F**k Your Degree Requirements
It shouldn't be a decision, it shouldn't be a thought, it should just happen (me trying to write this article, I've got this far).
ALL OPINIONS ARE OF MY OWN AND NOT THAT OF ANY EMPLOYER OR ASSOCIATE.
I am sure some readers (if any) will find this thought-provoking (hopefully). This is my current standing on technical (i know some people debate "technical" but you know what I mean) roles within Cyber-Security. I am going to write this as blunt as possible and no sugar-coating....unless you count the doughnut/donut (no discrimination) crumbs on my keyboard (FYI: I would never let that happen).
If you are just discovering the Cyber domain as a profession or have made your decision a long time ago, that you want to do this, there is usually a few "technical" roles that initially come to mind; Penetration Tester (If you didn't laugh the first time, it's not for you), Security Analyst (Depending where you work, this job can be siloed or the best to learn new concepts), Forensic Analyst (It's not all about recovering deleted files but you will learn how to really "delete" them...or can you?). Other roles may include; Security Architect, Security Engineer, Reverse Engineer, Threat Intelligence roles, etc.
Whatever role you have decided on (you should know), you should ask yourself just one question.........
Why do I want to do this?
Wrong Answers: For the money, it sounds cool, I always hear about data breaches, someone told me to do it, I want to hack my friends (always ask for their permission first!)
Correct Answer: My Grandma was scammed out of my inheritance money and I need to catch the fucker!
Better Answer: It's been my decision for a while, I understand what is required, I understand the role that I have chosen, my toilet reading is Cyber Security News instead of sending creepy messages on LinkedIn. I have the required skills for the role but do not possess this degree you ask for. While they spent 4 years learning that syllabus, I was spending them 4 years gathering Full-Time corporate experience and studying more targeted and focused areas that were to my interest and yours. Such as, ability to communicate effectively with key stakeholders, understanding the bullshit corporate politics, the ability to problem-solve. I possess an understanding of the current trends and developments in Cyber and Information Security. I am also up to date with the current threats and exploits as well as how to defend against them.
I completed the free and readily available vendor certs for the tools you have listed in your job description, I would have done the next level but the portal requires a corporate partner login to complete the next levels. I have also completed relevant Certifications such as Security +, CCNA, etc. With your support, I would like to keep progressing on the current trajectory.
On top of this, I have participated in project x,y,z and have been an active member on Hack The Box for the past year. This allowed me to learn a new tool, application or technique with every box I pen-tested. The recent example being: How to interact with a misconfigured, internet facing Redis server and how easy it is to push your SSH key (assuming you achieved WRITE capabilities) to the server and have initial access. I have since learned how to defend against these problems as well.
Controversial Answer: I want to catch a pedophile.
"It sounds cool"
I have personally picked the "It sounds cool" route previously. With my former experience in financial software and a previous job dealing with finances for a large IT project, I was able to secure corporate funding to complete my ACCA (Association of Chartered Certified Accountants). Why did I make this decision? Obvious....."Stephen Doyle the Chartered Accountant" would've been cool! I wouldn't of worried anymore.
Only 14 exams of something you don't love to get to where you supposedly want to be though.........Oh, I got a pay-rise after completing my first exam, this could be good, 13 more to go.... can't stop either, I will have to pay the money back to the company if I don't complete it.....(contemplate this for a few months).....fuck it...I found out what I want to, I am going to work in nothing but Cyber-Security & I don't care about the initial pay cut.
Do something you extremely hate for a job, force yourself to study it and you will quickly find out what you want to do.
I went back to basics:
When did I have the most fun? When I was younger.
What was I doing to have fun? Taking things apart with the inability to put them back together. J-tagging game consoles, running game code I wasn't allowed to. Getting inspired by seeing someone with a mod I didn't know about....... next is persuading my parents to let me use the computer for a couple of hours straight to figure it out. "No, you can't make a phone call until I figure this out Mum!"
How can this translate into a profession? Well, what was I doing? I would call it "Hacking" the games and enjoying it. What job is going to pay me to do this?
Oh! there are jobs called "Penetration Testers", how do I be one of these?
"Certified Ethical Hacker" this sounds like the certification I need to get! (It is not what you need and I would not advise you to get this. There are enough articles to explain why not).
How do I get the job? Read the "Better Answer" above, why you still reading anyway? + Your goal is to get in the door but if your first Cyber-Security job is a Penetration Tester, you have nailed it!
So why "Fuck your Cyber-Security Degree"?
If you have completed a CS degree or currently completing one, don't let any of this persuade you. However, I do believe that a CS degree is not a requirement for you to get a CS job. The amount of time studying for the degree could be spent a lot more effectively, even the time before you are eligible for University/College.
Take this as an EXAMPLE:
You leave school at 16 to pursue further education in a TEC/College etc. You have picked a 2-year Cyber-Security course. The first year is studying for Security +, CCNA and one day a week is Hack the box. Upon completion of your 2 certifications, you are placed into 1-year work experience (Government funding still available for last year of Further Education, considered an "apprentice allowance" for the student's wage).
Upon completion of the above, the 18-year-old is most definitely entitled to at least a service desk job, if not an entry-level security analyst (The same job people with Cyber-Security degrees are being offered).
So what needs to change?
The recruiting and hiring managers perception of a degree. "This is a specialised field so we definitely need to hire someone with a degree"
The applicant without a degree needs to outweigh this and be able to communicate their studies and non certified studying effectively. Degree holders have a piece of paper to show completion. How do you show that you have obtained more knowledge through countless hours of reading, studying and hands on techniques but didn't get a piece of paper?
Looking forward to all the backlash!!
"Stephen Doyle" - Is a well known dickhead with exceptional roasting capabilities, this is why he is a dick.
Strategist, Researcher, Hacker, Advisor, CISO/vCISO, Architect, and writer (Sidragon at Substack) Please remember Rule No. 1 "Do not act incautiously when confronting small bald wrinkly smiling men.
5 年Interesting read, and coming from a perspective of someone who does NOT have a degree, and who worked their way through the various roles to get to InfoSec it's always been at the back of my mind "would it have been easier WITH one"? NOT too sure... Heck even these days I'm still hit with the "you don't have a degree, therefore you can't apply etc." fun times.
TS/SCI | Offensive Security Analyst | Vulnerability Assessment | Network Penetration Tester | Policy Compliance | ISSO | Incident Response | Enterprise Defense | Network Engineering
5 年Major-fucking-kudos to your, sir, for this fine article of yours. I found it informative, and humorous. Thank you for putting it out there so clear and blunt as you did. And you win all OPs AFAIC today for your closing statement on your character. I relate to that sentiment just as well. Bravo lol!
Focused on delivering measurable solutions.
5 年I agree with your take as a whole. My big frustration in the cyber field at the moment is Cyber has grown in breadth beyond most peoples understanding. What does security generalist even mean anymore. I think we need to create more specializations across the field. Network security is night and day different from application security. To that end security in the traditional IT stack vs public cloud is night and day. I understand the basics of least privilege, etc are the same, but the underlying technologies are wildly different. Everyday I meet people who are “experts” at cyber security but tend to be very siloed in specialization. I think it is time our certification bodies re-tool our industry certifications to better meet the tech requirement across cyber as a whole. More real world cloud and DevOps specializations focusing on app security. Network security certainly should focus on a core understanding of network routing both wan and lan. There are many cyber professionals who lack the basic understanding of layer 2 and layer3 networking. What I tell most people wanting to work in cyber is go work in IT doing whatever for a few years to understand what appeals to you and at that time find a way to transition to a cyber
Mon instinct reconna?t le chemin, mon coeur accepte l'appel à l'aventure, ma contribution est l'empowerment de mon équipe. Ma voix, ma plume, mes idées et ma créativité intenables sont mes armes et font mon unicité
5 年I’m halfway in my CS and Cyberinvestigation degree and there’s no way I would have had the opportunities I have right now if I had remained and outsider learning everything by myself. School has provided opportunities, contacts, a pool in which to dive and from which I can more and more escape on my own even if my degree isn’t finished. It’s become less mandatory to focus on finishing my degree itself (which I will, of course) than to focus on opportunities and recruiters already harassing me on Linkedin! ?? Some find their way otherwise but I can’t say I’ve been losing my time. I can’t either say that most skills that make me an interesting professional come from my past years studying CS. My arts, culture, communication and media background provided me basically with the core soft skills making me a good candidate for cyberthreat intel and OSINT jobs. Love mostly the path I’m on, I think this is what’s most important : love the process you’re engaged in and it’ll work out in the end!
I will take the stance of agreement / disagreement. I have a Russian language and History BA and have been working at the bit/byte level of tech for a very long time without a technical degree)... although in agreement, the title is too “in your face”. You could be a little more diplomatic in your approach. In disagreement because I know several of my contemporaries who are CISOs and managing directors who have taken the tact of working directly with academia/universities to shore up the quality of education and grads. So you don’t need to use the F word just to emphasize a point. You could simply contend that the current system might have faults and here is how it is getting better (or how to make it better).