Every now and then, I slow down long enough to realize that I’m getting the same questions from multiple people in my inbox. Most of the time, I’ve already answered them on my blog, so I just provide the link.
Recently, I’ve had people reach out saying they did not find the answers they were looking for, so I’m making my responses public here.
#InfosecTwitter: I won’t talk to you if you have degrees/certs
Also #InfosecTwitter: I can’t take you seriously if you don’t have degrees/certs
Some of the people saying this have blue check marks. Which influencers should I believe?
The small number of people raging against degrees and certs…what is the likelihood that they will give you a job?
Now compare that to the infinite number of opportunities you could likely forfeit or be disqualified from because you do not have degrees/certs or do not display your hard-earned credentials in your profile.
Which option positions you for a higher probability of success?
That’s your answer.
There are some valid complaints about the quality of candidates getting certs and degrees. However, we cannot blame the continued breaches on the credentials without acknowledging the role of the following:
- Technical debt
- Focus on time to market w/o security
- Lack of SDLC
- No management support
- The many security staffs that lack the power to effect change
- Current business approaches towards cyber
- Complexities of borderless networks
- Hybrid environments & legacy systems
- Public policy attitudes around the importance of cybersecurity, etc.
Fun fact: over 90% of executives who responded to a 2016 Goldsmith survey said they cannot read a cybersecurity report and 40% report feeling that they are not responsible for their companies being hacked.
The people you admire are blaming breaches on certs/degrees without acknowledging the other major contributing factors.
Let’s start having that conversation.
And of course there are people who succeed without credentials, but let’s not conflate that with being the norm.
Do you feel the CISSP helped make you more marketable? How has it impacted your career?
The CISSP opened doors for me that had previously been shut. While there are a few loud industry voices raging against the cert, it continues to be the gold standard & most recognizable to hiring managers. It also continues to be highly regarded by other holders of the cert, most of whom are in a position to influence hiring decisions.
More than that, the credential boosted my confidence and gave me a greater appreciation for fellow professionals who work in domains that I may not interact with regularly (or at all). The complexity of the discipline requires us to have some understanding of all the moving parts.
Depending on the role and size of the company, it may be necessary to specialize with a red team, blue team, or vendor-specific cert. However, the CISSP still has the highest demand. This translates into making candidates more marketable.
Another overlooked value of the CISSP is the code of ethics. We’re in an industry that could impact people’s lives, so having a set of standards helps establish shared values and boundaries.
Do you feel that getting your M.S. in Cyber Security has helped your career?
I had a positive experience at UMUC and would recommend the program. The ROI from my degree was evident in the doors it opened just by virtue of me being a graduate student in this discipline.
I was recruited & continue to be pursued because I publish content, volunteer at conferences, and my peers vouch for me.
Notice that I did not get my degree and sit back waiting for doors to open. I’m active in the security community, even if all I can offer is time.
Give back before you need a job.
Did you feel hindered by the online format of the classes or did they enhance your instruction? And, were your instructors actively engaged and available to provide feedback on your work, performance, etc.?
No, the online format was an enabler for me. I work FT & have kids, so I would not have been able to get my degree if the online option were not available. The professors were very engaged & available. I only needed a phone convo once during my entire program, but the professor made himself available with no hesitation.
I’ve heard some small talk about the ‘academic reputation’ of UMUC and that most folks don’t respect the school — what’s your take?
The only complaints I’ve ever heard are from the people who could not handle the rigorous coursework. The labs are hands-on & it is difficult to succeed if you are not technical or already in the field.
If I do not have IT experience, should I pursue certs or a master’s degree first?
As always, it depends.
From a purely economic perspective, certifications are a lot less costly than full degree programs. If you are already in IT, then getting a cert is a cost-effective way to demonstrate initiative and show that you have the foundational knowledge to formally transition into an infosec role.
Your cert will also come in handy if a better opportunity presents itself elsewhere while your boss is trying to decide whether to keep you in a position that is benefiting his/her career while neglecting your growth.
If you do not have a technical professional background, then certs are still a better option because you will learn very quickly whether you REALLY want to come into this field. This is an exciting and fulfilling career path, but it is not for the faint of heart.
Also consider this: hiring managers are usually not looking for entry-level employees with master’s degrees. Likewise, people who complete master’s degrees are not fond of coming into new roles at the bottom of the pay or work scale.
Therefore, I don’t believe graduate-level infosec degrees should be the default route into the field. Advanced degrees are better suited for people with industry experience who are preparing for architect, lead, or management roles.
By the way, if you wait until you’re gainfully employed in the discipline, you are more likely to have access to tuition reimbursement for that advanced degree.
Be a business savvy security pro.
People reach out to me all the time complaining about not being able to get jobs after completing their master’s programs. I shared my thoughts on why in this Tripwire blog post.
That’s all for today. I’ll try to do a better job of posting Q&A more regularly.
But before I go, I want everyone to know that my success was and continues to be a team effort.
I want to take this time to acknowledge my husband.
Paul W. Brager, Jr., my husband, my hero, my rock, my protector, my provider, my strength in my weakness, my everything. Thank you for believing in me, even when I didn’t believe in myself.
Thank you for helping me fulfill a lifelong dream of completing my master’s degree, for flying across the country through multiple time zones to watch me walk across the stage.
Thank you for your patience during my graduate school journey. Thank you for agreeing to accept only clean socks for the two-year duration of the program.
Thank you for keeping the kids alive when I was pulling all-nighters – for keeping the pantry, refrigerator, and freezer full.
Thank you for helping the kids with homework and ensuring they thrived in my absence. Thank you for teaching our sons how to be men while demonstrating to our daughter how men should treat her.
Thank you for keeping gas in the cars and keeping up with all the maintenance. Thank you for leading by example and showing servant leadership.
Thank you for drying all my tears, encouraging me to keep going when I wanted to quit school and the industry.
Above all, thank you for being my best friend. I would not be the woman that I am today without your love and support. I love you.
I also want to thank the Houston security community for supporting my career, especially the HOU.SEC.CON Team. I am co-organizing a panel at the con with Jessica Patterson from Optiv. We will provide more info in the coming weeks.
Click here for conference details. We hope to see you there!
Keirsten Brager is publishing a security career advice book in 2018. Feel free to follow her on this journey.