HR and in-house recruitment types should get rid of the myopic idea that to work in IT you must have been to university, says a Department of Homeland Security honcho. Many "corporate and government jobs actually require a college degree or equivalent work experience," DHS deputy undersecretary for cybersecurity Mark Weatherford …
As usual this isn't clear cut but depends on what you want out of a candidate and what business you're in. I can see it being useful if you design control systems or deal with embedded logic but in the general business environment experience is a far better metric... but then I would say that, wouldn't I? Not having a degree myself.
Re: It depends
Agreed. It completely depends on where and how a degree will be applied.
To be honest, most undergrad degrees these days don't give the degree holder much more than an overinflated sense of self worth. In lots of cases I'd rather have a bright self doer than a newly minted grad. Our research and engineering staff are all college grads but our field staff and over half of our IT staff don't have degrees. Some of the more talented field staff actually make more money than anyone in the organization (except the sales guys).
Which country is the degree from?
Would you trust a security expert from a Chinese college?
Re: Which country is the degree from?
Actually, yes I would. The Chinese have done a sterling job of cracking American systems.
Re: Which country is the degree from?
"Would you trust a security expert from a Chinese college?"
But I hear the University of Lagos is very good.
Schools used to be a magnet for hackers
that was until MIT started grand jury investigations into any student running wild processes not ordained by the suits. Students too busy working on their Facebook profiles now.
No, you can't possibly be any good without a degree. I mean, look at Bill Gates, he dropped out of University without a degree and what did he ever accomplish? Come to think of it, Paul Allen, Steve Jobs, Steve Wozniak, Larry Ellison, Thomas Edison and quite a list of others all dropped out.
Having a degree isn't a bad thing, however there's a lot of extremely switched on people out there who are more interested in getting stuck into the nitty gritty, as opposed to a structured curriculum laid out by bureaucrats. As a result, even though they are immensely talented, when it comes to recruitment they don't get a look-in. So I whole-heartedly agree with Mark Weatherford.
What's equally ridiculous is the stupid lists of do's and don'ts for job interviews. It's almost as if they expect interviewees to be Brad Pitts and Angelina Jolies, without seemingly realising that people suited to technical/engineering roles are quite often quiet and introverted. Just because someone's not a super-confident, eye-contact loving, charmer with the gift-of-the-gab, it doesn't mean they aren't incredibly intelligent.
upvoted, but you went and fucked it all up with Edison.
he was a marketing hack nothing more
you went and fucked it all up with Steve Jobs.
he was a marketing hack nothing more
On the other hand...
...if you were a small business owner attempting to expand, would you want somebody who may have only adequately self-taught themselves running critical operations?
Re: On the other hand... @brym
Given what small (and larger) businesses in my geographical area are willing to pay, they should be grateful for anyone who's willing to spend the money/time to attend an interview. That applies to all IT jobs around here, not just security. Disclosure - I'm not a security bod and my skills aren't suited to what there is here, but I think my point is still valid.
Re: On the other hand...
"...if you were a small business owner attempting to expand, would you want somebody who may have only adequately self-taught themselves running critical operations?"
Typically that is the owner, or their friend/child/sibling.
With very mixed results.
Re: On the other hand...
> would you want somebody who may have only adequately self-taught themselves
No. But that's why they get a technical interview - to work out what they really *do* know.
It is worse than that. You have to have the RIGHT degree
from the RIGHT University.
So for poor sods like me who went to a Poly and got a 1st in Mech Eng, it is rated by many employers as being lower than a 3rd from some 2nd tier uni. They ignore my CEng and the MBA(OU) because I didn't go to the right University or get my MBA from the right place.
Don't even talk to me about the HR droid from BT who spent the whole interview ignoring all of the above and giving me the 3rd degree over why I left school at 15 and did an apprenticeship before going back into education and got my degree.
Lemmings the lot of them.
Re: It is worse than that. You have to have the RIGHT degree
I agree with you. I have 3 degrees, none from the right uni or indeed the right degree. I took my time over them, with the 3 graduations spaced over 15 years. The concentration of the HR bods' questions isn't about what I did during the process of obtaining the degrees but why it took so long. The reason it took so long is that I was working during the entire process of my Postgrad qualifications, not something they want to hear apparently. TBH I'd be more inclined to give the job to someone who had a breadth of relevant experience rather than a green graduate with the 'right' qualifications. I know that after my BSc I didn't feel competent until I had a few years' actual experience under my belt. Besides, the number of arseholes you meet with PhDs seems to be relatively high when compared to the general population, just an observation, no actual quantitative measurements involved.
Re: It is worse than that. You have to have the RIGHT degree
To quote my grandfather:
"Thermometers are not the only things that are graduated, have degrees, and can't think."
It's not going to change..
The massive problem is simply that recruitment is filtered through people who are in essence totally clueless about what it really takes to handle security, for a number of reasons:
- security is a vertical skill, not a horizontal one (which is also one of the issues with running security in a company in general). If you want to do security right you need to have a feel for the whole corporate structure from the engine room to where it hits business processes and the users themselves. Especially the total lack of empathy with end users (classically propagated by the them-and-us culture that an IT background can encourage) gets in the way of intelligent solutions and leaves cracks. 95% of HR work is finding someone who slots in at a specific horizontal level, but security people rarely do (which means that finding someone who can manage them properly is also hard work - the post is often abused for power play which helps nobody).
- good security people have a blend of skills and must be able to pick up new ones quickly. Getting certified is a tickbox job (and an overpriced one at that) but does by no means guarantee the certified person can see the connection between the various disciplines. You need IT insight, a grip on business processes, a good sense for applicable laws and compliance models (in many cases across various jurisdictions, and cross-jurisdictional law is an art in itself), a good deal of psychology, a developed backbone to stand your ground and enough political skills to negotiate a path through opposing requirements and ensure intelligent conflict resolution. It takes one to know one - that mix is complex and changes depending on the business involved. Rarely have I seen the need for out-and-out hackers - they are only part of the overall picture.
- rear end covering. As HR specialists are not really equipped to identify security people, they hedge their bets and go for qualifications - that way they don't get burned if it turns out they invited a bad apple. Granted, qualification can often give an idea of a skill set, but I have taken on people whose CV didn't include any, and I had to rescue security projects screwed up by people who had all the right tick boxes but could tell an NS record from a hole in the wall (the UK CLAS consulting scheme is in this context a classic, and don't get me started on the expensive "we just hire some cheap contractors abroad and relabel them" Microsoft "consultants"). We ended up not only rescuing projects, but also taking over recruitment to get some brains into the place instead of the ones who were only good at selling themselves. Even screening needs some intelligence applied, and we have by now probably used every depth you can buy, from the mundane criminal records check to the full political monty at £100k per instance to screen a possible CSO.
So, unless you get a wide spectrum security specialist in to set up the department and tightly control the HR process until you have your full complement, you WILL get the tick box merchants who are basically glorified, overpaid administrators. If that's what you want to satisfy compliance needs, fine. If you want actual security, not so much - there is a reason why so many APTs are eventually successful.
I don't know, I'd be happy enough to employ an applications developer based only on talent, however I wouldn't be prepared to employ somebody as a security "expert" unless they had some formal qualification in that area.
Rather interestingly, Weatherford's bio shows that he holds a bachelor’s degree from the University of Arizona, a master’s degree from the Naval Postgraduate School and certificates in Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM).
Weatherford is also a former naval cryptologic officer, a role in which he led the Navy's computer network defense operations and the Naval Computer Incident Response Team, so I presume that his post-graduate degree has something to do with cryptology & computer security. Is Weatherford making a statement about the quality of his own training or ability????
Weatherford was appointed as California's Chief Information Security Officer by Governator big Arnie. I'm beginning to think that Weatherford has been watching too many of Arnie's films where the underground hacker can hack into the control systems of power stations and let the good guy know that the bad guys are pumping gas into the power station to make it blow up before either the company controlling the gas network knows. Or is that Bruce Willis I'm thinking of? It's all Hollywood horse-shit either way.
Anyway, how's any potential employee without the relevant qualifications going to get past HR's box ticking exercise (Sorry Mr Ritchie but we were looking for someone certified in 'C')?
Lots of bear pits here.
So you don't have a degree but 10 years experience.
10 years experience of different stuff or 1 years new stuff done 10 times over?
You didn't follow a curriculum.
Do you know what areas you don't know enough about that can bite you on the ass?
What are you doing about them?
Those last 2 are critical. Self taughts cover the stuff that interests them but can miss the stuff that does not ("So what if all my variables are 2 characters long. I get bored typing." Bring them back to the code 6 months later and I guarantee it'll be "who wrote this PoS code?")
But really. Set up a test server/network and see if they can break into it or find/fix the (relatively) obvious security fails you've put in the set up.
Do you want someone who can tell you how good they are (even if they are rubbish) or someone who is good, whether or not they are articulate enough to convince the suit from HR?
sounds like a requirement for
(safe for work)
head of GWB's gestapo not in favour of people trained in critical thinking.
Unfortunately a degree without practical experience is just a piece of paper that says the holder had the tenacity to stick out the time and regurgitate that which the professors considered essential. The irony of this is that most, if not all, of the teachers have never actually worked in the areas they teach about and as such are unqualified to do the job.
Before anyone gets upset about what I have said, I am speaking from 50 years experience (and 3 degrees) with the last decade taken up showing those with new degrees that they do NOT know it all.
I got my first IT job...
...without a degree, by asking for the interviewer to give me a break. Bless him, he took a chance, and told me he never regretted it.
I got my second IT job over three other candidates, all of whom had been to university, done MCSEs etc and proudly waved their papers before the boss's nose. He would tell me months later that the degrees and holograph embossed paper meant bugger all - the fact I'd fiddled with computers all my life and held down the previous job without blowing anything up did the trick.
I didn't go to university, and have never felt ashamed of that. I never knock anyone who does / has / did - we all go our own way and do things that match our learning styles. For me, that was hands-on break and fix from a young age and it has been nice to find people that value that. I'm just wired that way. This is in spite of all the wagging fingers telling me I was lost without a degree - and I'm glad I didn't pay that much heed.
I've also been offered / had interviews since where I've been outright told that the degree requirement was 'just a HR thing' and that they'd take experience as an alternative.
I got a degree...
...in Geology in '95. Worked in IT ever since. Mostly non-security, catch all computer/server support/clueless boss support type of job. Now I'm finally working on certificates and a CIS degree to put on my resume so it doesn't get filtered out right away by HR people who look for certs/degrees but not relevant experience.
University and other structured learning environments can be useful for some, not all.
Early on I tried to get ahead without higher education qualifications, but got stuck, so had no option but to eventually do a degree.
University and other structured learning environments introduced me to subjects and ways of thinking which I would not have looked at anything like as quickly, if I had stayed self-taught e.g. OOP, RDBMSs, Networks, etc. You can also get detail on areas which do/don't work, so you know why, can recognise them, and have good reasons to welcome/fight them in future e.g. several project management and development methodologies were so hyped, but crashed and burned :)
Degrees are only sensible if you pick something you are interested in, are smart enough, and they provide new insight and knowledge you can use; otherwise they are pointless. Governments need to realise that most people don't need to go to university, because this only leads to excessive drop outs, useless graduates, and a pointlessly expensive education arms race; proper apprenticeships and vocational courses would be far more valuable for most people.
Yes, the right degree matters; early on I saw what a mess a recent Geology graduate made of some commercial computer work because he bluffed a position, but was clueless at development and problem solving, so bailed; I, a recent Computer graduate, promptly sorted out the software and got it working excellently; I left later, to get more interesting work and money.
Just because there is loads of information on the internet doesn't mean you can learn everything alone, there is still a huge amount of rubbish and deception there too; a lot of relevance, and comprehension still has to be learnt from interaction with other people, and online interaction may not be adequate to provide this. It takes a long time to form good mental BS filters and stuff still slips past!
Turns out, degrees are pretty much essential...
IME, it's comparatively rare for a degree to have any positive effect whatsoever on how a software engineer does his job. Those that can do it would do so with or without a degree.
The trouble is, if you haven't got that degree, you're unlikely to get through the recruitment agency. And if you do, you're unlikely to get past the HR droids.
So typically, you need a degree to get yourself in front of the people who know what they're looking for. Without the paperwork, they may never hear of you...
Some of the best guys I've ever employed have not had degrees. But you find out about them through other people.
I've seen degrees have negative effects as well. During a technical interview, I've had graduates refuse to answer questions because they've got first-class degrees, and thought the questions were beneath them. My questions were carefully tailored to test a skill I was looking for; these lads didn't get the job.