Do I need a bachelor's degree to break in information security?

Question

First of all, I have a college diploma in computer networking. I tried to get a job as network admin, but because of my lack of experience in that field I did not succeed. So I returned as a help desk technician (I already had 2 years of experience in this).

So here I am, 4 years of tech support and I do not like it anymore. I know I can do something more interesting to me.

I'm really interested in malware reversing and vulnerability research. I have some books that I read, and I would really like to work in that field.

My question is, do I really need a Bachelor's degree in computer science to perform those jobs ?

Because getting this degree won't teach me how to perform malware reversing and vulnerability research. Certifications like GIAC GREM or Offensive Security Exploitation expert is more likely to help me.

There again, 0 experience in the field of information security, so how would I get a job ?

The Bachelor's degree will make me a good analyst and programmer, but is that necessary ? Is someone with a degree is more likely to be hired ? I have tons of questions.

Thanks

Answer 1

No degree guarantees a job, and almost ALL employers will look for experience in the field. @Andre Daniel mentioned free-lancing and participating in open source projects. This is probably the best way to gain experience in the field you're looking towards, and they look great on resumes. They are experiences that you can point to and say "I contributed to this".

While it's great that you can learn things on your own, there is still value to having a degree. But I would not recommend getting a bachelors degree. If you already have a degree in Computer Networking I would suggest going for a graduate degree in Computer Security. Graduate degrees still hold some weight, and can put you above other applicants. However, you only get what you put into it as far as degrees go. You can learn a lot or a little, it depends on the amount of effort you put in. Sadly some things on paper still look better, and this will help set you apart from others.

I've known people without any degrees who were passed up for jobs because they didn't have a degree. I've known people who have degrees and no experience who were also passed up on jobs. You should have have some blend of both. Like Schroeder said, if you want to do malware analysis then just do it. Put on your resume that you do freelance work. They'll ask you in-depth questions to get a better feel for how much you know, and that's where you can impress them. But getting through the initial resume scan I think you need a blend of both education and experience.

Answer 2

I feel your frustration, but degrees do not guarantee a job in any field, as you found out.

You DO need experience, and luckily, you can get that experience on your own, for free. The time you spend doing the work you want to do in your own home labs, reading of books, and participating in forums like this one can translate into the experience employers want to see.

Short answer: you do not need a degree (I didn't).

Long answer: the most important education is the material you teach yourself in your free time. You want to do malware reversing? Then do it. Find a book or video where someone is talking about their own work and replicate it. Then find another, and another. Then help others to do the same. If you do that for a year, then I'd hire you.

Answer 3

You don’t need a bachelor’s degree (BS) but it can help with certain aspects. The main one being that a BS is becoming a requirement to get your resume past HR. Similar to them wanting certain certs before they will talk to you. The best way to get around this is to network. If you can actually speak to the hiring managers and convince them you can do the work, they can bypass some restrictions for you. Or you could work towards a BS. If you’re ok with working for the government and some other strings they may agree to pay for your degree. The bonus here is that you don’t have to worry about finding a job after college. The government will put you to work, and you’ll likely have to get a security clearance. Even if you choose not to stay with the government after you’ve worked your term, you’ll have a couple years and probably a security clearance to bank on. A BS alone can add a lot to your understanding of the subject if you find a college the focuses on the subjects you want. However, it will not give you experience which is the real problem.

I will tell you from having a BS and several certs, that letters after your name only might get you past HR. Hiring managers will test you and if you don’t know your stuff you won’t hired. A BS and/or certs can help you quickly learn subject matter by forcing you to go through focused material enough to get passing grades. That is why I continue to go through them. I prefer focused learning with a deadline to force me through it. This does make the work much easier to do with understanding the theory behind it. But at the end of the day, you need to do the work before you can do the job.

Here are some practical training focused options to get you started. I’m not affiliated with any training organizations, I’m merely adding them for options. If you’re looking for free training I’d start with https://www.corelan.be They’re open source and pretty good. However, you will have to do some research on your own to get through their demos as they don’t completely hold your hand. They also have classes at several cons. They’re around $1000 I think and you’ll have to sign up quickly as these classes fill up fast. I think there are some other open source options as well but I can’t recall them off the top of my head.

Going into paid options https://www.elearnsecurity.com/course/advanced_reverse_engineering_of_software/ is around $1000 depending on their options. I haven’t taken this course but I’m working through others of theirs. They offer more guided learning. Focusing on you trying yourself first but if you can’t get it, they guide you with solutions because they understand that not everyone will learn at the same rate. You mentioned the SANS GREM which I’ve heard good things about. Full price is around $4500 with the exam. However, if you can get a hold of someone who teaches it you might be able to get a discount. Ask about “scholarship seats”. If you can get that it will bump the price to $3400 with the exam. I mention this as an endgame option. Offensive Security has AWE. http://www.offensive-security.com/information-security-training/advanced-windows-exploitation/ I wouldn't look at this for beginning training but when you’re confident in your training this will take you to the next level. Having passed the OSCP I can tell you will learn a ton but it’s more for veterans. Not that a rookie couldn't do it but you'd have a an uphill battle.

I would find some hiring managers that employ malware reversing and/or vulnerability research people. Network with them and ask what they look for. Explain your situation. From the sound of it, you couldn't do the job now. However when you can do the basics and show you have a solid understanding, you're options get better. If you know a manager and you can show him you know your stuff, they might be willing to bypass some of the normal restrictions they have. Getting the first will be tricky and it'll be easier if you know people. Once you get in though, you should be good.

Answer 4

There are some places, such as universities, that require a degree. I don't have one so naturally I skip over applying at those places. Most companies that take technology seriously care more about your skills and experience than any piece of paper. I've seen many people ace technical interviews with no degree, and many with a degree flop. It's more about the individual, though a degree can certainly help you get a foot in the door it's not a requirement.

To your specific situation, I actually originally started out in technical support, then moved on to system administration, and then security. The skills I learned in those positions help me with the infrastructure security engineering work I do now. If there is no room for upward advancement in your current position, perhaps even finding a better technical support job at a security company at a company that has upward advancement could help. Many of my friends who still work at the same place I worked in for technical support have went on to security analyst and engineer jobs within the company. We supported security products there so it was a natural transition.

Answer 5

Yes, and No.

IT -- and infosec in particular -- is one of the fiew fields where the value of a degree is in the education itself, not in the certification it comes with. A full-time college may be the quickest and easiest way for you to get the necessary background knowledge for getting in to software development and analysis. Or it may not. That depends on you (and the school, but mostly you).

But it is fairly well established that tech firms generally don't care about formal education provided you have the skills that a formal education would provide. If you can write high-quality efficient software, then you don't need to go to a class that teaches you how to do so. If you can find security vulnerabilities in production software, then you have a useful skill that is uncommon even among the classically educated, and businesses will recognize that skill on its own.

This all comes from experience. You learn by doing, and that's the beginning and end of it. All of the formal concepts are readily available for you to study on your own, so you don't necessarily need a classroom to learn this stuff. But you do need to learn it.

A classroom will get you the necessary information and a very small amount of experience. It's a start; it can get you headed in the right direction. It's helpful but not critical. But you'll definitely need to also take the initiative to practice your skills on your own.