This is a question that gets asked constantly. Whether on Twitter/X, YouTube, or just at conferences…this debate just keeps coming around. Folks with a degree will swear by its abilities, while those without one will also tell you that you don’t need it. It’s directly in the best interest of each party to say their side is right (i.e. nobody wants to say they took the “wrong” path), so it’s made actually coming to a conclusion quite difficult.
What College Will Teach You
College obviously has a goal of teaching you enough to have a standard knowledge base within your desired field. Cyber Security degrees from most schools that we have observed will teach you theory for the most part. The offensive security side of classes (usually 400/500-levels) will focus on tooling, which is a bit of a downside. Some classes at the start of the degree program will go over essential topics like networking and fundamental scripting.
By the time you get to your core classes, while technologies like SIEMs, EDRs, and a plethora of other pieces will be touched upon, it is simply not enough time. The average length of a college class is around 75 minutes, which might be enough to get the foundations for something, but it isn’t to the level of “I’m going down this rabbit hole in front of my computer for 8 hours tonight” vibes.
This does not encompass every college though, as some universities and schools will cover certain topics at a larger depth, but this is just meant as a broad overview as to what we have seen out there at the moment.
Putting Yourself Ahead Without A Degree
The degree portion is usually out of reach for folks for a wide variety of reasons, with the bulk of them either being cost or attendance limitations (i.e. you can’t pivot into cyber by going to college full time if you have to be at work from 8 in the morning to 6 at night). So how can you get ahead doing the “nights and weekends” approach?
- Certifications
- This goes into the most obvious bucket we have. Taking even just 1-2 hours a day and being consistent over the course of a couple months can land you something like the CompTIA Security+ or similar.
- Quick Recommendation – Watch all the Professor Messer videos once, then go back and take notes. Use an alternate learning resource after like the All In One guide to reinforce the learning. Take practice tests too! Once you’re at around 85-90% success rate on your practice tests, book your exam.
- This goes into the most obvious bucket we have. Taking even just 1-2 hours a day and being consistent over the course of a couple months can land you something like the CompTIA Security+ or similar.
- Projects
- While most folks are getting certifications now, they are still lacking in projects. These can be anything you can physically document in your resume and talk about during a job interview that shows you can bring a concept from theory to actuality.
- Quick Recommendation – Setup a blog on something like Medium and do some simple things. A good first project might be making a YARA rule for a piece of malware you got from Malware Bazaar and then writing about it. Be sure to link the blog to your LinkedIn/Resume.
- While most folks are getting certifications now, they are still lacking in projects. These can be anything you can physically document in your resume and talk about during a job interview that shows you can bring a concept from theory to actuality.
- Networking
- We don’t mean the TCP/IP type of work here (although that’s still good to know!). Knowing more people increases the chances of a direct job offer, or being at least known by reference for someone that is hiring. A lot of times you will be able to skip that application line and just start talking to a hiring manager! Worst case scenario you meet people and learn a few things at a minimum.
- Quick Recommendation – If you’re already working help desk or system administration, start just speaking with your organization’s cyber team. Outside of that, make a LinkedIn account and start using the platform. Recruiters are constantly on the platform, and you’d be surprised how far you can get just by messaging people.
- We don’t mean the TCP/IP type of work here (although that’s still good to know!). Knowing more people increases the chances of a direct job offer, or being at least known by reference for someone that is hiring. A lot of times you will be able to skip that application line and just start talking to a hiring manager! Worst case scenario you meet people and learn a few things at a minimum.
Best of luck with your job search! If you’re in college, don’t drop out, but include some of these other items we have mentioned! Overall, a college degree helps, but the other items listed here should be something you are doing that will be dramatically more impactful in getting a job in cyber security.
English