Note: I hesitate to post this for a variety of reasons. I have concerns it will be mistaken for bashing higher ed or academics, which is not my intent. I highly value learning and education. However, I also think we have to be honest about the current state of higher ed. There are no easy answers. So, pardon my rambling and incomplete thoughts on the matter.
I’ll admit, I bring a lot of bias to this discussion. I have 3 degrees (BS, MS, PhD – all kinesiology/exercise science related). I spent a good chunk of time as a tenure-track (assistant) and then tenured (associate) professor. Why the assistant/associate caveat? Because in the US, Professor implies full professor which means earned tenure and then got promoted again, associate professor is someone who got tenure, and assistant professor is before earning tenure. I generally try to avoid explaining all of that in polite conversation because really, who cares? Yes, I know – some people care. A lot. I love a lot of things about academia/higher education. I love learning, so it’s hard to argue against the pursuit of knowledge. However, I also recognize that things are…complicated when it comes to college.
I was listening to The Coolest Nerds In The Room because Stephanie is awesome and while I haven’t met Reggie yet, I greatly appreciate his love of sports and music as a person in tech. I may or may not have been talking back to them during this discussion. Because the issue is massively complicated and nuanced and not remotely the same for everyone. I could soapbox for days on this and talk about higher ed in general and all whole mess of other stuff. But in the interest of brevity, here are my thoughts on whether a degree is “needed” to succeed in IT/information security (infosec).
Spoiler Alert – It depends.
Let’s face it, there are still segments of society where you need a college degree. I’m not just talking about jobs, though that’s the easiest. There are places where not only are you looked down upon if you don’t have a college degree, you are looked down upon if you don’t have a college degree from a “proper” university. Can you hear the eye roll? I’m not going to pretend there’s not a difference between Ivy League and State schools. Heck, I won’t even pretend there’s not a difference between flagship universities and regionals. But I think the question we have to ask is what purpose does the degree serve?
In theory, a degree validates that you have a certain level of knowledge, skill, and ability relative to a certain subject. Plus theoretically a well-rounded general education from core requirements. You learn things in college. Hopefully. You learn the intended things that are in the curriculum. You learn the unintended things that are part of becoming an adult. You learn about people and time management and self discipline and how to learn and all kinds of great things. If you can afford the traditional residential college experience. And if you manage to get on a campus where you fit in. And if you manage to find your people. And if you manage to avoid succumbing to the host of foolish decisions that young adults who feel invincible in their independence are known to occasionally make.
I loved college. I loved college so much that I kept going until there really wasn’t an option to keep going. I was lucky. I had funding. I had a very different experience than many I know because I wasn’t starving or at the pay a bill or buy food point. I wasn’t rolling in money, but it wasn’t bad. So yes, doing college the way college is idealized is a great idea if you can do it without digging yourself too much of a hole in terms of debt and experience.
What about going the non-traditional college route? Night classes, online classes, community college, etc. Side note – if this is not yet the more typical college experience, I expect it to be in the near future because I don’t know how people will continue to pay for the traditional experience. Getting a degree this way definitely has value. There are people who will look down on it. I can say that some of my best students were those non-traditional students who went to college once they figured out what they wanted to do or after doing other things, like military service. If you’re in a situation where you need the piece of paper to move up, this may be your best option. And it might be possible to do it without a ton of debt if you can spread it out. But taking 1-2 classes a semester can take (seemingly) forever to graduate. I would actually like to see more people able to spread out their degree. I watched a lot of students struggle with working 40+ hours because that’s what was required to pay bills and taking 12+ credit hours because that’s what was required for financial aid. This resulted in students who were stretched too thin and unable to do their best (or often even acceptable) work because each class could not be a priority. I get it – I would have done the same in their situation. I wonder if it would have been better for them to be able to take fewer classes to give them a load that was more manageable with all of their other life responsibilities.
Recently we’re seeing competency-based education, like WGU, gaining some traction. I think this is a great option for a lot of people. It’s the option I’ll probably pursue if/when I decide to get a degree in infosec. It seems odd, but really it’s a throwback to the days of apprenticeships where learning took how long it took. I think many of these programs (and online programs) require a level of self-discipline that is not present for many 18-22 years old people. One of the things I like about the competency-based programs I’ve looked at is the embedding of certifications. While I also have a love/hate with certs, they can help. The caution with many of these programs is that they may have experience requirements or other things that keep the normal college demographic from going. So fantastic for people wanting to get a degree after being in a field, not necessarily a good fit starting out or to change paths.
To Not Degree
So why not degree? Because it’s expensive. Yes, loans are available. But that doesn’t change the expensive part – just pushes payment back. Plus to get loans you have to take a certain number of hours, which often seems to be a higher number than many students can handle given their other responsibilities. Or at least not carry and perform well in classes. Costs also just continue to rise. There are a lot of reasons why, but it’s not because the professors (teachers) are getting rich. And keep in mind many classes will be taught by adjuncts. This can be great – I know a lot of adjunct professors who are wonderful teachers and very dedicated to their students. But when you have to teach a lot of classes (and potentially at several schools) to make ends meet, there isn’t a lot of time left for the out of class activities necessary. If you want to get annoyed, do some digging into the adjunctification of higher education. (Yes, I recognize the irony of that statement given I was just saying I found competency-based education appealing.)
Then there’s the curriculum. We need well-rounded, educated citizens. The core/general curriculum is important. It develops a lot of important skills when done right. But a lot of students aren’t interested in it and approach it as a chore that has to be completed to do what you want. Which are the classes in your major. That you hope aren’t being taught with outdated information. But you might just encounter outdated info in your major classes. Rarely this is because the prof just doesn’t care. Sometimes it’s because to get a class through the curriculum process, you may have to be oddly specific about what’s going to be covered. Which means you are locked into the content for the most part. Which means if something develops in the field, the prof may not be able to change the content to adapt. Because if the prof doesn’t match what’s in the course catalog description, someone might have a case to get their grade changed or sue the university or some other horrible sounding consequence. How many times have you heard about graduates who have to unlearn a lot once they graduate and go into the “real world”? Plus professors are often people who are very much theory-based, not practice-based. And there’s often a huge gap between what works in-theory and what works in-practice. I’m not saying theory isn’t important – I think understanding the why is often an incredibly critical thing. But if all you’ve done is talk about the theory of how networks work, it could get really interesting when you have to actually start laying cable. So internships happen – except for some bizarre reason, internship often means unpaid. Which means life can get complicated very quickly. But students have to get experience, so we make them do internships. Don’t get me wrong – I’m not knocking professors or the type of focus most professors have or even internships (though I do think they should be paid). College is not intended to be vocational (job) training. Except now it’s expected to be. So it gets complicated.
So without a degree, how do you demonstrate that you know stuff? In IT, certifications. Of course you have the chunk of the industry who think certs are worthless and only for people who don’t really know what they are talking about. That thinking may work if you are some kind of prodigy, have some amazing network that will just hook you up with a job, or manage to stumble into a situation that works out. But there’s a whole lot of people who that doesn’t apply to. So certs demonstrate some basic capabilities. But even certification costs are out of reach for many, much less the cost of training. I know I couldn’t afford to pay for the training courses for certs. I learned through books, Cybrary, YouTube, etc. Plus many certs have some gatekeeping requirements (such as years of experience). This can make sense – I totally understand why CISSP has a 5 year experience requirement. For the cert to be what it’s supposed to be, some experience is needed. But people writing job descriptions need to also realize this – say it with me: STOP MAKING CISSP A REQUIREMENT FOR ENTRY LEVEL POSITIONS!!! Of course, it would also be nice to stop seeing job descriptions with 5 year experience requirements for entry level positions, but that’s another rant.
Boot camps are also becoming more popular. There are boot camps out there for a variety of options, but when are they a good option? My biggest issue with boot camps is cost. I think they can have use for certain areas. Coding boot camps seem to be fairly well received. Makes sense – I think coding lends itself well to the intensive study environment of a boot camp. I’m not convinced about infosec boot camps. I can understand the appeal, but I’ve yet to see the acceptance of infosec boot camps that I’m seeing of coding boot camps. I’m sure there’s a segment boot camps would work well for, but I would probably opt for doing one of Cybrary’s career paths over a boot camp.
The other big thing without a degree is experience. But how do you get experience when even the entry-level positions want experience? If you are interested in IT, one way to get experience is being IT for friends and family. You’re going to end up becoming the help desk once people find out you are in IT anyways, so why not start now? The tough part is documenting it. Consider charging a nominal fee if you can manage the business side of things (which would be good experience) so you can make it “official” for your resume. Developing a solid home lab is also essential. You can do a lot with a basic computer and virtual machines. Collect old machines from friends and family to repurpose/take apart/whatever. Then remember you have to translate this to your resume as well.
It can feel impossible to break into infosec. I see people struggling every day to get that first job or pivot over from another career. Not everyone has the luxury of waiting the 2-4 years necessary to complete a degree, nor the funds to do so. Not everyone has the funds to take certification prep classes. I like CompTIA certs because they are not horridly expensive and you can prep using books and resources that let you keep costs down. I also like the eLearnSecurity classes and certs because the courses include the certification costs and the certs are practical rather than theoretical. Granted these certs aren’t as well known, but I think they are going to become more widely accepted as people get to know them. Plus there are resources that all you need is an Internet connection.
So is a degree “necessary” – no. Can it be helpful – yes. Is it a complicated hot mess of a dumpster fire determining whether you need to get a degree or not? Absolutely. Are there convoluted societal issues at play that make some people need a degree more than others? Yes, unfortunately. I can understand why people would choose either given their circumstances. I think like many things, you have to look very carefully at your current life situation, where you want to go, how quickly you need to get there, and your abilities/learning style. The best thing you can do is learn to learn and become comfortable being an autodidact (basically teaching yourself using the tools available to you) because infosec is a field where you have to continuously level up.
I have hope that things will stabilize as the discipline matures and people figure out how to write job descriptions that make sense. Descriptions can vary greatly for the same title from company to company. Maybe at some point the NICE infosec Workforce Framework will gain acceptance. It isn’t perfect, but at least it provides a common starting point.
I also recognize that there are lot of issues that need to be addressed. Higher education may have hit a point that is unsustainable. Certs are expensive and carry the perception of just being able to pass a test. It can feel like there’s no way to get where you want to be. For all the talk of a shortage in infosec, I see a lot of people looking for a long time. I’m not entirely convinced there is a shortage, but that is an entirely different rant. So what’s the bottom line – knowledge, skills, and abilities are very important. How you acquire them is less important. No matter how you go about it, you’re probably going to need to network like crazy and hope to get lucky. That may not be the most encouraging thought to leave on, but that’s what I’m seeing.