Last Updated on January 23, 2022 by Dave Farquhar
From time to time I get questions from people looking to break into my field. Here’s a good one: What’s better to get, a cyber security degree or certifications?
If you’re in school now, get the degree. But if you’re not currently in school, and can learn on your own, the certification route is much cheaper, and probably faster. The key is having something on your resume that gets you through HR, and most companies know they can’t demand both.
What kind of degree do you need for cyber security?
I see all kinds of degrees in this field but if you’re in college right now and this is what you’re looking to get into, major in cyber security if your university or college offers it. If it doesn’t, get a degree in a related field. Anything related to information technology, computer science, or computer engineering qualifies. Data science would also be a good choice, since security pros do have to deal with mountains of data. It also puts you in the enviable position of being able to work in two high-demand fields.
If you want bonus points, minor in business or accounting or psychology. Any of those three is useful. Security professionals have to understand the needs of the business to balance the need to stay profitable against the need to stay secure. An accounting background can help because security professionals often work alongside auditors. Everywhere I’ve been, I’ve found auditors are my best friends when it comes to getting things done.
A background in psychology is even more useful. There’s a whole field of security we call social engineering. I hate that word, because social engineering is nothing but psychology, independently discovered. Why not study the existing field instead? It’s existed 125 years. For even more bonus points, take a class in organizational psychology, so you know how to work across departments to get things done.
Those are some ideas I’d consider if I were starting over again today from scratch. You’ll find yourself using all kinds of stuff that didn’t seem relevant at the time, eventually.
Is a certificate better than a degree in cyber security?
You can get a certificate more quickly and more cheaply than a degree, sometimes in as little as 12 months. That makes it better for you in the short term. In the long term, the stuff you’d learn from a four-year degree will make you a better security professional.
All other things being equal, the degree is better. We can’t always do the ideal, of course.
What are the best cyber security certifications?
If you’re already working and don’t want to go back to school, but you’re looking to get into security and can study on your own or learn from an intensive boot camp, you can take the certification route instead. Rather than being issued by a college or university, these certifications are issued by organizations of security professionals.
For your first job, Security+ is as good to get as any, since it covers a lot of fundamentals that you’re likely to come across in any security job. If you know what area you want to specialize in, the relevant SANS certifications for that area of specialty are extremely helpful. At higher pay grades, certifications like CISSP, CISM, and CRISC are helpful, but you don’t need those starting out.
Getting your first cyber security job
I see a lot of people getting their first security jobs working in a SOC, or security operations center. These are typically outsourced pools of people who form the first line of defense for large organizations. It’s hard work, but you get a ton of experience in a short period of time, and you meet a lot of people. Since the jobs are entry level, they don’t require a ton of experience. What you demonstrate in the interview process will be more important than which particular credentials you have.
SOC work tends to be high turnover, but that’s not necessarily a bad thing. Stay in touch with the colleagues you worked well with. As they move on, that creates opportunities for you in the future. It’s only a matter of time before their new organizations need someone else. Talk with the more senior-level analysts too. Most senior-level analysts should be happy to answer questions and share their perspective and experience.
The hardest thing about that first job is getting it in the first place. Chances are it will take some perseverance, and you may have to deal with doing time as a right-to-hire. It can take a year, and even when everything falls right into place, it usually takes about two months. But in the end it’s worth it. It gets easier once you have a track record.
Why not both, eventually?
Eventually you may want to have both certifications and the degree. It just depends where your career path takes you. I know security professionals who only have one or the other, or even neither. Some jobs, especially the more senior positions, may want both. Or at the very least, they’ll want a 4-year degree in something halfway relevant, plus a relevant security certification.
But the most important thing is to never stop learning, and keep imposter syndrome at bay. None of us knows everything. If you know you don’t know everything, that’s a good thing, not a bad thing. While I know of people who think they know everything who’ve been rather successful, that attribute always limited their success.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.