Infosec Without a Degree
Do I Need a Degree?
The answer to this one is a resounding no, unless of course I’m about to wake up from a dream to find I actually don’t have a job, in which case this article is pointless anyway. Although this answer applies to a lot of the tech industry, I will focus on infosec, and more specifically the security research side.
To really understand why you don’t need a degree in infosec, we first need to understand why you would. In most industries companies hire a HR department which is responsible for vetting candidates; these people generally couldn’t tell a mouse from a monitor and have absolutely no way to validate a candidate’s actual suitability for the job, so instead they rank them based on a combination of qualification and attitude. The tech industry is different: here the majority of companies have a very different recruitment method, and I’ll go over the two I’m familiar with.
The first and only job I actually applied for was for the government, specifically GCHQ. My application went through two checks: first was the minimum eligibility check, followed by a technical preference check. In most companies the minimum eligibility check is where they’d feed your application to the dog because you don’t have a degree, though in the case of government it’s where they check you meet the minimum criteria (age, nationality, not a terrorist, etc).
The second check is how job applications should be: they give your CV to someone who works in the department you applied for a job in and they decide if they think it’s worth interviewing you. In my case my CV was a bunch of links to my blog and “5 meter swimming badge” jokingly listed under the qualifications section; I got through. Supposedly, according to some people I’ve spoken with, there can be a second step where they might ask you to go for testing at their test center, though I was never put through this and can’t attest to whether this actually exists.
The invitation to the interview stated I’d go through a HR interview and a Technical interview, which of course had me thinking “oh god, HR”, though this wasn’t the case. Within about 5 minutes of starting the interview it was clear that both the HR guy and the tech guy worked in the same field, my field. What they’d basically done was grab two employees from the department I’d applied to work in who had skills in the same area I did, and give one a HR form to read and the other a tech one. The tech part of the interview covered in depth the actual skills I had stated on my CV (it’s important to note that in tech you can’t bs on your CV like you can in other industries), then the HR interview mostly just asked how I’d handle various situations like having to work with terrible employees (obviously I had to lie and say I wouldn’t stab them). Interestingly there was not one mention of qualifications of any sort.
Although I was actually offered the job, I was given a better offer by my current employer before finishing security clearance; however, it was a great experience and nowhere near as scary as I expected.
Unfortunately I don’t have any experience with the actual application process here, though in 2015, about two years after I first started this blog, I began getting job offers from companies. Most of the offers I got were serious and came from people at senior positions within the company, not the normal kind of job offers usually sent by some ‘recruiter’ on LinkedIn who’s been hired to spam job offers to anyone who owns a computer.
In general most private sector security companies have scouts (generally normal employees who work in a department that you might be suited to); scouts will look for blogs and papers by independent researchers to pass on to their boss for possible recruitment. The main alternative to scouting is to hire recruitment companies, which just crawl LinkedIn for certain keywords in profiles and send automated emails offering the person a job; if you put on your profile that you are a leading expert in the field of raptor taming, don’t be surprised if you get a job offer highlighting said skill. The most important thing is knowing when a job offer is from a scout or a recruiter: recruiter offers are merely invitations to apply for a job, whereas with scout offers you can usually skip a lot of the application process and in some cases even start straight away after a short Skype interview.
Something to remember is that there is such a huge demand for talent in the infosec industry, and such short supply, that it’s insane for a company to turn down skilled applicants because they don’t have a degree. If you have something online that serves as proof of your skills (whitepapers, blogs, websites), you shouldn’t have a hard time finding a job without a degree. Another thing worth your consideration if you speak fluent English is working remotely for American companies: the average salary offer in my home country of ~~Great Britain~~ Alright Britain was £45,000 ($66,000 at current rate); however, the average offer from US companies was £68,000 ($100,000). Not only that, but there is a much higher demand for infosec talent in the US than in my home country, making it even easier to land a job (and you even get to work from home).
Will a Degree Help Me Get a Job?
How Did You Get Into Infosec?
When I first started blogging I had no interest in becoming a blogger or any idea of the kind of opportunities a blog could bring; the only reason I created this blog was to post about how awfully coded some of the malware sold on a forum I frequented was, without the admins being able to censor me. Over time the blog evolved from humiliating the authors of crappy malware to analyzing real and current threats, and this is where things started to get interesting. After my analysis of Vabushky and blog about various rootkit hooking techniques I got a couple of really good job offers from some international security companies; unfortunately, all of the offers were to work at offices in London, which I absolutely hate, and even on a senior security researcher salary the cost of living there meant the best housing I’d be able to afford is a sleeping bag in some dude’s shed.
Around September 2014 I’d still not gotten any job offers outside of London so I’d decided to apply for GCHQ. It wasn’t until about 6 months later that I got a response to my application inviting me for an interview, and a further 2 months to be offered the job. I then had my vetting interview in later summer and was told it’d take at least 6 months for the process to complete (spoiler alert: it was actually 10 months). During this time I continued blogging and started receiving job offers for remote work.
January 2015 was when I received the offer which simply couldn’t be turned down. I’d been reverse engineering the Kelihos peer-to-peer botnet protocol and created an application which would request peer lists from all the supernodes in order to find all those online, which I then plotted on a world map (example below).
I wasn’t familiar with threat intelligence at the time, but similar systems are run by most threat intel companies, designed as a way to track botnets and notify companies should their systems become infected. I was contacted by one such company, who offered to pay me a salary as well as provide the financing to maintain and expand the system (which, of course, I accepted). Four months later my hobby project is now my full-time job, I work from home, and have the very prestigious title “Director of Botnet Stuff”.