Friday, June 13, 2014

Education & InfoSec

Yesterday the question was asked, "do you see a bump in pay-grade commensurate with the cost of a Masters?"  This got me thinking. There are numerous blog posts on how to break into security but I've rarely seen a blog post on education, especially given how often this question is asked. In this day and age there are numerous options available. Below are my experiences with the various forms of education and recommendations for someone new to the InfoSec industry.

"Traditional" Education

To begin, I did go to college. Back in the 90s there was no such thing as an Information Security degree. Even IT degrees were still somewhat scarce. The best option available was a Computer Science degree that more or less taught programming fundamentals. At the time, classes were simplistic. One actually began with the professor holding up a 3.5" floppy saying, "This is a floppy disk". I often found I could complete the lab assignment and homework before class ended.

Recommendation:
Is a degree needed to "make it" in IT or InfoSec?  In a word, no. Some of the smartest, most technically competent people I know have no formal education. Nevertheless, I would recommend getting a degree. It can be difficult to make it past keyword filters and HR gatekeepers without this check box. Ideally, when you graduate you'll also walk away with soft skills that many IT/InfoSec professionals are lacking.


Internship

After a few years bouncing around different colleges I entered into an internship. I had a good mentor and learned more in those 10 weeks than in all my classes combined. At the end of the internship I was offered a full time position. Not wanting to give up on my education I transferred to the University of Phoenix and completed my last year online.

Recommendation:
Do it. Find an internship or take advantage of a mentorship program. There is no substitute for experience and you will never learn more than when you get your hands dirty. These are the times when you have more leeway to make mistakes and if you're not making mistakes you're not trying hard enough (or are not being challenged, in which case get a new mentor).


"Advanced" Degree

After completing my undergraduate degree I decided that if I was going to pursue an advanced degree I shouldn't wait. I was already in the student mindset and it would be easier to stay in "college mode" rather than return later in my career. I took a year off, then after an additional two years of education, I walked away with a shiny new Master's degree.

I'm often asked if I see value in my degree. Honestly, I'm not sure I do. Outside of positions with a college or university (or in executive management) I have not seen many InfoSec jobs that require an advanced degree. I also have not seen higher wages as a result of my Master's. In fact, I've been told I was passed over for a position because the company felt my education overqualified me and they believed I would not stick around.

Recommendation:
I've said publicly in the past that an advanced degree may have been a mistake on my part. Education is expensive and I can't say there is an adequate ROI. Even with employer contributions, I will be making student loan payments for many more years.

When deciding, take a good hard look at what area of InfoSec you want to work in and which industry. Look at job listings and talk to people in those positions to determine if an advanced degree is worth it. Also, take your time looking into a degree program. There are a lot more options than when I was in college. Find a curriculum where you will actually learn something and not just walk away with an expensive piece of paper.

Final thought: I still consider my career to be relatively young (13 years). I may find that my degree has greater value later in life.


Certifications

Certifications are another highly debated topic in the InfoSec industry. Over the years I've accumulated a handful of them at my employers' behest (CISA, CISSP & Six Sigma Green Belt). Realistically, I probably wouldn't have picked these up on my own dime but they do have some value.

Recommendation:
Not all certifications are created equal. Some have far more value than others. If you want to learn something and earn a certification that is respected, look at SANS training and certifications. If you are interested in a career in pentesting look at the OSCP and the other Offensive Security certifications.

The value of the CISSP is hotly contested. While many people believe it has no real value, this sentiment has started to shift. I attribute this to the election of Wim Remes (@wimremes), Dave Lewis (@gattaca) and Jennifer Minella (@jjx) to the (ISC)2 Board of Directors. These individuals have taken up the challenge of making the CISSP relevant and not just a check box to get past HR.


Conferences

The value of InfoSec and Hacker conferences is immeasurable. Not only is there the opportunity to learn, but the networking possibilities are endless. The InfoSec community is one big family and you will likely make many friends and possibly meet future coworkers.  I make it a point to attend 3-5 a year.

Recommendation:
Conferences are a must. Don't worry about expensive events like RSA or BlackHat unless you can get in with a student or press pass. Even if your company is willing to pay for it, you'll likely have a limited education budget that can be stretched further at other events. Many quality conferences only cost $150-$200. BSides events are held all over the world and range from free to $20.

Training at conferences is also a bargain. You can usually get 2-3 days of quality training for $1000 (which includes entrance to the conference).

If you can't afford travel, check out SECore.info for conferences near you. If you can't afford the cost of registration, consider volunteering. The organizers can always use help and it's a great way to network. You'll have plenty of time to see talks as well.


Independent Study

People who are successful in this field are people who enjoy what they do and spend a significant amount of free time learning. In addition to my day job I spend 15-20 hours per week absorbing new material.

Recommendation:
Find an RSS reader you like (some suggestions here) and subscribe to InfoSec blogs. Listen to podcasts. Spend time on SecurityTube.net and YouTube (I highly recommend Adrian Crenshaw's channel). Join Twitter and follow other security practitioners. Learn to code in Python or Ruby and open a GitHub account.

Build a lab. You'll learn by doing. Download tools, spin up VMs (check out Kali and Metasploitable) and spend time familiarizing yourself with them.

Lastly, explore. There's much more information out there than you will ever be able to learn.