Certs vs. Degrees. vs. Experience
Updated: Jun 29, 2020
Author Jose-Miguel Maldonado
A common question that is often asked by people trying to either get into the cybersecurity industry or pivot into the industry is whether or not they should focus on getting a degree, certifications, or simply focus on getting hands-on experience.
Oftentimes, this is a “chicken or the egg” question because there are so many variables that dictate the answer. Regardless of what your reason for asking this question is or what type of job you’re trying to get into, the following tips can be used as guideposts on your journey.
First and foremost, you should determine what type of cybersecurity you’re interested in because the cybersecurity field can be thought of as a mile wide but an inch deep. Are you interested in Network Security? Pentesting? Application Security? Malware Analysis? DevSecOps? Cyber Generalist? By answering this question, this will help give you a starting point.
Next, you should look at the types of jobs and requirements in the cybersecurity niche you selected above. Based on this niche, you can hone in on the skills needed to do the job. Let’s use Network Security as an example – if you want to get a job in this field for the government, there may be certain hard requirements (e.g. X amount of experience or degree) whereas if you are interested in a Network Security job at a startup or small company, they may care less about degrees and certs and are more focused on experience and the skills needed to do the job successfully. If your end game is to end up in the C-Suite as a CISO or CSO, you may want to explore the CISSP certification.
In tandem, while you’re determining what the requirements are for the job(s) you’re looking into, it is also a good idea to leverage the vast number of resources available online. At a bare minimum, any cybersecurity job will require a solid Networking foundation. Be sure that you are familiar with the OSI model and understand how data flows through the different layers because if you are in Network Security or a Pentester or any other cybersecurity field, you’ll routinely reference this model. YouTube, Networking forums, the library, Udemy, and cyber meetups are great resources you can leverage for little to no money.
If you do go down the certification route, I highly recommend sticking to agnostic certifications like CompTIA/ISC2 unless you are specifically trying to advance with a company that only uses a certain vendor (e.g. Cisco, F5, Juniper, HP, etc.). If you wind up in a situation where you are laid off and only have vendor-specific experience and certifications, you may be limiting your other job prospects if they use completely different technologies. That said, a Network+ certification will give you a foundation you can build on and that would be the only cert I would confidently recommend.
Thinking about the recruiting I’ve done over the years, I rarely look at certs or degrees on a resume because I’ve encountered a lot of smart cybersecurity people with no degrees or certs and a lot of clueless cybersecurity people who have dozens of certs and several degrees but have no idea how to solve a simple Network problem. Sure, certs and degrees are nice to have, but when I’m recruiting, I’m more focused on if you have the critical thinking to solve problems quickly and efficiently because real-world scenarios do not match what you learn in a book or a controlled lab.
The bottom line is that you will get a different answer to this question of certs vs. degrees vs. experience depending on who you ask. There are the rare company gems who are willing to take a chance on someone who has no experience and teach them everything they need to know on the job. If you find yourself in a position at this type of company, I would highly encourage you to learn as much as possible because that experience will certainly help you down the road.
About the author: Jose-Miguel Maldonado is the VP of Business Ops & Security at Rubica, a cybersecurity startup, and has acquired a reputation for creating cybersecurity champions out of non-technical people.