During a session of “Silicon Trailer” a couple of days ago one of the people that dropped by asked what they could do once they finished their Masters Degree in Cyber Security. They immediately stated saying that they were thinking of going into Penetration Testing, but were interested in other Computer Security jobs. I immediately groaned and laughed at the thought.
One of the issues with college programs is that the students don’t really understand what they are being prepared for. They have an idea of what they want to do, but many times the program does not teach them how to do that. The students expectations are simply out of line.
If you plan to earn a Masters Degree in Computer or Cyber Security generally you should realize you are earning a degree focused on management. For the most part these are not overly technical degrees where you learn how to perform actual technical tasks, rather they are degrees that teach you to manage people that will perform technical tasks.
So instead of imagining that you’ll be a Penetration Tester at the end think more along the lines of being an IT Director in a company that deals with client information. When building infrastructure different priorities are required for different industries. If the company you work for primarily uses task specific systems and doesn’t deal with confidential data they may want an IT Director with heavy knowledge of network infrastructure. On the other hand if you’re working for a startup company that consumes a large amount of personal data they will care a lot about hackers and data integrity. That company will be looking for IT managers with a background in security not because the managers themselves will deploy the systems, but rather so that they can supervise the people that will.
Beyond the simple fact that most of these programs are not teaching you what you think they are there are some simple concepts in the security profession that are overlooked. The first being that many times security professionals have to have security clearances to be hired. If you’re prior service military with a Top Secret clearance this is not an issue. If you’re a random person who thinks security sounds fun it is. Clearances cost tens of thousands of dollars to receive, and outside of being in the military can be difficult to earn. You can’t just order one, a company or agency has to sponsor you to get one.
Past the security clearance you run into the issue of there are simply not as many jobs as it’s made out to be. All companies need IT support, and large companies IT managers to work full time. Computer Security professionals are generally only called in when they are needed. They will do compliance audits and such, but then they leave. Companies don’t need that many specialized security professionals.
If you really want to be a cyber security professional the main thing to realize is that it will probably take a while to become one. No one with a grain of common sense is going to hire a brand new degree holder to start blasting away at their systems to do penetration testing. You need experience and a track record that people trust before they will allow you to possibly compromise their infrastructure. If this is the way you want to go focus on technical skills such as linux administration, and scripting in numerous languages. Then focusing on obtaining the most technical experience you can get. The best way to learn to compromise infrastructure, is to build a lot of it. When people trust you, and you can trust yourself, then you will have a shot at doing real security work.
Honestly I have found most Cyber Security Masters Degree programs to simply be a way for colleges to exploit ignorant students. If you don’t have a technical Bachelors Degree, or at least 3 years experience in technology there is no reason why you should be in an IT Masters program. A Masters Program by definition is supposed to mark you as a professional in your field, and how can you claim to be a professional if you have no experience?