Okay, so I can’t let this one go. I know I’m way late to the
game on this since I wasn’t able to blog about it when it happened. One of my
big takeaways from the Equifax hack is that we still have a long way to go in
the information security community in educating the public and the media about
who we are particularly as it pertains to the digital forensics and incident
response world.
What spun me up this time wasn’t the predictable
post-incident speculative blamestorming and vendor preening. I suspect most of
us have long since grown numb to self-appointed information security experts
trying to bring attention to themselves by speculating on things they don’t
have much knowledge or credibility to speak on.
What vexed me about the post-game analysis on this one was
the freak out in regards to Equifax’s Chief Security Officer having a - gasp - music degree. Not to put too fine a point on it, but
questioning someone’s qualifications in the information security world because
they don’t have a technical degree is flaming nonsense on stilts. There are tools and knowledge that we use
daily in this community that were created and taught to us by people who didn’t
have technical degrees or any college degrees at all. Some of the finest technical people I’ve
worked with didn’t have anything more than a high school degree or had college
degrees that had nothing to do with technology.
What they did have was a burning passion for information security which drove
them to become great at what they did and to contribute to the larger
community. One of the reasons why some
of these people don’t have college degrees is because they just didn’t see the
point in spending time going into crushing debt while languishing in general
elective classes on Babylonian astrology while they could be teaching themselves
skills like networking, coding, and how operating systems worked.
That isn’t to say that we haven’t gained an immense amount from people in our
community who have highly technical degrees.
People whose last names I don’t need to use such as Harlan, Lenny, and
Kristinn all have engineering degrees and we’re all the better for their
academic backgrounds and their contributions when it comes to education and
tools.
I’m all about people who are passionate about getting into
digital forensics and information security taking advantage of all of the
various academic paths and options they have available these days. With the increased demand for information
security talent, we’ve seen plenty of quality purpose-built information security
degree programs in addition to the traditional degree programs in computer
science, electrical engineering, computer engineering, and the like. If you are interested in getting into fields
like information security or digital forensics, you’ve got many more options
than I ever did. You’re only limited by
your imagination and debt management.
Speaking of technical degrees, I think one of the things
that really rubbed me the wrong way on this was the lack of understanding on
what a long, hard slog a music degree is for someone to complete. I don’t think music degrees are considered
STEM degrees, but completing one tells me that your brain is formatted for
working in technology because of all of the analytical work you had to do for
the degree. I remember back in the 1990s
when employers were desperate for technical employees and hiring anyone with a
Microsoft certification. The employers
in my area figured out that music majors made for awesome technical hires and
started to actively recruit people with these degrees.
Even the United States Navy has gotten into the act. It doesn’t surprise me at all that in 2016,
they accepted someone with a music composition degree to their highly selective Navy Nuclear
Propulsion Officer Program. This is a program
where the Navy seeks out the best and brightest people early in their college
careers to get them onto the path of joining the nuclear portion of the United
States Navy.
So, what is the takeaway for us? Be sullen and angry when
the media gets it wrong? Nope. We need to be happy information security
warriors and just realize when this sort of thing happens, we have to use it as
an opportunity to educate others about our community and all of the wonderful
people with diverse interests, abilities, and career paths who make it great.
I'd really hoped that the news cycle had left this issue far behind...
I, and others, have posted the "...how to get started in DFIR..." articles, and I don't remember ever having said, "...start by getting a technical degree...".
Yes, I do have technical degrees, but no, I've never actually had to use them. Sure, in my MSEE program I went through exercises where we actually computed CRC values, the "Hamming distance" (note: Hamming was in attendance at my school, as was Gary Kildall for a short while...), and even MD5 hashes. Beyond that, the degrees have only served to get me past the "gate keepers" of HR and recruiting, because in coming off of active duty, I didn't have a network of folks in the field to turn to.
The simple fact is that, in many cases, the degrees themselves are irrelevant.
If a young Harlan Carvey would have gotten degrees in English rather than engineering, would he have had the same skill set that we have all benefited greatly from today?
You could argue that having a degree completely unrelated to infosec may actually have been beneficial for your CISO "afterlife" once all the blame has been lumped on your shoulders as the company fall guy/girl, and no one wants to hire you for the next decade or so.
Might be easier to find a job as a musician than a job in cyber security.
If I ever see a resume with a major in puppetry with a minor in information security, I'll know someone took this advice.