If you want to work for large, bureaucratic organizations or the US government, you can skip this video. The majority of large corporations and the US government prefer to check boxes (degree, number years experience, etc.) over the value you bring to the organization.
If you are clear on a career in cybersecurity, spending 4 years on a bachelor's degree is more than likely a waste of your time and money. You can learn everything for free on the Internet. And, are "core" courses really going to help you? Political science, art appreciation, history?
But, what about the cybersecurity skills gap? A lot of the skills gap is bogus. One of the reasons there's a skills gap is because those large companies and government entities haven't changed their hiring procedures. They want to hire entry-level cybersecurity people with:
Do you really need all three of those for an entry-level position, such as a position in a SOC, where you monitor logs? That can be taught to you in a week of OJT.
The other contributing factor to the skills shortage is people with college degrees don't want to hire people without college degrees because at some level you may be silently admitting your degree isn't worth as much as you thought.
Some of you may be thinking the only reason I did this video is because I don't have a degree myself. That's not true. I have a Bachelor's and a Master's degree. I dropped out of a PhD program after a couple years because I took a step back and realized it wasn't serving me - it wasn't going to help me in the direction I wanted to go.
4 of the main reasons to not get a cybersecurity degree:
A Bachelors degree will take several years. During those several years, you may not be making any money - you're just spending it on education. What if you started a cybersecurity career year one. How much further ahead would you be in your career after four years?
According to US News (https://www.usnews.com/education/best-colleges/paying-for-college/articles/paying-for-college-infographic) the average cost for a 4-year degree is around $80k. If we consider that for the most expensive school and cut it to $40k ($10k/year), it is still a significant investment. You could get 4 cybersecurity certifications with $10k. Each certification is around $2500 each - with the boot camp, the materials, the exam fees, etc. You don't even need to take a boot camp, you can study on your own and just pay for the exam voucher ($300-$400). You could get the Security+, CEH, CySA+, and CISSP (Associate) in less than one year, land a job and start making money, rather than paying for education.
The value you bring to an employer's eyes is leaning more and more towards certifications. Even if you get a college degree, you will still need to get certifications too, so on top of the $40k or so you spent for college, you will need to spend more for the certifications.
4. Level Up
If you really want to get a cybersecurity degree, which is great, you should do it after you get a job in cybersecurity. The job experience will help you focus on what cybersecurity courses you want to take. The job experience will also add context to the course you are taking. One of the problems getting a cybersecurity degree with no experience is you lack context on how the subjects fit reality, and you may think academia matches reality - this is rarely the case. Another reason to go to college part-time after you get a job is many employer's offer tuition assistance.
The intention of this video is to shine some light on areas you may not have thought about. If you want to go to college, that's great. We just want you to make informed decisions.
College or not, you will still need cybersecurity certifications. If you are passionate about cybersecurity and want to make a difference, consider one of our cybersecurity boot camps:
Skipping a Cybersecurity Degree is Good for Your Career and Pocket Book Transcript
If you want to work for a large bureaucratic organization or the U.S. Government, you can like skip the rest of this video, it's not really applicable to you. Large corporations and the U.S. Government, they care more about what you look like on paper versus the value you bring to the organization. They're simply looking for check marks in a box. Like do you have a degree? Check. Do you have this? Check. They don't really care about you as a person or what you bring to the organization. If you're clear on what you want to do, if you know you want to go into cybersecurity, then spending four years on a college degree is a waste of your time and your money. You can learn everything you need to know for free on the internet, or if you want to go to college, you can spend four years learning a bunch of stuff that is irrelevant to you and your career path.
I mean, do you really need to know like political science, history, art appreciation, all these core classes? Are they really going to help you with a cybersecurity career? I realize the idea is to make you well-rounded, but with cybersecurity, and if you know the direction you want to go, specialized knowledge is often more important than well-rounded. It's also possible to be so well-rounded you have no point. You may be thinking, well, what about the skills gap, the skills shortage. I've heard there's going to be three gazillion cybersecurity job openings by 2025. Whatever. A lot of that is a bunch of BS.
The reason we have like the skills gap is antiquated hiring procedures. Those large corporations, the government, they want to hire people that have a degree, have experience, and have certifications, and they want to hire people, for those three criteria, for entry-level positions. I mean, if you're going to like look at logs in a security operations center or a SOC, do you really need a degree? No. Do you really need experience? No. Somebody could teach you what to do. Do you really need a certification? Not really. It is preferable, but you don't really need it. But we're adhering to the standard that we have to have all these criteria, which is why we have this shortage, because we don't have enough people that meet all three of those criteria for an entry-level cybersecurity position. But what's going to happen is employers will start shifting their hiring procedures and looking at what value people bring the organization, versus checking those check boxes.
Some of you may be wondering, well, the only reason I'm talking about that degrees don't matter is because I don't have a degree myself. That's not true. I have a bachelor's degree, a master's degree, and actually started a PhD, but I'm an ABD, as they say, all but dissertation, because I dropped out of the PhD program because as I was going through it, I realized what I was learning was really academic and it wasn't applicable to reality. So I took a step back and I thought, "You know what, this is not serving me in my career. It may look good on paper, it may look cool to be called a doctor," all that sort of garbage. But the reality was, the stuff I was learning was not really applicable to cybersecurity and the path I was on. Also with my bachelor's and master's degree, I probably use less than 5% of what I learned. And I spent four years on bachelor's and two and a half years on a master's. So to only use 5% of that is not a good investment of my time to get those degrees.
There's four areas I like to focus on on why skipping a cybersecurity degree is good for your career and your pocketbook. Reason number one, or the first area, is time. If you want to get a bachelor's degree, it takes you roughly four years. Imagine, rather than spending those four years going to college and learning like the core subjects, like political science, art, appreciation, all that garbage, imagine if you started out on year one with your career in cybersecurity, at the end of those four years, how much money would you be making versus how much money you owe a university or a college. So time is the first thing.
The second one is money. According to the U.S. News, the average four-year degree costs around $80,000. That's quite a bit of money. Again, if you go back and look at the time, over a four year period, if you're simply spending $80,000 and not making any money, you're going to come out in that four-year period way in debt. But if you started out on year one with a career, you would make more than $80,000 over that four years, instead of spending the $80,000.
Also, let's just assume the $80,000 is a expensive college degree. Let's cut that in half so it's $40,000, or $10,000 a year. $10,000 a year is still a massive investment. Rather than going to college and spending $40,000 over four years, if you spent that $10,000 of year one and got four cybersecurity certifications, because roughly each cybersecurity certification's going to be about $2,500 with the bootcamp, the exam voucher, all the books, all the materials. So $2,500 or four certifications for $10,000, you would certainly come out ahead because you could easily get a job with four certifications.
If you got the security plus, the certified ethical hacker, maybe the certified cybersecurity analyst, and maybe the CISSP associate, you would certainly get a job much quicker than waiting four years to get a college degree, and then even after you go to college, you still have to get the certifications. So you spend $80,000 or $40,000 on college, and then when you graduate nobody's going to hire you because they want a college degree and the certifications typically. Or you could look for the more progressive companies that value a certification over a college degree, and spend that $10,000 as I mentioned, getting four certifications. You don't even have to spend $10,000. You can spend $5,000 to get two certifications. You don't even have to spend any money taking a bootcamp. You could just do it on your own and simply pay for the exam voucher, which is around three to $400 depending on the voucher.
The third area is value. I kind of talked about this a little bit, we were talking about money. But to add value to get employed, you need to have the cybersecurity certifications as well. They add more value to your resume than a degree in most circumstances.
The fourth thing I want to talk about is leveling up. I know some of you are probably thinking, "I need to have a degree. My parents have a degree. I feel like I won't be respected without a degree. I must have a degree." So to level up and get that degree, and I think it's a great idea if you have that ambition, once you get your foot in the door and start a career, a lot of employers offer tuition assistance. So the money is not all yours that you're spending towards the degree. Some of it's your employer's money. So maybe consider that. Also, it's beneficial if you're working in an industry, that when you take a class, you can see the gap a lot clear than taking this class by itself because you're going to school full-time, and then when you get into the career field, you wonder like, "Wait a minute, it doesn't quite work like academia." Having the experience, then taking the class, is very useful, versus the other way around.
My intention with this video is to illuminate some of the different areas you may not have considered. Is it really worth spending four years of your life and going into massive debt, when there's possibly an alternative where you can start making money almost immediately, with a little bit of investment, versus a big investment for college?
Christian Espinosa is Alpine Security's CEO/Founder He holds over 25 certifications, including the CISSP, CCISO, and PMP. Christian is a US Air Force veteran with a BS in Engineering from the US Air Force Academy and MBA from Webster University. Christian holds multiple patents on cybersecurity attack and defense. Major recent projects include penetration testing and assessments of commercial aircraft, medical device penetration testing, and numerous incident response projects. When Christian isn’t protecting us from cybercriminals, he climbs mountains, travels the world, teaches outdoor wilderness survival, and competes in Ironman triathlons.