Security Basics mailing list archives

Re: University Degree or CISSP

From: "Dave Aronson (SecBasics)" <sfbasics2dave () davearonson com>
Date: Tue, 30 Aug 2005 15:02:55 +0000

soumyadipta_das () yahoo com writes:

Is it better (in terms of technology and industry acceptablity) to get a
university degree on information security than certifications such as 
ccna/ccsp, ceh (or security+) and cissp?

It depends on a number of things.

First, what do you want to DO? Are you intending to be a security analyst, a writer of security-related software, a
pen tester, or what? The attitudes towards degrees and certs vary widely between these fields. The closer the job
gets to black-hattedness, the less important BOTH of them become, but degrees more so.

Second, do you have a degree already, of any kind? I don't know about elsewhere, but here in the USA, that is an
absolute requirement for most regular corporate technical jobs. Some also demand it be in an area directly relevant to
the job; for security engineers, this could be specifically computer security, or possibly computer science,
information systems, software engineering, etc. However, the *added* employability from having *higher* degrees is
generally small, except in the federal government, or sometimes their contractors looking to put you in contract slots
that require specific degrees.

Third, it depends what you've done with the knowledge that the degree or cert claims you have. If the paper is fresh,
people might think it's still fresh in your mind and give the paper more weight. If it's been quite a while, though,
they're going to look more at what you've done, which will thus be reinforced in your mind, and assume that you've
forgotten pretty much everything else.

Fourth, it depends what other experience you've got, that is at least tangentially relevant. For instance, if you want
to write security software, it would help to have a good background in programming, or at least using popular pieces of
security software.

Last, it depends on the person you're asking to evaluate you. Some view certs as a good thing, some as neutral, and
some even as *negative*, especially MS certs.

Long story short, there are no hard and fast rules. You can probably get the certs much more quickly and cheaply,
possibly with just self-study and a day or two off to take exams, so in my position (CompSci-degreed, in the US, with
about 20 years experience), I'd go for that first. YMMV. Either way, try to get an employer to pay for it! :-)

-Dave

Current thread:

Re: University Degree or CISSP, (continued)
- Re: University Degree or CISSP Pukhraj Singh (Aug 30)
- RE: University Degree or CISSP David Gillett (Aug 30)
  - RE: University Degree or CISSP tbost (Aug 31)
  - RE: University Degree or CISSP Mark Teicher (Aug 31)
- Re: University Degree or CISSP Kelly Martin (Aug 30)
- Re: University Degree or CISSP Leif Ericksen (Aug 31)
- RE: University Degree or CISSP Kumar, Snehal (HP Security Services) (Aug 30)
- Re: University Degree or CISSP nds2a (Aug 30)
- RE: University Degree or CISSP Brunner, Mark (Aug 30)
- RE: University Degree or CISSP Nidschelm, Robert (Aug 30)
- Re: University Degree or CISSP Dave Aronson (SecBasics) (Aug 30)
- RE: University Degree or CISSP Christopher Carpenter (Aug 30)
- Re: University Degree or CISSP bgreene (Aug 30)
  - Re: University Degree or CISSP Steven Kalcevich (Aug 31)
- RE: University Degree or CISSP Spahn, Louis (Aug 31)
- RE: University Degree or CISSP Francis Kaitano (Aug 31)
- RE: University Degree or CISSP Christopher Carpenter (Aug 31)
- RE: University Degree or CISSP McKinley, Jackson (Aug 31)