Postgrad qualifications: Are they worth it in Cybersecurity?

It was mid-2013 when I found myself looking over options for postgrad degrees in IT, I had been in IT since I had graduated high school (1999 – wow that makes me feel old) when I started a basic technician job at a small IT services company. I stayed in that position for five years and made a move to the city to expand on career opportunities. However, I found that it was a little difficult to get a good job because I didn’t have a degree, I was confused and couldn’t understand why I couldn’t get a job just because I didn’t have a piece of paper to say, that I could do what it is I could do, in many cases much better than most candidates at the time who had actually completed a degree. It was just perplexing to me.

I did do well and scored a pretty decent job with Gold Coast Tourism as an IT Support Engineer (It was an awesome place to work, People and culture were second to none), but it has always bothered me about that piece of missing paper. I moved on and after a few years was invited to come back and run the IT services company I had started out in all those years earlier. It felt pretty good to have earnt that respect from my old boss and be given such a great opportunity to manage and provide my input to an organisation which I had such fond memories. During my time as the General Manager, I had the privilege to be able to help some great young techs start their journey in the industry and after a while, I came back to that thought train of my missing formal qualifications and decided that I wanted to fix it.

I started looking at options available for bachelors in computer science or management and they all seemed to cover knowledge I already had from actually doing the work, instead of just reading about it. So a bachelor was out for me, it just wouldn't be worth the money and effort in my opinion but then I found some information on a couple different masters programs that would consider my experience as part of the entry requirements and would allow me to bypass the undergraduate study and enter via a graduate certificate arrangement (If I successfully complete the 4 units of the grad cert they would allow me entry to the masters degree with full credit of the four units towards it). There were a few places that offered similar programs, but I personally chose the IT Masters program through CSU (Charles Sturt University).

IT Masters and the CSU’s partnership in my belief were a little in front of the curve with their offering, as it was a mix of both industry modules with academic modules which would help me improve academically and expand skills/abilities (really liked the industry units).  I chose to go down the Master of IT management degree path as I was working as GM at that time, but I had been interested in IT security for quite a long time so just for fun I chose digital forensics as my major.

That choice of major was a changing point in my career and it is what gave me the security bug once and for all (I was well and truly hooked after my first security module). I graduated with my first masters in 2016 (yes, my first – I will get to that in a minute) and I felt that the foundational skills that I had learnt coupled with the industry related skills were worth every bit of my time and the cost (I still think university is ridiculously expensive but we won’t get into that argument now). It really did improve me as a person and a manager/IT specialist. I finally understood why people wanted that piece of paper.

In 2017 I decided that I wanted to dive deeper into that security rabbit hole, I had caught the bug for back in 2013 and signed myself back up for the master of information systems security (Again with CSU and IT Masters – I thought why change it If it worked well so far). I am currently almost finished my second last unit (one more to go next session then I am done :D), its been a little tougher this time around with the arrival of my first child but possibly more rewarding because of the extra effort required to get through it each session (certainly not a cake walk that is for sure with full-time work, expanding family and a pretty demanding study schedule). Please take my advice and don’t try to do two units at once it is a pretty horrible experience (I think my wife thought I was a zombie some days during that regrettable session).

Now I understand that I have gone off topic a little, giving you a bit of my history but I wanted to set the tone for my personal experience which I’m sure many of you in the industry will find similar to your own.

I have been in dual security and IT roles for 7-8 years now with a move to a primarily security position almost two years ago now, I honestly believe that both the first masters and my current one made me a much better leader and security professional. Not just for the security skills that they helped me to develop but the improved writing and communication skills, helping me to think outside of my own world and the ability to go out and find answers to the problems I faced is undeniably a huge asset to me personally but in my career moving forward as well. 

Successfully gaining my current position at Davichi was certainly helped by these qualifications, coupled with my hands on abilities (mostly self-taught while doing the degrees) in both security operations and penetration testing. Without these qualifications, I would not be in the position that I am today that I can say for certain but I want to make It clear this is about more than just the piece of paper it gives. The security bug, of course, gave me drive to push my boundaries and learn more of my current skills but the education has changed me for the better and I feel that they are definitely worth the pain you have to endure to gain them but is that enough?

Some in my industry won’t agree and say that industry certs are more important than a university degree. I disagree, I feel both play a big part in our industry and it would be my recommendation that anyone looking to gain entry should not focus on just one but actually gain both through a program like I have chosen or separately if that works best for you to ensure that you get a coverage of both the formal and industry skills. Do not narrow your vision, see what is out there and do what feels best for you.

In my case, I feel that signing up to the degrees via CSU/IT Masters was the best thing I have ever done but what you need to figure out is where you want to go with your career and will the skills you get from either post-grad degree or an industry cert make you more desirable to hiring companies or will it do nothing to get you into the position you want to ultimately end up in?  If it isn’t going to get you where you ultimately want to go, then you might as well through your money out of the window of your car moving down the high way, it won’t benefit you or anyone else on that highway (might cause a few accidents if you throw to much out but certainly no benefit). 

Okay, that's enough from me, let me know what you all think, do you feel that post-grad qualifications are worth it or what do you feel would be best? Comment and let me know, let's start a conversation and help budding Cyber recruits out on deciding what path they should take.