So You've Majored (or Are Planning to Major) in Security? Then What?
by dasseclab
Happy New Year, everyone! I’m looking forward to making 2018 a great year; my 2017 had a lot of inertia in it and I am ready for a change. As it is the beginning of a new year, I wanted to get out some thoughts I’ve had as of late, in hopes that they can be heeded by some upcoming graduates or help guide students on their way to graduation.
I often find myself poking around Reddit’s /r/ITCareerQuestions community and there are a few casual observations I’ve made. One is that the debate about degrees versus certifications versus experience is still alive and well. Another is that technology, as a field, probably needs to clean house with acceptable practices and training. But the biggest one is the number of students who are signed up for Master’s or Bachelor’s degree programs in Information Security or Cybersecurity, or are considering taking an IT career towards security. Often, the advice given is some variant of ‘security isn’t an entry level job’. This is not to say that this is bad advice, but it carries a lot of nuance that isn’t conveyed. I figured I would take some time to talk about my own experience as an Information Security degree holder and hopefully set some reasonable expectations for the job hunt.
What To Look For In A Degree
I graduated with my Bachelor’s of Science in Information Security and Assurance in 2008, which was a great time to start a career in the US. My university had started its program as a certificate in 2004 and expanded it to a full undergrad curriculum in 2006 as a part of its College of Math and Science. At that time, Information Security or Cybersecurity degrees were still fairly new and much of the career advice around getting one then was about the same as it is now - ‘you’re better off going into Computer Science’ and ‘there’s no entry level security job’. Keeping some of that advice in the back of my mind, I still enrolled.
I have a preference for obtaining a full degree from an accredited college or university, as opposed to an online school. While I have a lot of philosophical disagreements with their model, both of curricula instruction and out-of-control pricing in the US, I still believe that there is a preference for physical accredited universities. That might be changing now but I wanted to be upfront about that bias. With cost management at the forefront of all students’ minds, never turn down a reasonable state school for a big name school. But chances are you’ve already enrolled in a school and program.
Information Security is a technical discipline but one that often encompasses determining technical impact to other organizational disciplines, such as business units, finance or legal. As such, an academic program should also touch on all of these disciplines. While the primary focus should be on the technical aspects of the field - networking, operating systems, programming - there should also be considerable time spent developing some foundation in business and legal coursework. Security isn’t monolithic; done right, it’s a holistic discipline. In most enterprise companies, security staff are expected to wear several hats with exposure to LOTS of technology, even though teams will have subject matter experts (SMEs) that might be focused in one area or another. In high tech companies, there will be multiple security staffs, embedded or focused in specific technology disciplines: networking will have its own security teams, application development teams their own, corporate/enterprise matters their own, etc. While tech companies have embedded technical staff, security personnel still need to be prepared to work with other teams regarding accounting/finance or legal.
In contrast, a program that is geared towards giving students as many certifications as possible in addition to a degree is focused on technology but less focused on the foundations of the technology they will be working with, replacing them with a snapshot of “in demand job skills”. Likewise, these programs will also skimp on the other skills that security professionals need to be successful in a job. Even people in roles with a reputation for being highly technical, like penetration testers, spend much of their time writing reports based on their findings. No technical certifications in the world will prepare you for writing technical reports for non-technical audiences!
As students progress with their degree program, they will start planning their job hunt. Industry certainly gives the wrong impression, especially by posting ridiculous “Entry level, Bachelor’s degree required, 2 - 3 years experience” listings. This often leaves students working first line help desk and support roles as their first jobs after college. Internships or cooperative education opportunities need to be explored. Well-guided Internships and Co-Ops will have students get these skills, particularly in teams where students can build networks related to their degree and career paths. Students can also do themselves a favor by dropping their part time retail or food service positions and looking for part (or even full) time work at those same help desks while they are in school. As security is a holistic discipline, any technical work where students can integrate their security education will be a bonus for the resume. With a couple of internships and a Co-Op under their belt, a student can easily have a couple of years of related experience when they graduate.
Security Isn’t An Entry Level Position
It is often said that security isn’t an entry level position, but I think this is often misconstrued a bit. Certainly, security is a field where an above-average technical understanding is required to make sound judgements and decisions. But this is not unique among similar IT fields: many are tiered for different industry experience. As such, Security follows a similar pattern. So what should students in an Information Security program expect? With Co-op and Internship experience, Security Administration, Security Operations or Vulnerability Management would be where I would recommend looking. These jobs are often on the lower tier of technical requirements of security roles, allow graduates to utilize their related coursework, and can open up doors for advancement into more technical security work. So while your degree won’t guarantee you a spot as a penetration tester, a degree can still qualify a recent graduate for these positions and build the foundation for advancing a career in the information security field.
If you lack an Internship or Co-Op, then pursue technical roles that give exposure to a firmer technical foundation before moving to security specific roles. Look beyond the initial support and help desk for network administration, systems administration or similar roles. With a security degree, a graduate should have exposure to securing systems in general and be able to catch up in the fundamentals of systems. When in these positions, it is important to continue developing and emphasising whatever security related experience you can, through projects or operational work, to build your security experience where possible. Moving into network engineering or systems engineering is very beneficial for a future in security - some of the best network and systems security engineers are former network and systems engineers. Part of this path into security is where the moniker “security isn’t an entry level job” comes from.
While the positions most associated with the information security field, such as engineering or penetration testing, are in-depth, technical roles, their lack of availability to recent graduates doesn’t mean the entire field is off limits to new graduates. Having a strong, well-rounded security degree paired with some technical Internships or Co-operative Educational opportunities can adequately prepare students to enter a security position after graduation. What’s important is for recent graduates to keep a realistic expectation of what job opportunities to explore upon graduation and then work their way up the security job ladder. If one doesn’t have that Internship/Co-op experience or is having trouble with their security degree, focusing in a technical area and working their way into a security position with some related experience is hardly the end of the world, either, and is probably just as beneficial in the long run.