Re: To go to University - For the CISSP etc. - Good idea/Bad idea???

["Adriel T. Desautels" <ad_lists () netragard com>]

Comments embedded below.


On Aug 8, 2009, at 5:58 PM, Craig S. Wright wrote:

> A degree (if you actually apply yourself and use the experience to  
> learn)
> will provide you with a foundation that you do not obtain through  
> real world
> experience.

Agreed, but a degree in something useful that you can't learn just as  
well on
your own, and whose knowledge won't be dated when you're done.

> Although technology moves on, many of the underlying foundations do  
> not. I
> still use old techniques on a daily basis. Knowing the algorithms in  
> a sort
> function is actually still extremely useful in analysing packers for  
> malware
> reversing. This is not something that you pickup in a normal daily  
> function.
> You can learn it on your own, but the added structure often helps  
> people
> focus.

I think that's a great point but is that something that you need to  
get a degree for?
You can take courses at Black Hat etc.  Those courses are very focused  
and will
help just the same, if not better, won't they?

> I for instance am both a quasi-academic (insert shameless plug for IT
> Masters degree, digital forensics
> http://www.itmasters.edu.au/WhichQualification/MasterofInformationSystemsSec
> urity/DigitalForensics.aspx) as well as working in the "real world".  
> I still
> do degrees. I have lost count as to where I am up to, but I am  
> completing
> another doctorate, a PhD on the quantification of IS risk.

So you can't count that high?  (sorry the wise ass part of me got the  
best of me).

> You can work and study. It is easier to at least complete one degree  
> on
> campus, but there are options afterwards that many people take. Even  
> in
> networking, a good understanding of the fundamentals can help.  
> Knowing OSPF
> in routing is one thing, but understanding how the Dystraka's  
> algorithm
> actually functions is a benefit to say the least.

Or you can learn about calculating (least cost) distances on your  
own.  What you
are talking about here would be learned with a degree in mathematics,  
and IMHO
that would be very a useful degree.

> There are many point and click IT people out there. These people can  
> make a
> good career which can take them into management etc. Here a degree  
> still
> helps (though one with a business/commerce focus is best). If you  
> want to
> really get into the depths of computing, work in a lab, design etc,  
> then a
> degree is definitely not going to hurt.

Point and Click? Isn't that a bit demeaning Craig? There are many  
people in the
IT Security industry that don't have degrees and that out-perform  
people with
degrees.  Sure it might make the people with the degree's upset, but  
then again
it might not.

 I think that its not point and click as much as smarts, talent and  
innovation.

> As for how fast the IT world changes, don't really believe it.

Does anyone else here think that the IT world doesn't evolve?

> The foundations of systems and design are 80% the same today as they  
> where a
> decade ago.

The foundations for cars are 90% of what they were a a decade ago.   
Are you saying
that cars from 1999 are the same as they are today?

> The interfaces and tools have changed, but the principles have
> not.

The principles have changed significantly in may areas. Methods for  
attack and exploitation
have evolved.  If there was no change then the security industry would  
be dead as the
problems would have been solved.

> I come across the same software errors in code now, the same mistakes,
> the same poor coding as I did 2 decades ago. It may be faster,  
> bigger and
> more colourful, but we are still making the same errors.

So you're saying that the IT world hasn't evolved because people keep  
making the same
mistakes when writing code?  Your argument is flawed.  Hell, I can't  
believe that I just spent
this much time arguing about the evolution of IT.  I'm done with that  
subject, its been fun really.


> Regards,
> ...
> Dr. Craig S Wright GSE-Malware, GSE-Compliance, LLM, & ...
> Information Defense Pty Ltd
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com 
> ] On
> Behalf Of Adriel T. Desautels
> Sent: Friday, 7 August 2009 11:19 PM
> To: Adam K
> Cc: James Copeland; Hy Zaret; pen-test () securityfocus com
> Subject: Re: To go to University - For the CISSP etc. - Good idea/Bad
> idea???
>
> 1-) Fact, technology evolves so quickly that "new" technology is
> considered "old" within the course of one year.
> 2-) Fact, security is one of the most rapidly evolving areas of
> technology.
> 3-) Fact, most degrees take at least 4 years to attain.
>
> If you are interested in becoming a security professional, what you
> learn in school will be out-dated by the time you graduate.  The only
> thing that you will have that will be of any real value will be your
> experience in performing research or in delivering security services,
> or maybe in the creation of security technologies.  A degree can not,
> and will not make you a security expert... only hands on experience
> and bleeding edge exposure can do that.  You get that exposure by
> doing and universities don't "do" all that well.
>
> When I was in college I was also working full time making the salary
> of a senior software engineer.  In doing that I quickly realized that
> college was useless for me as it wasn't teaching me anything that I
> needed to know.  I found that I was learning about the real and
> current technology world while at work, and learning about the old and
> dusty technology world while at school.  Most of the skills that they
> were teaching us at school, especially with respect to security, were
> dated or becoming dated.  The only thing that I found useful was C, C+
> +, and the other programming languages that I learned.  Mind you, I
> wasn't taught by anyone, I was given a book and told to study it.  I
> don't need to pay $45,000/year to be told to read a book, I can do
> that on my own.  If you feel that you need to pay that much to read a
> book then give me a call, I've got a lot of good reading material for
> you.
>
> With regards to technology, most of the time the only thing that a
> degree will satisfy is the emotional and political requirement of the
> old school mindset.  The truth is that some of the best talent doesn't
> come with a degree.
>
> Naturally, degrees are required for doctors, lawyers, etc.  I'm not
> suggesting that they don't have a place.  I am saying that specific to
> security they are nearly useless when compared to real world  
> experience.
>
>
>
> On Aug 6, 2009, at 9:22 PM, Adam K wrote:
>
> > Right, Gates doesn't have a degree, but his career path is an
> > exception.
> >
> > I liken him to a baseball player... Ball players that get drafted
> > early (standout players with skills and sometimes luck) usually
> > don't get to finish their degree. Those drafted later (not standout
> > players) have time to finish their degree.
> >
> >
> > I have never met an individual that regrets their time spent in
> > college or their work toward a degree. I know countless people that
> > regret not getting a degree. Not too mention you typically make
> > social connections that will last a lifetime.
> >
> >
> >
> > On Thu, Aug 6, 2009 at 5:32 PM, Adriel T. Desautels
> <ad_lists () netragard com
> > > wrote:
> > Bill gates doesn't have a degree.
> >
> >
> > On Aug 6, 2009, at 3:11 PM, James Copeland wrote:
> >
> > What I have found is that school is the way to go.  People will look
> > at you with your certifications but without the college degree to
> > "back them up" that is all that they will do.  Another good reason  
> > for
> > college is that some employers will bump that pay up for just  
> > having a
> > degree, no matter even if it is underwater basket weaving.  Good  
> > luck.
> >
> > Jimmy
> >
> > On Thu, Aug 6, 2009 at 03:26, Hy Zaret<hyzaret () gmail com> wrote:
> > Greetings & Salutations to all!
> >
> > I've been training myself for a while, and have recently came to the
> > conclusion that University would be my best choice.
> >
> > The main reasons I made this decision are;
> > . Social reasons
> > . Educational advantages
> > . Takes years off the experience needed to take the CISSP
> >
> > I'm writing on these mailing-lists for two reasons;
> > . To find out what you think of my choice (not locked in yet!!!)
> > . For advice on which course to go for (Sydney, NSW, Australia)
> >
> > I am wishing sometime in the future to begin a career in IT Security.
> >
> > Although being under 18, I have still found time to achieve various
> > certifications; including CompTIA's Security+, three Cisco
> > certifications & a Microsoft accreditation.
> >
> > Also, for the last 4 months I've been working full-time on the 1st
> > Level of an IT Helpdesk.
> >
> > Am very open to ideas, so would be interested in reading & answering
> > your replies!
> >
> > Thank you for reading this,
> >
> > Hy Zaret
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification
> > Review Board
> >
> > Prove to peers and potential employers without a doubt that you can
> > actually do a proper penetration test. IACRB CPT and CEPT certs
> > require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
> >
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification
> > Review Board
> >
> > Prove to peers and potential employers without a doubt that you can
> > actually do a proper penetration test. IACRB CPT and CEPT certs
> > require a full practical examination in order to become certified.
> >
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
> >
> >
> >
> >
> >       Adriel T. Desautels
> >       ad_lists () netragard com
> >       --------------------------------------
> >
> >       Subscribe to our blog
> >       http://snosoft.blogspot.com
> >
> >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Information Assurance Certification
> > Review Board
> >
> > Prove to peers and potential employers without a doubt that you can
> > actually do a proper penetration test. IACRB CPT and CEPT certs
> > require a full practical examination in order to become certified.
> > http://www.iacertification.org
> > ------------------------------------------------------------------------
>
>
>
>         Adriel T. Desautels
>         ad_lists () netragard com
>         --------------------------------------
>
>         Subscribe to our blog
>         http://snosoft.blogspot.com
>
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification  
> Review Board
>
> Prove to peers and potential employers without a doubt that you can  
> actually
> do a proper penetration test. IACRB CPT and CEPT certs require a full
> practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------



        Adriel T. Desautels
        ad_lists () netragard com
        --------------------------------------

        Subscribe to our blog
        http://snosoft.blogspot.com


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------