
hello everybody welcome um to the certs versus no certs panel i am very excited to be here with this amazing slate of people to discuss this topic um if you are on twitter at all you will see this come up periodically as the eternal question are certs important are degrees important is experience important what's what is it that makes you like a good cyber security professional in my mind it can be a bit of all those things um oh and let me introduce myself real quick too i forgot that part so i'm marcel lee i'm a senior security senior security researcher with the secureworks and uh i actually have the pleasure of knowing all these gentlemen
professionally or through this conference so i'm going to let them introduce themselves uh jonathan do you want to go sure uh hello i'm jonathan tomek i am member of a company i just started called maddox where i do cyber to physical discovery of iot devices and i am a former marine a threat intelligence investigator all the fun things malware researcher and i'd like to have a lot of fun i am on the no cert side uh we'll get into that soon hello everyone you've uh you've actually seen me before if you were tuned in for the opening remarks but my name is steve higdon um i've been in the cyber security industry for something close to
15 years now um everything from uh hands-on keyboard to now more managerial sort of thing i would find myself on the certs side with an asterisk which we'll get into later hey good afternoon jessie to brock i work for a large insurance company as the threat manager and incident responder uh 12 to 13 years in the field i started out as help desk worked my way up from there um and i've switched on the certs versus no certs um topic over the years which way did you go though right now i'm on you don't need them uh but we'll get into that soon i'm sure so that's literally my first question was which team you are on
um which you all pretty much answered for me um i have like i don't know 14 or 15 certs so i guess that kind of puts me on the side of the table but i could definitely see the viewpoints from both sides which is possibly why i'm the moderator i don't know anyway so um so one of the questions i wanted to ask you also is is what is your work role like are you hands-on keys or managerial and you kind of touched on that a little bit um but maybe talk a bit about like what your your day-to-day work role is like um so now i am definitely hands on keyboard doing my own thing but i am
formally also very much into leadership so i don't like to ever say that i'm managerial because i really like to be as much involved as possible because you kind of forget where you come from if you're only managing people but it's it's definitely goes all the which way like you have to roll up your sleeves and get into it if you want to keep your knowledge base sharp so that's why hands-on is important for me at least sure no same same with me uh just like jesse i came up through the help desk you know and kind of moved my way up from there to system administration network administration and then finally uh to information
assurance in the army which was before they could spell cyber i don't think they can spell cyber even anymore but um but uh yeah it's it's strange so right now i'm a cyber security program director um so it's it's largely not hands on the keyboard but there's another side of that as well because you get to get you touch on it perfectly when you mention leadership you get to try to develop the next folks because especially if you started like help desk like i did you're able to to see where their path probably is going to go and you can kind of nudge them along that road and and that's probably the most beneficial part for me however it is pretty cool
i have to admit when every once in a while there's a problem and i can you know say move aside like young buck and uh and write a script real quick to do something for them and uh and they are very awed they never thought that you know their manager could do something like that so that's a that's a cool cool benefit do you wear the hat at work as well or is this a con hat so you will only only see this hat on me at conferences so i've done a little bit of both um i came up through the help desk so i was hands-on for the longest time um i switched over to the managerial
side for a little bit um i didn't really enjoy it i enjoyed that's one thing we can all agree on i think is you want to be your hands-on you gotta have the technical chops to be able to yeah that doesn't smell right or yeah i can help you with that um so i definitely the hands-on is the way to go for me how about you marcel oh i am very much hands on keys um that's my passion i like i like that side of things and i was manager in my previous pre-cyber security life and that was like boring giant yawn so i like what i do now so jesse while you still have the mic
what what do you do to keep your skills fresh like is that a hard thing to do um yes and no um my current role changes all the time um the jack of all trades master of none i think a lot of the ir guys are kind of like that they get dabbled in multiple different fields network memory dead box forensics um right now it's it's all on my own that's how i started um i started the last talk with oz and um sophia you know build your own network at home and i still do that once a while analysis on vms and getting those to work and detonating malware new malware old malware to see if i can still pull the memory
capture pull the um the pcap see if i can still find you know um what i used to so it's just constant if you if you don't use it you lose it [Music] so another version of me um wears a different uniform for sure and in that version of me it is strictly hands-on keyboard um there's very little management or leadership there so that is what that's one way that i try to to uh to keep my skills proficient but also just a research required even if you're like like i said cyber security program director i'm having to sell cyber security solutions uh even internally uh maybe not as much externally and in order to do that you've got to be
able to do your research you've got to be able to say hey there's a better way that we can do this sort of thing especially when it comes to picking vendors or picking products uh all of that because if you don't have that sort of expertise or at least that drive to research uh whether you have the expertise or not um then you're not going to be able to say for example like yeah i see you're trying to to uh buy this new tool that's very expensive to do this one little thing that you're trying to do have you considered uh maybe combining some of the tools that you already have to get something that's
pretty darn close enough um to what you're trying to do so between those things and of course conferences being here uh that certainly helps so for me i'd say the biggest thing to keep my skills fresh is mostly a lot of competitions i probably thoroughly enjoyed it you would say that yeah competitions like hands down for me is like the most important thing wherever i go even if they're easy just just see if you could do it but with the same utmost importance now where i'm at i like building them i learn way more now building puzzles and making competitions because i want people to like grow in their skill sets to like i want them to follow a path
and if you give them just enough trajectory they're like oh this is so cool and i really enjoy when you see like somebody that is still doing this like their eyes light up like i just solved it myself that's like my favorite so i by me growing my skills i'm actually helping somebody else so it's kind of like that fun thing but definitely i love competitions whether it's defcon b-sides wherever just the most fun i'm totally with you on the cyber competitions and i'm just wondering why i haven't pulled you into the diana initiative thing yet because i'm running that competition and i have a crew of people so i hit him up later for that
anyway um so just for all former military i guess um and one of the things i was going to ask is you know with regard to your background what was your your path like degrees but obviously we're all military so you can speak to that but you might have degrees as well i don't know what everybody has so just talk a little bit about your journey like how you got to where you are oh okay well i guess i'll start because you're kind of leading that so you're holding the mic yeah of course um well growing up i wanted to be a computer gi joe and i literally didn't know what a marine was until i was in the marine
corps i don't think most people know what a marine is but i do like crayons and but either way um i did join and i was doing a lot of hands-on keyboard work and playing around with networks and learning some very fundamental basic things because i just did not want to go to college i was so adverse to doing it and little did i know that the military is college they just pay you and it's a little harder but um but after that after i got out i'm like you know what i really like this security thing only because it seemed a lot more freeform because it's um a lot more people don't understand it's
more wild wild west and i could really choose my own path so after i kind of got into cyber security and just like doing hacking in general that the path chose me more than anything because i just in this field you can follow your passion as opposed to this is the steps that you have to take to get to here and you stay there for 30 years and retire so that was kind of my path and i'm still on that but now i kind of grow a little bit more with my ceo stuff yeah as i say now you've got entrepreneur added to the list yeah so that's it's a very interesting question um so i've got uh
seven seven or eight certs um it's funny how after a while you kind of forget the exact number uh which ones you may have paid the cpe fees for um so uh but i also have i have a site or i have a bachelor's degree in cyber security i have a master's degree in cyber security policy and i also have an mba that was completely paid for by the military and i was i was very blessed that um so i'd been doing just basic kind of i.t sort of roles within the military until i got to uh the dc area with my last active duty assignment i was working for or in an organization where getting
certs and i had no certs at that point we were getting close to probably seven or eight years of my time in the military and i went to an organization where signing up for a cert class was just literally point and click um and you were you were in a boot camp like a commercial boot camp and you took the test at the end of the week so um within you know two years i was able to knock out five certs finish my bachelor's degree that was a big uh jumping off point for me because if anybody's familiar with the military there's this kind of rule that once you hit 10 years you've got to make a hard decision
on whether you're going to stay in you know until retirement or if you're going to get out and because of the location i was in the certs the training all those things that i was able to get uh my decision was to get out and it's been a fantastic decision by the way but that's basically been from there i was blessed with a really fantastic uh i've had i've been very lucky several times in my career role right out of the military working for the air force their ciso department they didn't even really have a ciso at the time but they were building it out i learned a lot there got into uh kind of the sales side the management
side so yeah i guess that's my path that's that's where it's directed me and no regrets for sure i'm also a fellow crayon eater my time in the military i don't think i touched a computer uh just a rifleman 0311 never thought i would get into a cybersecurity career i lucked out and got a job to help desk at a government contractor and again a reference oz from the last talk uh but the passion that's where i was like i enjoy this i'm good at this i can this is a lot of fun um so that's how i started out no experience just getting that lucky break you know i think certs no certs is also you know either way
but the networking is just as important so coming to these events if not more important sometimes find that this is that one break yeah the networking for sure is a huge piece of this and i don't think i even had a question about that so i'm so glad that you you brought it up because it it definitely made a huge impact for me in my career um the networking piece does anybody else want to touch on networking a bit or [Laughter] i'm going to say networking is probably your biggest thing that and the reason for it is because you play off of everybody else's passions and you kind of learn from their experience whether it's
at a conference itself and you just volunteer everybody wants to help everybody here and that is literally the way you can grow because you get to see everybody else's excitement you're like i'm gonna i'm gonna try that and maybe you don't know how to do something let's figure it out but everybody wants to help everybody and that's how you can get jobs i mean i don't think anybody in this industry doesn't get a everybody gets a job from somebody else that's like hey here's your free form you probably don't even need a resume at some points like yeah that's why it's so great for the community and networking so i agree i talked to just a little bit
i'll keep this short i talked a little bit about you know my first job outside of the military and how i was blessed with that and that was 100 percent from networking i remember i wasn't even fully out of the military yet and um and a buddy of mine who was a contractor said hey i'm moving on uh but i think you'd be a good fit for this role i'm gonna go ahead and uh and refer you and i had a 10 minute phone interview that night and seven of those minutes was the hiring manager giving me interviewing tips because i had no clue what i was doing but i was already in because you know i
had someone who vouched for me and that's that's extremely important in this field so that's another thing i wanted to touch on too is you know the experience thing so obviously we all have experience now in this industry but for people who are kind of new to the scene what are some ways that you can kind of get experience and competitions is one thing that comes to mind um also maybe like um volunteering in an event like this so just what what are some of the ideas that you all have okay okay so uh so yeah absolutely especially for people trying to break in um it's tough it's tough i think there's there's a whole
i won't say industry but um that's that's a big part of our community is breaking into cyber security i think there's some podcasts uh related to that as well and and that's a it might may or may not actually be called that [Laughter] but uh yeah that's a big thing it's tough um a lot of it is and i fully agree you know and i said earlier in the the opening remarks uh i probably get more out of volunteering than i do out of the talks i love the talks um but just something about being around and actually meeting folks behind the scenes uh that's huge you can learn so much just by sitting next to someone who's preparing
their talk you know to who's gonna speak in 10 minutes and they're finishing up their slides that's a that's a really big thing that's an easy way to get a little bit of um maybe not experience on paper but certainly experience in your head um and you know home labs that's a big thing there's a ton of free resources online that are fantastic cyber is one that comes to mind that's free um any of those sorts of training things that you can do i hired a guy once who had literally zero i.t experience on his resume but when i was talking to him about you know have you ever dealt with windows servers or anything like that he was like
yeah i've got a windows server uh in my basement right now that i'm hosting all of my family's media on and we're doing all these things and i've got file sharing going all over the place i set permissions on everything and i said dude like you need to put that kind of stuff on your resume because right now you're looking like you're just a cook um not not an i.t guy and thankfully that guy he became a really good friend and and now he's probably getting paid more than i am doing soc work and as a soc manager so it's those little things that you can even do at home um are huge for boosting your experience uh
while you're trying to break into cyber security can i just throw in a comment there too um with regard to resumes like i always encourage people to to put things on their resume like people are shy about it like they're like oh i don't really know it that well or whatever but you don't have to be an expert in everything that's on your resume you can at least have some talking knowledge to it or whatever so i always say put it all on there just don't lie mine's not good so you kind of sound like no certs there when you say uh the little asterisk um so it's it's funny i'm i do agree with
you that it's tough to get into cyber security but i actually i'm gonna say that it's really not because the tough thing is the intimidation and not knowing how to get into it and i'll say that for most things because if you're watching you probably at least now know cyber security is a thing so you then it's just about getting involved but outside of this group people really they're like i want to get into cyber security how do i do it and then they have this intimidation factor of oh i've got to get certs or a degree in that i'm like nope you really don't i mean that's the fun part about the wild wild west here that
we have is you just have to start picking up some things and it's free form you can start learning as much as your brain can hold because there is everybody wants more people i mean there's no shortage of jobs i'll tell you that but it's getting over the intimidation i think is i'm going to say that's number one followed by just find the right people to talk to which again is the networking thing and then you can get to where you need to go but yeah do a few cyber competitions that'll help you get over your intimidation yeah and that you guys covered it same thing i would say um but these small conferences like b-sides really
expensive but then your resume too you'd be attending any of the workshops like the cti or the osint that's trying to get those workshops i mean it's a small community but there's still well-known people oh oh yeah i saw that i know b-sides that's your foot in the door it just takes one thing yeah this is not even a plug just because sofia is in earshot but i went on love b-sides conferences [Laughter] she's just monitoring us um i love b-sides it's my favorite con hands down and i really love b-sides nova a lot so um i think they're a fabulous way to kind of fight off a small bit um you know because they're not like
super huge they're very attainable there's lots of cool things to do so yes hopefully everybody who's here thinks the same way but so um let's talk a little bit about um so i'm dying to hear steve's asterisks i'm pretty sure i know how jonathan feels about it
um on the help desk my first soc job still had no idea i saw sans classes but they were too expensive for me at the time and not until i was forced to as a government contractor and say you need these three certs to get you working here i was like oh well okay so i got those three certs all within two months and that's the only certs i've ever gotten yeah because i did the classes i did the workshops i did the stuff and none of that stuff was on the exam and i was like well all right then that's so that that was the beginning of my formation of yeah they if you
better know the knowledge and the networking and the connections and the passion than the certs but i know other people feel differently about that well i would also say not all certs are created equal there's a very broad spread of like kind of good and bad and let's just clarify in case anybody's not sure we're talking about cyber security certifications um just because somebody thought i was talking about like you know like some of the basic security operations your security plus yours see this certified hacker yeah so there's like the comptia line um the sans various certifications um ec-council these are different vendors um most of the certifications we're going to have a video issue again here oh should i
stop her okay should i pause okay okay the audio's still going we made this video here in a second but the audio will still go you can dance on the table now [Laughter] maybe not as glass anyway so um so there's industry certifications that are sort of generic um and then there's other ones that are tied to a specific like vendor so for example like aws that has a bunch of different certifications um do you have and i know not everybody got to talk about the cert thing yet but just kind of expanding on that idea um do you think that some are better than others um that's a dangerous question well i mean you don't have to call out names
yeah not to call out names vendor specific versus not vendor specific so the problem with that is um and i think we're gonna that's we're getting close to my asterisk um is that uh a lot of these these uh if you if you don't have a vendor-specific cert uh then it's largely not going to be on the uh job requirements that that were uh you know when you're trying to get hired for a position and uh bless our hearts i know some fantastic recruiters in our industry i really do um but a lot of them aren't going to know you know these uh i won't say obscure certs but these lesser known certs they're not going to know
about those so in that case even though some of those i might argue very high known vendor certs might be a little bit more about having a piece of paper than maybe actually gaining knowledge and demonstrating knowledge in my opinion at least you know you're going to get past that that first hurdle with the recruiters or with the you know the automated resume scans and that sort of thing so um if you couldn't guess i don't like certs but i will say the aws certs are much more of like an operator cert and some places will pay you to get those so you know how to do things i every place i've known if you're very
close they're like yes let's just get you over the hurdle but um when it comes to like a security plus and you like that you're basically educating yourself at that point so you might as well go the extra mile and learn the things that are practical so i am a recovering cissp i only got it because i got out of work for free for a week it was paid for um i didn't know what i was getting into and i really sat back in the class mainly because i knew a lot of the things but the stuff that i didn't know i'm like why is this relevant who cares fire extinguisher put on the wall but hey that's it is
what i'm sure somebody does somebody does but um but when you're looking at like the security plus or the a plus i mean those are for the people that really don't know how to break into a security world i think and for all that it is it's like it's to me it's kind of like hey did you do this extra side thing but um i'm i'm going to say if we separate between like what's really good and which ones aren't i'll say like the oscp the things that really push you having to know how to do something as opposed to here's a multiple choice memorize the test it's it's less of a license it's more of a
practical knowledge i'm all for it but i would call those less certs as more of like a i don't even know maybe we can it's like a diploma it's kind of like hey i got my degree it's the fundamental knowledge base which i think is what certs were supposed to be so yes i do have my cissp and i still do it just because it's kind of fun to say that i have it because nobody can talk about me behind my back but i'm pretty sure the system is not going to stop them there was a sticker a long time ago that went around that was the not a cissp so i missed those there's a lot of extra action going on
what was the question so i'd like to bring up a very important point this is why cross training is very important because i've been running the cameras all day and it's been non-stop and never took the time to train anyone else and now we're having camera issues that's our organizer right there i'm sorry what was the question i i think we were kind of on the topic of like not all certs are created equal and yeah yeah like tomek said the aws ones are great um i've done the classes never taken the certs so i know how to use it but i've just never had the time to do the certifications i guess um the cissp man
i think sophie and i tried it a couple times and we can't get past domain two um because i i fall asleep within a couple minutes um but yes some certifications are better and i think certifications come into play at two times when you're first starting out um the basic one security plus ceh just that proves it you know a background at least a little bit you know some things and if you're trying to change careers like if i was coming from a forensics um or incident responder or forensics individual trying to get into reverse engineering then the grem or grem is one of the sans courses certifications when you want to change within cyber then i think they would
come in handy as well just to prove that yep i know at least the background i know enough to get in there and do it now that makes sense um so just a fun story when i was taking the cissp i literally fell asleep twice during the exam because it was so boring i was the first one to finish my test when i because they there was like a thousand plus people in the room for the cissp i was the first one to finish and i was like did i do something wrong like because people were still like doing it oh that was that was that was a scary moment yeah that was i mean not to talk smack
about any i mean cissp is great for like managerial type people but for me it was just a total yawn um i only did it because um well for me like certifications are kind of like it's almost like a collection thing i started getting some and then i wanted more and more and more [Laughter] and that was like a checkbox thing for me to get it but i've never worked anywhere that like required certifications but you all have and like jesse you touched on yeah government contractors sometimes require can you speak to that a little bit like i think you're probably talking about like the idea the 8570 yeah at the time it was windows
7 um ceh and security plus most companies will pay if you're working for them they'll pay for you to go to the boot camp or the crash course or whatever those are the three that i got and i did not do the cpes and i did not continue them unfortunately um that's my side yeah no so uh cissp was the second cert that i got um so again right when i moved to this area really cool organization um they said you don't have security plus and i said no i don't have security plus i said 8570 and i said yeah whatever so they they signed me up for that first one um and then i liked it and i'm a fairly competitive
person and someone uh that i worked with had just gotten their cissp and i was like i'm smarter than that guy so the very next week so i'm like week one security plus week two was cissp now luckily again i was halfway through my bachelor's in cybersecurity at that point which i think those are probably pretty close if i were to if i were to put some things uh uh align uh college with certs you know having a bachelor's degree in cyber security and cissp it's a heck of a lot of the same material um so i was and i'm fairly good at taking tests that's i'll say that i'm smart i'll never say that
definitely not an expert at anything but i am pretty darn good at taking tests um so that definitely opened some doors for me because especially around this area um and at that time cissp in the dod land uh had such a a high ranking you know that was like that that was the the the pinnacle of cyber security certs at least to them at that time so it definitely opened some doors for me so i'm gonna say that if there's any crash course and a certificate it's probably not gonna be as high holding all right hi hell because you're basically just having to regurgitate knowledge really quickly so i i could even separate like sans
from just the certificates like if you're having to do like something within a week and you just have to hey let's get this it's not i'm not going to hold in high regard but that doesn't mean that um having like when you're saying changing the careers and you really that's it's typically the people that just don't know where they're going um i'm also going to even kind of knock degrees right now because i so i don't have my degree in case anybody wants to also jump on me there everybody everybody loves to do that i did start it but i got so bored and i ended up getting a job out here which is why i'm here but
um the the reason that i i go into that is because college and universities are just so far behind the curve ball when it comes to some of the the latest tech i mean they were barely touching ipv6 when i started going and the teacher just didn't know stuff i had to read the book and i actually corrected the book that's just me being arrogant but it was just silly but it was those things that i just i just was so interested in and um i think why i'm i'm as adverse is because i think that people that are in this world are i find their passion and they're gonna learn it whether it's something they don't know about or
they just have to figure it out and those are the best people it's kind of like that fundamental base and yeah a lot of people don't know how to like get there but if you go back a hundred years and people didn't know about computers somebody had to get there nobody had certs then nobody had degrees then so you have to figure it out and that's where we're coming up with some of the coolest technology and tools is because people were like hey i have this base let's go just really quickly yeah just kind of expanding a little bit on the the the college part the the university part i don't know if it's gotten better now
but uh i was able to go straight from you know through bachelor's to masters because cyber security if you're teaching it in that kind of environment uh everything gets outdated by the minute right like the second you say something it's outdated um so everything had to be kind of theory-based um so the cool thing is uh for a four-year degree there's not a whole heck of a lot of theory that you can teach about cyber security so it was largely and it was largely the same class each time with a different book that you had to pay for and uh and different assignments and that was it you know it was the same class over and over again because it was
they could only teach the the fundamental kind of security principles um and i learned way more studying for certs than i ever did in any of my school real quick so i was like no rush you guys are longest time um i just finished my degree um thanks to my better half convinced me to get that check box done but i'm going to say i'm not going to say what school i went to but they were still using videos and documentation for my programming class from 2011. so if that says anything about it and you made a comment earlier about your good test taker so that's why i'm kind of against certs and nothing against anyone who has them
i know you're smart so it doesn't apply to you what i've seen people yeah with the alphabet soup after their name on their email signatures asks some of the most rudimentary questions about how to do things and then you look at the numbers and letters after their name and you're like i've taken that class i'm pretty sure you're supposed to know what that is so no it was it was 8570 that definitely did it uh for our industry i think because uh the dod is such a a big uh organization and they they hire probably i've never done the math so i'm pulling this out of my back side but they probably hire more
cyber security folks and even i.t folks than like any other organization so at that time i remember when 8570 first came out and it required a security plus just to work on like a help desk if you had any sort of privileged access to anything if you had security plus at that time you were guaranteed a job first off and two you're probably guaranteed to get a job that you weren't qualified for just because there was literally nobody else out there so i don't want to place any blame on any three-letter agencies that we may have just been talking about but um but that that could have been no i mean it that could have been the
kind of the jumping off point about this whole argument you're right and the the interesting part is there are so many positions in this field that we need to fill that that's why this is happening there's not enough people that are trained in anything but i i guess the best question is how do you find those people and then make them qualified that's probably the better question of this that's where the certs even came into play but good test takers hey we got a lot of them yeah and i'll just going back to the degree thing for a second um again not all degree programs and schools are created equal and i'm a big proponent of community
colleges because community colleges seem to be a little more nimble about having like more current curriculum and they're more hands-on keys focused because they are scaling people up to get into a job quickly not like a more theoretical path so so i often recommend community colleges to people who are interested in getting some kind of degree thing and that's for me like that was my launching pad when i got into this field um so so definitely those are good and then i will also say um like i teach security plus prep classes but [Laughter] no it's more fun to hear what you say um but when i teach them we are literally hands-on keys i mean you can't do it all
hands-on keys of course there's a lot of theory but for the bits where i can dream up a lab or something for people to do then then we'll do that and and my students have been super successful because i think it helps like actually learn it as opposed to just cramming it in and spitting it out on an exam but i don't know if you all have thoughts about like different kinds of training methodologies or what works what doesn't yeah hands-on by far is going to be your biggest one i say that for like every industry i mean universities colleges can only teach you so much no matter what i mean unless you're like a doctor or a lawyer and
that's that's you're passing for effectively a cert at that point but the big thing is they'll never be able to keep up with the way the world is moving that's just what it is and it will get you started i mean there are like programming classes that will kind of get you interested but you still have to be the one to take that extra mile to go further but you're not going to really i mean unless you're trying to get a job in java or c plus that's usually the university college courses um you kind of have to do your own self-initiative and that's why the community being at a b-sides to me is kind of like more of an
extracurricular thing and i will immediately be drawn to somebody that goes to conferences as opposed to like a university course but i mean it yes some degree programs like berkeley try to really push the boundaries but oftentimes those people still have something under there like computer clubs i like those i like the linux user groups like i maybe i have a bias to that but it just shows that you're interested more than anything and throw it on your resume throw everything on your resume because i want to talk about it a cert to me on a resume is like it's a good talking point and i'll be like so what did you think about your cert
and then they can tell me oh it was the best thing ever i'm like yup okay we'll talk about other things i'm trying to remember from when you interviewed me if you asked me about what i said i did i i'm certain if it was on there i i had to have asked you so you have all these are they a collector's item and you're like absolutely there's i want to get more i said okay well let's get you more oh and i'm really glad that you brought up the community college thing because that's that's certainly a thing um they're just like you said much more nimble by the time the amount of time that it takes to get
a set of curriculum actually approved by the board go through on the university side uh a community college that that that at least in my mind again no research so the grain of salt um it has to be much quicker and you're actually having practitioners usually your your community college professors are practitioners out in the community anyway so you are getting a lot more practical and updated uh sort of thing and going on to the uh um you know hands-on sort of curriculum absolutely absolutely i would much rather have someone who's that that uh friend of mine who worked through extremely hard problems sitting in his basement you know in front of us his uh server you know trying to work
through things that he'd never done before that's how we learn you know they say that that growth happens or learning happens when you meet resistance and then you overcome it right you're not really going to do that when you're reading out of a book or answering a test uh it's i mean maybe there's some resistance there but it's not the same the the magic happens when you're presented with things that you've never seen before and you have to research and you have to fiddle with things and break things and fix them again uh just to make things work that's that's where the development actually comes in so that's what a hacker is right so that's what the ctfs are all about
now they are literally promo items if you go and see a lot of the big ones that are on like every year they're like here's a stage thing they'll throw problems out there they're really a recruitment tool so that's why i tell people to do it because if you get to a certain point you're going to probably get a job offer yeah i think about like shmoocon for example like you walk around the vendor area and like practically every vendor is doing some kind of ctf and it's absolutely a recruiting tool and and that's i think partly how you find that that elusive passion thing like we all talk about passion it's very hard to like actually find
that especially if you're just looking at somebody's resume for sure jesse sorry go ahead no i just want to we got 10 minutes left so i want to make sure we if you have any more questions about your topics what was the question then i'm sorry i haven't had enough crayons for today yeah i think we were just talking about different kinds of learning and training and actually i'm curious about like i think you mentioned cybrary i don't know if anybody else uses platforms like that for training like i know i've signed up for like a lot of udemy courses not that i've actually ever done them but signed up for it i've used they have a place i think in in the i
think it's more like if you want to learn maybe a new skill that you haven't um explored that much yet like i think i signed up for like a go lang class i will do it one day maybe just because i was i'm still shitty but i was coming across a fair bit of golang malware so it piqued my interest yeah so um oh yeah we have one question from the crowd we're wondering for the certs lovers how do we feel about comptia or the other cert providers are we putting any clout on any certs more than others so i'll definitely speak to the comptia line of certifications like i mentioned i do teach a security plus
prep class i think they're a very good sort of introductory level certification for people who are maybe just coming into the field and they want to get something they're they're pretty good and and i did um pentest plus last year and i was very pleasantly surprised by that because there was actually questions about python in it that i managed to like you know work my way through but uh you know they're not hands on keys but they're definitely more like looking at tool output and things like that so so it's a little bit kind of like fake hands-on keys i guess um i i don't want to call out the certs that or the companies that i'm not in
love with but but i like comptia so if that helps and i'd say the same thing and i'm probably not going to point out the same vendors that you're thinking of um very good for introductory and i think this is a good time to start exploring a little bit of the asterisk and i won't take too much time i know we're running short so it's great it is fantastic to have all the skills it's fantastic to have all the experience maybe even more of the skills and experience that are required for a certain job but we spoke with where we spoke about our wonderful recruiters when it comes to them they're not going to be able to discern
that so i think the problem here is not certs versus no certs i think it's a process the process for hiring because while networking is really good for hiring a lot of people if they're not involved in the community as much as we are they just don't have that or if they're changing industries they're not going to have you know someone who can vouch for them so until we fix the hiring process to not be so cert heavy especially when it comes to you know you're opening up this position and you're going to stop the applications when you get to 200 people the very first uh filter that's going to be done on all of those applications
is going to be the certs that are required for the position right and you have a lot of even hiring managers and i'm a hiring manager but a lot of your hiring managers aren't going to know anything about the experience that's actually required for it they're not even going to have good questions to ask um so that's why certs are are leaned on so heavily for that sort of thing so that's my asterisk actually like i i actually i would be in the no cert camp i would if the process didn't require it and right now with with where we are in our industry and the world uh writ large certs just simply are important for that sort of
thing and i equate it a lot to compliance um so if you have a ton of different organizations within a certain industry um and they all have different environments uh it all comes down to trust how can i trust that one of these organizations or all of these organizations are going to be secure you've got to have some sort of measuring stick against that and that's what compliance jeff mann compliance frameworks are all about he had to when i say that and um he'll say cyber security frameworks and i don't argue but uh but that's what they're all about is they are a measuring stick uh against those things and right now in our industry uh certs are
the exact same thing that is your measuring stick because it's the only easy measuring stick we have to compare a lot of different people with a lot of different backgrounds yeah i would agree 100 it's it's really a differentiator if you have you know 10 people that all have kind of the same background on paper but one of them has security plus then you're gonna be like yeah maybe we'll go for that person it's like a time saver it's really we we do a lot of interviews so so i mean we could do an entire panel on how broken the hiring process is not the least of which are you know entry-level jobs that want you
to have cissp and yeah five two years five to seven years experience and a lot of that is driven by the government contract work of course um so i think we are seeing a shift in the landscape a little bit but it's just so slow majorly slow so i think are we out of time a couple more minutes okay so so really the last thing i wanted to ask you all and you probably have touched on this to some degree or another but like what is what is a piece of advice that you would give to somebody who's kind of coming into this field and doesn't really know what to do so the big one is because if you're on here
i'm going to say get as involved with the community as possible that'll absolutely be it but i i'm actually going to just change this because if you are watching this if you're part of the community reach out to a lot of people to try to bring them in regardless of what it is because a lot of people are surprisingly very happy in the cyber security field and that's the one problem that i'm seeing it's not just the beginners but find somebody that you can grow with and then come into this community with because you will go much further you go way further together than you do just by yourself because you don't have somebody pushing you
that's yeah that's a great point having like kind of a partner in crime or buddy to to go to this journey with is is a huge thing i think for me that was my friend dustin also maureen yeah so uh my advice would be to try all the things and um we talked about it a little bit before uh you know imposter syndrome is real you know you go to these conferences especially if you're brand new to the industry or not even in the industry yet and it's just something you're thinking about um i usually give out some stickers it has a it's a sticker of a camel with a unicorn horn that says imposter syndrome is real i
don't have any today but i usually give those out at um what a tease i know i usually give those out and um and so much of our industry and we talked about it a little bit before is figuring out things that you've never seen before that is really that's a skill so whenever i'm hiring i'm looking for that exact skill like what are you going to do when there's not an sop for that right um what are you going to do when when some new problem and especially i mean we could talk about 0-days for for days stuff like that there's always going to be something in this industry that you've never seen
before what i'm hiring for is the person who's going to be able to like think through that problem and struggle with it because that struggle is the number one skill that i think anybody in this industry could have the problem solving the analytical minds critical thinking kind of stuff um big takeaway network like i said before i hate twitter with the passion but i'm on it because it connects me with other people yeah see oh yeah steve's our twitter guy um get on and connect network um volunteer for the b-sides dc nova whatever one you're close to let's talk to people people are more than happy to help out um more than happy resume review we didn't have one this
year because we're not in person but next year we'll have resume review people on twitter reach out like you say most people in cyber are pretty happy you get a couple people who are not but they're just angry people in general but most people are just happy to help and want to help and want to bring more people on you know no angry people here no i will say and especially you know having come to this this industry from another industry um i've found that people are so welcoming and and like surprisingly so to be honest um but yeah so and we could talk about diversity too but like like when i work with you like i
never feel any different just because i'm a female yeah we just we just like to geek out together so so it's that kind of common ground i think and we're all doing something cool and making a difference in the world which is important thank you all so so much thank you for coming