In recent times, numerous questions have been asked, such as: Do I need a degree to get into cybersecurity? At what age should I get into cybersecurity? Am I too old to get into cybersecurity? These are a few of the many questions frequently asked by those who desire to get into cybersecurity.
Cybersecurity as a profession is quite a popular search, and it has been one of the numerous professions getting a lot of PR lately: positive PR, of course, from individuals who want to venture into this career path, and slightly negative PR from those in the position of hiring persons for this profession, due to a lack of talent.
Image source: fixitgearware.
There is no doubt that a lot of misconceptions have been seen lately from individuals who give advice on public forums such as Quora, Twitter, LinkedIn, and Reddit.
These opinions, most of the time, come from persons with little exposure who might be conversant with one aspect of cybersecurity (mostly ethical hackers or pentesters), promoting recommendations that are limited to their own exposure.
In this article, we are going to address that and give you a fair comparison of both sides: the limitations and benefits depending on the direction you choose to walk, and the outcome of the choices you make, whether on a long-term or short-term journey.
First, we ask ourselves: what is a career path?
There are numerous definitions of the term career path; however, the definition from BambooHR comes closest to what we understand when getting into cybersecurity.
According to BambooHR’s definition:
“A career path is a list of steps to take in your professional life for progressing into different or more advanced roles at work. It’s a series of jobs and experiences that help employees reach their ultimate career objectives and future goals.”
A further explanation by BambooHR describes what should be considered when making a career path, giving employees a view of the decisions on their chosen career path: not just one they think would benefit them alone, but one that benefits the employer as well when they hire the employee, establishing a long-term relationship with the company.
This brings us to the persistent question:
Do I need a degree to get into cybersecurity?
The answer is yes. I know this response may trigger you, as it differs from the false information you consume out there, but the truth is that this article is meant to expose you to the issues, not to make you feel better.
Now, when we talk about cybersecurity, we are talking about a list of professional sectors in cybersecurity (you can read them here), and not just cybersecurity as an ethical hacker. Even the profession of ethical hacking has its nitty-gritty. Hacking (not by blackhats or persons with malicious intent) has its own detailed rules on how to go about it. You can’t just grab tools and start testing for companies, or test at your own convenience, or outside the SOW (Scope Of Work; yes, not Statement Of Work), which might breach certain countries’ rules and regulations (rules of engagement), or obstruct business operations if testing is conducted during the organization’s official business hours.
I know this sounds funny, but even if you are an ethical hacker, you might use a tool to test a server located in Ukraine, yet using the same tool to test a server located in the United States might go against the rules and regulations of the United States, and may attract sanctions to the company you are performing the penetration test for (I bet most professional hackers who give ethical hacking courses online may not tell you this).
I too did not get this knowledge without taking a degree; I took a degree, and that is how I got to know this.
Getting to know the practical aspects of what works, without knowing the theoretical aspects of when to make it work, is a recipe for disaster. As a matter of fact, if you know the theoretical aspects, the practical aspects become easier and you start to appreciate the profession more. The man who rides a horse and the man who trains a horse have two different skill sets.
One does it for fun (riding the horse); the other knows when not to (knows when the horse is sick or upset). Professionals who have no theoretical knowledge are the riders (they know how to ride and have fun while riding); the professionals who know the theoretical aspects are the trainers (they know when not to ride the horse).
The professional became a professional by getting training on when to make it work, and by being certified by professional bodies (school degree) to be called a horse trainer or instructor (cybersecurity engineer). They gained experience with various kinds of horses (various course subjects in cybersecurity, computer science, forensic training, and even business report writing), and can surely be called professionals.
The Castle, The Royal Bloodline, The General, The Peasants Comparison in Cybersecurity:
The Castle, The Royal Bloodline, The General, The Peasants comparison in cybersecurity should help you understand and appreciate the need to get a degree to get into cybersecurity. It is not meant to ridicule those who are not academically inclined, or who find it difficult to study for long hours, but rather to enlighten those who have been misguided by false advice, or who wish to die upon the hill with honour in cybersecurity (which, of course, comes with juicy monetary value).
Whether you are of the royal bloodline, the general, or a peasant in a castle, there will always be room for all in a monarchy or kingdom (the cybersecurity profession), but the truth is that the benefits and royalties enjoyed by royalty are not similar to, and might not be experienced by, those of a lower community (peasants, not meant in a bad way).
The Castle:
The castle (the organization that needs cybersecurity protection), where the king (the organization’s assets) rests, is, as we know, guarded and fortified. However, it has been historically proven that only one person gives undisputed orders, not just in the castle but across the kingdom. The castle (cybersecurity) contains different persons, from the chief security officer down to the cook, e.g., offensive security (Red team), defensive security (Blue team), Purple team (Red and Blue teams combined), and down to the cleaners (system administrators).
All these people (academically certified and non-academically certified cybersecurity engineers) are important; they co-exist and enjoy the fun (working as a team).
All the persons who work in the castle (in the cybersecurity profession) work for the protection of the king (the organization they work for) and the safety of the entire kingdom (the entire assets of the organization they work for). The lack of an adequate team or workers may result in the castle falling (the organization being attacked and losing its assets), and the only way the organization can stand is with people who have been proven (certified academically) to fit into the right and specific positions, and to coordinate various teams with limited knowledge or experience.
The Royal Bloodline:
When it comes to the Royal Bloodline (big corporations, cybersecurity certifying organizations, cybersecurity HR teams), their sole aim when hiring a team to protect the castle (the organization’s data) narrows down to different factors.
Big corporations (be they Fortune 500 companies or not) will always have requirements when hiring (with a bachelor’s degree being a must, and even up to a PhD); these come as the list of requirements they desire in a candidate in the job ads they place on job-hunting sites.
Cybersecurity certifying organizations have a list of recommended certs for big corporations to look out for before hiring a candidate for a specific position (for example, most pentester jobs require at least a CEH or OSCP, while a more advanced certification like CISSP might even be required, along with an unbelievable number of years of work experience).
Profit-yielding corporations also pay extensively for such positions, while other, average companies might offer salaries that are juicy but not as juicy as the former. In the end, most average companies even have more expectations than the profit-yielding companies, with over 80% of the requirements from both kinds (profit-yielding and average companies) being at least a diploma or bachelor’s degree before a person is considered for hiring.
This makes it a viable position for the Generals (One who has an academic degree and certifications), and a more difficult one for the Peasants (One with just the Certification).
The General:
When it comes to leading the battle (presenting to chief personnel or the board of directors), only a general (qualified) can take charge of the entire army (the cybersecurity team). Even though he leads due to his status as a result of the qualifications he has bagged (degree and professional certs), he sincerely doesn’t partake extensively in the uphill struggle (protecting his organization’s servers in different locations by conducting the offensive testing). Because he has paid the price by acquiring qualifications, certifications, and years of experience, he is responsible for delegating and supervising the entire process (instructing the peasants or lower-ranking team members).
Most times, if not all times, he takes the credit (positive outcome) for a successful battle won (protecting an organization from a cyber-breach). However, this is due to his ability to understand and lead right (the theoretical aspect of cybersecurity gotten from a degree qualification) and, of course, the badges (academic certifications and other professional certifications) he has won from previous battles (theoretical knowledge from degree education and practical knowledge from online courses and certifications). He is considered a General by the Royal Bloods (board of directors, certification bodies, and stakeholders of the company).
The General (the one with the academic qualification and professional certifications) isn’t the favourite of the Royal Bloods (board of directors, certification bodies, and stakeholders of the company) by an act of personal familiarity; he is their favourite (chosen to be the team leader) by virtue of his qualifications.
He, the general, does the speaking (partakes in job interviews, hiring teams, or stakeholder meetings), but his qualifications (academic certs and professional qualifications) do the backing for him. When the General speaks, his decisions are not disputed, or receive little criticism, not because he is perfect, but because his badges (certifications) speak for him.
A General is considered best of all, and second only to the highest-ranking citizens, the Royal Bloods (the company he works for, the stakeholders, cybersecurity certifying bodies, and officers who rank higher than him). He is well paid not because of what he knows alone, but also because of what he holds (academic certifications and professional qualifications).
Everyone can be a general; you just have to pay the price (get the degree and certifications). If you desire to be recognized, then do what it takes to get what you want or need.
The Peasant:
The peasant isn’t some poor lad, no; in this context he is someone who is restricted by the limitation of not having what it takes to sit among the elites (a degree or more, e.g., an MSc or PhD, and cybersecurity certifications as well).
From one perspective, a peasant who takes care of a sheep is limited to knowing how a sheep bleats (just like someone who took online courses or a certification on pentesting only). If you put him with another peasant who knows how to take care of a lion, he might not only be scared but might also get eaten by the lion. In summary, a peasant in this scenario is restricted by what he knows (the knowledge of taking care of the animals he is familiar with), and not what he has (the vast theoretical knowledge from a degree or numerous degrees and certifications).
He, the peasant, is only paid for the one thing that he knows: taking care of the sheep or taking care of the lion, depending on his area of expertise (pentesting jobs for pentesters, which most are; malware analysis, which a few are, as it requires extensive knowledge of coding, vast system architecture, and cloud systems; security software development, which requires extensive knowledge of coding).
The knowledge of one who has not gone through academic qualification is limited to the courses they have taken so far and the books they have read, and of course let’s not forget that human comprehension and understanding vary from person to person.
A Peasant (one with only the practical knowledge of a specific field) will only have knowledge based on the number of online courses and the practical knowledge they are exposed to. When it comes to the yearly promotions and bonuses that come with a job well done, even though he works twice as hard, he gets half as much or less in benefits compared to a General.
There are times when an organization wishes to give promotions and increase bonus pay; sadly, most times this comes with tendering academic qualifications, and hence only a few peasants make it past this line to be recognized and promoted.
Top organizations do not want unqualified persons (based on their rules, criteria, and acceptance) to represent the organization’s head. Every organization wants to be the best, and they want the team representing them to have loud qualifications (advanced academic knowledge, qualifications, and professional certs); this earns them bragging rights when promoting their business or seeking investors.
Therefore, a peasant (one with only the practical knowledge) might just sit and watch the big players (Generals) play, while paying the price and working hard with little or no recognition (a limitation due to the lack of academic qualification, which keeps them from experiencing top managerial positions).
In summary, being a royal blood decides the extensive power you exert, being a general decides the position and responsibility you hold, and being a peasant demonstrates the level to which you might be confined in your area of expertise.
All these groups are important in ensuring the castle (the organization they own or work for) is protected (data security of the organization) from a possible cyber-breach. However, if you decide to get into cybersecurity as a profession and want to be a big player (recognized), I urge you to get a degree and, while doing that, also get the practical training and knowledge (cybersecurity certifications). If you just want to get into cybersecurity for the fun and thrill of making quick cash (bug bounty, pentesting jobs) as a simple career, then I think wasting your years getting a degree might not be a wise investment.
Although being a Peasant is not a bad idea, just know that in the long run you do not get the benefits of a General. Cybersecurity as a career path or lifelong profession requires a degree; cybersecurity as a freelancer doesn’t.
The tips and tricks you learn from various lecturers during a degree program will always beat the tips and tricks you learn from self-teaching or online certifications alone.
Taking a cybersecurity degree exposes you not just to different lecturers, but also to different students, various coursework, and other business-related courses. Speaking of students, most, if kind, will share tools and scripts that you would not have known about through an online program or self-tutoring for a certification. While you are considering a degree program, make sure you take it from a recognized institution, as wasting resources and years at the wrong institution, or at a higher institution or university with little to no recognition, is strictly not advised.
Here are a few job interview requirements to help you decide on what you want or desire.
The image below describes a list of requirements for various job positions in cybersecurity from a job-hunting site.