Table of Contents
I asked the Internet how they felt about cybersecurity degrees it today's world. I thought I already knew the answer and it turned out I was wrong. The Times They Are a-Changin’. Here’s a breakdown of what I found.
Many say we need to do a better job of bringing in more diverse talents into the cybersecurity field.
Many say we need new and different perspectives to combat the evolution of threats and attacks.
Many say the thinking that we have today won't help us get out of the threats of tomorrow.
I believe all these statements are accurate.
None of this is new, however.
People in the cybersecurity field have been saying these sentiments for years now. The industry as a whole has become more open and more accepting of diverse talents and backgrounds. This has been great to witness over the past 15+ years!
When it comes to the topic of skills and education, however, the cybersecurity world has been a house divided.
Many believe that a formal degree in cybersecurity is worthless, but a growing number of people are changing that tune.
Is having a formal degree in cybersecurity viewed as valuable? Are jobs looking for candidates that have degrees in this field over degrees in other fields?
I wanted to understand what seemed to be a shifting tide of expectations. So I did what any sane person would do, I asked the Internet.
At a Glance
Here’s a macro-level view of the polls I ran. I asked the following question on two social media sites with three choices:
Do you have a cybersecurity-related degree?
- Not yet, but working on it
- No, and no plans to get one
Here's a chart showing answers by platform:
These numbers were not what I expected, but did help me confirm something I had started to notice.
There has been a tipping point in the field and now degrees are important.
What could have been better with the data gathering?
The poll question needed a fourth option.
There's a nuance that gets lost with the three original choices. This was highlighted a few times in the comments. There might have been a big difference in votes between those people "working on it."
Does working on it mean in two years or less, as in currently enrolled? Or, does working on it mean it's in your general plan in the next 5-10 years?
Both are valid options, but it would have been interesting to capture this nuance upfront.
"All [data] is wrong, but some is useful."
Before diving into each platform, I need to add some historical context to help explain why cybersecurity education has been a house divided.
The Before Times
The cybersecurity field was not always a formal career path.
When I entered the cybersecurity field in 2006 (back in my day!), it wasn’t really even a professional domain. Rather it was a small part of another field.
Here's a chart showing the typical paths for a lot of people in cybersecurity today:
When I started it was the time of firewalls and anti-virus. It was the land before deep domain specialization, researching, and offensive techniques in the field. It was the time when SANS certs reigned supreme.
It was a time of not really understanding the depth of what professionals in the field were up against.
Intellectual curiosity and a relentless drive to understand “why” is what made people succeed in security. There was no such thing as formal school, boot camps, or degrees. There were only classes on using tools and broad certifications.
As such, the field became run by people who didn’t need specialized education to advance. Why would they? They had made it this far after all. The people who took these paths were the bootstrappers of the modern-day cybersecurity world.
This led many to believe, myself included, that formal education wasn't important to succeed in the field. People believed there was nothing a degree could teach you that would be relevant for the field. People believed if you didn't follow the standard path you would miss out on foundational skills.
So formal education was deemed too broad, too bland, and too late to be of value in cybersecurity. Formal degree programs without experience aren't always grounded in real-world practice.
Experience reigned supreme.
The field became too elusive to get into and too profitable to leave.
Fast forward to today and we've got:
- Many specialties, subdomains, and disciplines within security
- A qualified talent shortage
- Skyrocketing salary expectations year over year
- More people trying to get in the field every day
- More breaches than ever before
To me this begs an obvious question:
Is the field accessible?
Many people would say that the cybersecurity field is accessible and there are resources everywhere you look.
If you Google “how to get into cybersecurity” you get ~538,000,000 results.
Seemingly all one has to do is look in the right places and you’ll land a cybersecurity job in no time! (/sarcasm)
However, there is some truth still. The ability to "self-educate" has always been a very important quality for job seekers and job hirers alike.
Showing you have the passion and desire to educate yourself in this space will take you far, but you need more than that now.
OK, so how do you go from the self-made world to one that others can join without the same path as before? What is a common way other fields have made their profession more accessible?
Back to the top people! A formalized education, be it boot camps or multi-year degree programs, is the traditional way to create access. It's the standard way of getting into a field and landing a job.
This level of "access" traditionally takes the form of skill commoditization to create a baseline. This baseline allows people to signal they are ready for the workforce.
But how do you define a "baseline education level" for a massive and relatively new field? How do you create programs, certifications, or multi-year degree programs to capture it all?
Even entry-level jobs required 2-3 years of experience.
At the start, programs either scratched the surface on concepts or tried to commoditize a complex skill like pentesting.
Programs would teach you how to use specialized software, but not teach you the thinking and underpinnings of the field. (Technology is such a small part of the job, honestly.)
On the job, you're dealing with real life.
Real people. Real systems. Real business impacts.
I can't speak from first-hand knowledge, but from all accounts, degrees have come a very long way since the early days of programs. Cybersecurity programs have become more like Computer Science programs now. This makes all the sense in the world.
Now I’m going to show you some interesting poll results
I created the polls on the two social media platforms I use the most:
Let's break it down by platform.
LinkedIn is where I expected to get most of my poll data from. People on LinkedIn are typically there for professional reasons and advancement. People are more willing to share data about their careers and education.
In my experience, people have been more supportive and encouraging here, but your mileage may vary.
The original post can be found here.
A combined 46% either had a degree or were in the process of working on one. You can see my own "No" response here, but the rest of the population was significantly larger than I expected.
More people had a degree on or were working on it than I would have guessed.
This was surprising data to me and I needed to get another take.
I needed to go somewhere that was more c̶h̶a̶o̶t̶i̶c̶ neutral place on the Internet, so I went to Reddit.
Reddit is a special place. Few have figured out how to get the value out of the platform without also receiving the wrath. I had a feeling, however, that I'd reach a different sub-population of people here.
I suspected I'd capture a more transparent view of the world, one that wasn't polished for the likes of LinkedIn.
The original post can be found here.
Reddit was a whole different ball game. Not only were the votes different, but the thread quickly became a place where people were sharing their own education stories of how they got into cybersecurity.
Many of the comments were from people with cybersecurity degrees or those who were actively pursuing a degree. Both of these groups of people who effectively said 'yes' were successfully working in the field today.
I found a spot on the Internet where people are trying to get into the field or advance in the field as quickly as possible.
So what should the aspiring cybersecurity person do? What should the mid-career cybersecurity person do?
As we can see from the anecdotal poll data, more and more people are finding the value of a cybersecurity degree.
Whether they are in the field already or are trying to get in, degrees have already started to make a difference. The field is evolving, and we should all hope for the better.
Soon there will be more people in the field with a cybersecurity degree than without one. That matters for hiring, that matters for those who want to advance, and that matters for the industry.
A cybersecurity degree wasn't an option when I went to college. Times have changed and people no longer are unsure about this profession. If I had to do it again today, I would go for the degree.
In a world where there are excess cybersecurity jobs, but a shortage of talent and skill, people want to differentiate.
If I was in my mid-career looking for ways to advance and I didn't already have a cybersecurity degree, I would strongly consider getting one.
Depending on the path you're trying to take, and where you are in your career, you might also want to consider an MBA or a Master's in Cybersecurity.
Though no path is a guarantee to getting a job or advancing your career, you need to survey the land around you.
Can you find a positive way to stand out?
Flip that on its head - can you find a way to not get left out? A degree in the field might be that entry ticket to ride.
Put the odds in your favor as best you can. Hiring managers and HR alike already use degrees to filter and screen candidates. It's a minimum requirement in many cases already.
Make a bet on yourself.
Let's tell your story
Do you have an interesting story you'd like to share about your journey into the cybersecurity field?
Would you be interested in sharing that story on ReturnOnSecurity.com?
If so, reach out to me via email, and let's chat!
A weekly recap of cybersecurity funding and M&A news.