IT career people, is a degree in cyber security worth it?


Vanden Crash

769 posts

51 months

Saturday 24th September 2022
eein said:
Generally, to the level I need these things done, yes. We don't do bogo cyber solutions like the majority of the industry, so need a fairly high standard - there are of course many levels of architect and developer. I see many CVs with vast experience of configuring and installing a cyber product (eg SIEMs) that call themselves an architect, but they can only follow a reference design, whereas I'm looking for those that can invent the product and reference design and align it to a cyber technique that's 'new'.

Of course there are exceptions, but it's hard to pick them out at the interview stage, so degree down selection increases the probability of getting what we need
A very blinkered view there. Give me someone with ability and drive over someone with any old degree.

Had you said you wouldn’t look at anyone without a cyber degree I could understand but you stated any degree. Are you suggesting someone with a degree in something worthless such as Literature would somehow be able to architect better than someone without?

Welcome to the problem

bmwmike

6,954 posts

109 months

Saturday 24th September 2022
Vanden Crash said:
A very blinkered view there. Give me someone with ability and drive over someone with any old degree.

Had you said you wouldn’t look at anyone without a cyber degree I could understand but you stated any degree. Are you suggesting someone with a degree in something worthless such as Literature would somehow be able to architect better than someone without?

Welcome to the problem
Concur but the poster has acknowledged their interview process isn't great as they find it hard to identify the talent they need, so fall back to degree as their hiring benchmark. It's possibly an organisational or institutionally entrenched view as much as personal view, perhaps.






wombleh

1,796 posts

123 months

Saturday 24th September 2022
Different orgs have very different views on what an architect is, especially security architects.

There are plenty around who just implement vendor patterns, to be fair most infrastructure roles want that. A lot of places would describe the above one as a senior dev. Doesn’t make it easy to find what you need!

bmwmike

6,954 posts

109 months

Saturday 24th September 2022
wombleh said:
Different orgs have very different views on what an architect is, especially security architects.

There are plenty around who just implement vendor patterns, to be fair most infrastructure roles want that. A lot of places would describe the above one as a senior dev. Doesn’t make it easy to find what you need!
True. I did a few interviews recently with an org that had contacted me directly, didn't go anywhere, but it was clear they didn't really know what they wanted but just knew they needed something/someone to lead them toward what they needed. Was definitely a two way interview process in the truest sense, as most should be.

camel_landy

4,922 posts

184 months

Saturday 24th September 2022
bmwmike said:
Vanden Crash said:
A very blinkered view there. Give me someone with ability and drive over someone with any old degree.

Had you said you wouldn’t look at anyone without a cyber degree I could understand but you stated any degree. Are you suggesting someone with a degree in something worthless such as Literature would somehow be able to architect better than someone without?

Welcome to the problem
Concur but the poster has acknowledged their interview process isn't great as they find it hard to identify the talent they need, so fall back to degree as their hiring benchmark. It's possibly an organisational or institutionally entrenched view as much as personal view, perhaps.
Yep, I see the problem from both sides…

IMO - Jobs where a degree is stated is often a sign that the organisation simply doesn’t know what it wants.

M

Vanden Crash

769 posts

51 months

Saturday 24th September 2022
bmwmike said:
Vanden Crash said:
A very blinkered view there. Give me someone with ability and drive over someone with any old degree.

Had you said you wouldn’t look at anyone without a cyber degree I could understand but you stated any degree. Are you suggesting someone with a degree in something worthless such as Literature would somehow be able to architect better than someone without?

Welcome to the problem
Concur but the poster has acknowledged their interview process isn't great as they find it hard to identify the talent they need, so fall back to degree as their hiring benchmark. It's possibly an organisational or institutionally entrenched view as much as personal view, perhaps.
If they’re not getting the right candidates to interview then their job spec/advert and recruitment process needs an overhaul.

They need to hire someone with a degree in home economics to review it for them

Relying on a degree at sift clearly isn't working and as for the debate about architects, there’s such a bullst title like consultant. Very few actually are either but everyone gets the label because it sells. Is it any wonder people put it on their cv if that’s what their title is?

nebpor

3,753 posts

236 months

Saturday 24th September 2022
OP, my advice is to do a degree in computer science, which is the foundation to everything, then encourage an interest in security and a deep understanding of Linux and networking - don’t rely on a degree to teach them that depth, because they are focussed on theory. The depth will help them get into the field, the theory will help them work on bigger and more complex things as they seek progression

They will end up with a broader set of skills, giving them more options in future

Planning any kind of technology career path is hard as the field is so broad, hence I encourage to take the deep foundations of computer science, encourage security and see where it goes.

Be warned that security is an aptitude and not one that can be learned, if they really want to get into that field. If they don’t have a hacker mindset, they won’t get far IMO

I don’t believe security easily can be taught as a theoretical subject. It’s not a science it’s an art and one developing all of the time - most “security” is just implementation of a bunch of frameworks. Nearly all of it is learned through experience, with that hacker mindset, where hacker is the traditional meaning of the word (tinkering and figuring out how stuff works) as opposed to the modern use of breaking into things

To help you understand my position - I’m a top level security professional with almost 30 years experience in the field, working in one of the largest tech companies. I help hire (I'm not a manager) around 20 security architects and engineers a year and have interviewed literally hundreds over the last ten years in this role

I did computer science, was heavily into Unix/Linux as a system admin then jumped full time into security after a few years as a developer. I’ve been a coder, security management consultant, then a security solutions architect and now leader

There are vanishingly few people at my level without a STEM degree of some kind, and they all typically have that hacker mindset, or are maths geeks deep into cryptography


bmwmike

6,954 posts

109 months

Saturday 24th September 2022
nebpor said:
OP, my advice is to do a degree in computer science, which is the foundation to everything, then encourage an interest in security and a deep understanding of Linux and networking - don’t rely on a degree to teach them that depth, because they are focussed on theory. The depth will help them get into the field, the theory will help them work on bigger and more complex things as they seek progression

They will end up with a broader set of skills, giving them more options in future

Planning any kind of technology career path is hard as the field is so broad, hence I encourage to take the deep foundations of computer science, encourage security and see where it goes.

Be warned that security is an aptitude and not one that can be learned, if they really want to get into that field. If they don’t have a hacker mindset, they won’t get far IMO

I don’t believe security easily can be taught as a theoretical subject. It’s not a science it’s an art and one developing all of the time - most “security” is just implementation of a bunch of frameworks. Nearly all of it is learned through experience, with that hacker mindset, where hacker is the traditional meaning of the word (tinkering and figuring out how stuff works) as opposed to the modern use of breaking into things

To help you understand my position - I’m a top level security professional with almost 30 years experience in the field, working in one of the largest tech companies. I help hire (I'm not a manager) around 20 security architects and engineers a year and have interviewed literally hundreds over the last ten years in this role

I did computer science, was heavily into Unix/Linux as a system admin then jumped full time into security after a few years as a developer. I’ve been a coder, security management consultant, then a security solutions architect and now leader

There are vanishingly few people at my level without a STEM degree of some kind, and they all typically have that hacker mindset, or are maths geeks deep into cryptography
Agree with most of that except the "vanishingly few" as that's not my experience at all. That said I don't disagree that if I was to get into the field _today_ (I wouldn't, tbh) I'd probably recommend a degree in comp science too. Your part about hacker mindset is key for tech security jobs and that doesn't require a degree it requires a mindset and a lot of those people have been tinkering/coding/hacking since their early teens.

nebpor

3,753 posts

236 months

Saturday 24th September 2022
bmwmike said:
Agree with most of that except the "vanishingly few" as that's not my experience at all. That said I don't disagree that if I was to get into the field _today_ (I wouldn't, tbh) I'd probably recommend a degree in comp science too. Your part about hacker mindset is key for tech security jobs and that doesn't require a degree it requires a mindset and a lot of those people have been tinkering/coding/hacking since their early teens.
I’ll clarify - I mean vanishingly few in my company (FAANG) and my experience of those I know in similar companies. You have to have done some really standout things in your career to get past a CV screen without some kind of relevant degree - so it’s possible, but it’s extremely unlikely. I’ve found quite a few who didn’t go to uni after school end up going later in their career as they realised it was impeding them. I typically ask about this if I’m interviewing someone and it’s on their cv. It’s a good sign a lot, shows they wanted to develop their skill in an area they were interested in, so are motivated!

I know there is more to the world than just FAANG as well but having worked there for 10 years now, it would be hard to leave that type of environment as it’s typically the cutting edge of security and I love the ambiguity of doing things that haven’t been done before and working with the type of people that attracts. I’ve learned more about crypto than I ever thought I could as well, because I get so exposed to it and get the chance to work with leaders in the field

Edited to add, I’ve never seen a valuable “security certification” either and if someone has done them all, I tend to think less of them as they’re typically using them to make up for lack of skill or experience. There you go! I'm sure at some low level for the kind of company who has no idea about security (and thus needs that badge) they are helpful, but meaningless to any kind of experienced position in a large company or tech field

Edited by nebpor on Saturday 24th September 16:21

nebpor

3,753 posts

236 months

Saturday 24th September 2022
One of the things that is changing, given the insatiable need for security people, is that the hiring pool WILL start to become much more diverse. Security is a white, male STEM business largely and companies hiring folk with irrelevant backgrounds, but the right kind of mindset and aptitude, are companies growing their talent pool. This means it has to start looking past the traditional background that spawned security people

So basically I’m hoping everything I wrote above changes for the better at some point - the field needs it, as we can’t automate past the talent shortage quickly enough !

acd80

745 posts

146 months

Saturday 24th September 2022
Shrugging for victory said:
I sat on the offensive side of "teh cyberz" and I now work in GRC. I have no degree, but I do have a long IT and networking background, I also have CISM & CISSP and a bunch of other qualifications, but that's purely there for HR filtering. In all honesty though, my last 3 jobs have been in different companies and I got them by being a known good entity. I've interviewed people who had more qualifications than me and looked amazing on paper, but could they explain anything simple and clearly? Nope! Due to the amount of non technical stake holder engagement that you have, soft skills are just as important as the technical skills in this business IMHO.

Also, the skills shortage isn't at the bottom, as there are oodles of people chomping at entry level roles. It's the mid level up roles, where it's difficult to recruit. There are so many training organisations circling like sharks and exploiting this "shortage", it really annoys me.

I'm not even going to go down the rabbit hole of pointless cyber degrees.
NCSC would disagree with your final point BUT I agree with you - there are some excellent degrees out there and there are some dire ones. I had one person work for me on a year in industry (this was year 3 of a 4 year degree) and he hadn't touched anything remotely 'cyber' on his cyber degree and would only do so in his final year. This was at a Russell Group university too so people absolutely do need to do their research.

https://www.ncsc.gov.uk/information/ncsc-certified...

I've worked in cyber for over 17 years in both the public and private sector in techie and GRC roles. I run my own consultancy doing a mixture of GRC consulting and accredited Infosec and 'niche' training - I would certainly urge caution on choosing the correct training provider. There are some utter shysters out there ripping off people left, right, and centre, unfortunately and those who have been teaching content only and not 'doing'. Unfortunately, you will lose currency (and credibility) very quickly in that instance.

The entry level is saturated with applicants and people need to be able to stand out against their peers. Certifications are one way but I've also seen people use the likes of https://www.hackthebox.com/ to demonstrate their competency. I've also interviewed people at relatively senior levels who had multiple CVEs to their names but no certifications - the only thing that was going to stop them having the job was them messing up the in-person interview. Thankfully, they smashed the interview.

The soft skills side of things is overlooked a lot - there's a lot to be said being able to communicate with non-techies and communicating an issue at hand in a language that the stakeholder understands (i.e. most of the C Suite for a start). I've seen this multiple times working in a SOC - yes, there's a load of issues but what's the 'so what'? This is doubly important in a time sensitive situation such as incident management.

eein

1,338 posts

266 months

Saturday 24th September 2022
nebpor said:
One of the things that is changing, given the insatiable need for security people, is that the hiring pool WILL start to become much more diverse. Security is a white, male STEM business largely and companies hiring folk with irrelevant backgrounds, but the right kind of mindset and aptitude, are companies growing their talent pool. This means it has to start looking past the traditional background that spawned security people

So basically I’m hoping everything I wrote above changes for the better at some point - the field needs it, as we can’t automate past the talent shortage quickly enough !
Where I work is already very diverse. I went to an internal course a couple of weeks ago, covering all the cyber services we do as a business, aimed at new joiners (I'm not a new joiner but run the solutions part of the business so figured I should check out what this area is up to). There were >20 attendees, on gender male was a minority, and on colour white was a minority. This was not curated in any way, it's just who we've recruited recently into our cyber team.

Interestingly in Asia I deal with more females than males in customer organisations in senior cyber roles. Also at the working level... I ran a training course recently for cyber analysts in a major Muslim country and >50% of the customer team were female.

Big Rig

Original Poster:

8,855 posts

188 months

Saturday 21st January 2023
A question on behalf of myself now guys, if anyone could answer me? My current employer has offered to let me do a degree of my choosing with the Open University. I am a PLC programmer by trade. I would love to do a degree something related to computers and networking such as computer science, ideally in the future moving into IT as a career.

The OU doesn’t do a Computer Science degree as such but does do one named IT and computing (with various legs off that). From what I can understand it’s only a few modules different to a computer science degree.

On paper do you think it matters in the IT industry if I was looking for an entry level job whether or not I had a computer science degree vs the OU’s one?

Link for OU computing and IT degree list…

https://www.open.ac.uk/courses/computing-it/degree...


768

13,704 posts

97 months

Saturday 21st January 2023
Big Rig said:
On paper do you think it matters in the IT industry if I was looking for an entry level job whether or not I had a computer science degree vs the OU’s one?
Generally doesn't matter if you have a computing related degree or not, so I doubt that makes much difference. Given how long it takes to get an OU degree while working they're generally well respected. You might be better off trying to develop the skills yourself and getting a job now though rather than in six years.

bmwmike

6,954 posts

109 months

Saturday 21st January 2023
Plus 1 on developing skills yourself or get at least a feel for all the domains in info security and see which piques your interest. Background in software security myself though not in that currently and I do know that security has been an issue or rather a blind spot for PLCs so maybe start there and build your skillset around that?

https://gca.isa.org/blog/the-top-20-secure-plc-cod...

Edit to add just like in other software development improving security practices also improve overall quality. I've always argued you can't have quality software if you don't have security. Same rules apply to PLC too, e.g. plausibility of inputs etc, so the overall product quality improves when you've got security in the right places. Get better at security, improve your craft. Win win.



Edited by bmwmike on Saturday 21st January 16:49

nebpor

3,753 posts

236 months

Saturday 21st January 2023
The OU degree will look great and no need for pure CompSci

You have valuable real-world experience to augment the degree. As said above, there is an interesting intersection between PLC/Process Control / SCADA / Security - I did extensive work in the space for a major oil firm between 2001-2004

Our firm needs folk with those skills for our large-scale data centres that we operate. We write all of our own PLC stuff as the vendors are too slow - I think it’s a great and important combination of stuff to have in the tool bag and a degree will round those skills off

I’d also agree you should get cracking and self-learn in the interim !!

Edited by nebpor on Saturday 21st January 16:43

Vanden Crash

769 posts

51 months

Saturday 21st January 2023
Big Rig said:
A question on behalf of myself now guys, if anyone could answer me? My current employer has offered to let me do a degree of my choosing with the Open University. I am a PLC programmer by trade. I would love to do a degree something related to computers and networking such as computer science, ideally in the future moving into IT as a career.

The OU doesn’t do a Computer Science degree as such but does do one named IT and computing (with various legs off that). From what I can understand it’s only a few modules different to a computer science degree.

On paper do you think it matters in the IT industry if I was looking for an entry level job whether or not I had a computer science degree vs the OU’s one?

Link for OU computing and IT degree list…

https://www.open.ac.uk/courses/computing-it/degree...
Look up Pete Addison on LinkedIn, he’s at Ofgem

If you’re a PLC programmer I would strongly recommend a conversion into OT Security - he can advise on good degrees to undertake too

nebpor

3,753 posts

236 months

Saturday 21st January 2023
Any “digital control” bolt-on modules would be good. I did CompSci with Digital Control but hated the mechanical engineering side of it so went pure CompSci into 3rd and honours year

I still remember the pain of my “fish tank filler” code running on an RTOS continuing to fill right above the top of the tank, soaking the Uni lab!!

Brisvegas 997C2S

54 posts

16 months

Monday 23rd January 2023
Vanden Crash said:
Look up Pete Addison on LinkedIn, he’s at Ofgem

If you’re a PLC programmer I would strongly recommend a conversion into OT Security - he can advise on good degrees to undertake too
Absolutely this, if you know what you're talking about in the OT Security space you are going to be in big big demand.

Big Rig

Original Poster:

8,855 posts

188 months

Thursday 18th May 2023
Vanden Crash said:
Look up Pete Addison on LinkedIn, he’s at Ofgem

If you’re a PLC programmer I would strongly recommend a conversion into OT Security - he can advise on good degrees to undertake too
Would you mind if I send you a PM with a question please?