Degrees and Credentials in InfoSec


If you’re on InfoSec Twitter you’ve probably seen the recent iteration of the neverending debate around degrees, certs, and InfoSec.

Basically, one side argues that you need college to be taken seriously in security, and the other side says nuh-uh! and proceeds to give lots of examples of people without a degree.

Let me try to express something that applies to much more than this topic: When you have debates with multiple people making good points that are backed by evidence, the answer is likely that they’re all right to some degree.

And that’s definitely the case here.

Let me give you three facts:

  1. Recruiting teams at major companies who are looking for cybersecurity talent are largely looking for college graduates. And they’re often looking only at top schools.

  2. There are lots of people with no college and lots of desire who can’t get a callback from a company that needs talent.

  3. Lots of the best people in InfoSec don’t have a degree or a cert.

These are all true. And they’re all true at the same time.

How is that possible?

Corporate recruiting teams are playing a numbers game, and they’re ultimately looking for safe bets. Getting accepted into a big, well-known school makes you a pretty safe bet, and graduating with a degree in computers from such a school makes you an even safer bet.

That’s for new people who don’t have lots of experience. Basically, if they can’t judge how well you’d do by looking at your career history, they have to go by what they do have. So on one hand they have a candidate from a top school with a good computer science program, and on the other hand someone who seems eager but doesn’t have that—and they tend to go with the college graduate.

That’s a fact.

But—and this is a huge but—the whole game changes when you are already known for being good at something, and/or if you know someone involved in the hiring.


If you’re a named person, who is famous for being able to find bugs, or manage programs, or run a community, you essentially get a VIP card for entry into the field. If people know you, and someone tells the hiring manager, well now they’re looking at your experience instead of your training.

That’s the trick: these are all just ways of finding a proxy for how well you’re likely to do. College is a proxy. Certificates are a proxy. Work samples are a proxy.

But the best proxy, by far, is experience. And being named is like experience with a gold star.

Anyway, that’s why both of these things can be true at the same time.

If you’re still unknown to the world and you don’t have any credentials, you’re not likely to be considered or targeted by corporate recruiting teams, and you won’t stand out even if your resume is seen.

Also don’t forget luck.

This is why it’s correct to say that having a degree in computer science is a good thing for getting into security.

But it’s absolutely not needed. If you’re bright and hungry enough, you can put yourself on the map, at which point nobody will care about your training anymore.

Both are true. The latter proves the rule of the former. Twitter is just really bad at this type of thing.