"Do I need to go to college to get into cybersecurity?"
This, by far, is the question most often asked by folks considering a career in cybersecurity. As it happens, this question is also a source of contention amongst cyber professionals.
The college or no college debate has become an almost religious one within the cyber community. On one side of the debate there are the arguments that real-world experience should be the only that we measure talent against. Given that bar, it is more important to understand what a person has done versus what they have learned. A college-educated individual who has never set up a network, configured a server in the cloud, or looked for vulnerabilities using open source tools is not as valuable as the non-degreed individual who has done any of the above. The argument goes further to state that unless you want to get into management (where a degree is more "valued") then there is no need to incur the debt associated with a college degree since most degrees provide minimal tangible value to the cybersecurity domain.
On the other side of this religious divide is the argument that college improves critical-thinking skills. Critical thinking by definition requires a breath of knowledge and experience beyond the narrow field in which you are employed. A grounding in science, physics, history, and social sciences provides additional context within which technical as well as policy decisions are made. As cyber professionals are often asked to come up with innovative and creative solutions to particularly vexing problems in a short amount of time, the ability to think critically is absolutely key in ideating around out-of-the-box solutions.
College, when it is an option, is a choice point. At this point in our societal history, there is so much rhetoric and political debate around the importance (or non-importance) of academia that any definitive answer given here would most likely be dissected in a manner designed to bolster one particular viewpoint or another. Rather than oversimplify the question into a purely yes/no binary, allow me the opportunity to focus on the relevant themes future cyber warriors need to hone in on:
1. Reality matters, but I don't care how you come across it. Underground forums and dark web sites aren't the only places to learn about the realities of cyber...and contrary to what you might hear from some of the more-vocal nay-sayers out there, college can be a place to experience reality-based training. Some examples:
One of the degree programs that I am affiliated with offers a course on security operations where the students use real-world open-source tools to identify, respond to, and manage simulated incidents. The course is taught by a seasoned security professional who has built and managed security operations teams in the past.
I teach governance, risk, and compliance in the same program. The students' final project is to analyze a past breach using the NIST Cybersecurity Framework. Students must identify the control failures; map the control failures to the framework; recommend solutions; and (here's the fun part) brief their findings to a "board of directors" consisting of current and former CISOs.
Many degree programs are requiring (not just suggesting) at least one semester or real-world cybersecurity work, such as through an internship, as part of their graduation requirements.
How are these examples less "real" than independently hacking?
2. Reality matters, so understand the reality before you choose a path. I once had a discussion with a young African American male who was looking to move into the cybersecurity field. He was considering whether or not to go to college. "I can afford it," he said to me, "but unless you can convince me it's worth it, I've no intention of going." I stared at the young man incredulously. "So," I said, "as one black man to another, let me get this straight: in a career profession where people who look like us make up less than twelve percent of the population, you are going to give folks an excuse not to hire you when you have the means to do otherwise?"
As much as I would love it to be otherwise, diversity remains a problem within the cybersecurity career field (note: this will be the topic of a later blog post). While many folks like myself -- and organizations such as Cyversity.org -- are working diligently to rectify this situation, the reality is that we are not there yet. This problem is exacerbated by the job prerequisites associated with most entry level cybersecurity positions.
The above chart is a snapshot from a nonscientific survey which I conducted on the Pulse networking platform (referred to in previous posts). Pulse is a forum that allows technology executives to exchange ideas and ask questions of their peers. In this survey, I polled over 130 cyber hiring managers as to their education requirements for entry level cyber professionals. As you can see, 53% of respondents require at least a 4-year bachelor's degree (with 50% of that number requiring that the degree be in a technical field); another 9% require at least an associates degree; and only 10% of respondents are willing to hire entry-level cybersecurity professionals with only a high school diploma.
While there are jobs available in cybersecurity to those without degrees, the numbers indicate that your odds are significantly better if you attend college at some level.
3. Reality matters, so remember that the college decision is not necessarily a binary one. If the cost of college is out of reach for you, but something you desire, consider one of the many excellent community college programs which have been built around NSA standards. Community colleges offer full or part-time enrollment options at really affordable price points. Many of these same institutions have created transparent transfer pathways to nearby 4-year institutions to ensure that transitioning to a Bachelor’s degree program is efficient and easy. These 4-year institutions, particularly state institutions, have plentiful scholarships (at one of the institutions with which I am affiliated, there are funds that actually go unclaimed each year because no one has applied!)
It is usually unnecessary to attend college as a consecutive, uninterrupted block of time; you can go to work, go back to school, work some more, etc., as needed based upon your financial, personal and career realities.
4. Reality matters, so remember the realities of the Hiring Pyramid. If college is something you cannot do (or just do not wish to do), the reality is that you must make yourself as desirable a hire as possible.
The above figure is a depiction of what I call the Hiring Pyramid. Those of the top of the pyramid are the most sought-after candidates, whereas those at the bottom will have the most challenges. If a degree is not in your future, then, pursuing some type of entry-level security certification to provide some objective evaluation of your knowledge and/or skills is a way to provide an employer some level of comfort with your actual capabilities and preparedness to enter the field. If even certifications are not an option, that I would encourage any entrant into the field to:
publish their work as (via blogs and industry journals) much as possible;
network with other cyber professionals via joining professional organizations and/or attending security conferences; and
conduct research into security flaws and vulnerabilities with the goal of participating in corporate "bug bounty" programs.
* * * * *
The decision to add a college degree to your resume is ultimately a personal one. You will need to spend time talking with folks in the industry to better understand the requirements and demands of the specific job that you are interested in (remember, it's not just pen-testing and hacking - refer to previous post here). If promotion along a particular path or into a particular job is something you desire, educate yourself regarding the requirements and ensure that you are already the best candidate when that next career opportunity becomes available. Be open to possible twists and turns that might take you along a path you never predicted, but which ultimately brings you personal and professional fulfillment.
My two cents…