Education overall is a great tool and to be successful in security you must be a continuous learner. I have come across several people that at some point stopped learning in their career, they decided at some point that the knowledge they had was good enough to keep them employed until they retired and that was good enough to them. This is fine if you prefer to coast into retirement for the next XX years but for people that want to grow, become better and excel in security then learning is a must. Once that is understood the question becomes do I get certifications or do I go get a degree? Hopefully, this post will help with that expensive decision. Education is not only expensive financially but also requires a large investment of your time. Time is the one thing you will never get back in this life and so I attempt to make every decision properly with enough thought so that I do not regret that choice.
When I was trying to get into cyber security I just graduated with my bachelors degree in criminal justice but I was working an IT help desk position. Since I worked in that role in college, it was an easy job transfer after college to ensure I had an income. I ended up finding cyber security when I was at my first role out of college and a colleague told me about it and that I should investigate getting into cyber security. After doing research for a few months I determined not only that I wanted to go into cyber security but that the first step I should take to get into the field was to obtain my Security+ certification. How did I determine this was my first step you might ask? At that time all I had was a bachelor’s degree in Criminal Justice and 2 years of help desk experience. Through my research I determined with my experience the A+ certification would be a waste of time and I bought the Network+ book but I got so bored I could not get past chapter 2. The only thing that held my attention was the Security+ book by Darryl Gibson. Immediately I started reading the book, taking notes, and learning as much as I possibly could about security. While I was studying, I was applying all over the place to any open Security Analyst role. Literally if there was a role titled Security Analyst, Security Administrator, Junior Security…. I applied to it. Every single time I was told I did not have enough experience. I studied for the Security+ certification for an entire year and still didn’t feel confident in spending the $300 to take an exam and possibly fail when I didn’t really know what to expect from the exam. I felt I needed more knowledge in security to finally make the jump into security. I eventually found a cyber security master’s program that was a hands-on program that seemed like it was the best value for the money. I immediately applied to the program, a few weeks went by and I got a call from the dean of the program telling me he would not admit me into the program until I passed the Security+ exam.
At this point I want to pause and assess where I am currently in my career. I am at a help desk position applying to every junior level security opening that I could find with everyone telling me I need more experience. The company I was at had at most 40 people at the company with not a single security tool at the company. Security was something the developers convinced people was built into the product and no one at the company had the skill set to prove otherwise. Eventually at this company I started to handle more DoD clients which required our product to hit a certain standard. While onsite the client would scan my product and find vulnerabilities and expect an explanation as well as a fix for it right then and there while I was onsite. I soon realized for me to be more successful in my role I would have to lead the vulnerability management effort internally at my role. With no experience and only the understanding of security and vulnerability management that I had from my studies I started to download and learn the free versions of Nessus & OpenScap. I would spend days and nights testing new configurations, rescanning the servers, making more tests followed by more scans. I eventually created a comprehensive list of not just every vulnerability we would need to fix to pass the clients scans and tests but every fix that would need to be made along with all my test results. I obviously wanted to make sure that not only could we patch the vulnerabilities but that my product would operate properly with those patches deployed. Eventually these fixes were added into either the default configuration of our product or in the security RPM that was created to harden the servers. This was as far as I had gotten without a degree or a certification and was still being told I did not have enough experience.
Within one week of being told to get the Security+ certification I scheduled the exam and passed the test. Within one week after that I got accepted into the master’s program. The reason I chose the Master program was because from all of the research I did it seemed like it was the most hands on to get me the most experience in security to eventually make the career jump I worked for. Without that experience of getting the degree I did not think I would be able to make the jump into security as quickly as I wanted. With this program they showed us how to set up our own labs to test exploits, perform pen tests, run full network scans, and much more. The key was that the program gave us the skills to choose which area in security we wanted to go into and grow in. The program included everything from vulnerability management to reverse engineering malware. It was this foundational level of knowledge that I got from the master’s that would have taken me much longer on my own working through certifications. For me, the degree in combination with the certification was the right path for me. For others with more experience it is likely that you are only a few certifications away from making the jump into security but I was fresh out of college trying to make this jump and that was path I went down with the situation I was in.
A word of advice, there are some companies out there claiming that you can make over $100k a year within 6 months just by getting one certification that is in high demand that they do not state. This statement and thought is completely false. The certifications that demand that sort of money in the marketplace all require a certain number of years in the industry. For example, the CCSP certification that can demand that kind of money in the industry requires you to have 5 years of experience across several domains of security. ISC2 will also verify that work experience to ensure you have the required experience otherwise they will not issue you the certification even if you pass the exam. On top of that one fact that ruins these scams, the way you get paid over $100k in cyber security is by having a skill set, honing that skill set, and proving that skill set. The only way you get a skill set that demands that kind of money is by experience in the industry for several years. Anyone that claims if you pay them X amount of money and in 6 months you will get a high demand certification and will be making over $100k is plain lying to you. These scams even market themselves as being able to take people that have zero IT experience and giving them the skills and the certifications all in 6 months to get to that level of income. This is a fallacy for the items I just stated above. Here is another item to consider, if you were to get that high paying job with no skills and one certification with no experience in the industry then you more than likely do not want that job and they are setting you up for failure whether you realize it or not. I will dig more into this in an upcoming blog post but use your head. If there are millions of job shortages in cyber security, then why is that? Is cyber security so easy to get into and such an easy job that no one wants it or is it on the other end of that spectrum? Do you need experience and skills in this field to truly know how to do your job in security well or is it like a help desk role that almost anyone can land? Use your head, that will get you farther than some scam of an “opportunity”.
To sum up my thoughts on certifications vs degrees. If you have experience in either IT (years of experience) or security and you are looking to jump into security or make a change in security then a certification should be more than enough to prove your skill-sets and get the job you want. If you are newer, fresh out of school, very young in your career then it doesn’t hurt to get a master’s degree in cyber security but make sure the program is a hands-on program. The best way to get experience in cyber security is by actually doing it. The best way to learn how to break into a Windows 2012 R2 server is by actually doing it yourself and failing hundreds of times until you figure out how to do it. Others will argue that you can learn those skills on your own in a home lab which I will discuss later on and that’s absolutely true and I think it is essential in getting a job in security as well. However, most companies out there will not allow you to get a job solely on a home lab. They want skills that are validated and that is what certifications and master’s degrees do. Those items validate those skills you claim to have because without validation they are just claims you are making with no proof. These are just my thoughts though; this is what worked for me and I have seen it work for others. I have also seen others that do not have degrees or certifications but have been in security since security started… Those people are completely different stories and do not really apply to this argument.