Self branding, or why your boss should not know your handle

In recent times, where most people work on their own (entrepreneurs, contractors, etc.), the field of branding has gone from being a thing corporations and companies do to something everyone should think of. However, in this post, I would like to explain the polar opposite I am striving for: Being a ghost (and leveraging that as branding).

TL;DR: Brands are bullshit. Who needs your name and your work experience? Your potential employer. If you share everything as yourself, they will find some potentially unwanted info and may not hire you based on that. If you separate your social shenanigans from your real name, you can limit what you tell your employer and what they could ever know about you. Also, I can say from experience that a “data void” is an impressive feat in today’s world and may get you hired more easily.

Branding for individuals

The usual grind today, if you want to be noticed and having opportunities thrown at you left and right, is to have a brand around your name. Having your name as well-recognized as Lenovo, Google, or any other tech/banking giant is the peak of a career. There are people whose reputation precedes them. If someone like Jenny Radcliffe, Deviant Ollam, or Tracy Maleef walk into your office, there is a high chance that at least one (most likely more) of your IT people will know who they are. That is a reputation built around skills and visibility. There are podcasts, videos, appearances, talks, so you get a good idea about what these people excel at. In short, these people are celebrities in their niche.

It may take years, maybe decades, of training, honing skills, as well as putting out content, to acquire the visibility needed to achieve widespread recognition. In some areas, this fame is positive (as in the above examples), but it can be negative as well (stealing millions from a bank might get you fame, but not necessarily in a good way). Both may be leveraged to get well-paid positions, but it all depends on which route you want to take.

As the old saying goes: If you work hard, you can be a well-paid security consultant in 15-20 years. If you go to jail for a high-profile attack in IT, you can be a well-paid security consultant the day you get out of jail.

Security turns reputations upside down

One thing I notice, particularly in the security circles, is that reputation does not necessarily have to be tied to your name, your face, your country. Some people in information security don’t need a face. They don’t need a name, a public image, they do not need to represent their company, and they still get offers. I know several people who I could never meet unless I contacted them first. These people have no face, no name, just a handle.

What are the main pros? Your name is safe and secure. Your name is not tied to your handle (unless you want to). The experience you acquire is still going to be yours, no taking that away, but having your online persona separate will give you numerous perks:

  1. You can get good at storytelling
  2. Your actual personality stays safer from negative impact
  3. You are a ghost, and that counts for something in security!

All of these points may sound similar, and in many ways, they are. However, you may take each point individually. Mix and match, try two or three tips at once!

Storytelling level: 100

Once you detach your person (name, age, history, race) from your online handle, you get much more freedom to what you want to say. Some of the aforementioned may be beneficial to you, but this depends on you. Where in your real life you cannot hide any of these, a handle is a blank slate. You can build anything on top of a handle, and you can omit anything.

Furthermore, since your handle can omit everything, your sole way to a successful “brand” is by actually being good and having something interesting to say/share with others. You may take your experience for granted when starting out, but then again, all of our experiences are different and your spin can be something unique. This is what matters. Unique, new information. Writing anonymously may set you free from any negative impact you may be subjected to. Your work will stand on merits, and merits only.

Sure, you may want to tie certain aspects of your life to a handle, but consider the following point.

Keeping yourself safe

Let us assume you run a blog, and amass a certain following. However, times change, and what was once allowed and okay (talking about government overreach, pointing out injustice in any area that impacts you) may no longer be considered A-okay. If you’re running under your name, building your brand, that may cause you to get into trouble in the future. Having a handle with no solid connection to yourself? That’s easy, just burn it and make a new one. You may lose what internet clout you had, but as mentioned above, you keep everything you did. The only thing you lose is a list of followers.

The absence of information may be more telling than being everywhere!

This is actually the way I tried to go (and probably failed at this point, I may have to burn m4iler and start over, or move to the other side of the Earth and find a new employer): Not doing squat under your real name. This is by no means a necessary thing to do, you can always put your name to something you are passionate about, but me being a paranoid person, I took this route.

I don’t have a Facebook account, I no longer have a LinkedIn account, and I don’t have any social media anymore that has my real name on it. Sure, my history may be still logged somewhere and people who I told my real name to still know my name (I haven’t changed it in a while). Now, it may be hard to network in normal life (I cannot point to my LinkedIn where a recruiter may see my employment history, what I did, what I trained), but consider the following:

NOTE: This applies to security specifically, but I usually write about infosec, so you may have expected that already. Putting it out there.

You apply for an interview. Since you don’t have LinkedIn, you have to find a company some other way. No worries, your google-fu is good, so you find some e-mail addresses and openings on several sites. You send your CV (I use my real name, your mileage may vary) and wait. Now, you did not include anything too identifying in your CV or cover letter, so you are calm knowing that only the important stuff gets to the people in charge of hiring.

What happens between you sending a mail and a recruiter inviting you for an interview? Since your CV looks interesting enough, the recruiter will look you up. You must have a footprint, right? Some social media where you share your likes, some professional portfolio, anything that may sell you to the company better, or disqualify you for an interview (if you see that someone drinks too much and has a rep for stealing office supplies, they may not be a good choice). A lookup is usually quick, recruiters look into social media, search engines, LinkedIn, and any other source they may be using, usually free of charge. Sorry to break it to you, but most companies will not care about you enough to put a private eye to tail you and find some reasons not to hire you.

Every recruiter usually finds something. Very often, something you may not have willingly shared with the company, but if it’s out there, someone will notice it.

You were one of any number of applicants, but instead of putting your name out there and building a brand, you keep all your fun under a handle. If properly separated, nothing leads from $LEGAL_NAME to your handle. This means that the internet footprint for Jimmy McJimface is extremely, almost disappointingly, small. There is nothing on this person, does that person even exist? After hours of digging, all that was found was a high-school photo, but ever since this person started in infosec, there is no public information. This person does not exist online, as far as some light OSINT is concerned!

What does that signal to a security company that you applied for? Either that you are using a fake name (Jimmy McJimface did sound fishy, after all), but in cybersecurity, why would you not? We all hear about the attacks on people using what they willingly share, and by sharing nothing, you keep your personal life separate. To someone like me, that is a definite sign of that person walking the walk.

In closing

Although it may be very beneficial to build a brand around your name, it is your only shot. Any future employer will look you up, read what you post online, and may decide not to hire you based on your views. Sharing a lot online may also put you under more scrutiny, since if you run your mouth, it may not be good to hire you as a consultant.

If you are afraid these may be an issue, try “ghostmaxxing.” Get a handle if you don’t already have one, and do all your clout collection in there. We all crave attention, and this way, you can do whatever you want and still go to an interview and not be asked about those frequent midnight tweets about “cute femboys, cocaine use and your programming socks collection”.