I study computers engineering in my college, and even though it is a very important topic to be in a university course such as mine, we don’t have any subjects on information security. I am passionate about it, and having no opportunity in academic means to learn about it discourages me to continue in the university, and since I am full of duties in the course, I don’t have much time to dedicate on learning about information security. In your experience, do you guys think it is really important to have a college degree to work in the field, or do I just have to be good at it?
Having a college degree generally looks good to employers. If nothing else, it shows you’re mature and dedicated enough to stick through something long-term.
Also, college costs (a lot of) money. Employers understand this. They also understand that someone who paid for a college degree will naturally be “worth” more money. People with a Master’s degree, for instance, will typically earn a higher salary because the employer is forced to pay them that much or risk losing them to a competitor who will pay that much.
Certs are also important. They show that you’ve acquired a diverse knowledge-base. Even if you have this diverse knowledge-base without certs, it’s difficult for an employer to quantify without something “tangible”.
That being said, there are exceptions to everything. Nothing is universal. You may very well be able to find a great job in the industry that you enjoy with no degree at all, it happens more than you’d think. The degree is there to help convince the employer that you’re going to be a good investment for the company. You might be able to convince them of that without a degree.
My long answer:
I have been working in the information security field for a few years and my degree is not in “security” specifically (although I have had a few classes in it). However, I have met many people who work in this field that both have a degree in computer technology and some that don’t have one in computer technology, but in something else. What I can say about this is that the interactions I have had with others has shown me that a degree in specifically “security” is not a “make or break” factor that determines if you will be successful in the field especially because out of what I have learned, I learned the most important things myself through self-study and practice on my own time. That being said, most jobs will be expecting a “degree” of some sort and although some do not “require” it, the candidates with a degree are more likely to catch an eye over a candidate without one, if experience is not a factor. There are many more factors of course such as experience, certifications etc… but a degree can help prove credibility. It is also a basis for your pay seeing as studies show a clear differences in education level vs. pay grade and the way that employers calculate pay definently takes it into consideration. I have seen many scenarios as well where employers will be willing to substitute experience for some education, but that depends on the company. If you feel that you are in the wrong field, then try to transfer, or look for ways to expand your curiculum in any way that you can. My degree is networking focused but I took multiple classes in programming because I love it and my curiculum didn’t offer much there. I have a much more “well-rounded” perspective on the field now because of it. Being on this site is a great way to learn, look for some school clubs revolving around information security, or go to some seminars or conventions, meet people and work together to expand both your resource pools and there are plenty of online courses and certifications to go after too. But keep in mind as well that computer engineering also has it part in security and there are many employers who would love to hire someone with that passion.
My short answer:
No it isn’t needed. One of my former bosses and one of the most talented security architects I have ever worked with only has a degree in business. But that didn’t stop him, and he could knock me out of the water any day when it comes to this stuff.
And @Skunkfoot is dead on the money. Couldn’t have said it better.
My two cents: agree with the last two posts. If you can obtain a degree (any degree) it will help you. For a hiring manager like me, skills and experience matter most. Certs are good but again, skills and experience are better. Degree and certs will help you check the box and meet “minimum qualifications” in many cases but what you have done and what you can actually do will be the difference between any job and a job you love.
So basically, the only use I see for a degree is to be well seen in the market. I agree to that. But I still am discouraged to insist on it. We don’t have any support (none at all) to study Info Sec in my college. As a matter of fact, me and a classmate of mine are starting to bring this topic to the university for the first time. But there are no teachers willing to help us. We are on our own. My true will is to drop the course and dedicate entirely on Info Sec. Take some courses, train on Hackthebox, trade experience with people that actually have the same interests that I do. I still have 3 years ahead of me in the college, but I don’t think I’ll be able to make it.
The only degrees worth a damn are the STEM. All the ridiculous info security/management degrees are a joke and a waste of money.
Learning the fundamentals of why something works will always serve you well.
Regarding your specific question “do you need an infosec degree”, today I believe the answer is “no”. You need a certification or two to get by the HR firewall, and be honest and be yourself at your job interviews. I believe CISSP is still the “main cert” to get noticed on the job boards and get the opportunity to interview.
The only tangible skill I got from college degree was learning how to write. If you see yourself in a leadership position in InfoSec, you could see yourself writing proposals, policies, plans …ect… You may benefit sticking through the college and “flavoring your course-work with Infosec”. After all, no infrastructure or application is worthwhile without security as part of the design.
It also depends on the country you live in.
In many european countries like France, at least 90% of the job offers in infosec requires a master degree. It does not seem to be the case in the United States for example.
Having a degree absolutely helps. Imagine you are applying for a job and the HR dept. – who don’t know jack about your particular field – get to do a first selection of “potential candidates”: They will look for verifiable accomplishments and experience. If you want to land on top you’d better have a degree, one or more certs and relevant experience. No degree, regardless of certs and experience doesn’t make it impossible, but will often set you back when compared with those who do.
If you don’t have the degree you will have to demonstrate extensive experience in the most job offers. If you started my advice is to finish. It won’t hurt you