Category: Education

reflections on a master’s degree

Post author By joemac
Post date January 2, 2025
No Comments on reflections on a master’s degree

One of the things that I heard a lot of before I started my master’s was that it wasn’t really necessary to be successful in the technology space. Since I’ve completed my degree I thought I would put some thoughts together about my experience and offer some perspective on the subject. I just earned a master’s of information technology from Virginia Tech. The program site is here: https://vtmit.vt.edu

The tl;dr is that no, I don’t think it’s necessary to pursue it to be successful in technology, but I have already realized benefits of my degree program, and intangibly it has made me a much stronger leader and engineer, and it has established a deep confidence in my career and my ability to execute, which is the very thing I was expecting to get out of the degree in the first place.

As tangible benefits go, the master’s degree program cost me about $36,000. During the course of obtaining the degree, I have been promoted two times and have secured a role of technical leadership. Between a job change and the promotions (in three years), my annual salary has risen by almost $40,000. While obviously this is not entirely attributable to the degree, part of it certainly is. Since the salary increase is effectively permanent, and there are about 25 years left in my career, this was well worth it for me, financially speaking.

Why I went for a master’s

A high-up cybersecurity executive recently asked me why I was motivated to get a master’s degree. You should have a good sense of your “why” before you commit to a master’s program. Mine was originally practical: it would have led to a pay bump in my previous role and my previous employer would have covered part of the cost. I left that role, but stayed in the program anyway, because I wanted to step up in my career and be able to speak cybersecurity more eloquently to the business. I absolutely achieved that goal through my studies. I also wanted to have an opportunity to teach (undergraduates) part-time, which is really not possible with only a bachelor’s.

In fact, some of the best courses in the degree program were also part of the Pamplin MBA program, and for a brief period I considered switching to the MBA program entirely. In retrospect I am glad I did not do that because I valued the technical content I got out of the information technology courses.

Getting a master’s degree while working full-time and raising children is no joke.

I registered for my first class while we were at the hospital the day after my daughter was born. I knew it was going to be a challenge, but it was a challenge. It is not for everyone. If you want to do this, you will lose almost all of your free time. I also gained weight and my hair grayed.

I am writing this while we are on vacation and I was struck when I looked in the mirror and noticed that I looked younger. I have been walking regularly for a couple of weeks and have been sleeping relatively well for the first time in years. I’m looking forward to feeling like myself again.

It’s hard to overstate how much you give up when you commit to something like this. The feeling of achievement, however, is pretty remarkable.

Not every hiring org values a master’s degree…but most do

I have a lot of opinions about certifications in cybersecurity. Most of them are negative, with the notable exception of SANS – if you can take a SANS training, you should. I have held cyber certs in the past and almost always let them expire. I currently work for a company that, unfortunately, does not have the budget for certifications or professional development. I have taken calls from recruiters in the past few months that have gone like this:

“Do you have any certifications?”

“I have some inactive ones (CCNA, Security+, CompTIA CASP, SANS GCED), but right now I’m working on a master’s degree with a concentration in cyber.”

“Have you considered getting some certifications?”

“I will happily obtain a certification is the cost and time is covered by my employer, but my professional growth is focused on my degree program.”

A master’s degree relevant to the position should carry more weight/have more impact on a resume than a certification. If your organization’s recruiters disagree with this, I think they are wrong. I also think certifications by and large are a money grab, and again – a degree or a cert is not required to be successful in tech. But that is OK. My company also did not help me pay for my degree (I paid cash and lived conservatively, and got support from my wife, who does well for herself being an attorney). Smaller technology companies seem to value the master’s degree less tangibly, but again, I can attribute my promotions at least somewhat to the degree program.

What I want out of my career has changed

My career was already going in this direction, but I am much less interested in highly operational, hands-on work. I have embraced being a technical leader and moving the focus of my work into more strategic and less tactical decision making. I make this pretty clear when I have conversations with recruiters. The day-to-day is just not a good use of my skills anymore – getting a master’s will change the overall tenor of your skillset, especially if you are mid-career like I am.

I still firmly believe that the best technology leaders have hands-on experience, and there are areas of professional development that I neglected (especially in cloud) over my degree program, so there is definitely opportunity cost there. I don’t think I want to ever be completely hands off, because being hands on is what got me into tech in the first place, but I derive a lot of career joy out of mentoring and building, not so much operating.

The degree program amplified that and my desire to work somewhere where what I can offer is more strategic and entrepreneurial. Many people think the goal of education is to increase your “known knowns.” This is partially true, but the real goal is to decrease “unknown unknowns.” Being successful in your career and in business is a product of being able to make accurate predictions and understanding risks. Education reduces the space where those predictions are wrong and enables you to take good risks. You (and I) will still be wrong, nobody is perfect, but you will be right more often on higher-paying bets.

Since placing those bets well is a skill I learned through my studies (and through experience), I want to be somewhere that I have the agency and authority to place them, which will be more to the benefit of the organization than a role that is exclusively hands-on.

Requirements gathering is one of the most difficult things to nail down for any technology project. I happen to be quite good at requirements gathering, to be honest, though I attribute that more to raw career experience than the degree program. Anyway, once you have gathered your requirements you need some way to execute on them as efficiently as possible. If you know what the “dead ends” are in advance, you can proactively avoid them, but the only real way to know what the dead ends are is by experiencing failure. Education distills those experiences into something tangible by turning an “unknown unknown” into a “known unknown.”

This is why formal education is useful even though the coursework is always a step behind the bleeding edge. This is true and something I experienced during my studies at Virginia Tech, however, people who instinctively dismiss the value of formal education because of it do so at their peril.

Of course, when you realize that you don’t know things, you realize how much you don’t know. And nothing bears this realization (that I know nothing) like getting a master’s degree. It is both humbling and weird.

OK, so what?

I’m very satisfied with what having a master’s has brought me both tangibly and not. There are a lot of naysayers in the tech space around formal education. My advice is to ignore them, but also be aware of what you are getting into and have a strong sense of what you are trying to achieve with a master’s degree before embarking on the journey, because it is a long road.

It is also true that a degree (of any kind) is not strictly necessary to be successful in tech. Many people in tech are smarter and more successful than I am without any degree. That is great! But few things have brought me more personal and career satisfaction than obtaining it for myself. It’s hard to put a dollar value on the feeling of accomplishment, capability, and confidence.

That’s all for now. If you have questions about education in your career feel free to email me and we’ll set something up.

Education Serious

Content Filtering is (Mostly) Bad

Post author By joemac
Post date December 29, 2020
No Comments on Content Filtering is (Mostly) Bad

In trying to be at the forefront of my K12 org’s cybersecurity effort, I’ve observed a lot of…stuff. Some of that…stuff…and how to make decisions around it has been interesting and eye-opening, because working for K12 presents some interesting and unique constraints that don’t exist in other organizations, the largest constraint being that students are children and you cannot fire them. Damn.

Some of what I’ve observed is in line with what you see in any org, and some of it is in line (or just par for the course) for what you see in very large orgs, which is what Arlington Public Schools (for whom I do not speak) is. A very big organization. Some of what I’ve seen is highly technical, but a lot of it, and I think this is generally true in cybersecurity regardless of org size or mission, is nuanced and related to how people behave and what we as technologists can do about that.

Which brings me to content filtering.

Let me back up. Handling a request for content filtering, which is “subject cannot go to this URL because reasons” is part of my duties as a K12 technology person. But let me be perfectly clear about this: content filtering is not cybersecurity, although well-intentioned people like to pretend that it is. Nowhere does “xyz is a distraction from learning/working” fit into the CIA triad. “But what about malware/phishing/etc websites?” These websites should be blocked – per a comprehensive security policy – because there’s a risk-based, technical reason to block them. But malware is malware. Phishing is phishing. Content…is internet content, or a thing you want to see on the internet that does not pose a technical risk to the organization.

If I haven’t convinced you, consider where your org’s content policy comes from in relation to its cybersecurity policy. I, as a security professional, may get a report of a website people are using to download torrents. I’m going to block that website because torrent sites are full of active threats, among other legal risks for allowing org members to seed torrents. But I wouldn’t decide to block, say, https://spotify.com, and if I did, it would likely go over poorly.* On the other hand, the CEO of a company might decide to block Netflix because it’s a “work distraction,” even though it doesn’t pose any cybersecurity threat. I’m engaging in cybersecurity, the CEO is engaging in content filtering.

This is actually how it works in my organization, and also for Fairfax County Public Schools, and probably others in this space – from FCPS:

“Only Instructional Services, through their curriculum committees, can determine which general categories to block.”

The cybersecurity team doesn’t make the content filtering policy, which is basically that we have a (reasonable) legal requirement to filter some content, plus an amalgam of loosely joined, well-intended opinions (in other words, a committee) that are melted down, cast, and cooled into a policy.

About that legal requirement. It mainly comes from the Children’s Internet Protection Act, or CIPA, which requires some content filtering on school (K12 only) and library computers in order for those organizations to get preferred pricing on equipment and internet service. It’s pretty specific, but the gist of it is 1: kids cannot look at “obscene material” (porn) on their computers (and the act very narrowly defines porn as something that must be visual, e.g. an image) and 2: schools must have a policy in place to teach kids about being safe on the internet. That’s it. It is a reasonable regulation.

There is another piece of legislation, the Children’s Online Privacy Protection Act (COPPA), that basically governs what information is collected from kids under 13. This rule is problematic in its enforcement and the FTC is “giving it another look.” Basically, online services are limited in what they can collect from kids under 13, which is problematic for them because it makes it hard to do targeted advertising. Most online services’ terms of service expressly forbid children under 13 from signing up for their services, but we all know how effective those terms of service are. There isn’t much of a relationship between CIPA and COPPA for content filtering, but the “13 years old” part is worth noting for reasons I’ll get into in a bit.

OK. So here we go. We have to filter on “adult content” – that seems OK – and we prevent threats to the org with a cybersecurity policy – that also seems OK. But if you’ve used your child’s device at all, you’ll know that way more content than this is filtered out. Why? And what’s the outcome of these policies compared to their intent?

When I was in school, a technologist could have written this post about how content filtering was simply ineffective. You’d try to block…some category of site, say adult content, and you’d end up blocking a bunch of safe sex education or whatever. I don’t think that’s true now, and the actual URL filtering we use (Palo Alto‘s) is pretty effective, and gets it right most of the time based on categories and dynamic updates. But this isn’t 2004, and the nature and method by which students access the internet and what opportunities exist for children on the internet have radically changed.

I didn’t get a cell phone until 2006, and it had 0 internet capability – it was “just a phone.” Now everyone has devices, and if they don’t have one, they will. I have opined at length in other online spaces about how all schools will be 1:1 device schools whether they want to go that route or not, not because of the pandemic (though that has certainly accelerated things), but because educational content providers (textbook publishers) have a lot to gain from simply providing a school district (or college, frankly) with a chromebook for each student included with a content subscription that can be updated at any time and integrated into an LMS. There is real value there as opposed to printing new editions of heavy textbooks year after year and reckoning with the used textbook market. But I digress, my point being, if your child doesn’t have a school-issued device yet, they probably will soon. From the practical perspective of access to the internet, content filtering is really the only difference between a school-issued device and a personal one.

I’m going to pick on my own school district for a minute, because I think this is a particularly heinous example – but my school district blocks YouTube for K-8 students on their devices. The stated reason for doing this is something like “because YouTube’s TOS doesn’t allow children under 13 to use its service” – which is nonsense, because if this standard were actually applied evenly (including to sites like vimeo, which is not blocked but has the same verbiage in its TOS) they would be blocking like 80% of the internet. Anyway.

What is “the thing” a student loses by not being able to go to YouTube, or Vimeo, or any other video site that a school district decides they are going to filter out? Well, it’s a bit of a trick question, and the answer is that most of them don’t lose anything, because they have cell phones. They have had YouTube the entire time.

If they can afford it.

I took a look at VDOE’s most recent spreadsheet for how many students in each school district are eligible for free and reduced lunch (FRL) In Northern Virginia, with Alexandria City Public Schools at 59%, Arlington Public Schools, Fairfax County Public Schools, and Stafford County Public Schools at about 30%, Prince William County Schools at 42%, Loudoun County Public Schools at 18%, and Falls Church City Public Schools at 7%. These numbers, combined with the mission of these districts’ 1:1 device policies essentially being an equity one – “to close the digital divide” – make it pretty safe to assume that a significant number of students don’t have access to technology either at home or in their pockets. For many of them, their school device is the only device they have.

So a school district says – and let me be clear here, that I am not only picking on my district, and that I do think these policies are made with good intentions – here is a device with an internet connection, and we are going to filter the content on it and celebrate our victory over “distractions” and “inappropriate content,” but we know, because we put the program in place, that large equity gaps exist in our communities and can deduce based on real data that these content policies are mostly affecting minorities and the underserved.

I find it hard to have an honest conversation about equity in schooling when we agree that “equity” means “equity of opportunity” when, by overreaching on content filtering, we are depriving the community of people we’re trying to help of the opportunities to grow and learn more. To be sure, there is harmful content on the internet, but determining a standard of “harmful” outside of the obvious (already discussed) is…not really our job as people who work in K12.

(I could write an entire post about how denying access to one harmful resource simply motivates the subject affected by that policy to find their content somewhere else, potentially more harmful, but I won’t even get into it here.)

Consider what capabilities a person with access to YouTube (for example) has compared to a person who doesn’t have access to YouTube, even in YouTube’s beleaguered “Restricted Mode” for K12. If you wanted to know the history of the Cold War, you can know it in minutes. If you want to learn about language, you can. If you want to see the news, that’s there too, and in multiple languages. If you want to become a content creator, you can record a video and publish it, even monetize it. YouTube is not some golden arch through which you will find salvation, and it has a lot of well-researched, well-documented problems, but let’s not make everyone who uses it a victim of “distraction” when the real victims are the people who, by no fault of their own, don’t have phones with data plans or personal devices at home and can’t get to the videos at all. Let’s not pretend that monitoring YouTube content isn’t a weight that literally every parent with an iPad has to bear once in a while in exchange for a few minutes of peace. And there are many K12 districts that block YouTube without considering how they are blocking a technically safe, scalable platform for learning and freedom of expression for lower income families.

Consider also the filtering of online messaging, which many school districts do. It’s a thornier area than YouTube, but consider again who is harmed by blocking a website like Discord. If you rely on Discord to keep in contact with your friends, and you don’t have a phone, you’re worse off than your peers who do. Making students aware of the pitfalls of online communication and providing them the skills they need to become good digital citizens is a harder ask than “well, let’s remove access for everyone” – but it’s the ask we should be answering. Every company is a software company. Every org is a digital org. Remote schooling is here to stay. These skills are more important than ever.

I’ll leave with one last example, and the example that inspired me to write all this up. Earlier this year I was asked via a parent to block a business simulation game called SimCompanies because it was “a distraction.” I took this and understood it to be in good faith, but I played the game a little bit, and stepped out of my lane on it by objecting to the decision to block it. It is a fascinating and pretty deep game from which one could learn a good deal about economics. It was advised that the block remain, and I consulted our firewall vendor to change the content category to the game from “business and economics” to “games.” They refused. I showed the game to some friends – one told me I could probably learn more about business and economics from playing this game than anything I could learn in school, and I agreed. Most school districts would pay top dollar for an educational resource disguised as a game, yet here it was, and the kids were using it, and it was free. But we have the opinion from one parent affecting the filtering policy of 27,000 students.

I think we can do better.

To quote one of my favorite lectures from the game designer of Loom, Brian Moriarty:

“If super power is what people really want, why not just give it to them? Awesome things don’t hold anything back. Awesome things are rich and generous. The treasure is right there.”

School districts need to revisit their content filtering policies. They need to do it through an equitable lens with the understanding that good access to the internet is still, inexplicably, a privilege reserved for those who can most afford it, and that devices for privileged families are ubiquitous while the devices given to them by their school districts are hamstrung by misguided policy. This notion that video websites, social media, online chat, and games are a constant source of distraction for students simply cannot be true when we have an achievement gap correlating with race and socioeconomic status. Districts need to do the hard thing by bringing in community leaders and experts to help train children on the benefits of good digital citizenship and data ownership. Give the kids the treasure. And let’s empower parents by innovating new ways of making school-issued devices compatible with home internet filters.

Reasonable and prudent filtering is OK and good. As obscenity goes in this country, you know it when you see it, but turning people into leaders starts by giving them access to the opportunities and tools they need to grow into the goodness of leadership, not taking them away because we said so.

*I bring up this example because this actually happened to me. Back in the day, Spotify used P2P technology in its application (I believe it no longer does) – the security team on the org thought it’d be a good idea to block Spotify. It got to the CEO, the CEO got upset and overruled us.

Education Serious

On Reopening Schools

Full disclosure: I am an employee of Arlington Public Schools, a K12 school district in Virginia. These thoughts are my own and not of the district or any school.

Two weeks ago, our (then) interim Superintendent distributed (to the public) a presentation about various scenarios of schools reopening in the fall. The scenarios are basically:

Open schools normally, which they say is the “least likely” scenario.
Open schools “sort of” with social distancing guidelines in place and reduced class sizes, a hybrid of distance learning and not.
Open schools with full distance learning, which is described as the “likely” scenario.

As time goes on, and the COVID-19 pandemic abates, and we are engaging in a national discussion about the many parts of systemic racism, and how inequitable access to learning opportunities feeds that beast, I have no idea how we are going to start school with distance learning, or if we can even really consider that a viable option anymore.

Virginia is Reopening Rapidly

As the health metrics for COVID-19 improve in Virginia, the state is continuing its reopening process – we are currently heading to Phase 2 of reopening as defined by the “forward Virginia” presentation from the Northam administration and the Virginia Department of Health. From the presentation, Phase 2 is to last 2-4 weeks or more, which liberally puts us at July. Phase 3, which is more-or-less a return to regular operations, is “10-12 weeks away, or more” – but my interpretation of this is to mean 10-12 weeks away from Phase 1, which is already ending or over for most of the Commonwealth, so we are talking about Phase 3 starting right when school would start.

Risk Consideration

Looking at this timeline, the case for full distance learning seems pretty weak when we consider:

Dr. Fauci is apparently now leading the charge on “thinking about schools reopening.”
The risk of COVID-19 to children is demonstrably low.
The economic impact to at-risk communities of children staying home for distance learning.

Here is the situation: we already know that Black and (especially in Arlington) Latinx communities are disproportionately affected by COVID-19. They are also disproportionately affected by unemployment. They are also (again, especially with the Latinx community, and especially in Arlington County) disproportionately affected by unemployment directly from COVID-19. The children of these communities are the ones who are most likely to receive free or reduced lunches, have no or inferior access to the internet, and are the reason school districts like Arlington’s have an office of equity and excellence.

What about the children?

How do we educate this community equitably when the parents of these children, who have lower-paying service jobs in industries that have been the hardest hit by COVID, are offered their jobs back? The additional funds from the CARES act are slated to expire at the end of July, and when September comes around, Department of Labor guidance isn’t clear on what happens next for primary caregivers of children in the 2020-2021 school year:

“A school is not closed as a direct result of the COVID-19 public health emergency, for purposes of 2102(a)(3)(A)(ii)(I)(dd), after the date the school year was originally scheduled to end.”

Does “the school year” mean 2020-2021 school year as well? If districts move forward with a hybrid opening, this would seem to not apply. It would seem like it does apply for families if districts go fully distance learning, but again, this is after CARES act funding runs out, and $378, the maximum unemployment benefit in Virginia, does not go very far in Arlington.

This is while children of wealthier white parents, who have more of an ability to work from home and have more flexibility to hire caregivers and private tutors, have more opportunities to access a quality education during a full distance learning scenario.

The issue of child care (school) and faced with the prospects of being out of work without access to financial benefits, especially for minority and at-risk communities, seems untenable. It also seems unlikely that we will be able to get children to follow social distancing guidelines.

Our options (assuming a vaccine isn’t completed before September, also not likely) seem to actually be:

Reopen school as normal, and do our best to follow social distancing guidelines, and accept the risk of COVID spread.
If we do distance learning, greatly expand financial and unemployment benefits to families of at-risk communities, which is not something a school district has the ability to do, and with Fauci now calling for schools reopening, seems almost an impossibility.

Neither of these solutions seem good. I don’t have the answers, but we need to be talking about this and figuring it out – quickly.