Sunday, May 3, 2015

College degrees in infosec

I hear people rant on Twitter and at conferences all the time that college degrees aren't needed for infosec jobs.  Of course, for those making this argument, certs aren't required either.  It should be all about what you know how to do - actions speak louder than words in infosec after all.

Note: I have great respect for Lesley and Sam cited above. Both of them are awesome contributors to our field and Sam has a Twitter headshot eerily similar to my own (reason enough to like him).  I don't know Jasper, but I'll assume he's cool.  Buy any of them a beer if you are lucky enough to meet them in person.
There's an obvious question of how to economically hire infosec candidates if I adopt a no cert/no degree model.  Should I interview everyone who applies to find out what they really know?  If not everyone, then who?  I'm sure I'll hear the usual "you should look at their research."  And I do this, but only when a resume gets to me.  To get through the HR gauntlet and get your resume in front of me you have to:

  1. Have the qualities HR understands to be valuable
  2. Know someone

Now that I've got that part out of the way, let me voice what I know is a very unpopular opinion.  I think college degrees do matter in infosec.  I heavily consider a BS (and much more so an MS or MBA) degree when I'm looking at a candidate.  Note that I didn't say BA.  If you got a BA and now want to do Infosec, you'd better be bringing it somewhere else.  Getting a BA and then deciding to do infosec tells me you are either newly passionate about science or have bad decision making skills.  Good news though - Starbucks needs another barista and your BA will serve you well there.

Why do I prefer a degree?
The first reason is pragmatic.  Many clients still have old hiring policies where degrees matter for their employees.  All things being equal, they'd prefer their consultants to provide staff that fit their organizational structure.  Degree++.

Reporting is critical in infosec.  Writing a quality report is at least as difficult as doing the technical work.  If the verbiage of your report suggests that the draft was written in crayon and then input into MS Word, then we have a problem.  I ask for writing samples of most candidates to avoid any surprises later.  Great side note: if you have a blog, I get a chance to see your writing style and we can avoid that.  Another great side note: if your blog posts look like the drafts were in crayon (or the final product is in comic sans), I've seen all I need to see.  How is this related to a degree?  Well, to get your BS or MS, you had to write... a lot.  Yes, we all know the story of the college grad who can't write for anything. But in general, I am more likely to find quality writing from someone with a degree.  Degree++.

What about background?  Every time I talk to a CS major in infosec who says "I didn't learn anything about my job in college" I call shenanigans.  Did you learn SSLstrip to help you in pentest?  $MFT parsing to assist in forensic investigations?  Probably not.  But you did learn how to think about technology.  Most importantly you learned to program.  You understand (or have an exposure to, depending on your school) computational complexity calculations.  Does query complexity matter?  Yeah. What about memory management?  Yes, even if you never write a memory manager.  This is basic, but important stuff that most without a degree lack.  But based on your degree and the school you went to, I know you have a minimum level of understanding about foundational topics that most self taught "infosec pros" simply do not have.  Degree++.

Weak rigor in research is another area that college degrees help.  Too many infosec researchers fail to apply any standard methods to their research and their results have more holes than swiss cheese.  Oh yeah, and I can't read their freaking reports (see above) so in many cases I can't even understand how badly they've failed.   Degree++.

Don't get a degree from just anywhere to check a box
I'm a huge fan of non-traditional education.  But there are some schools with a really bad reputation.  Investigate them before dumping your money into a school that sucks.  Choosing the wrong school may actually hurt you.  And for goodness sake, before wasting your time, do some OSINT.  You may find some people will exclude you based solely on the poor reputation of your education.  If you have other experience, education, research, etc. then your school matters less to me.  But I know what most popular degree programs include and more importantly what they do not.  Choose a good school  or you'll regret it as Lesley notes below.

The End
I could keep writing on this all day, but I'll stop here.  I've made my case and nothing you can say will dissuade me.  Have I hired people without a degree?  Sure.  But they are seriously bringing it in some other area.  If you are entry level without other credentials and lack a degree you should probably talk to someone else.

Footnote: If you ever interview with me for a threat intel/OSINT job and haven't read at least some of my blog/other research and presentations before the interview, you are not very good at your chosen job.


  1. I love this article, thank you. This is exactly why I have returned to school. I've been working in Info Sec for 8 years+ and I knew that I needed more. SANS is awesome but it can't help you fill the experiences that a good college program brings. I'll have my degree finishing in another year and will happily add that to my resume along with my Info Sec experience and certs.

  2. This comment has been removed by the author.

  3. This comment has been removed by the author.

  4. "they are seriously bringing it in some other area" /me grins


Note: Only a member of this blog may post a comment.