Talking Point - On Education - Pt. 1

Note: This post is the first of a series of non-technical topics relevant to information security and other aspects of technology at large.

Education’s Place in InfoSec - Or: Certs, Degrees, and Experience, oh my!

Earlier this week on Twitter, Christian P. (@CYINT_dude), Kyle Maxwell (@kylemaxwell), and myself had a brief conversation about education. Education is a somewhat divisive subject in our field and it was nice to hear from them on the issue. Like others, I have very strong feelings about education, shaped largely by my journey and the impact varying types of education have had on my personal development and career. This post and its second part will outline my take on the topic, which is wholly personal and meant as food for thought.

One of the questions I see asked most often in public communities is whether or not a four-year computer science or other IT-related degree is a hard requirement for working in the security field. Let me be completely honest: in some cases, yes. Many positions require that degree as a bare-minimum foot-in-the-door differentiator. Technical degrees such as Computer Science or Cybersecurity provide a great starting point for someone interested in Information Security. That said, I find a hard requirement for a technical degree foolhardy and obtuse.

You’re probably expecting me to say I don’t think a degree is important at all; you’ll be disappointed. While it should not be required in most cases, a degree still has a lot of value. What I do believe, however, is that the degrees sought should not be limited to CS/IT fields. My Bachelor’s Degree is in Political Science with a focus on International Relations and a minor in History. So what’s this liberal arts yuppie doing in InfoSec? What might surprise you is just how valuable that degree has been for me. A degree in Political Science/International Relations will ensure that you can effectively communicate, both verbally and in writing. It will ensure you are well prepared to build, relay, and defend an argument. It will give you the foundations of good research and analytical procedure.

In short, such a degree will give you the ability to enrich and exhibit your technical skills for the better. As an added bonus, a background in International Relations is extremely helpful in understanding the geopolitical aspects of attribution, global cybercrime, and cyber espionage and warfare.

The benefits of non-technical degrees don’t stop with Political Science. Education majors are great teachers and communicators. Marketing, Finance, and Business majors understand the needs and realities of operating a business. Communications and Art majors understand the art of communicating their message to varying audiences visually or in other useful forms. Science majors develop excellent troubleshooting and analytical skills. I could go on for days, highlighting some huge benefits of just about any undergrad degree. So please, if you’re a student interested in InfoSec, or a recruiter or HR person, give serious consideration to non-technical degrees.

So, what about a Master’s Degree? Is it necessary? Probably not. Is it helpful? Absolutely. A Master’s allows you a hone the communication skills you developed in the course of a four-year degree. It often requires you to work in a more “professional” format, communicating less academically, and working in groups to accomplish tasks. Sound familiar? Just like the real world. (Detour: do yourself a favor and get your Master’s as soon as practical. The further out you are from college and the more you have going on at home, the harder it will be.) I recommend you seek a Master’s that’s markedly different than your previous education. If you completed a four-year liberal arts or business degree, go get a technical degree, or vice-versa. I got a Master’s in Information Assurance. This ensures you add context, broaden your horizons, and prove you can tackle multiple disciplines. Information security is a broad domain and it requires tackling multiple disciplines; do the same in your education and benefit!

All that said, are degrees the be-all-end-all? Absolutely not. Some of the sharpest security professionals I know don’t have any degrees. I respect them no less than those with degrees, and they’re just as important to their organizations as those with degrees. Certifications and practical experience also have a role to play, which will be discussed in greater detail in Pt. 2 of this series. In closing, consider a degree, or two! Be open to non-technical fields; enrich yourself and add context to your work. Feel free to give me your feedback @swannysec!

Photo Credit: Got Credit