Is Formal Education Critical for a Career in Cybersecurity?

A look at whether the need for more formalized education in the security sector is necessary

The role of an ethical hacker is only one of the many career paths available in the cybersecurity industry, but it’s worth noting that more than half (58 percent) of hackers are self-taught, according to HackerOne’s “Hacker-Powered Security Report 2018.”

Astoundingly, the report found that fewer than 5 percent of hackers learn their skills in the classroom. In addition, only 42 percent of undergraduate computer science programs offer three or more infosecurity-specific courses, according to research conducted by HackerOne.

If the learning isn’t happening in the classroom, it’s worth asking: Is a formal education critical, or even necessary, for a career in cybersecurity?

HackerOne CEO Marten Mickos answered a firm yes, particularly when talking about the whole of cybersecurity as an industry. “Formal education is absolutely needed and should exist in every computer science program; however, security cannot be solved alone and therefore education should not be confined to computer science programs and graduates,” he said. “The broader connected society must prioritize security, because the cybersecurity skills gap will never be solved in a classroom.”

Whether a person desires to be a white hat hacker or a security analyst, there are so many different paths one can travel to learn, earn and advance in a cybersecurity career. “As a society we have to accommodate the various personalities we find,” Mickos said. “We should let humans learn the way they learn best, and we should not limit or discriminate in any way because we need to bring this education to millions of people.”

HackerOne is doing its part to make cybersecurity education available to all through its Hacker101 – Learn How to Hack program. These types of hands-on trainings are growing more popular across different sectors of the industry as well.

Success Outside the Classroom

Through its cybersecurity scholarship program, Cisco Systems is attempting to address the cybersecurity skills gap. Jenny Guay, an information security analyst at CGI in Ottawa, earned her first Cisco Certified Network Associate (CCNA) certification when she was 16 and recently went through the company’s cybersecurity scholarship program. Guay earned a CCNA Cyber Ops certification, which led to her current position.

“I think the only thing critical for a cybersecurity career is for a person to be curious and passionate about their learning, Guay said regarding whether a formal education is critical to a career in cybersecurity. “Having a constant hunger for knowledge and getting better is enough to get started in cybersecurity.”

While formal education does provide the building blocks for future careers, Guay said that incident identification and response are better learned through hands-on experience. “Having to monitor and investigate security incidents first hand accelerates your learning and understanding of security technology and current threats.”

Alternative Learning Environments

In addition to companies offering scholarship programs, Cybrary, a crowdsourced cybersecurity and IT learning and career development platform, is making it possible for job seekers to quickly and effectively train their way into cybersecurity positions.

Gabrielle Hempel, security analyst at Accenture, held degrees in neuroscience and psychology and had no formal training in either technology or information security but developed an interest in cybersecurity.

Through Reddit, Hempel found out how to get the cyber requirements she needed on Cybrary, and from there she followed the specific assessments and courses laid out to get hired as a SOC analyst. Within three months she landed a job.

“The courses exposed me to the types of environments that I would be faced with day to day,” Hempel said. “It gave me the hands-on experience, which was so much more valuable than reading a book or articles. It showed me that this is what you need to learn, and the labs were all hands-on, which is what set the experience apart for me.”

Leif Jackson, VP of product for Cybrary, said that 22 percent of his organization’s users are actually students who are looking to supplement their formal training. Additionally, 17 percent of their client base is comprised of career changers, as was the case with Hampel.

“We create an environment for learning, and when it comes to landing a job, the people getting hired off of our programs are those that are more engaged—the kinds of people that are able to ask and answer questions and react to situations,” Jackson said.

For her part, Hempel said that she had multiple offers during her job search. “A lot of what they were saying was, ‘We don’t care if you went to school for IT; we are more interested in seeing that you are able to learn, that you are capable outside of your learning environment.’”

Embrace Different Paths

The future of the industry holds a lot of promise, and those organizations that understand the potential of what is to come are interested in blending their teams. That there are many different types of problems to solve demands that people from all different mindsets come together. That diverse collection of professionals will and should learn differently.

“Information security is something that should permeate everything we do in the digital realm. It’s not the responsibility of the few but rather the responsibility of the entire connected society. Those who use software (every human being) should get training in basic cyber hygiene,” Mickos said.

“The policymakers, legislators, politicians, business leaders and others who decide on digital matters need to get training in probabilistic risk management,” he continued. “Those who produce software should have compulsory training in how to design and develop software that is as secure as possible. Those who declare themselves as security experts, ethical hackers, security professionals need varied and specific training and education and practical experience.”

Kacy Zurkus

Avatar photo

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years experience as a high school teacher on English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she's also spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.

kacy-zurkus has 62 posts and counting.See all posts by kacy-zurkus