Social media are full of questions that are formulated in a passive, passive-aggressive, or upfront aggressive way, often using common fallacies in a manipulative way to discourage dialogue. It is human nature to simplify things, yet we live in a complex world and, whether we like it or not, there is historical evidence supporting the notion that we are better off embracing that complexity instead of running away from it…
A lot of the questionable questions and statements that I have in mind include words and phrases like ‘hot take’, ‘gatekeeping’, ‘X is better than Y’, ‘you don’t need to do XYZ to succeed’, etc. These words and phrases often introduce the very bias and judgment that they (at face value) intend to combat…
Take a discussion about the necessity of having a degree to do a cybersecurity job as an example. To ask for a degree in a domain that is so new, so full of unknowns, and then to double down on it by demanding it from people who literally created the discipline, or at least contributed a lot to it, and have lived it for decades… is surely a major faux pas, to say the least, RIGHT??? Yet instead of debating the necessity of having a degree to do a cybersecurity job we can formulate far better questions to ask, for example:
These questions are important. They highlight benefits of aspiring to have a degree. They highlight the intent to know more. They promote knowledge. They promote self-improvement. They promote better careers and salaries. They promote investment in our ability to stand out. And we all need it now. Because the cybersecurity world is not ~100 people who attended Defcon 1 in 1993, but millions of talented people globally chasing the very same goal.
YES! We ALL need to compete today.
On top of that, we live in a strange place today. A place where many people think that their quick Google search gives them more credentials than the doctors who studied and practiced medicine for years. Where arguments are won by those who say ‘I can read a tweet or blog about it’ and not those who say ‘I studied it for 5 years and I still struggle to get it’. We have charlatans and attention-seeking ****** posing as experts who are given access to social media megaphones. We have bots and shills trying to control the narrative around important analysis and events (including cybersecurity). This is not funny. This is actually very dangerous. Mass ignorance is fueled by self-appointed experts and crooks in every domain, ones that skillfully use propaganda and misinformation for their needs, and cybersecurity is not an exception. We, in infosec, need to embrace knowledge. We need more educated people to expose and combat this misinformation. As dramatic as it may sound… to deny someone a degree, to scoff at it, is to deny the whole cybersector more knowledge. And to deny one to yourself is to set yourself up for failure. And not so long-term as some of us may think… Over the last 12 months we have rapidly moved from an employee- to an employer-driven market. 200,000+ employees fired in the tech sector within the last year alone. Are you paying attention now?
In this context, why does getting a degree sound like nonsense to you? If you don’t have one, how do you know it’s so useless? Why don’t you embrace knowledge, instead of declaring it irrelevant? Persistent, systematic study is what brought math, physics and chemistry to us. With many other milestones on the way, they eventually brought computers to us. That’s because systematic, academic study brings rigor to your thought process. It not only embraces experiment, but it also empowers self-doubt. That’s why it loves the concept of peer review so much — better to assume you are not smart enough than to impose your “wisdom” on others. It supports questioning of everything you hear or read. It marries scrutiny. It unleashes independent thought. And it will make you a different person, a different professional. And yes, a better hire, perhaps?
How?
We live a fast cybersecurity life. How many of us actually take the time to study the internals of many algorithms? Yes, we talk about Diffie-Hellman, Aho-Corasick, JPEG, ZIP compression, K-Means, etc. but how many of us really studied and understood, let alone wrote the implementation of these? How do databases work under the hood? How do distributed systems? What is a clustering algorithm? How does Machine Learning work in practice? Let alone AI. How did we progress from Eliza to ChatGPT as a ‘human impersonator’ user interface? Is Python coding even close to the C coding or Pascal coding of the early 90s (we no longer need to worry about ‘basics’ as advanced libraries are doing all the heavy lifting for us)? Cybersecurity is built on top of all these fundamentals. It’s never too late to come back to these roots. A degree will give you a foundation to understand many principles of how IT and IT Security areas were built. Did I mention the foundations? Often vendor-agnostic, often unbiased, a pure essence of ‘why would we even do/think of it?’. It will also leave you asking more questions.
20 years of work experience can take you along a career-expanding path – from a perfect foot soldier, maybe an aspiring Team Lead/Manager role, consultant, then maybe Director and VP level executive. That may be enough, career- and finances-wise. However… times are changing, and what was enough for you 5 years ago may not be enough for the job market of today and tomorrow. Plus, now that we have a few decades of cybersecurity behind us, academia and certifications do a really good job of converting all this VAST AMOUNT of FRACTURED knowledge into something more digestible, more tl;dr; – allowing elders to keep up, and youngsters to quickly absorb what took these elders (often infosec OGs) decades to create. Yup. Believe it or not, doing a degree or certifications is a knowledge accelerator today!
How do I know?
Over the last 20 years I have had the privilege of working with many people from many age groups. 10-12 years ago I would feel very comfy in many areas of IT Security and today, it’s not the case. In the area that is the closest to my heart, which is reversing, I am actually shocked how good young reversers are today. Being an old dog, I always felt that I had an edge because I’ve been around the block for a long time. This is not enough anymore. I have worked with people 2x younger than me that beat me in many reversing areas. Yes, I can catch up quickly, but it highlights the very basic need for me to EVEN just stay relevant. And these young people VERY often studied computer forensics, reversing, and computer science in an organized, modular fashion, and absorb everything new very quickly, because they did and continue doing it in a very SYSTEMATIC WAY. Unlike me. What used to be my advantage is not one today. While I learned via a slow, persistent brute-force, hit-the-wall method, they had it nicely presented in their curriculum program. Unfair to me and my generation? YES! But as a result, they are simply better, more methodical and basically faster than me, and their prospects are now far better than mine. Let it sink in. It’s not even about passing the torch to them, which would be fair. It’s about a game change where quick knowledge absorption is their main asset, plus it becomes MANDATORY for anyone older to learn more quickly, at least those who want to stay relevant.
There is a romanticized version of all of us in Infosec. Yes, it’s a nice quiet place where hooded, tattooed, Mr Robot-like smart people deliver a potent, technically marvelous, socially impactful, mind-bending blow to either defenders’ or attackers’ efforts. Except, these times are long gone. Our individual infosec world has shrunk substantially. There are millions of us, and there are many “one of us” for SaaS, CD/CI, EDR, SIEM, Splunk, DFIR, Threat Intel, automation, reversing, then reversing for PC, macOS, Linux, then Intel, ARM/M1/M2. We have all become a small building block in a grand scheme of things that, to my knowledge, not a single person or org can embrace holistically… anymore.
So, do you need a degree?
Up to you. It’s simply not a question that can be answered by a poll, or by some very reasonable argument from a person sitting in a comfortable chair of today. But do look at the history. Many infosec OGs are now in their 50s-60s, and often end up being laid off w/o any sentiment. It’s a shocker. And many more or less successful IT security companies that dominated the 2000s and 2010s are now gone as well — either dissolved or acquired. Is your very cozy IT Security job going to last more than the next 3 years? I doubt it.
Where does it leave us?
You tell me.
Not having a degree is hardly a problem now. Not having a job is. And we will all end up fighting for less of it. Brace for impact. And get a degree, if you can. Who knows, it may save you one day.
Full disclosure: I have a degree and I encourage everyone to get one.