First, a disclaimer. I am employed by CMU but these views are mine. This is my perspective as a student, but it is impossible to ignore that I am also an employee.
In 2016, I finally decided to return to get an MS after getting a BS in Information Systems Management on an Information Assurance track in 2007. In December 2018, I graduated with highest distinction. CMU has a good tuition benefits program and one of my incentives when I accepted employment included the possibility of graduate school.
For various reasons, a distance curriculum was best for me, so I ended up taking the GRE and going to Heinz College to get an MSIT: Information Security & Assurance.
This is the description from CMU's page, "Is MSIT Right For Me?"
The Master of Science in Information Technology (MSIT) is a part-time, distance learning program that is ideal for current IT professionals seeking to add business acumen, management, and targeted problem-solving skills to their portfolios. MSIT can also be a great fit for professionals from less technical areas, such as finance and health care, who wish to pivot toward technology-intensive roles and improve their analytical skills.
After completing the program, I would say the description above is fairly accurate and useful. In particular, this degree had a few things that appealed to me.
- It was at CMU, my employer, so tuition would be free with the caveat of counting as taxable income.
- It is geared towards working students.
- The degree offered some flexibility in focus and electives.
Technical classes
There were a couple of areas involving technology or math where I knew that the CMU classes would be challenging and cover material I wouldn't normally have time to learn through professional development. Some were full semesters and some were half semester classes, called "minis" by Heinz College.
I focused on a few areas in my technical classes. These were areas where I thought I could use more formal teaching, might be directly related to my work, or in subjects where I thought justifying professional development would be difficult but the classes would still have some application in my career. The highlights that I think were most useful for me included the following.
- An object-oriented programming class using Java.
- An economic analysis class that started with more general economics then focused on the economics of IT, including implications for management and strategy.
- A useful refresher on statistics covering descriptive statistics, statistical inference, and regression analysis, including applying statistical analysis to analyze IT problems. This also was a prerequisite for some other courses.
- Exploring and visualizing data was very relevant to my current job and this class was focused primarily on exploring data sets using R. I had used R previously, but this class let me do a lot more and I enjoyed the final project.
- Geographic information systems (GIS) was a very fun course, though I'm not sure I will use a lot of the skills directly. It did help me appreciate how much goes into geographic data analysis and information displays and teach me some lessons that apply to information presentation across disciplines.
- Penetration testing was probably the class where my motivation for enrolling was closest to, "I want something that will be technical and fun." It was a fun class, but also very tough and frustrating at times when getting stuck on the challenge labs.
Business, leadership, and policy classes
The other classes were in areas I thought would benefit me and my career because they were in areas where I might have had experience, but little formal education or knowledge. Examples include:
- Privacy in the digital age was a great class focusing on privacy that, "...combines technical, economic, legal, and policy perspectives to present a holistic view of its role and value in the digital age (from the syllabus)." It was a very useful class for anyone in information security given the privacy issues in today's world, many of them having direct impact on how we do our jobs in information security.
- I learned a fair amount on strategy development for organizations and businesses, which included useful lessons and the history of creating organizational strategies. It used case studies really well to show the impact that an effective organizational strategy can bring.
- Almost anyone will improve by taking a good writing class, so I was happy to take business writing for leaders even though I find writing courses somewhat stressful. I'm used to writing many papers, but writing for a writer, the professor in this case, can be intimidating.
- Several courses covering information security management, governance, process, policies, and risk management. Most of these were required as part of the Information Security & Assurance focus.
Do you need a degree or certification?
Why am I writing about this? Because there is an ongoing discussion through the field of information security ("cybersecurity") about the relevance of degrees, certifications, and other credentials. There are also related questions about how people should enter the career of cybersecurity. My answer to any question about what someone needs will always be situational. Individual circumstances will make a huge difference in any examination of the cost/benefit for a specific degree or certification. Context is the key to answering questions about career transition, degrees, and certifications, because no one answer is correct for everyone.
In my case, the pro-degree arguments, benefits, or positive implications were:
- I work for a university, so graduate degrees are encouraged and valued.
- Employee benefits include free tuition at CMU.
- The degree was available online, allowing a flexible school schedule.
- The degree offered many classes that were useful towards improving myself as a professional.
- I saw the potential to make myself more valuable as a mid- to late career professional.
- I saw the potential to refresh skills I already have or learn new skills.
- It provided a chance to take some longer-running technical classes that allowed more depth than typical professional development.
The costs, or negative implications, were:
- It took a lot of time out of my life. The recommendation was to budget 12 hours per week per class, and that was fairly accurate. Some classes were a little less, some were much more.
- Despite the free tuition, it still cost me money in books, time, and tax liability.
- It was very stressful for me, particularly since I wasn't satisfied with simply passing but was trying to excel.
- A small number of the classes covered fair chunks of material where I already have extensive experience, making them somewhat less interesting.
What should you consider when trying to decide about a degree or certifications? I covered a lot of it in my benefits and costs, including time, cost, personal situation, professional situation, goals, and intangibles. I think certifications are generally a good way for earlier career professionals to boost their credentials a bit and I had a number of them when I first entered IT. Some jobs obviously require certifications, making the decision fairly simple. Some certifications are also more useful than others, so that can enter into the equation. The costs and benefits of a degree are generally both more significant but the basic factors to consider are similar.
For underrepresented groups, degrees and certifications are often much more important because of disparities in opportunities. I got an MCSE, CCNP, and SANS certifications early in my career but was able to get into IT without a degree and without either of those certifications complete. Not everyone, even when they're capable, will get those opportunities.
I started in IT nearly 20 years ago so my analysis entering the field today would also be different. I did three interviews and got three offers when I was looking for my first IT job, but degrees and certifications have become more typical requirements or wants in recent years. None of my old Microsoft and Cisco certifications are current today and it likely has little impact on my credentials given my experience and degrees. It would likely be a different story if I was still early in my career or switching careers.
I will also point out that I don't see how having a degree or certification should ever count against someone unless it is literally a scam like a diploma mill or something similar. Someone who earnestly gets a well-known and honest certification should not be looked down upon. The MCSE, CCNP, and SANS certifications all taught me a lot and forced me to also teach myself to successfully pass the exams.
What's next?
One thing we can probably all agree with is that cybersecurity requires constant learning and change to be successful. The IT environment today is drastically different than when I entered the field. While many of the baseline skills remain constant, the evolution of IT, for example from Windows NT to Active Directory to IT infrastructure in the cloud, means that we had better be learning so we adapt our skills to current environments and technologies. For me, the first step is always self-study, reading, and experimentation, but this is not the only answer for developing skills and expertise.
Since I am done with school, I'll likely be pursuing professional development in technical areas to improve the depth of my skills. This will likely include a certification or two as a way to set a goal and timetable for learning specific topics. General topics like cloud security, cloud architecture, machine learning, security orchestration, edge computing, and mobile computing are all areas that are currently in flux and will require professionals to make changes as the technologies continue maturing. Everyone in cybersecurity needs methods to stay current in the face of changing technology.