Ep.5 - But It's Better If You Do Pass Your Exam [Cyber Certifications]


In this episode Holly is accused of being a robot because she has an unusual approach to exams and Morgan attempts an exam only to have it crash part way through. Overall exams are determined to be: quite awful actually.


Transcription


Holly:0:00

I have a, I have a good way to start the podcast. Are we doing, are we doing exams and careers, are we?

Morgan:0:04

Yeah.

Holly:0:05

You ready?

Morgan:0:06

Yeah.

Holly:0:08

So in this episode, we're gonna talk about exams because I recently passed my AWS Security Specialty exam.

Morgan:0:14

No. Oh f*** you. Oh my God, I hate you. That's not even funny. When did you take that? This morning?

Holly:0:23

20 minutes ago. <Laughs>.

Morgan:0:24

<Sigh>

Holly:0:27

<Laughs> When I, when I texted you, when I texted you to say, oh, are we still doing this podcast? I'd just finished.

Morgan:0:38

So the reason this is so offensive, but also kind of hilarious is that I sat my AWS Security Specialty exam yesterday and the exam browser lock software that the provider use, uh, crashed two hours into my three hour exam. And I wasn't allowed to finish it. So that's great. I've been studying for this one for a while. I've been intending to take it for a while. And Holly did the thing that Holly does, where she orders a book and goes, I'm gonna take this in two weeks. Oh, I hate you so much. <Laughs> Why are you like this?

Holly:1:20

So my, my plan originally was, so I started studying on Friday morning didn't I? So I had Friday and Saturday. And my plan was, um, I, I wasn't sure on this recording if I was gonna be able to do it before, but that's what I was like, wanted to do, get the exam before, and then you'd pass yours yesterday. I'd pass mine this morning. And when you said, oh, I've just passed my AWS exam. I'd be able to really annoyingly say oh me too, but that wasn't at all how this turned out.

Morgan:1:48

I'm very happy for you. I like truly, truly am. Um, I'm, I'm annoyed for me, but I'm happy for you. I'm gonna have to take it again. Anyway, how did you find it?

Holly:2:01

Oh, I didn't enjoy it. I didn't enjoy the process at all. I didn't enjoy the exam at all. It's a good exam. And I like the breadth that it covers in terms of the book initially makes you think that it's like, it's just, IAM and it's just logging and it is, that's probably like 45% of the exam there. But it does talk about, you know, the security specifics of a lot of the other services as well. I was quite happy with how broad it was. The thing that annoyed me though in comparison to other exams is when they're just asking you about factoids, that makes it really easy to pass. If they're just asking you like a fact, do you know this thing? What is a prerequisite for this technology or something like that? I find those very easy, 'cause it's just do I recall from memory this, this fact, but I found with the AWS Security exam, it's way more scenario based. And a lot of the questions are very long and a lot of the answers themselves are also very long. An extreme example is when it's asking you about things like IAM policies, the answer might be like here's 15 lines of JSON and there's four or five different possible options. So just kind of working out the context of the question is quite difficult. So it's good because it's more realistic because it's scenario based. And it's a kind of, here is a problem that you might face in the real world. What considerations would you have? But it's a little bit frustrating. You know, this question is, is essentially asking, do you know this fact, but it's taking 25 lines to ask that. So I found it, um, took a lot of energy.

Morgan:3:29

Yeah. I had the same kind of thoughts with it actually. Initially I was looking at the spec and I was like, why is it three hours long if it's only 65 questions? Like this sounds awful. And I did some practice questions and I was getting kind of the feeling that it was far less like the Solutions Architect Associate or any, any associate level exam or the Cloud Practitioner exam, where it is very much, do you know this service, which service would you use for this particular kind of review or this piece of work. And it is like really kind of lengthy scenario based and then nuanced answers actually where there might just be like one word that's slightly different and it changes the context of the whole sentence. But if you don't read it properly, then you get it wrong. And it did take kind of a couple of minutes to read the question some instances, just to get the question to make sense because they're American. So they don't use commas where I would use commas for a sentence to make sense and the- the meaning of the sentence changes entirely. So there's a couple of potential options for what it is that they're trying to get you to achieve. And if you are practiced at taking exams, then you'll get used to the style of question and what it means and what they're asking you to do. And then beyond that kind of making the answers sense, um, and decide which one's the best fit because it won't always be something that you've learned either. It's a really broad exam and it isn't just, IAM and logging and monitoring. There's kind of like incident response heavy questions in there too, which wasn't something that I felt was covered in great detail on any of the materials that I looked at. Additionally, the book that you mentioned, I- I've got that one too. And I was also using an online learning platform.
Both of those were kind of dated in like 2020 when the material was originally produced, but there's been quite an advancement in the security space and the services that AWS offer since then. So things like Macie that are reasonably new and do feature in the exam, Security Hub has kind of advanced since then, GuardDuty, um, a few services have developed massively. So the, the kind of content that you expect in the exam as a result has changed slightly. And I don't think that the exam materials that I studied so far set me up very well for that.

Holly:5:37

There is some difficulties as well. I actually didn't come across any in the exam, but it was something that I was thinking about where some of the default configuration within AWS has changed. And you could imagine that catching you out on a question. So for example, the question might be around the fact that CloudTrail holds logs for seven days, but it doesn't now, it's 90 because that changed. So there's some things like that where it's like a configuration or a default isn't the same anymore. I didn't find that during the exam, none of the questions caught me out because of that. But definitely some of the material that I was reading online was outdated.

Morgan:6:12

I think that's one of the challenges with AWS and also with the Azure actually, because they release new services and, and make changes on a weekly basis. And these like exam materials, like books and things just aren't updated very often. So it is difficult to know what to expect. And also the opposite can be true if the exam hasn't been updated, but the services have, when are the exam questions like which period of time are those talking about? Is it talking about when CloudTrail only held logs for seven days? Or is it an updated exam question that wants you to say 90 days? How do you approach that?

Holly:6:47

I didn't actually come across anywhere it was a problem, but that was something that I was kind of like keeping an eye out for. You can leave feedback during the exam to say, hey, you should remove this question. Or this question is now ambiguous because it depends on what time you're talking about. But yeah, it was just a, a concern of mine.

Morgan:7:06

You can do that. But again, like if it was quite close or it was like the deciding question, you getting that question right or wrong is the difference between a pass and a fail, it doesn't make a difference to your grade to leave that feedback.

Holly:7:17

This, this is a thing though you don't know if that's the case. I'll, I'll explain what I mean. So it's my understanding that there are 65 questions in the exam, but 15 are ungraded. I see this in a lot of exams and what this is, is these are questions that they are testing for future exam releases. So they want to get a baseline for how many people get them right and wrong. So, many of the questions that you're answering are not included in your overall score. So if you are checking through, based on how confident you are on the answers to the questions that you've given, you can't necessarily tell, am I scraping through this or am I passing it massively because you don't know which questions are graded questions.

Morgan:7:57

That's horrible.

Holly:7:59

Yeah. It also impacts of course, 'cause you know, they have this, um, grading where it's- it scores between 100 points and a thousand points and the pass mark is 750, but it isn't an even number of points per question. And also you don't know which questions are giving you points or not. It's really hard to work out during the exam whe- you know, am I, am I on the line of pass or fail or have I flown through this easily?

Morgan:8:23

Yeah some of the questions that have multiple answers as well, where it's like tick two boxes, tick three boxes. Like how many points are those worth? Is that gonna be three points? Like one for each answer? Or is it one point collectively? And you don't get the point if you get one of those wrong?

Holly:8:36

Yeah that was definitely something that, that in the Security Specialty exam, there is many select two and select three. Far more than- I did the, uh, Machine Learning Specialty as well, and I don't remember there being anywhere near as many of those, uh, in that exam. And I hated them like ask, ask me one thing at a time please.

Morgan:8:55

So the thing that I found difficult about those was I was expecting to choose answers that would fit together to provide a holistic solution. So perhaps you would look for one answer that would address the logging solution issue that you were facing, and one that would provide kind of more monitoring or more incident response reaction and how you would deal with that. And a lot of the scenario based questions where you needed two or three answers to complete it, they didn't fit together in the way that I was expecting or one of the answers would sort of repeat another part of a different answer that you thought was correct. And that makes it a little bit difficult to work out as well. It makes more sense, like having taken most of the exam and seen all the questions at least anyway, why it's three hours long and only 65 questions.

Holly:9:47

How do you approach exams then? Do you look at all of the questions and then pick which ones to answer? Do you rush through them all and answer them then go back, or do you spend a lot of time on each one and kind of spread the, the time out? How do you approach these exams?

Morgan:10:01

I don't have like a uniform approach to them. It depends completely on how difficult the exam is and how prepared I feel and how confident I am. So ordinarily, I would like to work through them one at a time and keep an eye on, on kind of how much time has passed and if I'm on track for completing on time and having time to review and all of that, but that only really works if I feel massively confident about what it is that I'm sitting the exam on and feel that I've like learned all of the source material and revised enough, if it's a more difficult exam where it's harder than I was expecting it to be something like that, and the first couple of questions are really difficult, then I will like flag them for review. I'll like try and put an answer in any way, just go back and like, know that I reviewed that because I wasn't confident in my answer or I wanna come back to it later. And I think like I do that more if it takes me a little bit longer, or I know that the first few questions are gonna eat into the time that I've got left. And that's when I'm kind of a little bit more liberal with flag for review later, answer the ones that I'm confident in and then go back and look at the more difficult ones. And then I'll kind of work through and review the, the whole thing again and just make sure that I'm comfortable with all my answers before I submit it.

Holly:11:11

Very different to me, I will have answered all of the questions within the first 30 minutes. Always, always do that. And the, this this came about for, for two reasons, but the most significant being I did an exam a little while ago, these exams are not in difficulty order. They don't start easy and get harder as you go along. And I did an exam a while ago where the first kind of four or five questions were really difficult and it threw me and I spent, you know, a huge amount of time on the first few questions. And I think I'm gonna fail this thing because I've got no idea. And these, these are complex long questions. And then I click through to, to maybe five or maybe six and it's like, oh, that one's easy. Oh, and that one's easy. And that one's easy. And I kind of set myself up to have like a really negative experience in this exam. So what I do now is I basically click through them as quickly as I can. Um, looking for ones that I can just give a very confident answer to. It is looking for a fact. I recall that fact, I'm very confident and, and I kind of shotgun all of the ones that I'm very confident at. And then I go back and look at them and I'll try and reserve any ones that I need to take notes for or ones that are gonna be complex or things like, uh, reviewing JSON policy or reviewing access control lists, those kinds of things, where you gotta take notes to answer those questions, right. To keep everything in your head. I'll save those until a little bit later. And the effect of that in some instances is I might kind of like technically finish the exam in like 30 minutes, if I do really well. And I get through all of the questions and then I just go back and I review them and I, and I'm not really changing my answers, but that doesn't mean that I'm 30 minutes in and I'm like, yeah, done end exam, and I walk out kind of thing. I will use all of the time. I used about, uh, two hours and 15 of this one and it's just shy of three hours. Right.
So I do the them all very quickly, but then I do go back through and, and kind of work on them as kind of sequential, as spending minutes on them. It's just 'cause of this experience of having those first few be horrendous. And, and now I'm like getting flashbacks to just that, that bad, bad management. So yeah, I get through them very quickly.

Morgan:13:09

Yeah I think that's important. It's not too different to how I do it, it's just, it seems like you are doing that like a speed run. I don't speed run my exams, but I do try and answer the, what I think are the easier ones first, because it does soothe you and it kind of makes you feel more confident in your answers. And also, I dunno if anybody else did this, but even at school, I was always kind of like, okay, the, the 15 ungraded questions does affect this somewhat. But if you're like the pass mark is 750 and there are 65 questions, I need to get at least X number right to pass this exam. I think I've done this so far or um, I think these ones could be wrong because I'm not super confident in those answers. So I need to work this many more out to be confident that I can pass this before I submit. And that's, that's a bit of a, a ridiculous approach probably, but that's how I do it.

Holly:13:59

You should try speed running exams. It's much more effective.

Morgan:14:03

It might have been actually because maybe if had speed run it and like submitted in two hours then my browser crashing wouldn't have meant that I didn't get to sit the exam and I would've passed it too.

Holly:14:12

So that, that has happened to me. So I've had my exam system crashed on two separate occasions on one of them, I can't remember which provider it is, 'cause it was a long time ago, I think it was Cisco, and I dunno if they still do this, but back in the day when you hit next, you couldn't go back. And what that was effectively was you were submitting the answer to the question, I guess this is in part so that you can find the answer to this question in a later question kind of thing. And so, so that was how it worked back then. But what that meant was, and like I said, this was years ago, back when, you know, I did an exam by going to an exam center, but when the system crashed, they were able to still pass me because I had submitted enough questions 'cause it was right at the end. It was almost like the second to last question or the last question kind of it crashed right at the very end and it actually submitted, um, all of the questions. So, um, that was a horrible experience, but worked out well. And the other time that an exam crashed on me again, I was in the center and they actually changed the computer that it was on. So like the computer failed and then they moved me onto another computer and restarted on there. So I lost time. But again it, I was able to, to recover it. So it wasn't so bad.

Morgan:15:23

That's an atrocious approach there from Cisco, by the way, that's like the, the most waterfall approach to exam like I've ever heard.

Holly:15:32

I like it because in that instance it solved a problem, enough questions were submitted that it was okay, but that wouldn't work at all for me now because like I say, speed run the exam right? So I'd be clicking through, I'd be spending 10 seconds. Do I know this? Yes, no. You know, ABCD, whatever, I'd get to the end and then I would be like, oh, what do you mean? I can't go back. What do you mean they're submitted?

Morgan:15:54

Can't build fast and iterate when you're sitting old Cisco exams. Yeah.

Holly:15:58

I dunno if they're still like that. It's been a decade since I've done one.

Morgan:16:02

Probably use WebEx.

Holly:16:04

Oh God.

Morgan:16:07

How did you find the Security Specialty compared to your Machine Learning Specialty then?

Holly:16:13

I much much preferred the Machine Learning Specialty. I'll give you my impression of the two exams. So they're both scenario based questions and the questions are very long. Several of the questions, you know, there's three paragraphs of text in the machine learning exam. I felt like it was setting up a scenario to see if you could work out what technology was best placed for that scenario. So you're kind of working through this thought process of what is the problem, and then what is the solution for that? So if it's talking about, you know, choosing an algorithm and it's saying things like you have labelled data, you'll be like, okay, it's labelled data so we're, we're probably gonna be using this kind of algorithm and you can kind of work it through as a series like that. Whereas with the AWS Security Specialty, I felt the whole time they were trying to catch me out. And very often the questions have something that sounds correct, but it's, it's technically inaccurate, like they reference, an option that doesn't exist in the menu or something like that. Although they reference two technologies interacting in a way that they can't interact with. And I, I, I felt like it's the opposite thing. Instead of building towards the answer, I felt like I'm reading the whole thing, trying to, to catch where is the technical inconsistency? Where are they trying to catch me out? So I answered the questions completely backwards and it made me feel really uncomfortable the whole time. So I much much preferred the experience of my machine learning exam than my security exam. Even though I have a hundred times more experience in security than I do ML.

Morgan:17:45

Yeah. I found something similar. Something else that's really interesting as well is because of the design principles of AWS and like the well architected framework in a lot of scenarios, they were asking you to choose the most cost effective option or the, the solution with the lowest operational overhead. And if it's a service that you're not like intimately familiar with, or you haven't looked at like the costs for in detail, how are you supposed to know which is the most cost efficient? You know, there might be a service that's horrendously expensive, but you're not aware that it's horrendously expensive. So that kind of catches you out. Or there's some scenarios where the answer sounds more complicated than it needs to be, or you're layering load balancers or something that you wouldn't historically consider to be good practice. Or if you're a small company it's just unnecessary. So yeah, I found that difficult as well. I did feel like some of the questions were designed to trick you.

Holly:18:41

Yeah. The, there definitely was instances where I was almost- so, so in some of the practice questions that AWS give they mentioned this cost effective thing as part of a question, I'll ask you a scenario and then it'll just end but pick the most cost effective solution. That was something that when I was studying, I was looking out for almost a hierarchy of KMS is cheaper than Cloud HSM and kind of remembering things in that way, which is helpful on one hand because you know that of your multiple choice answers more than one is gonna be correct. And you can almost look for those keywords in terms of, oh, it mentions KMS and it mentions Cloud HSM. So it's probably gonna be KMS that it's looking for or something like that, or Parameter Store versus Secrets Manager.

Morgan:19:27

Unless it's asking you for like a specific level of FIPS compliance and then it's probably Cloud HSM, yeah.

Holly:19:35

Same thing. Yeah. If it mentions FIPS L3, then you're gonna go the other way. So yeah, I did have, in my notes, some of those details if FIPS L3, then Cloud HSM, if cost effective, then KMS. I did write several of those down. I was also writing things down where technology has had prerequisites. If it mentions Security Hub, Security Hub requires AWS Config. So it's kind of joining lines in a way that was very much for the exam and not a way that I would think from a deploying technology point of view. I don't know if other people would, but that's not necessarily how I would be thinking.

Morgan:20:10

I think that makes sense. There is a couple of things that I made notes of like last minute that I needed to remember before I went into the exam as well, just had that kind of soothing half an hour where you drink water, no more caffeine, like sit down, make sure your desk is clear and just look over like the key points that you need to remember because you think they're gonna come up. And then obviously there are no questions that relate to the things that you actually need to remember or stuff that you revised like, earlier.

Holly:20:39

I- I've a very different experience with revision considering I do 40 hours of revision in the 48 hours before my exam. Yeah. So there's none of this revised earlier thing. It's just, I, I do it all in one go. So it's very, very different mentally.

Morgan:20:54

I've been studying for this one for quite a while. Not, not in like an intense way, like you do, where you kind of shove it all into a really short period and then your brain just retains all of that knowledge for the rest of time, you're like a human WORM drive. I can't do that. Um, I originally I think did classroom based learning for the Security Specialty exam in like 2019. Um, and it's iterated many, many times since then, way, way more services than there were at the time. Um, more maturity in the services are available and it was one of those things that I just kept meaning to get to. But for a while, I wasn't working at an organization that used AWS anyway. And now that I am, it's like, it's not a startup, it's a scale up, but it keeps me busy enough that I've had like other priorities. So eventually I kind of built out some time and was like, I'm gonna do this. This is like one of my personal objectives for this year before all of my uni exams and things that are in like the next few months. And I sort of wanted to sit it this month and get out of the way and that's not gonna happen now, so cool.

Holly:22:00

Yeah. This, this weird way that I have of doing exams. So I'll just do like very, very intense study just prior to the exam. It, it is good and bad. It's, it's definitely good if you have to get a certification on a deadline, if the certification is a prerequisite for doing something else, it works for that. Um, but I think very often when people hear about the way that I study, they don't hear the detail that I'm saying, like, some people have this impression of me of, oh, I'll flip through the book a couple of times before going into the exam kind of thing. And that's it, it's like, oh, you know, Holly only started revising for this exam yesterday. And it's like, that's not at all what I do. It's like, yes, I do it in a short space of time, but I do an, an incredibly intense amount of study. And it it's almost like physically painful it likely damages me doing this 'cause like I won't sleep enough. And I'll just do like a, yesterday I got up very early and went to bed very late and I did nothing other than study for that exam. Right, so I did like 18 hours of study yesterday, something like that. And it works and it's effective. And certainly if you just need to pass the certification, it's, it's a good thing to do. But if you are learning the content or you're moving to use it on the job, it's not the best way. But just to, just to compare, if you were to say, oh, I studied every day for six weeks and I studied for an hour in comparison to me, who's like, you know, 35 hours or whatever I did over the last two days in terms of number of hours, it's the same. It's just a condensed it in a really aggressive way.

Morgan:23:30

Have you ever failed an exam because of that approach?

Holly:23:34

Uh, I've never failed an exam because of that approach. I have failed exams before. This is one of the, the funny things. So about a decade ago I failed my CCNA security the first time around.

Morgan:23:45

Yeah?

Holly:23:45

So yeah, so I, I did my CCENT, my CCNA and my CCNP route and switch. So all of my routing Cisco certifications, and then I did the security specialty for the CCNA. And I failed that one, which is really funny because my entire career I've been doing security and it was like, I passed all of the other ones just for, it was the security specialty that I failed, but it just happens. There's a lot of reasons why you might fail an exam. You might just be having a bad day. You might not be very well or maybe you didn't sleep enough, and all of those kinds of things, there's loads of reasons that you can fail an exam. Other than you didn't prepare well enough, the exam software might crash and you might lose time because of that. Right?

Morgan:24:24

<Laughs> Oh, I hate you.

Holly:24:25

These things happen. So, you know, you shouldn't, you shouldn't ever kind of beat yourself up for failing an exam or having a bad exam experience, but directly I think for what you're looking for there is no, this method for me does work and I, I do pass these exams and I do pass them in really short order. Yeah. In some instances that's because in actuality, I'm working in this field, I've been doing security for many years and I'm just getting certified. I use AWS every day and I'm a security professional. I'm just being certified on the thing that I do every day. Or sometimes it's just a real tight niche, like machine learning, where you can just focus on that, that tight niche. So yeah, it's different to, if you are learning, if you're trying to break into the or something like that, certainly the thing is with the, with the exams as well, like I mentioned before is you don't necessarily when you're doing the exam, like I've never gotten to the end of one of these exams and felt confident and felt like, oh, I'm about to end exam and that's it, I've, I've smashed it. Or I've passed really easy kind of thing. Even with exams that I've done before, I've recertified my PenTest+ recently that I've held that for many years, that's expired and I re-certified it, I re-certified by redoing the exam, I'm a pentester doing a, an intermediate pentest exam. I wasn't even sure that I was gonna pass it because yeah. You just don't know.

Morgan:25:40

Yeah. I think the reason I'm, I'm most annoyed about the Security Specialty exam situation is that I didn't even really get the off opportunity to fail that exam, it was taken away from me.

Holly:25:53

Yeah. That it was, uh, I don't, I don't nec- I don't wanna say the exam was tough because I don't really think it was, I think the content was great. I think the questions were great. I think the spread of things that they ask is really good. I think the is really well put together. I do think it's a hard exam though, because of like the way the questions are asked as opposed to the content or the difficulty of the content itself. So yeah, I definitely didn't get to the end of that exam and, and feel confident, but then, then I passed it so done.

Morgan:26:24

I think it's really interesting. So I I've done a teeny tiny, tiny bit of Microsoft Azure, online learning and stuff recently, their offering in terms of security services looks really mature compared to AWS, AWS go for a breadth of services rather than the depth within those services. And Azure seem to take like the complete opposite approach and they do that-

Holly:26:46

A- Azure is a great platform. It's the second most popular platform.

Morgan:26:52

For now.

Holly:26:55

It's second, second's respectable.

Morgan:27:00

Okay. I'm not biting. Um, anyway, something that I find about, um, is Azure exams that I'm interested, uh, to explore a little bit more is that they break the specialisms down into A, various levels and B, components. You'll have kind of sort of entry level exams that are, for some reason, unbeknownst to me, the there's like a, a two letter kind of AZ or something, and then the dash 900. And then they have like various other levels, like 700 or the, the more advanced exams, which are 200 and you can sit security exams at several levels there. It's not like AWS where it's all just kind of condensed into one big security exam and security is featured on like all of the other exam syllabuses as well. Syllabuses? Syllabi? What's that one?

Holly:27:50

Oh don't worry. The audience will let us know.

Morgan:27:53

I hope so. Yeah. So I think that's really interesting from, from an Azure perspective and I, I haven't done too much ofwith their platform yet, but I have found it really interesting.

Holly:28:06

I like generally the idea that the, the specialties have different levels because, you know, look at something like security, there should, there is a, there's an entire career there, right? You should be able to start at something relatively practitioner and then build up. I do think it's a little bit strange that with, with AWS, there is just a security exam. I don't know if that'll change in the future, but it does seem odd to me.

Morgan:28:29

Yeah. I think it's a bit difficult. 'Cause the prerequisites or what they recommend that you have for the exam, something like two plus years of hands on experience deploying workloads in AWS and five years security experience. So from that perspective, it's almost akin to like the AWS equivalent of the CISSP. And it can feel like that when you're taking the exam, because you do also need a lot of underlying foundational knowledge about kind of networking and ports, which if you are from a compliance background, you might not have-

Holly:29:02

Do you think you needed five years of generic security experience?

Morgan:29:06

Absolutely not. Well, I don't have five years of experience. Not yet. Technically I'm about a four and a half, almost five years.

Holly:29:14

That's why your exam crashed. You were four fifths of the way through.

Morgan:29:19

Yeah. They, they looked me up on LinkedIn and like found out that I didn't have enough experience. So they were like, no, kill it. No. Um, I haven't, I definitely haven't been building, um, not in a work environment anyway, production like AWS workloads for two years. And I don't think that that was reasonable because some people will have, you know, six months in their job as like, um, a security analyst, um, in a cloud ops function. And they might pass that first time and it'll be just fine. And some people will have much more security experience, but maybe aren't as familiar with AWS or aren't as comfortable with exams. It's gonna be different for everyone. But yeah, I don't think that it's particularly accessible for an industry that is growing so quickly and with like public cloud being leveraged increasingly I think they need something that's a little bit more accessible, like maybe a, an entry level or an associate security exam.

Holly:30:13

I, I definitely don't think you need five years of security experience to do that exam. The exam is very AWS heavy. It is true, you need to know CIDR notation and you need to know like the fundamentals of security, you know, the protection of confidentiality, the protection of integrity. It would definitely help to know some cryptographic basics, so the difference between symmetric and asymmetric cryptography, those kinds of things, but nowhere do you need five years of experience and it's very, very AWS heavy. So I would say you need more AWS experience and you need generic security experience, but that's not what they recommend.

Morgan:30:46

It'll depend, which set of questions you get. But yeah, overwhelmingly AWS being an AWS exam, but some questions are gonna require a lot more generic security and networking domain knowledge.

Holly:30:57

It's what 26% IAM? So that's AWS entirely. And then it's like 20%, uh, logging and monitoring. But what it means by that is knowledge of CloudTrail, that kind of thing. It's all AWS stuff. It's all very, very AWS heavy.

Morgan:31:12

Can I just like take a minute as well to call out that some of the names that they give their services are ridiculous and like-

Holly:31:18

Macie's a great name.

Morgan:31:23

Oh, the people names they, yeah, no, it definitely wasn't that, but it, it like, they're not like axiomatic.

Holly:31:32

I think that AWS services are perfectly named. Give me an example of a poorly named AWS service.

Morgan:31:39

Lightsail. What does it do? Elastic Beanstalk, what does that do? I, I know what Elastic Beanstalk does by the way, just like, would you know, from the name of the service, what it does? 'Cause I sure as hell wouldn't. Oh, the acronyms are another thing that really annoys me actually. So CMK- no KMS CMK - customer master key or customer managed key?

Holly:32:03

Give me some examples of badly named AWS services.

Morgan:32:07

I just did.

Holly:32:07

Give me 10 examples.

Morgan:32:09

10 examples. Do you want me open the management console right now and tell you? I'm not doing that.

Holly:32:14

Or if they renamed a service like system manager, which used to be simple system manager.

Morgan:32:19

Oh, I hate that one! It's because it had a bad rep when it was SSM I think, it didn't work properly. It wasn't very good.

Holly:32:26

That's frustrating.

Morgan:32:28

I'd rename that as well to be honest.

Holly:32:30

I'm trying to think of poorly named AWS services off the top of my head now, 'cause I know there's some really cracking ones. Cognito. I don't like that name.

Morgan:32:41

Yeah. That's again, not particularly like self explanatory as a service name. And I think they've got so many services now and the, the size of the, the offering and the catalog is pretty crazy. So if you're getting into like cloud or AWS for the first time, you have very little chance of actually understanding which services you need. Do you know anybody who knows the whole service catalog?

Holly:33:07

Well, there's about 2000 services now, so um definitely not, but yeah, you are right about a lot of the services having strange names or names that don't necessarily lead you to know what, what they are. They do sound cooler like Snowball Edge, Snowball Edge.

Morgan:33:23

<Laugh> Oh the Snowball, Snowmobile, Snow Plow situation. Like-

Holly:33:28

I wonder how long you could go talking to somebody about AWS and just making up services without them, without them noticing kind of thing. I did actually have a conversation, uh, quite recently with somebody where in context, it was important for me to mention uh AWS EMR. And I was very sure that they had never heard of that service based on like their facial expression when I mentioned it, but they kind of went, oh yeah, yeah. As if they just had like the-

Morgan:33:54

You're gonna have to remind me what that one is because the acronyms do throw me-

Holly:33:58

Oh, EMR is for big data, which is one of the reasons why I'm like, you've probably never come across this because person worked in cybersecurity, not in Big Data. So it isn't a service they've likely come across. Um, but, but I said it and they, they pulled a facial expression and kind of went, oh yeah, yeah. EMR. It's just like, you've definitely never heard of that before.

Morgan:34:16

I love it when people pretend to know things that they definitely don't know so that they don't look stupid because, sometimes you have got something wrong, you know you have, or you've mentioned something that you've not used much and they probably haven't heard of it all and they just go along with it and I'm like, hmm...

Holly:34:32

Start just using Pokemon names.

Morgan:34:35

I'm just gonna, I'm just gonna, just gonna check now to see if you knew what that was or if you were just pretending because it, it's not something you should do. You shouldn't pretend to know something if you don't know. And I know that like not everybody is gonna have the confidence to do that, but you are effectively creating like a personal brand at work or in that environment. And people need to know if they can rely on you in like an emergency situation or if you have the knowledge required to support, if something urgent is occurring, if you pretend to know things that you definitely don't, that's kind of dangerous.

Holly:35:07

It, it is. It is also sometimes that you just don't know it by that name. So you might have only ever heard it referred to by its full name. So if I say EMR, you might have never heard of that. But if I say Elastic Map Reduce, you might be like-

Morgan:35:21

Oh yeah, I've heard of that one. Exactly.

Holly:35:23

Exactly. So when it comes to exams, then do you have like a list of exams that you aspire to get? Do you have a timeline that you're working through of just like, oh, I'll get this one this month and then, you know what the next one is? Or do you just kind of wake up and think, well, I started a company yesterday, so I might do a certification to, to mix it up a bit-

Morgan:35:42

Honestly, the way that you approach exams and certifications has always, always stressed me out always. And I've known you for like a decade.

Holly:35:50

Why does it stress you out the way that I approach exams?

Morgan:35:57

Probably because I don't like exams very much.

Holly:36:00

I don't like exams-

Morgan:36:01

And the ones that I- well you act like you like them- the ones that I want, I tend to place more importance on. So I'll spend a while working up to them and they'll be kind of on my plan, on my roadmap , I'll have like a personal development plan or something, some objectives. So there are some that I wanna get this year and I haven't really planned kind of for next year. I've got sort of like a six to nine month immediate development plan and like, partly that's because I'm finishing my masters this year, come hell or high water. So I don't really wanna plan for beyond that because a lot of this is all gonna kind of converge over May, June kind of time when I'm sitting university exams. And then my dissertation's due shortly after that plus AWS exams. And anything else that I wanna learn. And honestly, I think I'm just gonna take a couple of months off from all of that at the end of the year. I think I'm gonna need a break, but yeah, I definitely do kind of keep a couple in mind of things that I want to achieve and pass. And then there's like second, but they're not particularly a priority, like Azure. I don't use that at work and it's not a vendor that I've ever really needed to know much about, but I think it is gonna be useful for me to have an understanding of Azure services or another cloud provider generally just from like a market awareness perspective. What services cloud providers have, if anything is driving maturity in that space, or if something besides AWS would be a good option. So that's not massively, it's not like a priority, but it's something that I'd like to do.

Holly:37:31

Sometimes it's nice to just learn another vendor's terminology as well. Isn't it? So that if somebody's talking about the workloads that they have in their cloud, but they're using different terms, like how we would say EC2, right when we just mean virtual machine, it's nice to , to have that level of understanding. So if somebody is talking about something that they're doing, you can't understand what it is without having the vendor specific. Me though um , I, I have like two main reasons that I would do exams and I definitely never have like a timeline of, okay, I finish this one and then in three months, I'll do the next one. The only time that I might like surprise do a certification is where one's expiring. So-

Morgan:38:07

Surprise exam.

Holly:38:09

Yeah. So I don't necessarily think about it, but, but several of the exams expire every three years and you have to redo them and you can do continuing education. You can, you can collect your points and you can fill in the forms and that stuff. Whereas I would just tend to just take the exam in part, because I'm lucky and I don't get exam anxiety or anything like that. So there's no negative reason to do an ex- an exam. And also when you're re-certifying, well, you've done it before. So you know what you're in for? And you know what the content's gonna be like, yes, it'll have been updated, but you know what the experience is gonna be like. So that's an example, you know, the PenTest+ that I did recently and I, I got that three years ago, it had expired and then I got it again. But the other thing that, that just sometimes come up, I have previously got certifications where it's, it's been like a work requirement or something like that. So I've very, suddenly got a certification and in truth that's, that's like it was for my AWS Machine Learning Specialty, we're working on some machine learning projects. So it's, it's a good thing to get to demonstrate experience within that or previously, uh, an example from many years ago, in fact, I did a job interview with a company. This company used Cisco throughout they are a 100% Cisco company, all of their kit is Cisco, on my resume to work for that company. It's here's all of my Cisco certifications. And then at the end of the job interview, they were like, oh yeah, it's great. You know, we like you, we wanna advance you forward in this recruitment process, by the way, oh, you are Juniper certified, right? It's one of their requirements on their JD that everybody must be Juniper certified, which audience note is ridiculous. They don't have any Juniper, it's a hundred percent Cisco at that company, but it was a requirement for recruitment that-

Morgan:39:41

I always wondered why you did that exam!

Holly:39:43

I did that exam because on Monday, when I'm in this job interview, they say you are Juniper certified, right? And I'm like, yeah, don't worry about it. And then the next stage of the interview is on Thursday and I'm like, I've got 48 hours to pass the Juniper certification.

Morgan:39:56

That's amazing.

Holly:39:57

So I did my, uh, JNCIA, which is Juniper's equivalent to the entry level network technician. Um, honestly, so sometimes it comes up like that, where, where somebody's just like, oh, you do have this certification. We presume you've got this certification. This isn't gonna be a problem. Right. And you're like, definitely won't be. It ruins the rest of your week.

Morgan:40:19

Yeah. I dunno why you do this to yourself, to be honest.

Holly:40:23

As long as in context, it, it doesn't matter if it's just like a requirement that they've added for no good reason. Like I said, if you know, the they're not actually using Juniper, but just HR has decided that you, you must the certification for some reason, like the knowledge isn't necessary, the certification is then yeah, I'll do it. I'll sit down and read a book and pass an exam. But yeah. Doesn't necessarily help me in my career.

Morgan:40:49

Yeah. I'm not really sure how much I agree with, um, HR, um, feeding into job descriptions when it comes to technical skills, they don't know what somebody needs to do that job. Typically it would be the team, I guess it depends on the, the company and the company structure, but I, I don't agree with technical and certification requirements being fed in by a team whose role is completely unrelated to the technical ongoings in like day to day business of that role-

Holly:41:16

In, in fairness to them as well, I don't know that that requirement came from HR. All I know is that the requirement didn't fit the job. Um, so I'm kind of like presuming, well, this must have been hit HR, right? Yeah. I, I, I don't know, but it was a requirement that wasn't necessary.

Morgan:41:32

You do see a lot of that now though. I think like, especially with like alleged entry level in air quotes, entry level roles within cybersecurity, there'll be a sort of entry level or junior cybersecurity position where they want you to have like a CISSP or a CISM or CISA or some like ISACA management qualification, um, or an ISC management qualification. And it's completely inappropriate for what it is that they're asking for a candidate to deliver what the, the job responsibilities are, the, the pay is and like the total remuneration and compensation or that package for that job.

Holly:42:08

Do you wanna try that word again?

Morgan:42:11

Remun- Renumer- No, sorry.

Holly:42:13

You'll get there-

Morgan:42:16

<Laughs> Don't pick on me today. It's been a rough, it's been a rough week.

Holly:42:20

I, I think the CISSP requirement within cybersecurity is a very common one where you see entry level jobs requiring the CISSP. It really wouldn't surprise me. If you could very quickly find a lot of entry level, uh, cybersecurity, uh, role that require the Security Specialty, even though AWS themselves say you should have five years experience for that. So,

Morgan:42:41

Yeah. Or like 10 to 15 years for like Kubernetes.

Holly:42:47

Do you wanna try that word again?

Morgan:42:49

No. How do you say that one?

Holly:42:52

No, you got it right. I was just messing with you.

Morgan:42:54

Oh, you are horrible to me. I'm taking applications for a new podcast co-host who doesn't bully me. You can DM me if you're interested-

Holly:43:04

Must be Juniper certified.

Morgan:43:07

We'd like you to have a CISSP as well, please.

Holly:43:12

I presume I'm no longer Juniper certified. I list it as expired, but don't actually know if that exam does expire, I look, I looked at Juniper once. It was for that exam of literally two days of experience, technically certified, but have never used it.

Morgan:43:25

If you can get a certification with only like two days of experience though, like why are people placing weight on that?

Holly:43:31

Um, in, in that instance to, to be fair to that certification it, because it is a, a routing and switching certification because I was very highly Cisco certified and all that I'm learning is Juniper's terminology for the same stuff or Juniper's commands for the equivalent. So it wasn't learning the content as much as translating from what I already knew it in that way that I imagine a lot of the Azure stuff is very similar to the, you know, if you did the Azure security versus the AWS security, I imagine the fundamentals are, are very much the same. They don't call them security groups and they don't call them EC2s. But the principle of what you're trying to do, stateful firewalling, would be the same.

Morgan:44:13

And that makes sense. Yeah. But like, I think when you're talking about networking, like not to, to denigrate network specialists or engineers or anything, but the cable goes into the box, does it really matter what you call it? <20 seconds of laughter>

Holly:44:35

Oh God, it's just nothing you've said has ever hurt me more than that statement.

Morgan:44:45

Excel's a really good password manager.

Holly:44:47

Even that didn't hurt. Oh geez. Oh wow. We, we can't be friends anymore.

Morgan:44:59

Are we friends now? You pick on me a lot.

Holly:45:04

Wow. Not that badly though. Gosh.

Morgan:45:08

Consider it revenge for like 10 years of bullying.

Holly:45:12

I do think, um, that is one of the reasons so that, that some people might grab a whole bunch of certificates. Um, especially if you're getting your certifications, uh, subsidized or paid for in some way. If your company has a budget for doing certs, or if, you know, if you're lucky something like the, this AWS scheme, where you pass an exam and they give you 50% off the next exam kind of thing. I, I could imagine somebody who's trying to build up their career or trying to advance doing the AWS Cloud Practitioner, the CompTIA Cloud+ the Azure, uh, whatever they call it, fundamentals-

Morgan:45:46

AZ-900.

Holly:45:47

Uh, Azure fundamentals. Right. That's what that's called. Yeah. Uh, and doing all three, because they're all about the same level. They're all about the same. It's just, um, some vendor terminology that differ that differs. Um, I definitely would think that would be a good thing to do. Presuming you're not paying yourself. You're certainly not paying all of it yourself. 'Cause it would get very expensive very quickly. But um, yeah, I think there's nothing bad with that.

Morgan:46:09

No. Well I think also actually that can be useful if you don't yet know what kind of company you're gonna end up working for or, or what the, um, company that you end up at uses as like a primary provider.

Holly:46:23

It's definitely, if you're at that point where you're not sure, you know, you're not working for specific companies, so you don't know what your future company is gonna use in terms of tech stack. It would be a good idea to diversify. And you know, if there's no point getting super high AWS certified to then go somewhere, that is a hundred percent, you know, um, Azure or one of the other alternatives.

Morgan:46:43

I mean there's not really alternatives is there? You, some places use Google, no one really uses anything else.

Holly:46:49

What's Google's market share 5%?

Morgan:46:52

Tiny.

Holly:46:53

Yeah. AWS is 33, Azure is second, second's admirable.

Morgan:47:00

Um, Azure's not kind of far behind, but they did have quite a lot of capacity issues sort of the beginning of the pandemic. Sort of 2020 time.

Holly:47:09

Yeah. It's what I thought. AWS is 33%. Azure is 21%. Uh Google's 10% now apparently as of Q4 2021.

Morgan:47:19

I don't think they like prioritize it. Um, in terms of what their core offering is like, uh, they don't push cloud platform as aggressively as Microsoft push Azure, and AWS, that's basically all AWS do, right? It's not like they have like secondary products like Microsoft.

Holly:47:38

There's no, there's no secondary associated business. Right. It's Amazon Web Services and that's just, that's the whole company, so. That's all that they do. Oh, sorry. I've, I've completely forgotten. Of course. Uh, they own, they own Twitch. That's their two, two main revenue streams. Presumably the web services and Twitch.

Morgan:48:04

No, that's terrible. Oh, well.

Holly:48:12

One of the things that, that often comes up when it, when I talk to people about the, this way that I do certifications or I just like really aggressively, like I'm gonna do 40 hours of study in this 24 hour period is, and people often say, oh, that's a bad way to approach certifications because you're not learning. You're just trying to pass the certification. And my response to that can only be yes, of course, because if my primary and sole goal is to learn the content, why would I take the certification, learn the content. So there must be some, uh, explicit individual value to the certification itself. Now that'll differ per person, right? Like we've mentioned a couple here, you're going for a certain job and it's a requirement there, or you're doing a certain project or, or even just, you know, personal aspiration, you want the credential and those are all fine. But sometimes people talk about certifications as if getting the certification should never be the point. And, and if it isn't, why you sitting the exam? Exams are horrendous, they're stressful, you're uncomfortable. You're three hours in and you need a wee. Nobody would do the exam if getting a certificate-

Morgan:49:21

Did you make it three hours before you needed a wee? You have the bladder of a small child. I'm very impressed. Yeah, no, I, I get that. Sometimes a certification is what's important to me and other times it, it's that I've spent all of this time learning the content and being familiar with the syllabus to a point where I'm confident to use those services. And I want some kind of like barometer of that. I wanna know if I like understand that as well as somebody who is certified would, so the goal for me isn't to get the certification or to use it's just to kind of tick the box that I know everything I need to know for that.

Holly:50:02

The- there's three reasons that I do exams. Um, the most common for me is because it's a third party requirement, a customer or a project has that as a requirement. So I have to if want to work on that work, that is for me the most common, especially at this point in my career. But the second one definitely is what you are saying here, which is I am learning this thing and I need to know, is it going in? Am I understanding this stuff? You know, I've been reading this book for however long, but remembering and understanding it and certifications are good for that. Just your own personal kind of line in the sand . And then the third thing, and I think this is controversial for some people is because I passed it previously and I want to hold onto it. A lot of people talk to me in a weird way about prior exams that I've done when I recertify them. So the PenTest+ is a prime example of that. They're like you CREST certified, you've been a pentester for 10 years. Why are you doing the PenTest+ exam? And it's like, 'cause I'm re-certifying right. It's like it expired. I'm getting it back. Like , like very often people talk like you should pass an exam and then never like don't hold onto it. Just let it expire. It . It's not worth-

Morgan:51:06

What's the point though? You spent like so long studying for that exam. And then you took it maybe when it was more relevant to your, your day to day responsibilities and you needed that for your role and you perhaps don't anymore. But I think letting it lapse, unless it's a disproportionate amount of work for you to keep that-

Holly:51:24

If it is a disproportionate amount of work, then that's probably an indicator that you are getting skill fade on that and you are forgetting those things. And if it is still relevant to your role, even if it's a minor part of your role, then it is still good to recertify. But I mean, something like a good example would be the Network+. It's been a long time since I was like a network engineer or working purely in networking and, and yes, very, very often, you know, we're using CIDR, we're using routing and all of those kinds of things. And I very much need those skills, but not to the degree of sitting and passing a certification kind of thing, but it's like, I've done it previously. I'd rather hold onto it.

Morgan:51:59

Yeah. So I mean, disproportionate, not in skills fade and that you're not using it, but I mean, disproportionate in, you only have a certain amount of time or a normal person only has a certain amount of time and might have to prioritize other certifications or might be, you know, founding a company and they don't need that certification anymore. And they really just can't spare the time to, you know, do the CPEs or resit the exam or whatever it is. And so maybe it's worth letting some things lapse, but in some situations, you know, you're gonna wanna keep hold of those or like in your case, what you are building and what you do is like at the convergence of so many different skill sets, um, like development, machine learning, security, networking, all of that, pentesting specifically. You're not a human though, are you?

Holly:52:44

Certainly sleep less than you lot do.

Morgan:52:50

Do you run ARM?

Holly:52:52

That sounds risky.

Morgan:52:56

You're definitely a robot.

Holly:53:00

Yeah. I, I just think it's one of those things where it's like, you, you get the certification, you should hold onto it. There are certifications that are lapsed. I don't hold any of my Cisco certifications anymore. I haven't had held them for a long time, I still hold the, the Network+. Cisco does have a really good scheme if I remember correctly and forgive me, it has been a long time since I did them. If you do a certification above the certifications that you currently hold, it renews them all.

Morgan:53:24

AWS do that as well, where you take an exam and it renews all of the exams that you've done previously. I'm not sure if it's just exams that are kind of at a higher or more advanced level than the ones that you've done previously, but it definitely renews them.

Holly:53:39

What, what are your thoughts generally then in terms of companies requiring certifications for positions? I know you, you mentioned the frustration around entry level roles requiring a CISSP, and those kinds of things, but how do you think more generically when it's not something silly like that?

Morgan:53:54

I think in some situations it makes sense. You know, if you do want to test or, or kind of have a bit of a barometer for what a candidate understands about a particular service provider, or if they have roughly the same sort of knowledge as the last person who did that job, then it makes sense. You know, or if you are kind of hiring for quite a critical role, say if you have key person dependencies in your engineering team, as an example, and you wanna make sure that- that that meets specific requirements, or if there is a compliance that you need those certifications, then it makes sense. I think there's a lot of overkill though. Um , and there's a lot of talk about the tech talent pipeline and how we have a bit of a pipeline issue, especially in terms of diversity and there isn't enough junior talent and all of that. And I think to an extent that's sort of our own fault because we aren't willing to compromise on the requirements or the criteria , um , that we expect from a junior candidate. And there also, isn't a great deal of support in helping junior candidates progress and develop. And especially in some roles, there's a lot more focus on developing technical skills than in developing professional skills- so that what some people call soft skills required to sort of work as part of a team and all of that so, certifications are important, but I think that we, we overdo it and not everyone needs them. You know, if you are a CISO, you don't need an AWS Security Specialty in all likelihood, you hire experts to make those decisions for you. So I really think it depends on the company, what their needs are and what they're hiring for.

Holly:55:29

One, one of the things that I see very often within the industry, I'm sure that this comes from a good place because it comes from so many people seeing requirements on paper that do not match the requirements of the actual job. We've given some examples here, right? This company, that's all Cisco requiring me to be Juniper certified, completely pointless, never once touched Juniper whilst I worked for them. So I think so many people like see that stuff and they're turned away so frequently from certifications. And I see some really strong sentiments. So people say things like, oh, you should trust the candidate, or you should, um, review the candidate's experience. Look at what their prior role was to see if they're capable of doing this job. And the difficulty with that as a hiring manager is I think those people don't realize that some people lie on their CVs.

Morgan:56:10

I was just thinking that.

Holly:56:11

And I've definitely, I've definitely had experience of that where, where candidates, and, and even people have been at the stage where cert and things are being reviewed, who have just very evidently lied. You know, these companies allow you to, to verify those credentials. Um, and yet people just out and out will, will lie.

Morgan:56:28

Yeah. People lie on their CVs, and people have imposter syndrome as well. So some people go in the opposite direction, usually minority candidates, people might say, I worked for this company and I didn't, or I'm really familiar with this tech stack and I'm not, um, and people might have worked with something quite a bit, but not feel confident enough in their abilities to put that on their CV. And that immediately kind of counts them out. They're sort of disregarded as a potential applicant or a potential candidate for that role before they've even really had a chance. So certifications can be really good for that I think.

Holly:56:59

Very, very often have experience candidates counting themselves out during the process. And it's quite difficult actually, when it comes to writing job descriptions and things to explain to a candidate where you're drawing the line of what's required for the role without putting something in there that would, that would make them feel that they can't do it. If we were talking about a role that required experience to the level of AWS Security Specialty, doesn't necessarily required to be certified, right. We have no hard requirements for certifications, but sometimes I do get the feeling from candidates that, um, oh, I haven't that exam, so I won't apply kind of thing. And it's like, no, no, no. It's like, that's, it's not required at all. It just-

Morgan:57:35

That's literally the point, like we haven't put it on the role profile deliberately so that you don't like kind of count yourselves out. Yeah, yeah, sure. I think like there's a culture or an attitude where we disregard or undermine the weight that, uh, certifications can provide to minority candidates who otherwise probably wouldn't get a foot in the door or who do have kind of imposter syndrome or who aren't offered the same opportunities. So yeah, I think that's something to consider as well, provided that the exams and the certifications are accessible to candidates. 'Cause that's not always gonna be the case, but they can be beneficial for that one.

Holly:58:11

One of the things, sometimes people take their personal experience as being entirely representative of the entire industry. I very often hear the question will be, you know, do you require a degree to be a pentester or do you require a degree to be a software developer, something like that. And you'll hear somebody very vocally say, you know, I've worked as a software developer for 25 years and I don't have a degree, so you don't need a degree. And you have to be very careful about how that, that is interpreted because not having a certain certification or not having a degree can disadvantage you in that if some companies have it as a hard requirement, you can't apply and be selected for those roles. So it is both true that you do not need a degree and it can still benefit you, right?

Morgan:58:56

Yeah. Yeah, definitely. But I, I think that one's a difficult one. I, I know people who work in security who don't have degrees at all, and I know people who skip their A levels and their bachelors and just did a masters-

Holly:59:09

Who would, whoa, who would do that? That's ridiculous.

Morgan:59:12

And I know people who-

Holly:59:17

Absolute hero.

Morgan:59:18

I don't know. I've, I've heard that the master degree was really easy as well. I don't know what Cardiff are doing these days, to be honest-

Holly:59:26

Top 200 university in the world Cardiff, it's a fantastic institution.

Morgan:59:30

Yeah. And I am-

Holly:59:31

I'll hear no bad word said about it.

Morgan:59:34

Is that 'cause you're an alum?

Holly:59:36

No comment.

Morgan:59:41

Um, I also know people like myself, who've done a degree in something unrelated and then moved into it afterwards or are career changers. So sometimes another degree or a masters or some other post-graduate certification can benefit them or provide like foundational support in moving into the industry. But I know people who, who kind of come from all sorts of backgrounds, some people do just straight have a computer science or digital forensic ethical hacking degree. And it's gonna depend on everyone's individual circumstances. But I don't think that degrees are accessible to everyone. It's not possible for everybody to do a degree at 18 years old. So I don't think that they should be a hard requirement for jobs.

Holly:1:00:21

What is your experience of having a degree that's unrelated to your work then? Do you find that there's a box that says you must have a degree and it's ticked and it's never really mentioned, or do you feel that because the undergrad is not industry specific, do you find that a problem? Does it come up?

Morgan:1:00:37

Nobody asks. What I do find is that I have to, I have to, I have to fight to get technical experience and I have had issues getting technical exposure before. So I did a graduate scheme and uh, there were three of us that started, it was me and there were two guys who had both gone to universities kind of around Coventry. And this is, it's an interesting one, 'cause there are multiple factors that play here, but they both got to do placements on service desk and in the ops monitoring team. And I did placements in risk compliance and audit. And I really, really, really wanted to do a service desk placement and work in ops before moving into technical security teams, and I wasn't allowed.

Holly:1:01:18

Shout out to the guy this week who apologized for having to ask me a technical question.

Morgan:1:01:22

No.

Holly:1:01:22

As if I'm not a technical person. Yeah.

Morgan:1:01:25

What was the question?

Holly:1:01:27

Uh, I don't even remember. It was something to do with uh, tech stack of how our, um, SaaS product is built. It was a technical question, but it wasn't a particularly difficult one at all, but yeah, they were like-

Morgan:1:01:37

Especially not if you built the product.

Holly:1:01:39

Yeah. Like just, it was, it was a very weird experience to me that the guy, like not only had the presumption that I was non-technical, but thought it appropriate to highlight that he's got that presumption. 'Cause you could, if you've got a technical question to ask somebody, you could just ask the question and if they don't know, they'll get back to you and say I'll, I'll hand that onto the appropriate person and get back to you, but like making the presumption that the person you're talking to is non-technical.

Morgan:1:02:03

But instead he was like, sorry to inconvenience you little lady, I know you've got a really small brain, but could you tell me about your tech stack please?

Holly:1:02:12

Yeah.

Morgan:1:02:13

Yeah. What a guy.

Holly:1:02:13

Really, really can trust me. So yeah, it was such a weird of just like I gotta ask you a computer question. Is that okay? Yeah, dude, crack on.

Morgan:1:02:30

I love that. Um, actually in my first role where I was looking at kind of cloud infrastructure and probably needed some certs, I took my Cloud Practitioner exam and I was on a team with somebody else who had taken his Cloud Practitioner exam and was more experienced with AWS and knew what he was doing, but was really nervous about exams. So hadn't taken the next exam. So I said, I've booked my Cloud Practitioner and my Solutions Architect Associate exam straight after right in the same day. And he said, oh, you shouldn't do that 'cause if you don't pass the first one, then the second one doesn't count. And he made it sound like it was gonna be really difficult. So I canceled the Solutions Architect Associate and took the Cloud Practitioner. And when I passed it, I took a screenshot of my score and texted it to him and said that's like 94% right? And he was like, yeah, it is, I got 95, better luck next time slick. And he hadn't got 90- 95%, he was just kind of messing. Um, it was just completely fine, but it was like, he made it sound like it was gonna be really difficult because he found exams intimidating because his, his background had been different.

Holly:1:03:33

That is the normal thing, right. That is the normal thing. Like, like people should find exams just awful generally. 'Cause not only like the anxiety of, you know, having to do the exam and it being important, but they're expensive. That's one thing I don't wanna resit this exam 'cause it cost me hundreds of pounds. Very often when I do exams, I'm in an uncomfortable environment. If I'm in an exam center or something like that, I remember doing one where it sat me next to the aircon and I basically came out of there with like cold burns. 'Cause I'd been sitting next to the aircon in a t-shirt for this whole exam. And it was like, a four hour exam or something. It was just horrendous. Yeah. So anyone listening to this and hearing like my approach to exams of just being literally that absolute nightmare of not spending enough time working on it and then going in and hail marying it. Uh, yeah, that's the normal reaction of just like exams are awful.

Morgan:1:04:26

And Holly's approach to her exams is especially awful. So she makes it worse for herself and for everyone else, like, um, Holly decided two days ago to take her Security Specialty exam. I've spent ages studying for this and mine went horribly wrong, but the universe really likes Holly she's someone's favorite. So she passed hers and I didn't pass mine, which is the TL;DR of this, um, chaotic episode. And I hope you all enjoyed it. Hey everyone, it's Morgan, I've got a bit of a post edit addendum for this episode. I just spent the last hour or so complaining to you all about how I didn't pass my AWS Security Specialty exam because the browser crashed two hours into my three hour exam. Um, I checked my emails a couple of hours after we recorded this episode and I had an email from AWS training and certification saying, congratulations, you've earned the AWS certified Security Specialty certification, um, and a link to my Credly badge. So I was super confused about that. But then I got a transcript through the next day showing that I'd got enough points in the first two hours from the questions I'd answered already to gain the certification. It was a bit of a close one because I didn't have the, the full three hours to kind of finish all of the questions and check my answers and everything, but really, really relieved to have passed that. So luckily don't have to take it again. Um, and hopefully that brightens up the end of this episode a little bit. And if you are studying for your AWS security specialty at the moment, best of luck.

Holly:1:05:57

It turns out she did pass her exam because she's an absolute hero. Congratulations.
