, I'm going to tell you it is the case. Pure, straight, simple 100%. No social media. You might as well be sitting there writing your manifesto for blowing up whatever government building. They suspect you might be planning on doing. Is that the case? No. There's a lot of us who really don't like social media at all. I'm one of them. I hate social media. I hate being on it. It's a waste of time. But is it necessary? Yes. Point number building a network of connections. You're going to find that the majority of jobs that you get in your career are not going to be from you applying for jobs. They're going to be jobs that you find out through your network of friends. So if you build yourself a large network and you have a large number of friends and acquaintances, they can be people that you don't know. But they know you from your social media presence. You're posting professional things. You're posting about your career field. The stuff that you're interested in. You're posting about stuff that relates to your job or the stuff that you're studying. That is stuff that is going to reflect very well on you. And people will gain a good favor of you. So whenever it comes time to look for a job, you can put it out there that, hey, I'm looking for a job. And you'll be surprised how many people will pop up and say, well, hey, it hasn't hit the waves yet. But we've got a job opening over here. Somebody just put in their resume. Their two weeks' notice. So send me your resume, we'll take a look at it and see what we can do. You're going to find that networking is going to be the best way to get the best jobs in your career. So you need that social media presence. You need that network of connections. Now, which social media is the most bang for your buck? You need to have LinkedIn. Recruiters are looking through LinkedIn. That is the number one place they go to look for candidates. And they do keyword searches.
Remember how I said when you're studying for that certification to put it out there? So the moment that the words Security+ or Certified Ethical Hacker or fill-in-the-blank certification. As soon as those words appear on your LinkedIn or your Indeed; Indeed is another one that I highly recommend. Put that on there. Now those keywords are going to show up. I would simply put down, hey, Security+, estimated completion date, put it for three months down the road. What do you think is reasonable for you to study and pass that certification, and start studying for it. But what you're going to find is even though you don't have the certification, the fact that those words are now on your profile now puts you in the visibility of those recruiters who are looking for people for positions that require that certification. It's not having the certification that gets you seen by hiring managers. It's the keywords on your resume that get you seen by the hiring managers. A lot of times when you send resumes into a company, they will just run it through one of the CR and they will do a keyword search. And if your resume does not have the right keywords for the job description, it goes into the bit bucket and no one ever calls you back. Get those keywords on there. If they want somebody that has a Security+ and you don't have that, put Security+ on your resume and say, hey, I'm studying for Security+. Here's my estimated date that I'm going to complete this and test. And you're going to find that employers really don't care if you have the certification. What they care about is whether or not you are willing to do it. So you're going to find that a lot of employers will look at you and say, well, okay, I realize you don't have the certification yet. You say you're going to get it in this time. So we'll do like a three month or a six month and we'll see how you do.
And I'll come back and if you don't have that certification within that time period, then we'll have to rediscover and maybe you'll be looking for new employment. Again, motivation. So keywords are what's going to get you seen by hiring managers. College degrees. Those show that you have the ability to put together a plan and stick with it through to the end. It doesn't matter if that degree is in cyber security or underwater basket weaving. The fact that you took the time to go through and follow through to completion is what matters in the business world. Now again, when you talk about most bang for your buck at the master's level, 100% MBA. Master of Business Administration. I'm going to stick with that one. Get your minor in cyber something or other, but that MBA by far is going to be worth its weight in gold. It's sad to say that not all certifications are worth the same amount of money. And it's also sad to say that not all degrees are worth the same amount of money. This is where you need to start looking and figuring out what it is that you need to move yourself in the trajectory of the progression that you want to go in. For example, there's been debate for years about the OSCP, the Offensive Security Certified Pentester, versus Certified Ethical Hacker. Look, which one is better? Yes, I don't care. At the end of the day, CEH has name recognition. Managers who don't know anything about cyber security know CEH. That means something to them. And you might be sitting there saying, oh, but my OSCP, I really knew something. I had to go, nobody cares. At the end of the day, if they don't know what those acronyms stand for, they don't care. And the fact is, you are not trying to impress them with the things that can't show up on your resume. You have to impress them with the words that they understand. And this is where a lot of people fall down flat and they don't find themselves moving in the way that they should in their career.
You need to make sure that you are moving with the career field. And if the career field says, hey, CEH is what everyone should have, then you should be getting your CEH. Does that mean that you should get that and stop? No. By all means, no. Get that CEH and then go get the OSCP. Hey, which one doesn't matter. Which one's going to get the money? That matters. So keep in mind, the same goes for degrees. When you're going in, you're paying money to get a college degree. They don't all have the same payout on the back end. And that's not what they tell you. They tell you, oh, cyber security, this is really hot. And okay, for the junior-level positions, yeah, those matter. People want to see people with cyber security degrees coming into those junior-level or maybe even mid-level positions. But again, when you start getting to the management level, that degree in cyber security. I don't care if you have a PhD in cyber security. Chances are, the person who has that MBA is going to be picked over you. Again, that's the gold standard. When it comes to certifications, you also need to make a decision as to whether or not you want to be a technical person or if you want to be a management person. People always come to me and they're like, oh, should I get the CISSP? Well, they're two completely different things going in completely opposite directions. The CASP is very, very technical. That's for people who are engineers and architects in a large enterprise environment. That is something that is really going to have a lot of technical background and a lot of technical application. The CISSP, on the other hand, that's a management certification. That is teaching you how to translate geek speak into management so that you can talk to the C-level executives and tell them what it is that geeks are actually trying to say. We have a problem. There's a disconnect. We at the geek level, we have a language. At the management level, they have a different language.
The CISSP is the translator. They're the ones who sit there and make it happen. The way they communicate and relay that information to the upper management is what makes the difference as to how your program moves forward. The CISSP is really aimed at managers. It's not aimed at technical people. It's not a technical certification. When people come to me and they're like, oh, I need to get the CISSP so I can move up and I ask them, what do you want to do with your life? I want to be an architect. I'm like, then why are you getting the CISSP? If you want to move into management and you want to be a manager, you want to be the manager of your work section, whatever the case happens to be, you want to be a project manager. Again, if you want to be a project manager, PMP might be the way you need to go. Start looking at what certifications matter for the position that you want. A lot of people just go for big shiny because everybody has it or everyone talks about it. Instead of looking for the big shiny for the career field or trajectory that they are actually trying to land themselves in, you have to know where it is that you want to go and what it's going to take to get there. You have to map out a plan and say, okay, this is where I want to go. Right now, these are the major certifications that people are looking at. This is the type of degree that they're wanting to see and start working your way toward it one degree at a time. Work your way there. Is it going to take some time? Maybe. Maybe you'll get lucky and you'll get pulled right into a position. The world may never know. Again, we need more people in cybersecurity and it's not just cybersecurity people that we need. I keep talking about diversity and different thinking, different ways of approaching problems. When it comes to cybersecurity, we lose sight of the fact that cybersecurity is there to enable the business to accomplish its mission, whatever that happens to be.
We are to be a business enabler, a business facilitator. We are not there to shut down the organization so that they can no longer make money. That is not the name of our game. We are there to help them do business in the best way that we can. Again, it's all risk assessment. So, hey, look, here's the way you want to do this. Here's the risk associated with this. And do you want to accept that or you want to do something to lower the risk for this particular thing? And again, it's up to them to make a decision. But that is the nature of the game. Now, we need other people coming in who can look at this and say, well, hey, when I was on this side of the business, these are the kinds of things that really got in my way and stopped me from being productive. So, they can start giving you input from a different vantage point. Psychologists coming in and saying, hey, look, we can start taking a look at the types of attackers that are coming after us. And we can start understanding psychologically the kinds of things that they are doing and maybe the kinds of things that they are looking for. We can actually build profiles on our threat actors. There are so many different ways that people with different backgrounds can help out in cybersecurity. So, should you be getting into cybersecurity? Absolutely. Is the career field going to go away? Nope. Not going to happen. We keep talking about AI and machine learning. That's great. Machine learning really kind of worthless if we haven't seen the attack before. Doesn't really matter what product you're selling. If we haven't seen the attack before, machine learning is pretty much going to die. AI isn't there yet? Nope. Not there yet. Getting better? Yeah. And again, keep in mind, not everybody has a bazillion dollars to throw out and not everybody has a perfectly locked down network and users that are completely security focused. Matter of fact, I would think that list is probably kind of small. So, come on in.
The water is fine. So, again, get your degree. It matters. Education matters. Not only that, but it'll expose you to different parts of the career field. As you're going through and you're getting your degree, I want to be in cybersecurity. You might take a database course and say, holy crap, this is exciting. I really like doing this. Well, hey, databases need to be secured too. We need people that know databases and security. We need people who are developers and know security. It does the team no good to have a cybersecurity person come to you and say, hey, this is wrong with your web application. And the web developers say, okay, how do I fix it? And they're like, yes. Okay. So, what do I do? I just keep doing it until it goes through the scanner clean. Is that really helpful? No. Do we need people who can look at the results at the output and say, hey, look, here's the problem. Here's what's going on. You've got this particular thing going on. We need to sit here and filter this out. You aren't doing proper input validation here. We need to clean that up. Whatever the case happens to be, we have to be able to talk the language with people who are actually fixing the problem. And we don't have enough of those people out there. We need more people. So, certifications, do they matter? Yes. Do you absolutely have to have a certification to get a job? No. Do you need the letters on your resume and on your LinkedIn in order to get noticed and recognized for that job? Absolutely. Estimated completion date. Same thing with your degree. If you're going to get a college degree, put it on your LinkedIn, put it on your Indeed, and put down your estimated graduation date. It doesn't matter that you actually haven't graduated yet. It's the fact that you are currently doing that. That is something that you are currently working on. That is perfectly fine and perfectly acceptable. Think about an organization that had a risk assessment.
And they come in and they find all of these things wrong with the organization. Does the organization fix everything all at once? No. They create a five-year plan. And they're like, okay, we're here. We're going to do this this year and then this this year and then this this year. And it's all working toward the results of that first risk analysis. And then the second year comes along and another risk analysis comes out. And now your objectives have changed. Now you've got to change that five-year plan. Do you think that managers understand that when you're planning for something, that that is a perfectly legitimate thing to do? So long as you're actually doing it, yes. And the same holds true for every other part of the business community. Work on it. Work toward it. Don't sit there and feel that you can't take credit for it until you actually have that piece of paper in hand. That is going to hold you back. That is going to be a detriment to your progression. So, education, get it. Certifications? Yes. Do I personally feel that they've been tweaked into something that they shouldn't have been? Yes. Is there anything I personally can do about it? No. Is it the world we live in? Yes. So, I say this even as I am studying for another certification. Yay! More letters to throw behind my name. Now, do I throw all the letters behind my name? No. Nope. No, I don't. Now, you see those people, they've got all those acronyms sitting behind their name. They've got all these little badges floating around. If you want to do that, you want to be that person, you can. I'm just going to say that I believe most people look at that and they say, huh, that's not really modest. There you go. Pick one certification and throw that behind your name. CISSP. Boom. There you go. Done. CEH. Done. Boom. Do you have to put all of them? No. No. That's ridiculous. Especially your email signature line. For God's sake, please stop doing that. All right. So, anyway, there you go.
Hopefully this helps those of you who are out there looking to grow your network. And again, for those of you who are wanting to avoid the social media, keep in mind, people are looking at that and having no social media is really a big negative. Create that completely public profile. Have that public-facing Facebook. Have that public-facing LinkedIn. Have that public-facing Instagram or whatever else that people are on. Look at the major platforms that people are using. Get on them and be active. Make friends. Build your network. Look for other people who are in your career field or in the career field that you're trying to get into. Stay abreast of what's going on with the current topics, the current news, the current threats, whatever it happens to be. And keep posting. Stay consistently regular on that social media. You don't have to be sitting there posting pictures about how you feel, about blah, blah, blah. You don't have to jump into political discussions. You don't have to do any of that. I scroll past all of that crap. But hey, when I see a new vulnerability that people who have an iPhone really need to patch like yesterday, then yeah, that's the kind of thing I'm going to post. When I sit here and I find out, hey, here's a new exploit. Here's how it was exploited. Am I going to share that? Yes, absolutely. Somebody is sitting here feeling the X candidate is something, blah, I don't care. Don't waste my time. Doesn't matter. Not going to sit there and turn my feed into that kind of garbage. I'll just scroll right past that. You should too. And you should make sure that you are continuously checking your public profile to see what is out there. What kind of things come up when you Google search your name or the email address that you are using for that public-facing side.
And I would highly, highly, highly recommend 2FA everywhere you can, especially on the phone number that you use for registering and getting those backup verification codes or those SMS codes whenever you log in. Make sure that you've got two-factor authentication on that so that somebody can't come and simply SIM swap you and end up with all of your public-facing profiles. That would not be good. And again, you've got to be consistent, you've got to be vigilant, and the other thing is, if you're consistent on LinkedIn and you are consistently posting things and you happen to be looking for a job, that is not going to raise any red flags. However, if you have a LinkedIn and your boss knows that you have a LinkedIn and you never post anything and then all of a sudden here you are hopping on LinkedIn all over the place. Well, that's kind of a red flag. That kind of tells me that this employee is probably looking to jump ship. And yeah, if you think managers don't do that, well, you don't know your managers. Just say it. Yes, they keep tabs on you. And if you're sitting there and you're consistently doing things, hey, are they going to actually go look at all the posts you do? No. Do they get updates when somebody in their network has posted something? Yep. If they follow somebody to get updates when they do something, yep. If you never do something, and all of a sudden you start doing a whole lot of it, that's something out of the ordinary. Oh, look at that. User behavior analysis. Here's something exceptional. Maybe we should take a look at that. Bit with your own truth serum. So, think about it. I know a lot of us, we don't like to have social media. I'm right there with you. However, is it a necessary poison? I believe it is today. So, build that public profile, and seek out those with similar interests. And who knows?
Maybe we could even find a corner on the internet where we could actually have a social media part that is not just diatribe and flotsam from people who have no other interest in life than politics or religion. Just saying. Might be nice for a change. So, that's all I've got for you today. This is me signing off. So, hey, have a good day. Okay, now where the fuck is my mouse?

You have been listening to Hacker Public Radio at HackerPublicRadio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.