Penetration Testing mailing list archives

Re: To go to University - For the CISSP etc. - Good idea/Bad idea???


From: Todd Haverkos <infosec () haverkos com>
Date: Sat, 08 Aug 2009 10:36:56 -0500

Hy Zaret <hyzaret () gmail com> writes:
> Greetings & Salutations to all!
>
> I've been training myself for a while, and have recently come to the
> conclusion that University would be my best choice.
>
> The main reasons I made this decision are;
>  Social reasons
>  Educational advantages
>  Takes years off the experience needed to take the CISSP
>
> I'm writing on these mailing-lists for two reasons;
>  To find out what you think of my choice (not locked in yet!!!)
>  For advice on which course to go for (Sydney, NSW, Australia)
>
> I am wishing sometime in the future to begin a career in IT Security.
>
> Although being under 18, I have still found time to achieve various
> certifications; including CompTIA's Security+, three Cisco
> certifications & a Microsoft accreditation.
>
> Also, for the last 4 months I've been working full-time on the 1st
> Level of an IT Helpdesk.
>
> Am very open to ideas, so would be interested in reading & answering
> your replies!

Hi Hy, 

It depends.  There have been many good points raised by the flurry of
responders your topic has gathered.  It's a hot button issue in the
industry since
      o there are a bunch of really really sharp security folks out
        there who happen to not have a degree but nonetheless are
        outstanding 

      o there are also a bunch of folks with degrees and lots of
        letters behind their names who still manage to stink
        (i.e. "paper tigers")

The reason for this situation is that the skills needed to be great
at security are not taught in colleges, and what's worse, it's hard to
find a college whose curriculum might make you even _passable_ at
security as a fresh out.  But, since the same can be said of so so
many professions that require niche skills, this shouldn't be
tremendous news to anyone.

A few bits I'd add to the discussion:
      o You may have heard the economy (at least where I live) isn't
        so hot right now.  It's really not a bad time to hide out
        doing something useful in school...

      o Sadly, there are some employers who simply won't consider
        someone for a new hire without a degree.  If you want to be
        part of a mid-to-big company at some point, consider that.
        Conversely, I can't think of a situation where having a degree
        is ever a minus.

      o Unless you actively seek out a school that actually has a
        faculty that knows jack about computer security, don't expect
        to learn much directly applicable security in your computer
        science course work.  You will gather useful skills and
        background, no doubt, but the odds of you graduating and being
        useful to a security consultancy immediately based on what
        your professors may teach you is next to 0.  So don't lose
        that intellectual curiosity, do take every opportunity to
        learn the coding skill, take an OS course, take an assembly
        course, take a computer architecture course, take an
        information theory or systems course, hell take a digital
        design course.  But keep active on the side too, because by
        the time yer done you might have the next killer must have
        security tool or appliance to uncork on the world.  It seemed
        to work for Chris Klaus. 

      o Don't go to college with the thought of shaving a few years
        experience off some certification's requirements.  CISSP won't
        hurt ya, and it's probably the certification out there with
        the biggest name recognition, but going to college with the
        CISSP in mind is not a good reason alone.  Countless other
        good reasons to get a degree and go to college, but to shave
        years off an industry cert is not one of them.  You seem to
        have a good handle on the other benefits, though. 

      o If you are in an emerging market where the security space I'm
        told is still quite hot, and if you have any strong "start
        your own business" or "get involved in a startup"
        leanings... you might consider the opportunity cost (in terms
        of time and startup capital) of being in school for 4 years.

Finally, 

      o If you're truly outstanding at what you do and network
        effectively, you'll be hired and useful in any economy, with
        or without a degree.  I also don't see security as getting any
        less important market wise in the next 6 years.  Businesses
        don't like losing money or being sued, so they'll continue to
        be seeking these skill sets.


The skills I learned in college that I use directly daily are:

  o the discipline to slog through and finish something even if it's a pain
  o the ability to quickly determine what I do and don't know  (and to
    sense when someone doesn't know what they don't know!)
  o how to learn/research what I don't know quickly
  o technical problem solving
  o English written communication 

There's a long long list of other things I learned in college that
have enriched me, but don't get used on the job every day of course,
and if I had it to do all again, I'd probably do it similarly, except
getting into security much earlier! 

Best of luck in your decision! 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
