Well, the infosec community has done it again. We’ve gotten good and riled about something, with (maybe) good reason. In case you’ve been under a rock, here’s the breakdown:
- Equifax suffered a massive breach of consumer credit data (started in May 2017 and was announced in September).
- The CIO and CSO resigned from the company in the wake of all this.
- Many accused the company of being negligent for hiring the CSO, Susan Mauldin, because she has degrees in music, not infosec.
Well, this whole debacle relates to #3. HOW DARE THEY SUGGEST A CISO OR CSO NEED AN INFOSEC DEGREE!!?? OR ANY DEGREE!!?? Blah blah blah.
Look, I agree to some extent – but with a caveat. To be candid, I think the mill of “infosec bachelors degrees” is bogus. Just unbelievably immature and sending ill-equipped folks out there to do jobs they’re unprepared for. Here’s why this doesn’t work well for many people: Infosec is NEVER an entry-level job. It just isn’t, and the reason is simple:
You must know what you’re securing.
Not at an expert level, necessarily, but reasonably well. So if you don’t know networking, Windows, Unix, some code, and so on, you really aren’t ever going to do well out of the gate, and you could actually impact your personal credibility (and the security organization’s) severely. The whole damn industry is partially at fault for this – we should really sign up bright young Bachelor degree folks and immediately run them through some on-the-job training in operational areas, if we care enough and can afford it. But this is tough. And it’s been debated a LOT. So rather than repeat a lot of other smart folks on this topic, I’ll get to the caveat.
The caveat: Higher education has a ton of value. A masters degree or higher in infosec could actually augment your knowledge and skills dramatically. In full disclosure, I am on the Board of Directors for the SANS Technology Institute masters program. I’ve worked long and hard, along a lot of people much smarter than I am, to create a program that actually means something and proves a Masters degree holder can actually DO some shit. But this kind of degree comes with experience – we don’t have any real “junior” people getting that degree. Could they? Sure. We don’t block people because they’re younger, etc. But an infosec “degree” should really augment your real-world experience and ride alongside it, perhaps filling in gaps, improving your personal and career maturity, etc.
Which brings us back to the issue. There ARE no “correct credentials” for infosec. Curiosity, problem solving, and a track record of actually doing good work in the field – that should really be it.
As usual, Daniel Miessler has done a far better job than I ever could really nailing down this issue – check out his blog here for more information, which is really a good (short) read.