Certainly in the company i work for (and have been here for 18 years now) to be hired in a "technical" role a bachelors degree is required.
That said, I don't have a degree. I started with the company as a Technical Support guy, became sysadmin, then operations manager, then UK operations manager, then EMEA and now find myself in the US and one level below the CIO.
Would i have progressed in the company quicker if I'd had a degree? I doubt it. Once you have your foot in the door hard work, commitment, relationships you make and the profile you build for yourself are quite often enough to help you move on. However if I'd chosen (or been pushed) to move to another company it would've been much harder to reach that next rung on the ladder without a degree. For sure, if my company were to hire someone external to replace me in the role i'm in now the baseline requirement is a degree and CISSP.
I don't plan on leaving the company i work for (i am a true "company man") but sometimes loyalty doesn't swing both ways and I actually plan on starting a degree next year just in case anything ever happened that meant i needed to find another job, i have it. I was really intrigued by the Capella University stand at the Security Congress this year and the fact that CISSP can be counted for credit towards certain degree parts
To be honest, I do not even look at degrees on applications. I want to see that someone put in the effort to get the certifications for their field and stay current. I want to see meaningful job experience and a desire to grow. I will take a CISSP over a candidate with a 4-6 year degree. If they both are CISSP and one has a masters, it will almost never be the determining factor that gets them hired. Degrees hold zero credibility in my eyes for this field. Traditional classroom education with a rigid curriculum cannot keep up with the current technology, so many of these students are learning outdated methods and tools. There is a reason the Air Force is abandoning structured schools for IT fields in favor of the "Agile Airman Concept" focused around on the job training and vendor led training.
Hi, Joseph,
The Agile Airmen - great! But the relative unagility of classical education has its advantages too, methinks. Firstly, the basic concepts of information security haven't changed that much and will not change much either, in as far as I can see. E.g. I recently did some research in the field of IoT and it struck me that most of the vulnerabilities we see nowadays are still very much the same ones we saw 20 years ago. Botnets nowadays run on IoT hardware, but still exploit weak passwords. In 1995, BS7799 (now: ISO27002:2013) already mentioned these as a major vulnerability and suggested (best practice based) controls. And doing risk analysis is still necessary, even when one is an Agile Airman. Knowing concepts like the CIA triad, how a Von Neumann architecture works, networking theory, how encryption works etc. etc. - all constants in our turbulent InfoSec world. And exactly the stuff they teach you at Universities.
Also, a classical education is more than just learning facts, it's also a training in independent, critical thinking, in writing in a clear and concise way and learning how to do research. And as much as I respect my (ISC)2 peers, and as proud as I am of my CISSP designation - you don't really learn either from studying and knowing the CISSP CBK.
So, both have their merits. But I think it is safe to say that any person that is able to complete a formal education in our field (e.g. BSc or MSc InfoSec) has the intelligence and stamina to become an Associate of (ISC)2 - and if he or she has obtained sufficient work experience, a CISSP. However, not necessarily the other way around.
I think the relevance of a four (4) year degree matters only if you're aiming for a senior management level. The management or the HR team would often advise you to complete your bachelor's or take your master's when filling these upper positions. It won't add up if you're contended to perform from a technical perspective or even a mid-management position.
A person's technical experience and collaborative skills in general, will always be the driving force to the success of an enterprise and not the credentials that you hold but it should not hinder you from completing your academic journey as well. It's fun to accomplish something that you've always wanted to accomplish and this is my reason why I finished mine. For me it took 15 years to get my engineering diploma and as far as those people whom I conduct technical interview, I don't really look at their academic credentials.
Remaining technically hands-on is not an option but a requirement. I think this is not due to competition (outsourcing, contracting, etc.) but due to the demand of emerging technologies that soon, will rise into power and change the way we live. Think of Blockchain as an example, when it was 2009 and when it is today. This will increase the demand for professionals with sufficient experience in IT security.
It will be beneficial to identify your long term career goal like 20 years from now, take a deep breath and then think if you want to complete it or not.
Go on indeed.com, monster.com, usajobs.gov, dice.com, etc (any other job websites you can think of) and look for jobs that you would want to apply for. See what they requirements are. If you find that most of the jobs that you would want to apply for require a 4 year degree, then you may need to go get one. I do know that for higher level jobs most of the applications require a degree or substantial amounts more experience. I recently just got a new CISO gig and during the interview they admitted that it really didn't matter to them what the 4 year degree was, just that you had one. In the screening out process if you did not have a 4-year degree your resume never even made it to the hiring officials. So if you are finding that the jobs you would be applying for all require it, you may have to get it. This applies for other skills as well. If the job postings you look at mention Python programming skills a lot, then go learn those. Same goes for those looking to advance to higher levels. Go look at those job postings of jobs that you do not currently qualify for and see what skills/experience you will need to acquire in order to be able to apply in the future. Start building those skills now.
The easiest way to know what you need is to see what other people are requesting. I always liken the job search to a basketball game. A basketball game has a specific set of rules to govern it. You cannot show up with a football and expect the other players to play the game of basketball with your football as the ball. I don't care how nice the football is, how good you are with it, or how much experience you have playing football; your ball just isn't going to work for this game. A job search is just like that. As a hiring manager I have seen lots of people complain like this:
"I don't have a degree but I have X number of years doing IT. I shouldn't have to have a degree. I could probably run circles around those people with the degrees....." They are trying to bring a football to a basketball game. Think about what a degree potentially shows an employer:
1) College is not mandatory so you showed some initiative to complete a 4 year course of study which was probably not easy. (Initiative)
2) You dedicated 4 years of your life to improving yourself. (self-Improvement)
3) You hung in there long enough to graduate so you potentially have the willingness to stick things out. (Ability to complete long-range tasks) (Dedication)
4) You know your language well enough to pass tests. (Competency) (communications)
5) You are considered educated. (Knowledgeable)
There are other things too, but you get the point. Now that I am higher up in the management chain I see most of the job postings I look at require it, especially for the CISO positions.
Dear Joseph,
Of course people have a vested interest in protecting their "brand"! They appreciate what they had to do to achieve their titles or designations and hence also appreciate the hard work that others had to put in to obtain their titles, grades and designations. But to label that as just 'selfish' is a bit stark, IMO. Professionals can not improve the world just on their own, they need other professionals to do so. And such formal grades and designations are indeed a very good way to filter out the chaf from the wheat. Yes, occasionally some babies are thrown out with the bathwater, but in general the system works.
You talk about folks that completed a formal study as if they did that to serve an "antiquated hiring processes" and say they are merely "fitting a mold". You label this "mediocrity" and "blending into the crowd". Well, I don't know.
I myself am, according to your definition, a very good example of a person that "fits" that "mold". A bit late, perhaps (I was 57 when I graduated) but - I finished a formal education. Now, let's see: I know that roughly 8 percent of Americans has finished a Masters. NINETYTWO percent of all Americans hence have not, so - how common is that "mold" that I do fit? And of those eight percent, only a minor percentage studied information security. Of these, only a minor percentage passed with distinction. Of these, only a minor percentage is a CISSP, which proves that they have at least 5 years of relevant working experience and are "in good standing" - well known to others (with that "vested interest" to protect their "brand", indeed!). And then, of these, only a minor percentage has obtained other relevant and current certifications.
I did all that - and I am proud of my achievement. And if there are others that did what I did, I know EXACTLY how hard they had to work, kudos to them. In my opinion we, the "old school graduates" have sufficiently managed to stand out of the crowd, and we sure as hell do not fit that common mold you mention.
Please note, Joseph, that I do NOT say that people that did NOT do all that - the other 99.9something percent of the population - are not fit to work in our profession. Nor that there aren't better professionals then me (actually: some of them well beat me in knowledge and skills). However, my grades and certs do exactly the opposite of what you say they do: they make me stand out. I don't fit the mold and I'm proud of it.
BTW: yes, you CAN learn anything you learn in a classroom on-line nowadays. I even completed my Masters on-line.. but only after my knowledge was properly scrutinised by an old-fashioned British University using an old-fashioned written exam, and after writing a dissertation in which I proved to be able do DO something with what I was taught 🙂
I like this very much and thank you for the contribution. I guess what we are all saying it that it is very much "horses for courses", but I think the main comment is that the profession needs a balance of skill and experience. Yes, having a degree does say a lot about an individual (and still opens doors), as does a good CV with relevant experience.
The world is changing, and more people than ever are being educated to degree level - and that is good - but, as with all things, that puts you in a "crowd" of potential assets. The question, as always, is what makes you stand out from that crowd: be it the crowd of degree holders, the experienced people crowd, the wider crowd of the IA/IS/cyber profession, or a "mix crowd". What it boils down to is a good targeted CV demonstrating knowledge and experience relevant to the role supported by demonstration of career progression, broadening of experience, and continued knowledge development.
There are no right and wrong answers in the development of an individual, just life choices based on good information, opportunity, and yes, luck. Thank you all for a stimulating line of thought.
So, what makes you stand out from the crowd, and why should an employer be interested in you? Now - how do you get there?
As another line of discussion it might be worth asking how well does the degree syllabus map to the needs of industry to fill, what we are being told, is a skills gap? This may also drive the decision to take a degree based on relevance to your chosen career path and the business needs of your employer.
To all those who contributed to this discussion, I salute your achievements and wish you well in your chosen career paths.
And to further expound on this. I got my BS degree 20 years ago. I am 47 and going for my Masters degree. The courses have taught me more about how to be an effective leader. I am truly learning useful skills in my Master's courses, more than I learned in my Bachelor's courses.
For example, I learned about organizational culture and how it affects your ability to get your ideas accepted. I fought several agencies for years not realizing I was battling a culture war, not a cyber security war.
I also learned the intricacies between leadership and management and when to apply them.
I learned to be an effective CIO/CISO you have to be able to tie strategic goals to your initiatives in order for senior management to buy in to them.
I'm only halfway through but I am learning real skills to make me a more effective CISO. BUT I would not have been able to partake in this opportunity without my BS degree having been already completed. There have been times in my career where just me having my degree has benefited me because of some "check box" system. The same can be said for my CISSP certification. They higher you go, the more an agency wants to see that someone else has provided a "validation" of your skills.
You can choose to fight against the system and complain that it is unfair or you can play the ball game with the correct ball.
I live by this saying" I would rather have a skill mastered and not have to use it, than to need a skill and never have been trained in it."
You will never find me complaining that a system is unfair, mainly because whether something is "fair" or not doesn't matter. I think you summed up this entire subject here " ...I was battling a culture war, not a cyber security war." Certs vs Experience vs Degrees currently is a "culture war."
I always find it interesting to hear people refer to something so important as "playing the game." This wording is frequently used in reference to credit scores, performance reports, promotions, resumes, etc. It may benefit to ask oneself if the system has to be referred to as "gamed, or playing the game" how much value is there in defending it?
When faced with such a question I have found this tenant to be a valuable moral compass ,"Where the progress of knowledge reveals that any belief is or becomes untenable, it should be abandoned."
Your belief system commits the fallacy of post hoc, ergo propter hoc. (Latin: "after this, therefore because of this") is a logical fallacy that states "Since event Y followed event X, event Y must have been caused by event X." Colleges operate an 1.9 trillion dollar industry based on the fallacy that buying their product is a one way ticket to the middle class.
Statistics support that over 30-40% of people with a 4 year degree are "underemployed" and 20% of college graduates work "part time." The current consensus is that it takes on average 10 years to pay back a student loan and a bachelors degree has expected lifetime value of $275,000 IF you get it directly after high school. If you really wanted to get down to the statistics, then there is a lot more evidence supporting that you are playing the game with the wrong ball. Furthermore, I would venture to guess that the majority of your success can be attributed to your character, personality, experience and life circumstances than the degree that you hold.
I think it is great that you feel you are getting your moneys worth, but we will always find ourselves at odds on this subject.