IT career people, is a degree in cyber security worth it?


ATG

20,613 posts

273 months

Tuesday 29th December 2020
I'd echo the point that getting an OU degree while working is always impressive. Shoring up your educational credentials later in life is also always impressive. It shows maturity, real commitment and determination. This applies to any degree course. I'd suggest he did something that interests him, regardless of whether it's a great fit for a job or not. If he's looked at the Cyber Security course's syllabus and it looks really interesting, then go for it. But also consider software engineering, computer science or whatever else the OU offers in the same general area.

Australiam

276 posts

130 months

Monday 4th January 2021
Really good stuff posted so far, so to try to avoid duplication. Although we are talking cyber sec' I feel my thoughts are suited to any industry.

There are multiple ways of 'breaking in' and assuming he does not yet know which bits of Cyber Security he will be interested in, it is only with hindsight, that he will be able to look back and spot an easier faster way to get to where he eventually wants (a point which he is unlikely to know until he has some experience). So in my mind, if he is not sure - pick the route with the journey he will enjoy the most!

Cyber Security is a vast field, and very few have a cyber sec' degree (though many have a degree of some sort). It is not essential, though it may however help him to walk into a higher paid role, (equally it will take longer, & be more costly than other routes in).

Employers will be looking at his story - From him identifying a desire, building then executing his plan (allowing for change en-route). Whether that plan is a degree, some of the courses listed above, getting a general helpdesk role, or something else, it will certainly impact the 'first role' he can apply for, but each can get him in the door. If he knows what he wants to do, the plan can be tailored for that role, if not it can be kept more general.

Equally important to achieve his longer term plan is to work for a company that offers opportunity. He will be starting with no practical experience, but once he is in, if he is good (at the areas that interest him), I assume he will be on the lookout for opportunities to move forward.

In summary - I feel he needs a plan. The degree is one route, but there are others. He also needs to look for a company that offers opportunity. Smaller companies that have good opportunities do not as frequently recruit staff with no experience (I know I am generalising and there are exceptions, but finding that exception can be difficult for somebody new to the industry). Smaller companies may accelerate your progress faster. Larger companies will often be slower to spot potential, but it can be easier to move to a role you are best suited to. Again, it depends if at this stage, he knows what he wants to be doing. The other benefit of a larger opinion, is that once you have a recognised company on your CV, it goes a long way to securing your next position.

Good luck!


ffc

613 posts

160 months

Monday 4th January 2021
I'd say do the degree, there's more to Uni than the qualification. Cyber security is a very wide field and will be around for a long time. Every aspect of computing/IT will have a security angle so as a discipline it probably has a bright future in IT terms.

Chozza

808 posts

153 months

Monday 4th January 2021
The OU degree seems light in any actual cyber security stuff at the moment - all the cyber modules haven't actually been run yet - so no real details of the content

Cyber security (TM256) – planned for February 2022 30
Information security (TM311) – planned for October 2021 30
Systems penetration testing (TM359) – planned for February 2023 30

So I'd treat it as a degree in IT, with some networking and Cyber modules. 30 point courses even at L2/L3 at OU aren't that in-depth tbh - but it's achievable in your/his spare time.
The networking modules cover CCNA material as well so he should plan to complete this as well

I have 2 degrees from OU, so I rate them highly - OU degree in the relevant subject is almost an automatic interview for me!

I'd recommend he signs up, gets started when not working and can always change course after the first year's modules are done.

Experience is everything though! Time spent in network roles whilst doing the degree in the background would be worth more than the degree, and some of the other courses are pointless without experience. I've recently finished my CISSP - the subject matter is wide - so although you can cram for it I was drawing on years' worth of experience (pubs were shut so nothing better to do).



detective peralta

20 posts

112 months

Monday 4th January 2021
Some really good content here, especially resources like Cybrary if he chooses not to go down the university route.

As others have said, uni is about more than just the subject knowledge, understanding how to write coherently, working in difficult groups, and debates are all valuable skills that can't necessarily be gained via an online course.

As someone who did an IT and business degree then got onto a cyber graduate scheme in 2016, it wasn't so much about the content of the degree, but having one that enabled me to get on an accelerated path and go from 29k to 68k in 4 years.

One of the most valuable skills I look for when recruiting is the technical skills - while there will always be the requirement for GRC etc - but the technical skills really set candidates apart and if he's tech savvy and finds it interesting that will go far with employers.

anonymous-user

55 months

Saturday 27th August 2022
A little bump to the thread. I was discussing cyber security courses the other day with a young relative, who's studying this subject at uni and he mentioned the GIAC courses, which he'd heard about from a friend who works in IT. The GIAC qualifications seem to be well regarded for cyber security but they are expensive and the ideal scenario would be for an employer to pay the fees. Obviously it's the chicken and egg scenario if someone isn't currently working within cyber security and - notwithstanding employers always preferring experience - I don't know how much holding a couple of GIAC certificates would help in obtaining a job in cyber security.

Edited by anonymous-user on Saturday 27th August 19:28


Edited by anonymous-user on Saturday 27th August 19:37

Vanden Crash

769 posts

51 months

Saturday 27th August 2022
Along with a colleague I rewrote our job specs (Capgemini) to specifically remove degree as a requirement.

It matters not to us. Also the quality of candidates since the change (and some other wording) has significantly increased.

If your son is looking into this, my friend heads up our apprenticeship and grad programme. Feel free to message or if you can’t via here I’ll get in touch if you want

Vanden Crash

769 posts

51 months

Saturday 27th August 2022
ffc said:
I'd say do the degree, there's more to Uni than the qualification. Cyber security is a very wide field and will be around for a long time. Every aspect of computing/IT will have a security angle so as a discipline it probably has a bright future in IT terms.
University is nothing like it once was. The benefits outside the course just don’t exist

I do not work for this company but out of all the recent hires I put forward, those that had been on Capslock were miles ahead of the field

Cyber is massive though, bigger than IT for specialties. I personally advocate a CISMP to have a grounding in governance and then do the techno stuff if that’s what he wants.

Any cyber security worker who cannot understand how governance and business operate is limited to just what’s in front of them.

pokegone

23 posts

91 months

Saturday 27th August 2022
In terms of context I’m a managing partner of a cyber security consultancy. Starting salary is massively dependent on the vertical the employer is in and mostly on location. In Scotland they start between £25k - £35k on the lower end of the location/vertical end of the spectrum.
In terms of a career path, as someone who was successful as a ‘generalist’ I’d absolutely encourage him to focus on cyber. Sure a wide level of experience absolutely adds to their capabilities but that’s experience. They should get a job pretty easy pretty quickly. Areas of focus will be influenced by their ability to communicate and articulate why some cyber issue etc is important, in terms the lay person would understand.

Good luck.

somouk

1,425 posts

199 months

Monday 29th August 2022
Vanden Crash said:
Along with a colleague I rewrote our job specs (Capgemini) to specifically remove degree as a requirement.

It matters not to us. Also the quality of candidates since the change (and some other wording) has significantly increased.

If your son is looking into this, my friend heads up our apprenticeship and grad programme. Feel free to message or if you can’t via here I’ll get in touch if you want
Completely agree this is the way forward. I don't have a degree and would have traditionally been overlooked by my employer if I had applied for the role I'm in and not gone in via acquisition.

CthulhuTheGreat

15 posts

118 months

Tuesday 30th August 2022
My background is as a former physical/digital pen-tester and current CISO. I would first ask what specific areas of infosec appeal to them? Infosec isn't really just about what most people would call security, with many of the disciplines being very documentation, risk and compliance orientated (for example GRC, supplier and third party audit, obtaining and maintaining compliance for things like ISO27k, PCI and SOC2).

These are not very interesting roles in my opinion and employers often require certifications like CISSP or CISSM, which I personally don't put a large amount of value in as they tend to teach you what to think and not how to think.

I, and many other CISOs/CIOs, no longer place a lot of value in degrees or the above certs, and the ones that still do tend to be quite old school in their thinking. I would much rather employ someone who had (sometimes fairly significant) gaps in their knowledge, but has the correct aptitude and problem solving skills and a passion to do the job.

An often quite overlooked aspect of InfoSec is that it can be bloody stressful, and stressful on another level when compared to other IT based roles. Individuals in mid to senior level InfoSec roles quite often end up with mental health issues and addiction and relationship problems, you have to be a very specific type of person to do those roles in general.

Like has already been mentioned, having an interest in building PCs or hardware doesn't really help anymore. If someone walked through my door though and said that I can pick locks, have an understanding of social engineering and am an ethical hacker then I would listen. I would recommend starting with some online courses and building up to something like EC Council Certified Ethical Hacker as a good starting point as it gives a very good overall understanding of the skills needed in most roles.

TLDR version:

1. Most InfoSec roles are actually quite dull.
2. The fun stuff is more Security Operations and Offensive/Defensive Security
3. It can be super stressful.
4. "Proper" pen-testing is a hoot of a job, BUT you need to be a very particular kind of person to do it as it demands that you do things your Brain doesn't want you to do.
5. Most employers now will be looking at the person and not necessarily accreditations, if they do I can pretty much guarantee it will not be a great place to work.
6. Don't just do it for the money, if they do they will be miserable and fail. You have to have a genuine passion for it to be successful.


Edited by CthulhuTheGreat on Tuesday 30th August 14:09

eeLee

760 posts

81 months

Tuesday 30th August 2022
My most promising asset is mid-20s, came in as an apprentice and is absolutely spot on the job. He gets the most mentoring and I try to push him into the fold for some of the more interesting (and challenging) engagements we have. Everything he does is given 100% and he is on a promotion path (again).

I know some of my peers (we're a large organisation for CISO and CSO) are a bit <meh>

I would say if you have a good understanding of technology and the controls needed to secure it all, technical and otherwise, then everything else matters less. I have a Master's in InfoSec plus a CISSP and I can tell you I draw on this little; more interesting is leveraging frameworks and most of all being able to think outside the box - there are things that no framework can address so you must be methodological about your approach to what controls should be present and why (because you need to explain why).

Most of all, it's about people management because they are your greatest asset and do the following:
- manage your management (especially because you're a cost centre, always, in a firm)
- be clear that risk and financial decisions have impact and someone has to shoulder the risk
- know who your stakeholders are and ensure they have the "mindset". Half of what I do is driven by people coming to me because I cannot see everything, be everywhere and know everything......

sly fox

2,231 posts

220 months

Tuesday 30th August 2022
Telca68 said:
A little bump to the thread. I was discussing cyber security courses the other day with a young relative, who's studying this subject at uni and he mentioned the GIAC courses, which he'd heard about from a friend who works in IT. The GIAC qualifications seem to be well regarded for cyber security but they are expensive and the ideal scenario would be for an employer to pay the fees. Obviously it's the chicken and egg scenario if someone isn't currently working within cyber security and - notwithstanding employers always preferring experience - I don't know how much holding a couple of GIAC certificates would help in obtaining a job in cyber security.

Edited by Telca68 on Saturday 27th August 19:28


Edited by Telca68 on Saturday 27th August 19:37
GIAC - That's a bit like jumping in at the deep end. As others have mentioned, ethical hacking/threat hunting courses would be a great precursor in many ways.
Threat hunting is not for everyone. It might be cool, but it's hard, monotonous, process driven repetitive work. It gets 'cool' when you are several steps up the ladder, before that it's quite stressful. Many Incident response firms I work with now employ uni grads with Computer science degrees - tell them to forget what they learnt and teach them the art of threat hunting their way. That's the first line teams right there. They are doing that on sub £35k a year even in London. 2nd or 3rd line analysts, malware reversers, forensics - that's where the money is but it takes many years to get that deep.

There are many domains of knowledge within IT, even IT security. I'd recommend to take a broad view and learn many topics where possible but focus where your interests lie. Specialising improves your salary unless the technology is made redundant (yes I started off my IT career supporting Lotus Notes/Domino but did well on that for a few years).

Experience over certs has always worked for me when interviewing for a role. I've always looked for someone who can communicate too. So many folks in IT have the reputation they deserve because of poor communication skills.

I've worked in IT since 97 so 25 years now. Not a single formal qualification or degree in the topic. Just learnt on the job, studied others, worked hard. Saw opportunities where others did not. Took sideways steps to broaden my knowledge in early years. It's certainly a good career, and as someone who is moving direction within the Security market soon (from DFIR to ASR), I can tell you experience is like gold.

bmwmike

6,954 posts

109 months

Tuesday 30th August 2022
Been in cyber for over 20 years in different countries - it's a good career path but as others have alluded to, for many of the disciplines within cyber there is a specific mindset that is needed. At one end of the spectrum you have the documentation focussed types and the other end is the super techy types who can do anything they put their mind to, but it can be like herding kittens to manage them (been there done that, never again).

TLDR good career potential but need inquisitive mind for the techie stuff, and definitely be a self starter, by which point they'll sort of already know how to find the info they need and get into the industry (super easy at low end consultancy) so just go do it and see where it leads.

wombleh

1,796 posts

123 months

Tuesday 30th August 2022
A security specific degree will definitely help, I would expect to walk into a decent job with potential to move up, unless there’s some dramatic market change in next few years. Or get degree then spend some time somewhere like Cheltenham on a govt wage for a few years and you’d have choice of jobs to retirement.

Degree isn’t necessary, even a bootcamped cert like CISSP will open doors, there’s plenty of clueless security people riding the gravy train!

Vanden Crash

769 posts

51 months

Wednesday 31st August 2022
If someone was to ask my advice, I’d strongly advise something else.

It’s an almost always on role. The rewards can be great but the impact can be immense. It is a career rife with burn out

It’s a growth area at the minute but so much of it is getting automated too, there will always be a human requirement but the sector’s not as sexy as people imagine.

SmithCorona

616 posts

30 months

Wednesday 31st August 2022
wombleh said:
A security specific degree will definitely help, I would expect to walk into a decent job with potential to move up, unless there’s some dramatic market change in next few years. Or get degree then spend some time somewhere like Cheltenham on a govt wage for a few years and you’d have choice of jobs to retirement.

Degree isn’t necessary, even a bootcamped cert like CISSP will open doors, there’s plenty of clueless security people riding the gravy train!
CISSP needs five years demonstrable experience - bootcamp may teach you the answers to the exam, but doesn't get you the cert. Same with all of these e.g. CISA/CISM.

I wouldn't suggest they are the easy routes into the sector, they are the opposite, and not really for the clueless.

An OU degree would likely be quicker, though not as respected as the practical certs.

The best route may be the less complex certs (e.g. CompTIA ones) and getting an entry level role in a similar field.

Basically the first reply to this thread gave the right answer, two years ago.

wombleh

1,796 posts

123 months

Thursday 1st September 2022
Unfortunately as with most certs, there are ways and means of gaming the system and no shortage of folk willing to do that for a good wage.

Fair one on the thread age, hadn’t noticed it had been revived. OP still around, if so how is your nephew getting along?

Edited by wombleh on Thursday 1st September 16:19

Vanden Crash

769 posts

51 months

Thursday 1st September 2022
Caps lock are currently my go to place for resources. Eager folk that have retrained, the best candidates I’ve interviewed recently had all done capslock.

It combines certs with actual hands on translation of what it means and how to apply it

Cloudy147

2,723 posts

184 months

Friday 2nd September 2022
I work in a large org with a big IT department.

I recently recruited some apprentices for my IT tech team, and had 81 applicants for my 5 roles. Comparatively, the Cyber team had more than 400 applicants for a single role, and had to remove the ad to stop any more coming in.

It’s definitely a growth area, but also appears to be a very competitive one. If it’s an area of interest then anything you can do to get ahead of the competition I’m sure would be advantageous.