If I have seen any trends over the past years, it has been the questions of how to get into the field (digital forensics, incident response, or any sub-field of any sub-field in the realm of “cyber” security).
The first range of responses generally recommended applying to law enforcement and hope to get a rare chance to compete as a digital investigator as this was typically the method that the vast majority of those in the field took, although not be design, but by happenstance.
* Law enforcement is a common route with a small chance of eventually competing for a forensic slot after a decade or so, unless that is something you wanted to do anyway and would be happy if you never got the coveted forensic position.
* College is one way. But plan to spend a lot of money and a lot of time and take a lot of courses that have absolutely nothing to do with computers (like “Zombies in popular media”) and if you choose a less-than-capable school, never get any hands on or be taught by someone who actually the job. College depends on where you want to go. Want a federal job in the field? You probably need a 4-year degree (BA or BS) in practically any major. The feds don’t generally care what your degree is in other than you have a degree.
* The military is another way. But plan to go to basic training and potentially go to combat and potentially not get the promise of the job you were promised. That is also fine if it is something you want to do anyway.
Another method that I have seen lately and becoming more common is the DIY degree. I happen to feel this is probably the best method for more than a few reasons. First off, here is my interpretation of getting into the field by Doing It Yourself.
* Work somewhere doing something with computers. It doesn’t matter what you are doing with computers, but work at a job doing something with them. Fixing them. Maintaining them. Building them. Configuring them. Managing them. Something with hands-on work with computer systems. If you spend a year working on/with computers, that is a year of being paid to learn and gain experience. Volunteer at a non-profit and maintain their website or computer work. It adds up.
* Networking, and I don’t mean computer networking. Get involved in the community in which you desire to enter. Say hello to those in the community. Tweet them. Ask for advice from them. Be respectful but not shy. Join the associations, clubs, and meeting groups. Start a blog. Join in conversations in forums. Be involved or be left behind.
* Training is everywhere. Figure out what you need and take it. Focus on only what you need for the skills you need for the job you want. Don’t take training for the sake of taking training because in the DIY method, money is time and time is money and both are limited. Don’t waste either. To find good courses, research names. Who is presenting at conferences? Who has written books? Who has contributed in research and development? Who have done anything amazing to the field? Who contributes? When you find those names, seek out their training.
This part also includes practice, research, and self-learning. Master what you learn. Uncover what someone else missed. Publish your findings (at least put it on the Internet!).
In the DIY Cyber Degree, the college portion is really only necessary if the job you want specifically requires it. And even then, there is sometimes a chance to bypass it with Direct Hire Authority. The DIY Cyber Degree might fit that direct hire authority.
Without getting too deep in the weeds on the DIY Cyber Security Degree, take a look through the article “A Do-It-Yourself MBA? This Guy Did It – and So Can You”.
I find that the DIY Cyber Security Degree has been used since the inception of the field. Cops, many without degrees, simply worked to solve electronic crimes, gaining experience and researching. But now, you can map out your DIY degree much easier than the earlier forensic folks did because you have so many choices.
I want to go back to the college requirement. If you can afford the time and the money, and be admitted into a good school, and formal education fits your learning style, I say this is a good route. If you are unsure, take a look at this article on the cybersecurity master degrees.
The other thing I want to mention is tuition. One school listed in the article (Carnegie Mellon University) will cost you over $23,000….per semester… That reaches close to $100,000 for 2 years. Be careful because like any degree, a job is not sure thing upon graduation, but any student loans are certainly guaranteed with your signature.
If you choose a lower price school because it is lower priced, be prepared that the degree won’t have as much weight if the program is known to be poorly delivered. The end result is no job, cruddy degree, and student loans anyway.
Now comes the DIY Cyber Security Degree
- Get the experience with computers.
- Get involved with the community.
- Take intensive training.
Document all of this in a manner that will glaringly look to be more impressive than a degree. The benefits are:
- Less money to spend up front
- Less money to repay on the backend
- Earning potential continues while working
- Solid member in the community
- Solid leads and contacts to get the job you want
- Enough certs and training courses to choke a horse
Personally, I have been going to training courses for years and continue. Lately, I’ve been focusing on online courses, mostly because of time. I’ve grown weary of flying and tend to fly only sent somewhere for work. A few conferences I attend, a few I teach, and the rest I catch the slidedecks when they are posted online. The biggest benefit of an online course is that within the first 30 minutes (sometimes less), I can tell the course is either going to be helpful or a waste of time. I can stop watching right then and move to another. In a classroom, walking out of a bad class and rescheduling a flight home is more effect than it is worth. Pick courses that are relevant to what you need for the job you want. Want to work in IR? Don't take useless courses outside of IR unless it can apply to IR work.
I once volunteered to be on a board for interviews with new hires. It took all of one interview session for me to realize who to hire. I have had highly qualified people interview for a job, but the interview simply pulled out that ‘highly qualified’ was just checked boxes on education. Great looking on paper, but that was about it. No self-study, no extra effort to get into the community. And dear college graduates, most of the hiring managers or decision-makers have been to college. We know what it is like. We know how many hours a week of classes are typical. We know how much free time you have. Therefore, we have an expectation of what we want to see what you did with your free time.
I have hired a few workhorses who spent a few years before the interview to self-learn, research, read, train and work ‘on computers’ without having any formal education. I know what it takes to work in this field as far as personality and perseverance. I give extra credit to those who worked their way into the field and seem to know everything that is going on TODAY, not historically 10 years ago. I really like it when they can talk about a software, show me how they use it, and then talk about how to use it in a manner that it wasn't designed to do really neat stuff.
When I see that, I know those persons will be hired on their next job interview, so I want to hire them first.
Before you think I am anti-college degree, I am not. I believe in them, for those who can benefit from them personally or professionally. I just don't believe that a college degree is the sole determining factor in getting into the field, and in fact, believe it is not a factor of competence or potential of competence compared to the DIY method that others choose to do or have no choice but to do. Besides, once hired, you can go degree crazy in your free time and get a PhD if you want.