IT career people, is a degree in cyber security worth it?


HiAsAKite

2,355 posts

248 months

Friday 2nd September 2022
Vanden Crash said:
CapsLock are currently my go-to place for resources. Eager folk that have retrained, the best candidates I’ve interviewed recently had all done CapsLock.

It combines certs with actual hands-on translation of what it means and how to apply it
Would add to this - seeing good things coming out of CapsLock

Vanden Crash

769 posts

51 months

Friday 2nd September 2022
Cloudy147 said:
I work in a large org with a big IT department.

I recently recruited some apprentices for my IT tech team, and had 81 applicants for my 5 roles. Comparatively, the Cyber team had more than 400 applicants for a single role, and had to remove the ad to stop any more coming in.

It’s definitely a growth area, but also appears to be a very competitive one. If it’s an area of interest then anything you can do to get ahead of the competition I’m sure would be advantageous.
Everyone sees it as the way to make big quids. It will be like IT back in the 90s

bmwmike

6,954 posts

109 months

Friday 2nd September 2022
Cloudy147 said:
I work in a large org with a big IT department.

I recently recruited some apprentices for my IT tech team, and had 81 applicants for my 5 roles. Comparatively, the Cyber team had more than 400 applicants for a single role, and had to remove the ad to stop any more coming in.

It’s definitely a growth area, but also appears to be a very competitive one. If it’s an area of interest then anything you can do to get ahead of the competition I’m sure would be advantageous.
Supposedly a skills shortage in cyber/infosec - what was the role out of interest?

prand

5,916 posts

197 months

Friday 2nd September 2022
bmwmike said:
Supposedly a skills shortage in cyber/infosec - what was the role out of interest?
Skills shortage, not necessarily a candidate shortage as....

Though in my experience working in Cyber, we are finding it hard to find good people to fill vacancies.

We can bring in keen inexperienced people, but at the end of the day, you do need a level of long-term experience in IT and Cyber Security to build solid functions.

skeeterm5

3,357 posts

189 months

Friday 2nd September 2022
I was the CISO at a large UK financial services firm. The team I ran was made up of internal recruits and some external recruits.

The internal recruits were from various teams, predominantly IT teams like networks or MS etc. I also brought in people with good risk skills, not necessarily any IT skills. Some were taken in perm to the team and some were on secondment so that they could take their insights back into their line roles and hopefully spread some good practice. For these roles I cared not one jot about qualifications, I wanted to see attitude, aptitude and skill.

External recruitment is more difficult, trying to get the right skills and experience is a lottery. So I used personal recommendation from the team or people I knew, again qualifications were less important.

I did take some unknown externals, and in this regard qualifications were an indicator of application to a task rather than any real skill, if treated in this way it is a useful barometer of the candidate but nothing more. I always asked the candidate to explain their qualification, why they chose that specific one rather than any of the others and most importantly how this qualification helped my organisation. It is likely that any organisation has its own methods so a new hire is going to have to adapt.

Finally worth noting if you are in a highly regulated industry like banking/insurance then the regulator FCA and/or PRA can be very small minded about qualifications in so far as having few people in your team without them can be looked at dimly, I recall a spirited conversation about knowledge and experience versus qualification at an FCA cyber coordination group meeting. Most in business sided on the rather have knowledge and experience in the team, whereas the regulators and other HMG bodies at the meeting sided with qualification. The one exception was the rep from GCHQ who sided more with business.

Equally our Board always wanted to be assured that we had credible people working in the team, and it was a topic at each Board review meeting that I had to assure them of.

So to the question, if you are starting out with no experience or practical knowledge then a degree is a starting point to a conversation, but I always wanted to know how you apply what you had learned in the real world business scenario.

Edited by skeeterm5 on Friday 2nd September 18:31

Big Rig

Original Poster:

8,855 posts

188 months

Friday 23rd September 2022
Interesting thread over on Reddit specifically about pay in the U.K. cyber security sector. There’s either a few lies being told or genuinely after a few years experience you can earn some serious money.

Still begs the question, computer science degree, cyber security degree or another way of getting a foot in the door? I’m a plc programmer, not sure how/what my route in could be?



https://www.reddit.com/r/cybersecurity/comments/xl...

768

13,705 posts

97 months

Friday 23rd September 2022
I’m mostly seeing relatively poor rates there? One guy managing on both sides of the Atlantic at £130k, but that was the exception?

bmwmike

6,954 posts

109 months

Friday 23rd September 2022
People in that thread are quoting both UK and US salaries but leaving off the GBP or USD bit so it's always obvious. Also the statement that the US is slightly more expensive than the UK shows that poster has not much clue. Massively depends which actual cities you compare to.

Vanden Crash

769 posts

51 months

Friday 23rd September 2022
Big Rig said:
Interesting thread over on Reddit specifically about pay in the U.K. cyber security sector. There’s either a few lies being told or genuinely after a few years experience you can earn some serious money.

Still begs the question, computer science degree, cyber security degree or another way of getting a foot in the door? I’m a plc programmer, not sure how/what my route in could be?



https://www.reddit.com/r/cybersecurity/comments/xl...
Cyber is in a bubble, it will burst

Headline figures are just that.

Saying that one of the juniors we hired on a base of 26k just a few months back is now getting approached for jobs paying 3 times that. Will he get one at that rate? I don’t think at the top end but he will certainly double his base. Only been in the industry 8 months after retraining after 20 years in another industry not linked to us.

Fair play to him.

Shrugging for victory

547 posts

71 months

Friday 23rd September 2022
I sat on the offensive side of "teh cyberz" and I now work in GRC. I have no degree, but I do have a long IT and networking background, I also have CISM & CISSP and a bunch of other qualifications, but that's purely there for HR filtering. In all honesty though, my last 3 jobs have been in different companies and I got them by being a known good entity. I've interviewed people who had more qualifications than me and looked amazing on paper, but could they explain anything simply and clearly? Nope! Due to the amount of non-technical stakeholder engagement that you have, soft skills are just as important as the technical skills in this business IMHO.

Also, the skills shortage isn't at the bottom, as there are oodles of people chomping at entry level roles. It's the mid level up roles, where it's difficult to recruit. There are so many training organisations circling like sharks and exploiting this "shortage", it really annoys me.

I'm not even going to go down the rabbit hole of pointless cyber degrees.

sly fox

2,231 posts

220 months

Friday 23rd September 2022
Vanden Crash said:
Cyber is in a bubble, it will burst

Headline figures are just that.

Saying that one of the juniors we hired on a base of 26k just a few months back is now getting approached for jobs paying 3 times that. Will he get one at that rate? I don’t think at the top end but he will certainly double his base. Only been in the industry 8 months after retraining after 20 years in another industry not linked to us.

Fair play to him.
There is a shortage of good people in mid-top roles. That shortage cannot change very quickly as the roles of this level demand experience, which isn't something you can get overnight.

I've been looking for roles since February - I've seen an uplift in salary within the last 6 months for similar roles. I'd say for the roles I was interested in, salary has gone up by 10-15k extra per annum.

At the lower level - good luck to your example if he can do the job and get a nice increase. Recruiters will be burned in the long run if they are putting inexperienced people in these higher level roles at premium prices and the employee doesn't stick at the job.

h0b0

7,624 posts

197 months

Friday 23rd September 2022

Vanden Crash

769 posts

51 months

Friday 23rd September 2022
sly fox said:
There is a shortage of good people in mid-top roles. That shortage cannot change very quickly as the roles of this level demand experience, which isn't something you can get overnight.

I've been looking for roles since February - I've seen an uplift in salary within the last 6 months for similar roles. I'd say for the roles I was interested in, salary has gone up by 10-15k extra per annum.

At the lower level - good luck to your example if he can do the job and get a nice increase. Recruiters will be burned in the long run if they are putting inexperienced people in these higher level roles at premium prices and the employee doesn't stick at the job.
What/where are you looking for? We are always on the scalp.

I’m considering a move if only to let salary catch up to inflation. In IT the only really viable way to get a proper increase is to jump every few years so you need to start off on more than you want.

Vanden Crash

769 posts

51 months

Friday 23rd September 2022
h0b0 said:
Works 20 hours, 10 days leave, no job protection, dealing with Americans. Should be 500k for that

ziggy328

864 posts

215 months

Friday 23rd September 2022
I would go for the education, but then go broader. IBM would be a place I would look at getting into. Security is big business for them, and they are trusted in the market, but once in there are so many other options for someone minded in technology - AI for instance.




  • checked the date of the first post, probably decided by now
Edited by ziggy328 on Friday 23 September 19:09

juice

8,537 posts

283 months

Friday 23rd September 2022
Telca68 said:
A little bump to the thread. I was discussing cyber security courses the other day with a young relative, who's studying this subject at uni and he mentioned the GIAC courses, which he'd heard about from a friend who works in IT. The GIAC qualifications seem to be well regarded for cyber security but they are expensive and the ideal scenario would be for an employer to pay the fees. Obviously it's the chicken and egg scenario if someone isn't currently working within cyber security and - notwithstanding employers always preferring experience - I don't know how much holding a couple of GIAC certificates would help in obtaining a job in cyber security.

Edited by Telca68 on Saturday 27th August 19:28


Edited by Telca68 on Saturday 27th August 19:37
We're US focused as we're based in Bermuda. I have GSLC, GSTRT, GCCC and am now considering either a CISSP, or CISM to appeal to both markets
The GIAC Certs aren't cheap but the quantity and quality of information is very good indeed.

I'm on the SANS advisory board (a meritocracy) based on scoring at least 90% in the exams and this has been invaluable in terms of topics and subject matter experts that discuss pretty much any Cyber related topic you can think of. All of the SANS instructors contribute so it's a bit like a free mentoring board for anything you'd like to ask as it includes real-world examples and success stories.

We follow the CIS model of defense.

I would add that you need to have CPEs to renew your certs, gained either through taking new classes or work related credits that go towards your renewal. My GSLC requires 36 CPEs (from memory)

Edited by juice on Friday 23 September 19:17


Edited by juice on Friday 23 September 19:21

eein

1,338 posts

266 months

Friday 23rd September 2022
I'll stand up for the degree side of things. I have >100 people in my team designing, building, deploying, supporting, training and services around a cyber security product - about a third have cyber specific domain knowledge, the rest are just hard core technical of various disciplines. I won't look at CVs without a degree, although it does not have to be a cyber security degree. However, I do need people who can 'architect' and 'develop' in the cyber security industry.

This compares to users or analysts, which you can get good at without a degree. So, if you want a solid starting salary (£30-40k) then non-degree qualifications and certifications are a good way to go, but your career thereafter won't move as quickly. If you want the decent start salary, but 6 figures within 5-8 years you'll more than likely need a subject matter degree to start from.


bmwmike

6,954 posts

109 months

Friday 23rd September 2022
eein said:
I'll stand up for the degree side of things. I have >100 people in my team designing, building, deploying, supporting, training and services around a cyber security product - about a third have cyber specific domain knowledge, the rest are just hard core technical of various disciplines. I won't look at CVs without a degree, although it does not have to be a cyber security degree. However, I do need people who can 'architect' and 'develop' in the cyber security industry.

This compares to users or analysts, which you can get good at without a degree. So, if you want a solid starting salary (£30-40k) then non-degree qualifications and certifications are a good way to go, but your career thereafter won't move as quickly. If you want the decent start salary, but 6 figures within 5-8 years you'll more than likely need a subject matter degree to start from.
Do you find people without a degree cannot 'architect' or 'develop' ?

eein

1,338 posts

266 months

Friday 23rd September 2022
bmwmike said:
eein said:
I'll stand up for the degree side of things. I have >100 people in my team designing, building, deploying, supporting, training and services around a cyber security product - about a third have cyber specific domain knowledge, the rest are just hard core technical of various disciplines. I won't look at CVs without a degree, although it does not have to be a cyber security degree. However, I do need people who can 'architect' and 'develop' in the cyber security industry.

This compares to users or analysts, which you can get good at without a degree. So, if you want a solid starting salary (£30-40k) then non-degree qualifications and certifications are a good way to go, but your career thereafter won't move as quickly. If you want the decent start salary, but 6 figures within 5-8 years you'll more than likely need a subject matter degree to start from.
Do you find people without a degree cannot 'architect' or 'develop' ?
Generally, to the level I need these things done, yes. We don't do bogo cyber solutions like the majority of the industry, so need a fairly high standard - there are of course many levels of architect and developer. I see many CVs with vast experience of configuring and installing a cyber product (eg SIEMs) that call themselves an architect, but they can only follow a reference design, whereas I'm looking for those that can invent the product and reference design and align it to a cyber technique that's 'new'.

Of course there are exceptions, but it's hard to pick them out at the interview stage, so degree down selection increases the probability of getting what we need


bmwmike

6,954 posts

109 months

Friday 23rd September 2022
eein said:
Generally, to the level I need these things done, yes. We don't do bogo cyber solutions like the majority of the industry, so need a fairly high standard - there are of course many levels of architect and developer. I see many CVs with vast experience of configuring and installing a cyber product (eg SIEMs) that call themselves an architect, but they can only follow a reference design, whereas I'm looking for those that can invent the product and reference design and align it to a cyber technique that's 'new'.

Of course there are exceptions, but it's hard to pick them out at the interview stage, so degree down selection increases the probability of getting what we need
Yah following instructions is not what I'd call architecture either, tbh!