College and Infosec: To Degree or not to Degree?

So, you love to hack, and you’re going to get that dream job in infosec! Except, now what? A wide array of certification firms and colleges are willing to sell you an infosec program, with shiny advertisements and clever sales pitches. Unfortunately, college is massively expensive in the US, and the learning environment isn’t great for everybody. Is it worth the money and effort to get that Bachelor’s in Cybersecurity? Will a degree in an unrelated field do the trick? Will not getting a degree come back to bite you years later?

***

College degrees. I’ve found few topics aside from vulnerability disclosure in information security which raise so much raw emotion and fierce debate. In the interest of giving a well rounded and diplomatic answer about their value, I’ve once again asked several exceedingly qualified people to join me in sharing their time, experience, and ideas on the subject. Through a series of ten questions, each of us has weighed in on some hefty questions about the value of college education in learning about information security, getting an information security job, being promoted, and showing credibility.

Please allow me to introduce today’s contributors, who have generously contributed their time and thoughts:

Daniel Miessler, I’ve been in information security for around 18 years, with most of my time in technical testing (thick, app, web, mobile, IoT) and consulting. I lead OWASP’s Internet of Things security project and run a website, podcast, and newsletter where I talk about infosec, technology, and humans. More at https://danielmiessler.com/about.

Tarah M. Wheeler, Tarah Wheeler (BA, MS, CSM, CSD) is Principal Security Advocate & Senior Director of Engineering, Website Security at Symantec. She is the lead author of the 2016 best selling Women In Tech: Take Your Career to The Next Level With Practical Advice And Inspiring Stories. She co-founded and now serves as board chair for Fizzmint, an end-to-end employee management company. She has led projects at Microsoft Game Studios (Halo and Lips), architected systems at encrypted mobile communications firm Silent Circle, and holds two agile development certifications through the Scrum Alliance. She founded Red Queen Technologies, LLC & Infosec Unlocked. She acquired her startup funds by cleaning out poker rooms in the Northwest and Las Vegas. Reach her at @tarah.

Robert Sheehy, @helpmerob. Helping “people” with “stuff” while holding a senior management role in infosec.

Space Rogue, Looks like everyone else is putting their corporate bio here, uggh. I’m just some guy, ya know? I’ve been around for a while and I’ve done some stuff. I currently work as a Strategist for Tenable, [@spacerog http://www.spacerogue.net]

Chris Sanders, Chris Sanders is an information security author, trainer, and researcher. He is the founder of Applied Network Defense, a practitioner focused information security training company, and the Rural Technology Fund, a nonprofit devoted to providing technical education resources to rural and high poverty schools. He is the author of the best-selling security books Applied Network Security Monitoring and Practical Packet Analysis. He also hosts the Source Code Podcast., [@chrissanders88, http://www.chrissanders.org]

Jessica Hebenstreit (@secitup),  I’ve been doing security for almost 17 years.  I got a lucky break early in my career at Motorola as an Intern and have been doing InfoSec ever since. I’ve done a lot of different roles in a few different verticals.  I always come back to Ops and IR. Creator of the DREAMR framework, speaker and volunteer.  I am active in the security community and enthusiastic about making the industry more inclusive and accessible. https://twitter.com/secitup/  https://www.linkedin.com/in/jessicahebenstreit/

Without further ado, let’s launch into some of the most contentious questions about career paths in the industry!

***

  1. First of all, the elephant in the room – did you go to college or university yourself? If so, did you get your degree before or after you started formally working in security?


    Jessica: In short yes.  However my academic career was varied, and longer than a traditional “4 years”.  I started at Iowa State University in the Computer Science program.  After a couple of major changes (because I am not great at coding and suck at math), along with study abroad experiences and transferring to Arizona State, I graduated with a Bachelor’s degree in Interdisciplinary studies with a focus on International Business and Spanish.  I was fortunate to start working in security as an Intern at Motorola for 3 years prior to graduation.  I was offered a full time role that I began prior to actual graduation.  I also have a Master’s degree that I obtained in 2012.

    Space Rogue: I started school like everyone else but quickly ran out of money despite the GI Bill.. I was able to get good paying IT jobs anyway and figured I didn’t need a degree. Then one of the many recessions in my career hit, I found myself out of work with few opportunities. I could almost always get an interview based on my resume and experience but on more than one occasion after the third or fourth interview I was asked, “So I don’t see a degree on your resume, do you have one?” I would answer truthfully, “No, but I have years of experience and have done all these great things, blah blah.” and I was told “Thank you very much, we’ll call you.” After the fourth time in a row that this happened I decided I needed to get a degree. It took me several years of online and night classes but I finally graduated.

    Chris: I had an opportunity out of high school to take a computer network consulting job that would have put me in the top 1% of earners in Mayfield, KY. Of course, that was making 40K/year as Mayfield is a very rural, high poverty area. I’m fortunate that I had a few teachers who really cared about me and got it through my head that my ceiling was much higher and a degree would help me realize that. I ended up completing my bachelor’s, master’s, and am currently working on my PhD. I couldn’t afford college and didn’t receive nearly enough financial aid to pay for it all, so I worked full time (and then some) while working through all of my degrees.

    Robert: I received a two year degree in computer programming, although I have been considered a hacker since my early teen years. I’ve undertaken a significant number of independent studies since getting my degree, most of which did not result in a formal credential. I’ve taken and passed well over three dozen various IT and infosec certification exams, with close to a dozen still being active. Most of them demonstrate a minimal understanding of baseline requirements and not of advanced expertise. I feel that some people are way too proud of their credentials and certifications.

    Tarah: I went to college before formally working in infosec, though I’d been doing hardware assembly and servicing since 16 and coding since I was about 19. I got degrees in international relations and political science with quantitative elements. I have a BA and an MS, and in my experience, no one at all cares if those degrees are in cybersecurity or not. They’re an absolutely indispensable box tick when it comes to getting past HR, however.

    Lesley: I hold two Associate’s degrees (Avionics and Electronics) which were more an accidental byproduct of completing a lot of coursework than anything else. My Bachelor’s is in Network Engineering. I received it before working in infosec formally and after joining the military (thank you, G.I. Bill!). There weren’t really any security specific degree programs yet at the time.

    Daniel: I did go to college, for four years, but I left before graduating to start my professional career in infosec without a degree. I’ll be completing my bachelors soon and moving on to a Masters. At this point it’ll be just to check the box and for the fun of it.


  2. Based on your experiences hiring entry to intermediate-level infosec professionals and working in the field yourself, where do you fall on the spectrum of extremely pro-college, somewhat pro-college, neutral, somewhat anti-college, or extremely anti-college?


    Chris: Somewhat pro-college. I think everyone can benefit from being surrounded by a group of people who are devoted to learning. However, I recognize that it isn’t for everyone and finding the right faculty/college/program is non-trivial. All things being equal, if I’m choosing between two candidates I will go with the person who has a college degree.

    Tarah: Somewhat pro-college. I don’t think in any way that college is a prerequisite for being in security. I think it’s a startling leveller when it comes to diversity in technology, and one of the challenges employers are always facing is how to justify hiring someone who doesn’t “look” like a hacker or coder. I have, in my several previous positions, had to fight like a dog to get a woman or a person of color or someone queer to get hired, and sometimes the only ammunition I have is that they have a degree, and the more stereotypical (and often less-well qualified or experienced person) doesn’t. When I’ve been the CEO, I could just say “you’re hired,” but when I’ve been in a hierarchy, I have had to, in the past,  justify my decisions to a structure that doesn’t always understand the hacker mindset.

    Space Rogue: Neutral. Personally I would rather hire someone with at least some experience than just a college degree. I am always looking for someone who has done something, anything, real as opposed to just book learning. But I also realize when it comes to hiring managers I’m probably a bit of an anomaly. As infosec as an industry matures it is becoming more and more difficult for entry level people to stand out amongst the crowd. There is a lot of talk about the talent shortage in infosec but that really only applies to the mid and high level. The entry level is awash with people just finishing college with their newly minted degrees all looking for some way to stand out.

    Robert: Neutral. There needs to be experience outside of school for anything beyond entry level. Without experience, a credential can help to demonstrate that the candidate can see through a formal curriculum program to completion.

    Jessica: Somewhat pro-college, I believe some are “late bloomers” and that college right out of high school may not be for everybody.  I think more doors are opened for college degrees. I also think college gives one a variety of experiences and challenges one might not encounter otherwise.  I also realize college is expensive, at least in the US and for that reason alone can be out of reach for some folks.  I am still deeply in debt for my degrees.

    Lesley: Somewhat pro-college. I see more benefits than negatives, but it’s not for everybody and it’s extremely expensive in the US.

    Daniel: Somewhat pro-college. There are skills you can get from university that you don’t usually get other places, but it shouldn’t be considered a must for most infosec positions. This is something Google figured out when they did their big study of what variables make people successful. They expected to find that great colleges produced the best workers. Or people with the best grades, or who interviewed best. But no–they found few correlations with any of this stuff, and they were forced to accept that there’s no magic variable to any of it. Their people who went to college or didn’t, or went to a small school vs. a big famous one, didn’t show much difference in their performance. It turned out to be all about the management of the team that made the difference, but that’s a story for another day.


  3. What are some skills, motivations, and credentials that stand out to you the most on a entry level infosec résumé (before the first phone screen)?


    Space Rogue: I look for anything done outside of school that is relevant to the job. I want to see some kind of passion for the work, at the entry level it doesn’t have to be much but something. If the resume is nothing but degrees and certs and zero extracurricular things they will unlikely get an interview from me. If a person has no relevant work history at all then I want to see non-relevant work history. To me work history, any history, beats formal education every time.

    Chris: I don’t expect much out of an entry-level resume and put very little stock in them. I rely much more heavily on the interview and wind up interviewing most of the people who apply to an entry-level posting. Hiring is the most important decision I make, so it’s well worth the time spent. As far as resume content, it’s an entry-level job, so I don’t expect them to be passionate or display that on the resume yet. I want them curious, and then as their manager it’s my job to help them evolve that into passion. That said, if someone has already started learning about the field I think it’s great to list what they’ve been learning, how they’ve been learning it, and who they’ve been learning it from. I also value resumes that show involvement in service projects. People who have a servant leadership mindset and are willing to give of themselves are the type of people I want to work with.

    Tarah: Have they built a computer from parts to booting? Have they contributed to an open source project…even so much as a pull request to fix a typo? Have they built a website? Have they tried to harden their home network? Have they ever demonstrated that they’re willing to help others by posting blogs or information or answers? I don’t much care if they feel like they’re good people or if they love animals. I care what they can *do*. No one can hire solely on potential; you must demonstrate some of your ability.

    Jessica: Passion for the industry is something I definitely look for.  Personal projects that one can speak to such as those on github, or a blog.  Competing in things like CTFs or other contests, volunteering and other involvement in conferences, competitions or other projects show a passion for industry.  

    Robert: Personal initiative and interest in information security. The best professionals are passionate about what they do.

    Lesley: Speaking, presenting, competing, or working at infosec conferences. Other participation in the security community through projects or meet-ups. Some type of dedicated coursework that demonstrates good systems and networking fundamentals, or equivalent work experience in another IT field. Some college is a plus, but the degree doesn’t have to be technical. Overall, I look for motivation to learn and succeed.

    Daniel: Having a website or other home for projects you’ve created or helped with. Projects show passion, and passion is a powerful force for improvement. If you’re actively working on projects in your field there are few things that are more compelling to a hiring manager than seeing actual fruit of that curiosity and skill.


  4. Can you think of a situation in which you might recommend that an entry-level person who is interested in security not get a degree?


    Space Rogue: I don’t think I could recommend anyone not get a degree ever, not in today’s job market. In the 90’s and early 2000’s almost nobody had an infosec degree because infosec degrees did not exist. Everyone was self taught so if you didn’t have an infosec degree you were no different than anyone else. Infosec or more accurately ’cyber’ degree programs exist at just about every college and university today. If you decide to not get a degree you will be at a pretty big disadvantage compared to everyone else competing for the same entry level job. That said, if your resume makes it to my inbox I won’t really care if you have a degree or not if your resume shows that you have the experience and or skills for the job. But then I’m probably not the hiring manager for the job you are applying for.

    Chris: I had to work 60+ hours a week to pay for college and even then I still have fond memories of standing in Wal-Mart calculating what foods had the best dollar/calorie ratio so I could spend as little on food as possible. You have to REALLY want it sometimes (or just be deathly afraid of failure). If you have hardship to deal with, whether financial or family, you have to figure out how much pain it will cause you and whether the upside reward is worth it. For some people, it simply isn’t.

    Tarah: No. Sure, save money and do some at a community college, do the GI Bill, do a state school and be a big fish in a little pond…but I simply cannot in good conscience knowing what today’s job market looks like and how overheated cybersecurity hiring is going to be for the next ten years recommend that someone not get a degree. Note here that I don’t give a damn what your degree is in. Neither will anyone else past possibly a couple of people in your first entry level jobs. Just get one. And get an MS if you can. It’ll pop your earnings drastically long term and is  a HUGE leveller for diversity in tech.

    Jessica : No, I’ve spent quite a bit of time thinking about this question recently and I really cannot come up with a scenario where I would recommend not getting a degree. Even if you have to go part time while you work and it takes years and years, I strongly believe you will be better off in the end with the degree.  I think there are definitely outliers that find vast success on skill and reputation alone, but those folks are few and far between (you know “outliers”).  I’m seeing more and more organizations that are putting in hard and fast degree requirements, particularly in healthcare and high education, without which you will quickly reach a ceiling.  I’ve seen this ceiling as low as not going past a Senior Analyst/Engineer without a degree.

    Robert: College degrees are only one way to show that you’re well rounded and take your professional development seriously. An individual’s personal situation and experience must be considered in respect to what is the best focus of their professional development efforts. Particularly if student loans are involved, the long term debt accumulation might not be worth it. Focusing instead on a certification could serve as a first helpful step towards gaining that first position in infosec.  If working as a contractor it might be wise then to defer schooling even further in your carrier until obtaining a permanent position that offers tuition assistance. With professional momentum and outside self study, you might get to the point in your career where your professional experience are accepted as substitute for the formal accreditation. World travel, for example, can be used to demonstrate educational sophistication in lieu of a degree.

    Lesley: If they’re only interested in the money or prestige as opposed to the work, or they haven’t done anything to learn about the field before launching into a degree. Also, if they already have a strong network of infosec contacts and going to school would interfere with taking a great opportunity immediately. Lastly, if it’s a significant long-term financial burden, college may simply be unfeasible.

    Daniel: If they already have some significant level of skill that makes them competitive and they’re being offered a job in the field similar to what they’d get when they graduated. Even then, if it would be relatively painless, I’d say get the degree just to have the checkbox, but if it’s overly difficult and you already have the skills required to get a job, go for it. It all depends what you’re looking for. If you just want to get into the field, you can do that. But if you want to make it to the top at a big company, you’ll probably need a bachelor’s and/or masters.


  5. If an entry or intermediate-level infosec person chooses not to get a degree, what are steps do you suggest he or she take to mitigate this when applying for jobs or promotions (which may state college as a requirement or preference)?


    Space Rogue: My first bit of advice is to realise that without a degree there are some jobs where your resume just won’t make it past the first level of HR. However if it is a job that I am hiring for and your resume can actually make it to my inbox then I will want to see some sort of experience. Something that says you are really interested in this line of work, volunteering at an infosec conference, a github project, contributions to an OSS project, participating in the local citysec meetup, something, anything.

    Chris: While this may be an unpleasant fact of life, not having a degree may affect your ceiling because some organizations value it. However, for the job seeker there is a benefit that infosec is in a skilled worker shortage. If you can develop skills in areas where need exists, you can find a job. However, you need to be able to show those skills in some way. For some people that might be a certification, for others it might be a github repo showing a project, and for others it might be a blog. Once you establish one or more of those things, focus on connecting with real people instead of relying on HR gatekeepers and automated systems. Do your research, find people working in or hiring for roles you want, and reach out to them. Even if it doesn’t lead to an immediate job, you might find a mentor or build a long-lasting relationship.

    Lesley: Network, network, network. You’re going to get blocked at a number of HR filters, which are automated and unforgiving. So, your hopes lie with name recognition with hiring managers who can tweak postings for you or somehow bypass the computer. This means proving your competence through projects, community participation, and being articulate. Currently we’re in a skill shortage, which plays in your favor in this scenario. This gap is decreasing, starting with entry level as more people graduate from cybersecurity training and degree programs. Certain geographic markets will take longer to catch up than others, so looking outside your local area may help.

    Robert: It is not a degree by itself that makes someone qualified for a senior position, rather they serves as a proxy to be used by the hiring managers to measure capability. This requirement can be substituted, but constructing the best argument to support your personal experience as a worthy substitution is completely on the individual. Non-traditional education can stand for formal degrees, but it may require a substantial effort to make the case for your specific goals, and are likely to require repeating every few years.  Always address any concerns about an educational deficiency in your resume head on when pursuing a new roll. It can go a long way to submit a well written statement in response to any concerns that you’re willing to obtain whatever credential is expected while working in the position, along with spelling out in detail how your specific personal accomplishments and experience directly address the traits your target is hoping are demonstrated by having the degree requirement.

    Tarah: Get good and get well-known for it. Get a CISSP, which is the bareass minimum you’d need to get past HR without a degree at some infosec jobs. Network your ass off because without a degree, you’ll suffer for recruiters contacting you. Figure out how to get some publicity. You must, must, must begin speaking and teaching widely.

    Jessica: First of all take a long hard look at where you want your career to go long term.    I think these decisions are made with a short to medium term outlook.  Come to peace with the fact that you are likely closing doors and limiting your upward mobility.  That said, get certs CISSP is a must to get past HR, I also recommend several SANS certs, maybe the OSCP, depending on which area in security you want to be.  Lastly, get your name out there, network, get on twitter volunteer and/or speak at every conference you can.

    Daniel: If they’re just starting out and don’t have a degree they’re going to need to show proof of existing skill. That usually means blogging and projects showing your abilities. Show vs. tell is a powerful concept in today’s market.


  6. Conversely, can you think of a situation where you might suggest to an infosec candidate that he or she should get a degree? If so, which skills would this most enhance?


    Daniel: I’d say get a degree if it’s at all easy for you to do so. If it’s paid for. If it’s an easy program. If your friends are there anyway. Etc. If it’s not going to put you out too much, or if you don’t have any skills at all and you need to learn fundamentals in a structured way. The other advantage is just rounding out your writing, general education, etc., which are important for advancing to later career stages.

    Space Rogue: Getting a degree is not going to hurt you. You will never be disqualified from a job because you have a degree. It is possible to get a degree without spending fortune and going into debt. You can either get a degree to actually learn something or you can just get the piece of paper. Either way a degree can only help you. If you are going to spend the time and money to get the degree you should try to actually learn something. I would focus on any hands on classes where you can actually work with production systems, even if they are simulated. Learn to code. Any class that allows, no, encourages you to break things.  

    Lesley: When you can’t fill more than half a page, single spaced on your resume with IT-relevant skills or experience, it’s definitely worth considering. Also, some companies and government agencies value degrees very highly as a corporate culture, and degrees may be tied fundamentally into future promotions or pay raises. If you’re looking to join one of those organizations, or you want to stay in one, it may be time to start planning ahead. Finally, if you have G.I. Bill or your employer pays a significant portion of tuition fees, it’s prudent to not waste free money.

    Chris: If you are capable of getting a degree, you should do it. There are immense benefits to being surrounded by people whose goal is to both teach and learn. Not only might you actually learn something, you’ll also learn how to think differently and be exposed to viewpoints differing from your own. In real life you have the option of filtering out people who you don’t agree with. In academia, that is a lot harder and it forces you to think about things you’re not used to thinking about. This also makes you better at debating, presenting information, and incorporating new information into your existing viewpoints.

    Robert: College can be fun, you can learn a lot, and start networking with other future professionals early. What degree you get likely does not matter for a career in infosec, but I would recommend sizing any opportunity to get a degree if it does not come with a significant debt burden.

    Tarah: Getting a degree cannot possibly hurt you. The Pareto-optimal solution is to get a bachelors in any field as cheaply and as rapidly as you can. Unless you are graduating top of your class in CS at Stanford or MIT, no one cares.

    Jessica: Getting a degree, any degree is not going to hold you back. If you have a desire to someday move into leadership a degree is going to help to facilitate that.  I know a lot of folks in security that do not have technical degrees; archaeology, accounting, psychology, business, women’s studies to name a few. I also know several folks that didn’t get a degree and are now finding roadblocks to advancement because of it and are now going back in their late 30’s and 40’s to get the degree while also now balancing a job,  spouse, kids, etc. which makes it that much more difficult.


  7. Assuming an entry or intermediate level infosec person has decided to get a degree, do you find more value in non-technical degrees or technical degrees? Is there any value in a minor in a different field? Does it matter at all from your perspective or management’s?



    Daniel: I think technical degrees are preferred. CS is preferred but CIS (what I did mine in) are also solid. The more you get away from those the less value it’ll have for infosec jobs. But keep in mind that many companies are just looking for the bachelors checkbox. This matters most if you’re looking to a formal hiring process at a very large or prestigious company, where CS and CE are preferred.

    Space Rogue: If you just want to pass the first entry gate of HR then get a degree in basket weaving or creative writing or philosophy. The automatic system scanning your resume won’t care and will sort your resume into the ‘with degree’ pile. Assuming you focus on a ‘cyber’ degree your minor will depend on what your long term goals are. If you want that CSO/CIO job in 20 years then look at a business or even accounting minor but I wouldn’t discount an art history or western civ minor either. You might be surprised at what lessons from other fields can be applied to infosec.

    Lesley: What you gain from a degree is much more fundamental than technical minutiae, which becomes obsolete quickly. Lots of skills one learns in college are ubiquitous across majors. Business, language, and communication courses provide important insight in our field. From a technical degree, you should concentrate on gaining a solid understanding of how things work at a fundamental level: programming, the telecommunications infrastructure, attack vectors, and common system architectures. Learning how to use a specific tool is rarely helpful after a couple years, and I see few course curricula that aren’t already several years out of date. You should be learning how to think logically, continue learning, and express your thoughts professionally.

    Chris: The unfortunate fact of our industry is that most university degrees don’t actually teach the skills necessary to do the job well. There are a few pockets of excellence and great instructors scattered here and there, but they are rare. Traditional computer science is great at building engineers and programmers, but not information security practitioners. Dedicated programs for information security are often dramatically out of date and focus on the wrong things. For that primary reason, I urge people to get degrees in other things while studying infosec through non-traditional means. This also has an added benefit of bringing “outside” perspective into information security, which is much needed and helps set you apart. I perk up when I meet someone who has a degree in physics, psychology, engineering, english, or something completely unrelated to tech. I can’t wait for the day where I feel good recommending people pursue information security degrees, but that day isn’t today. You can come from anywhere and be an effective infosec practitioner, but the ability to think in a way that is unique from your peers will help you move up quicker in many cases.

    Tarah: There’s a hack here. The hack is to get your degree in whatever you can get paid for or most cheaply–and to take research methodology or EECS or applied math courses alongside. This is what I did. I have a decade and a half of technical coursework that bumped my skills to next level in math, data structures, computer science, electrical engineering, social network and complexity theory, etc. You can pick and choose what you emphasize as you speak to employers. I personally find that people with philosophy degrees make magnificent programmers, and people with math degrees make magnificent philosophers.

    Jessica:  Get any degree.  I think there is something to be said for applying ideas and learnings from one field to security.  I started out in a technical program (computer science), but had a hard time with programming classes (I took intro to C++ 3 times) and math classes (Calculus I 3 times as well!) and it wasn’t feasible for me to continue this path.  I went into my manager at Motorola where I was interning and she said something along the lines of:
    “Jessica – you have a job here but you have to graduate at some point.  I can’t hire you without your degree and you can’t continue as an intern without being in school. You work for a multinational corporation get ANY degree that could be applicable.”

    I then scoured the course catalog and settled on International Business and Spanish.  There is a lot to be said about being well rounded and not having all of your knowledge in one basket.  I’ve also never had an interviewer ask “why International Business and Spanish; not CS/CIS/MIS/etc.?”

    Robert: Since any degree is unlikely to actually provide you the core skills you need to be successful in infosec, the degree pursued is insignificant. I’d recommend taking a topic you find interesting that you will see through to completion.


  8. Considering candidates you’ve interviewed and current cybersecurity curricula at a variety of institutions, would you recommend cybersecurity-specific degrees at all? What would you consider some indicators of a good and/or a bad infosec degree program?




    Daniel: I generally judge programs by big vs. unidentifiable names. If it’s a big name school, or a big CS school, that’s a plus. If it’s a no-name school then it’s just a CS checkbox, which is still positive. Most of the benefit of someone from a big name school is the fact that they got accepted in the first place.

    Space Rogue: To be honest I am not super familiar with the various programs that are out there. I know some are a lot more hands on than others but if I am looking at a resume I am unlikely to research your school to see how good of a program they have because frankly I don’t care. However, if you are looking to actually learn something then look for a program that has additional certifications. Something like the NSA’s National Centers of Academic Excellence in Cyber Defense or other certification.

    Lesley: I see too much focus in most “cyber” programs on specific tools and minutiae, as opposed to critical IT fundamentals which are so important to being a good hacker or defender. Also, I see an unfortunate tendency to gravitate towards the cool, theoretical, and “sexy” as opposed to less exciting but more relevant skills. For instance, my ongoing gag gripe is about every Forensics major I meet doing their thesis on steganography, which is relatively rarely seen in real practice. The same people often aren’t comfortable with memory forensics or timelining. There’s a lot of pragmatism in real life infosec. Overall, ensure that the program has plenty of general IT courses that build a good understanding of how systems work, and references real life cases.

    Chris: Our industry is really good at building excitement around topics like breaking and hacking. Unfortunately, those aren’t the skills you learn first and they aren’t the areas where the most jobs exist. Most cyber security programs gravitate towards those areas and skip over the fundamentals. The ones that do see a need for the fundamentals often think those fundamentals are computer science. While computer science is foundational, you don’t need to be an expert in mathematics or embedded systems to be successful in the vast majority of infosec jobs. For these reasons, I have a hard time recommending cyber security degree programs. I’m hopeful this will change at some point when more experienced practitioners find their way to academia, which is happening. Universities needs more instructors who have been in the trenches, but also understand academics and what foundational knowledge is critical for our field.

    Tarah: Only the power of your alma mater’s network matters here. Unless you’re going to UW, CMU, Stanford, MIT, Berkeley, or a similar program known for tech, your best  move is to learn what you love and add tech as tools for you to use. That will be reflected later in your work and career.

    Jessica: I feel like a lot of the “cyber” programs are reminiscent of the MCSE bootcamps from the early 2000’s and other certification mills.  If that is the program you want, then find a quality one.  Otherwise go for another degree.  Cyber programs also need more folks that have been actual practitioners to teach actual skills that will be used.  Having a good foundation, rooted in theory is fine and in some cases needed; however  I see too many candidates now that can memorize the buzzwords and talk very shallowly about a concept but cannot apply it in a meaningful way.  Additionally, critical thinking and analysis skills are sorely lacking.  Those are hard to teach but it’s really hard to be a good Security practitioner (particularly in a role like SOC or DFIR or Red Team) without those skills.


  9. At this time, (or in the near future), do you foresee any potential benefits in the infosec field in going on to get a graduate degree?



    Daniel: Yes, if you’re interested in working in any sort of formal field. Like government, or a big company in a specific department, like data science. Other than that, the bachelors is usually quite sufficient. The other thing a Masters is good for is that it’s somewhat important for senior roles in big companies, or top roles (CISO) at any company, if you think you might want that later on.

    Space Rogue: If you really want to differentiate yourself in the job market then yes, get a graduate degree. But this really depends on your own personal long term goals. If you really want to be a scapegoa^H^H^H CIO/CSO than a graduate degree will be a big help in achieving that.

    Lesley: I can see two situations where this would be desirable. The first is when it is likely to be required for a desired promotion in the future (I do see Master’s Degrees, especially MBAs, preferred for senior leadership positions). The second is when one’s intention is to stay in academia or dedicated advanced research. I rarely see graduate degrees greatly preferred over a Bachelor’s degree in entry-to-intermediate level infosec hiring.

    Chris: If you are thinking about a masters degree then you should have a sense of how much you enjoy your current work and where you want to go with it. For example, if you want to get into business leadership then something like an MBA might be helpful. The thing here is that you shouldn’t just pursue another degree because you feel it’s a requirement to get someone you want to go. Chances are, with persistence you might be able to get there anyway. You should pursue another degree because it will introduce you to new ways of thinking and teach you things that will be more fulfilling to you on a personal or professional level. I pursued a master’s degree in homeland security because I was interested in national defense and public policy. That provided valuable perspective that I apply in multiple areas of my life. The more successful people I’ve seen often pursue master’s degrees in things a bit outside their normal comfort zone. The key is that it should be about learning, not about checking a box.

    Tarah: Hell, yes. It’s definitely put me at the top of lists. And my MS is in political science, don’t forget. It’s just a box to check. Get a law degree or an MA in English–it just doesn’t functionally matter.

    Jessica: some industries are now requiring this in order to be in a management/leadership position.  I would not have gotten my job at Mayo Clinic without my master’s degree, they require it for Director level positions.  I think there is going to continue to be more rigor there. I know my Master’s has opened other doors for me as well.  I do wish I would have gotten a JD or MBA instead of my MSIT.


  10. Anything further you’d like to add on the topic?


    Space Rogue: In the ongoing twitter debate there have been a lot of comments about the cost of college. While a traditional name brand four year school will cost a pretty penny there are ways to get an accredited degree without going into huge debt and spending a fortune. Without going into super detail here are some thing for you to google on your own.  Look at your state school, often much less expensive than a private institution. Don’t forget you can start out at a local community college and transfer the credits later. Also depending on what program you are looking at many schools will offer credit for life experience, if you know who to ask. One of the best ways to get credits for little money is the College Level Examination Program, again depending on your school you can get up to two years worth of credits for $80 per class. Anyway if all you’re looking for is to check a box and get a degree cost is not a valid excuse.

    Tarah: Either the hiring manager wants to bring you aboard or they don’t. If they do, they might need extra ammunition for their choice of you over someone else. Make it easy on them by sticking every letter you can behind your name (on LinkedIn, not in your Twitter bio). I want to emphasize one last time: degrees and certifications are the big leveler in diversity. I have a growing body of anecdata that is burnishing my now gold-plated theory that women, POC, and queer people benefit disproportionately from getting degrees and certs. That typically manifests itself as a drastic uptick in recruiter approaches at each career level when you update your LinkedIn in a way that doesn’t seem to happen for people who stereotypically look like the media’s conception of hackers. If the hiring manager doesn’t want to hire you (based mostly on the first fifteen seconds of your impression on them) no degree will help you. But chocolate and career coaching might.  🙂

    Jessica:  College is expensive in the US, and the cost is only going to continue to increase.  It will open more doors than would otherwise be opened.  Think of it as future proofing.  I’ve always known I want to be in leadership, but I have colleagues that came to that conclusion later in their careers and are now going school to check the boxes.  Set yourself up for success and an easier path now.  I think as our profession matures it is only going to become a more steadfast requirement, like many professions there are some minimum requirements and I see ours continuing in that direction.  We’ve moved past the infancy of the infosec profession; along with that comes a threshold, which often times and more in the future, means a degree.

    Chris: Most knowledge-based professions have a really well prescribed paths for getting into the field and finding success. If you want to get into medicine, accounting, or law you know exactly what you need to do. Our field couldn’t be farther from that — there is no single path. The beauty of that is you don’t have to go to college. However, like those other professions, you do have to learn how to think. Being aware of how you think and effectively applying that (aka metacognition) is the most critical part of gaining expertise and ensuring you are capable of learning effectively. The beauty of college is that it is the perfect environment for your metacognitive ability to flourish…if you let it. If you view college as an opportunity to do this and seize it you will benefit tremendously. If you view it as merely a checkbox to get a piece of paper, you’ll be disappointed in how far that paper gets you.

    Daniel: Credentials have the value that others place on them. Understand that and you’ll understand a lot about degrees. Make a clear distinction between the education and the credential, and realize that while you can self-educate you can’t self-credential. Understand that you’ll find a full spectrum of respect for degrees in various populations, countries, verticals, sectors, etc. Some will not even notice if you have a degree or not, and others won’t take you seriously unless you do. That being the case, it’s always better to have it than not, so the question is really about what you’re sacrificing to get it, and whether or not that’s worth it.

Starting an InfoSec Career – The Megamix – Chapter 7

 

Chapter 7: Landing the Job

So, we’ve come this far in your infosec journey. You’ve studied hard, attended conferences, played a CTF or two, updated your resume, and networked a bit within the information security community. Great work!

Let’s prepare for your very first information security interview.

 


=== What to Say ===

There have been nigh infinite pieces written on the subject of interviewing, but I’d like to briefly share some basic interview skills that have really served me and my candidates well:

  • Make sure spend at least 30 minutes researching the organization you will be interviewing at. What are their strategic goals or products? Where do they have offices? What’s their corporate culture like? Consider what interests you about their mission, and how you feel you could benefit them as a security professional.
  • Always bring several printed copies of your resume and references to your interview, formatted the way you intended. HR systems will often remove formatting and line breaks before routing your resume to a hiring manager, and your copy may be more pleasant to read. You will also want a copy to reference, yourself.
  • Bring note taking materials to your interview, and make sure you’ve written down a few relevant questions to ask your interviewers about the position and the organization.
  • Arrive 15 minutes early for your interview, and be polite to everybody you meet. You never know if the person you make eye contact with and say “good morning” to in the hall will be interviewing you, later.
  • Make eye contact, and pay attention during the interview. Most of us are introverts, and this can be a challenge. Make the effort to be personable and show that you are listening to your interviewers.
  • Put your phone away and on silent. I shouldn’t have to say this.
  • Answer questions honestly. Most of my colleagues and I would very much prefer, “I’m not sure”, to an evasive answer or an outright lie, particularly on technical questions. Often, knowing where you would look something up is an okay answer to a technical question. When we ask you questions about where you could improve, there should be a real response that verifies you are a human. Everybody has some area they can improve in, and we will never believe you’re utterly perfect.
  • The initial interview is not normally the appropriate place to ask about compensation. Yes, infosec is an understaffed and in demand field. You have better chances than most at landing the job. No, your Masters in Information Security does not guarantee you the position immediately in lieu of a technical interview.
  • Do talk about your (legal) infosec-related hobbies and activities! We want to hear about the security lab you built in your house, the book you read, the CTF that you participated in, or the security related talks and projects you’re participating in. They show you are an interested and involved candidate, and a good fit for our teams.

 

 


=== What to Know ===

The previous chapters in this blog series suggested ways to build your foundational skills in the key areas of networking, systems administration, and security, so I won’t dwell too much on the necessity of knowing the fundamentals of these things such as common ports and protocols, malware types, and operating system functionality in an entry level infosec interview. Suffice to say, this is where the free educational resources, formal training, and your home lab really come into play.

You should ensure, before going to an interview, that you are up to date on the basics of current threats and security news. What you learned at your university is almost certainly not current enough for most interviews. There are a lot of great resources that provide information on ongoing threat activity. For instance, I really like the exploit kit status dashboard at (ProofPoint) EmergingThreats. SANS ISC posts botnet and scanner activity from publicly submitted data, and Sophos posts a nice free malware dashboard that shows their overview of currently detected malware. Threat trackers, coupled with the blogs, news services, and educational resources we’ve previously discussed, should enable you to go to your interview ready to answer general questions about the top threats that are currently plaguing organizations.

 


=== What Not to Say ===

 

 

In May, I surveyed a broad swath of security professionals to share the statements they hear from interview candidates that are the most indicative that the person is inexperienced in professional information security work. I’d like to share a few of the most popular, and why they carry that connotation. Keep in mind, the selected statements by candidates aren’t necessarily technically wrong; they more often tend to oversimplify or ignore administrative and business-related problems in security. It would be wise to choose your words diplomatically before saying any of the following things:

“Antivirus is obsolete, and a waste of money! Get rid of it.”

We can’t all be Netflix, dramatic headlines or not. It’s true that antimalware programs have a lot of problems to contend with in the 2010s. Between a cat and mouse game with well-funded malware authors, and polymorphism and regular botnet updates, simply maintaining a library of static signatures is indeed not effective anymore. Most decent antivirus vendors recognize this, and have implemented new tactics like heuristic engines and HIPS functionality to catch new variants and unknown threats. Antivirus is one component of a solid ‘defense in depth’ solution. It has a reasonable potential to mitigate a percentage of things that slip past network IPS, firewalls, web filters, attachment sandboxes, and other enterprise security solutions.

“Why are you wasting money on $x commercial product? I can do the same thing with this open source project on GitHub”

We love the philosophy and price tag on open source projects, and it’s great that commercial vendors have open source competition that drives them to improve and enhance their products. This doesn’t mean that free tools are always a viable replacement for commercial tools in an enterprise environment. There are intangible things which usually come with the purchase of a good quality commercial security product: support, regular updates, scalability, certifications, and product warranties. Those intangible things can have a tangible cost for an enterprise implementing an open source product in their stead. For instance, the organization may have to hire a full time developer to maintain and tweak the tool to their needs and scale. They may also be solely legally liable if a vulnerability in free open source software is exploited in a breach – a risk many organizations’ legal teams will simply not accept.

“They deserved to get breached because they didn’t remove Java / Flash / USB functionality / Obsolete Software…”

Most organizations exist to provide a product or service, and that’s usually not “security”. As security professionals, we’re just one small part of our organizations and their mission, and we never function in a vacuum. Oversimplified assertions like this are a dead giveaway that a candidate is not used to compromising and negotiating inside a business environment. Yes, in an ideal security world, we would use hardened operating systems with limited administrative rights and no insecure applications. Few of us actually operate in that ideal world, and many of us work at an operational scale alone that renders this unfeasible. We do what we can; navigating the political risk management game where we must to provide the most secure environment we are capable of.

“Just block China/Russia/x… IPs.”

Once again, this indicates a candidate is thinking only as a security person (and a biased security person) and not as a member of a business. Unfortunately, it also shows a lack of technical knowledge, as many attackers use large, global networks of compromised hosts to launch attacks.

“Security Awareness is a waste of money. Users will always be stupid.”

This is an appalling lack of confidence in your own ‘team’. Yes, some end users will probably always click / ignore / fail to report. (Most security people will also click when properly socially engineered.) The point of security awareness is not to create a perfect environment where nobody ever clicks on a phishing message or ignores an alert window – if your management has made that their measure of success, they’re doing security wrong. The point of security awareness is to improve awareness of threats, encourage some employees to report potential threats so you can respond, and decrease day to day problems so you can focus on the more severe ones.

“[Fortune 100] should have already have gotten rid of $OS and gone to $OTHEROS, because it’s more secure / real security people use $OTHEROS.”

This is dogmatic elitism without real business or technical foundation. Any up-to-date operating system can have a valid use case in business and in security work. A good red team or blue team security professional should be able to secure, compromise, and use tools on OSX, Linux, and Windows effectively (and indeed, there are valuable tools unique to each). It’s okay to have an operating system preference and to intelligently discuss the merits of $OperatingSystem for your specific use case. Don’t assume everybody else’s use case is the same.

“Hack them back / have the attackers arrested…”

We all crave the movie ending where the black hat hackers get their comeuppance and are thrown in jail. Unfortunately, unless we work for a LEO, the military, or a huge global telco, we’re rarely likely to get it. “Hacking back” of any sort is usually wildly illegal (especially because attacks are almost always launched from compromised hosts that belong to law-abiding people). Arrests happen when time-consuming coordinated efforts between security firms, global law enforcement, and lawyers are successful. Even the terrifying financial spearphish to your CFO is likely to not be chased down by law enforcement for some time. When permitted, absolutely do share your threat intelligence with law enforcement and working groups to aid in these important efforts. Expect any response received will take significant time.

“Don’t you monitor every brute force attempt against your perimeter? I count the dictionary attacks against my honeypot every night!”

No, monitoring this would be a waste of time in most large organizations. Behavioral trends and specific sequences of events that could indicate a compromise are more valuable to monitor. Time is money.

Any statement beginning with, “Why don’t you just…?” or “It’s simple…”

It pretty much never is that simple, so don’t personally insult your interviewer by assuming it is
.

 


***

This concludes the InfoSec Career Megamix! I hope you’ve enjoyed this blog series and that it has been helpful to you in furthering your own security career. Many thanks to everybody who has commented on my blogs or provided input and suggestions. Please do check out the links to other peoples’ wonderful work on the subject which I have included throughout the blogs.

[You can find the previous chapters in this blog series here:

The Fundamentals

> Education & Certifications

> Fields and Niches

Blue Team Careers in Depth

Red Team Careers in Depth

Self-Study Options]

The Worst InfoSec Resume, Ever

I do quite a bit of InfoSec résumé reviewing and critiquing, both personally and professionally, so I’m repeatedly asked for tips on common problems. In order to ensure that these problems were not exclusive to me, I recently had a lengthy discussion  with a number of InfoSec professionals involved in hiring (thank you!). We discussed our “top 10” pet peeves when reading candidates’ résumés.

So without further ado, here is an illustrated example of some common problems we see on many résumés, and some suggestions about how to fix them.

(If these images are hard to view on your phone or at a specific resolution, you may click them to view them full screen.)

file-page1

file-page2

Hair Dryers, Hacking, and Us

In case you’ve been living under a rock for the past several days, IBM posted, then ultimately removed a video promoting STEM fields for women via “hacking hairdryers”, to a great deal of public outcry from STEM professionals. The unhappiness stemmed not only from perceived sexism, but also tremendously poor timing as the ad was released close to the anniversary of the École Polytechnique massacre of 1989.

I will apologize from momentarily veering away from my usual structured technical guides. However, I’d likely to briefly state my own experience and thoughts on the matter, because I feel there are a couple things that still need to be said.

Before I continue, I’d like to make it clear that I see no purpose in badmouthing IBM further regarding their campaign. I genuinely believe they meant well, and I have many exceptional friends (both male and female) employed in STEM fields there. I’m not offended by their campaign; I merely feel disappointment. The ad (probably generated by an unrelated advertising team) was symptomatic of what I perceive as a systemic misconception about how to interest girls and women (and in a larger sense, minorities) in STEM fields.

I’m fairly straightforward about my interests and experience on social media and my blog. I hope I have properly expressed over the years that I truly have keen interest and skill in an array of tech, without compromise. Tech isn’t merely a career for me – it’s something I live. I also publicly enjoy a fair number of things that are often traditionally categorized as ‘feminine’. I own a gratuitous amount of makeup. I enjoy subversively playing with the ‘sparkly’ and ‘pink’ tropes. I will admit that it took time for me to reconcile these things as a young adult. These things are not mutually exclusive, nor are they particularly interrelated apart from my persona.

I’m not a girl hacker – I’m a hacker. I am not a hacker because somebody taught me to hack on a pink keyboard. I learned to hack, code, and solder the same way most everyone else did. I don’t personally know any female hackers or technical professionals who state that they owe particular success or interest to being approached with anything pink, sparkly, or remotely associated with Barbie. Your mileage may vary.

I owe my skill at tech not to campaigns targeted at me as a girl, but to the fact that by the time that people told me that I could not do things because I was female I was already confident in my ability to do them. By the time my sixth grade science teacher reminded me to, “Remember what happened to Joan of Arc”, I had coded my first text based RPG and soldered circuit boards, and I had found that it was something I enjoyed.

My parents never gave me any presumption of advantage or disadvantage in life to being female. It had no bearing. There was an expectation that I would learn to play a musical instrument and appreciate fine arts, but also help fix the car or TV when they broke and have a solid fundamental understanding of science. My parents both firmly held the assumption these were things an informed human being should do. If I showed an interest in something beneficial, they encouraged it.

Outside of my immediate family, who I firmly believe were instrumental in me freely pursuing an interest in a variety of fields, I also can point directly to youth organizations like the Girl Scouts. Although I can absolutely name cases where I’ve seen them stoop to the same fallacy, even in the 80’s and 90’s, their youth programs still offered a wide array of science and tech teaching that was presented in a great, unbiased, non-condescending way. Our telescopes never needed to be sparkly. We just had to know that we were looking at Saturn through the eyepiece in a cramped observatory on a chilly night, and that was enough.

In my experience it’s absolutely an unfortunate reality that women and girls often do face negative pressures, preconceptions, and lack of encouragement from many sources when they demonstrate any real interest in science, technology, engineering, or mathematics. Trying to advertise these fields through gross gender stereotypes is probably not the way to fix this problem. The ability to excel comes from being told it’s OK to pursue almost any interest by the formative people in a child’s life. This includes family, teachers, mentors, and the community. It comes from being provided exposure to varied interests at a young age. We have to counter the societal negative pressures with positive encouragement for everybody.

Give the kids and young adults in your life the exposure and support to explore and pursue things they wish to.

Get involved with the many great organizations like Hak4Kids and DefCon Kids that provide so much education and motivation to youths.

If you’re able, mentor and sponsor people in your community who don’t have support to grow and learn in tech fields.