Infosec Without a Degree

I’ve seen plenty blogs from people who got into infosec through the academic route, so i figured I’d cover the other side and try to answer the three most asked questions I get via email and twitter: “Do I need a degree to get a job in infosec?”, “Will a degree help me get a job in in infosec?”, and “How Did You Get Into Infosec?”. Though I don’t have a short answer to these questions, I felt I could cover all the topics fairly well in a blog post, including my personal experience.

Do I Need a Degree?

The answer to this one is a resounding no, unless of course I’m about to wake up from a dream to find I actually don’t have a job, in which case this article is pointless anyway. Although this answer applies to a lot of the tech industry, I will focus on infosec, and more specifically the security research side.

To really understand why you don’t need a degree in infosec, we first need to understand why you would. In most industries companies hire a HR department which are responsible for vetting candidates, these people generally couldn’t tell a mouse from a monitor and have absolutely no way to validate a candidates actual suitability for the job, so instead they rank them based on a combination of qualification and attitude. The tech industry is different, here the majority of companies have a very different recruitment method and I’ll go over the two I’m familiar with.

Government
The first and only job I actually applied for was for the government, specifically GCHQ. My application went through two checks: first was the minimum eligibility check, followed by a technical preference check. In most companies the minimum eligibility check is where they’d feed your application to the dog because you don’t have a degree, though in the case of government it’s where they check you meet the minimum criteria (age, nationality, not a terrorist, etc).

The second check is how job applications should be: they give your CV to someone who works in the department you applied for a job in and they decide if they think it’s worth interviewing you. In my case my CV was a bunch of links to my blog and “5 meter swimming badge” jokingly listed under the qualifications section, I got through. Supposedly, according to some people I’ve spoken with, there can be a second step where they might ask you to go for testing at their test center, though I was never put through this and can’t attest to if this actually exist.

The invitation to the interview stated I’d go through a HR interview and a Technical interview, which of course had me thinking “oh god, HR”, though this wasn’t the case. Within about 5 minutes of starting the interview it was clear that both the HR guy and the tech guy worked in the same field, my field. What they’d basically done was grabbed two employees from the department I’d applied to work in who had skills in the same area I did, gave one a HR form to read and the other a tech one. The tech part of the interview covered in depth my actual skills I had stated on my CV (It’s important to note that in the tech you can’t bs on your CV like you can in other industries), then the HR interview mostly just asked how I’d handle various situations like having to work with terrible employees (obviously I had to lie and say I wouldn’t stab them). Interestingly there was not one mention of qualifications of any sort.

Although I was actually offered the job, I was given a better offer by my current employer before finishing security clearance; however, it was a great experience and nowhere near as scary as I expected.

Private Sector
Unfortunately I don’t have any experience with the actual application process here, though in 2015, about two years after I first started this blog, I began getting job offers from companies. Most of the offers I got were serious and came from people at senior positions within the company, not the normal kind of job offers usually sent by some ‘recruiter’ on LinkedIn who’s been hired to spam job offers to anyone who owns a computer.

In general most private sector security companies have scouts (generally normal employees who work in a department that you might be suited to), scouts will look for blogs and papers by independent researchers to pass on to their boss for possible recruitment. The main alternative to scouting is to hire recruitment companies, these just crawl LinkedIn for certain keywords in profiles and send automated emails offering the person a job; if you put on your profile that you are a leading expert in the field of raptor taming, don’t be surprised if you get a job offer highlighting said skill. The most important thing is knowing when a job offer is from a scout or a recruiter: recruiter offers are merely invitations to apply for a job, whereas with scout offers you can usually skip a lot of the application process and in some cases even start straight away after a short Skype interview.

Something to remember is that there is such a huge demand for talent in the infosec industry and such short supply, it’s insane for a company to turn down skilled applicants because they don’t have a degree. If you have something online that serves as proof of your skills (whitepapers, blogs, websites), you shouldn’t have a hard time finding a job without a degree. Another thing worth your consideration if you speak fluent English is working remotely for American companies: the average salary offer in my home country of Great Britain Alright Britain was £45,000 ($66,000 at current rate), however the average offer from US companies was £68,000 ($100,000), not only that but there is a much higher demand for infosec talent in the US than my home country, making it even easier to land a job (and you even get to work from home).


Will a Degree Help Me Get a Job? 

This is a question that’s very difficult to answer, at school I was always told “If you apply for a job and someone with similar skills applies but has a degree, who do you think they’re going to hire?” In infosec the answer is probably both, because of the huge demand, but nonetheless it is a valid point. Some things that can be assumed about people with a degree is that they can self-study, they can dedicate themselves to something for a long period of time, and they are capable of writing up their findings; these are all good qualities for an applicant. 
One of the main drawbacks with a degree is it doesn’t ensure competency, this is the reason that in the current age you hear hundreds of complaints from people who have degrees that despite this, they are only being offered entry level positions (this is for a good reason). In IRC i often tell the story of a run in I had with a bachelor of computer science, a friend had asked what to do about a low FPS (frames per second) in online games (specifically Battlefield 4), and obviously my response was that he needed to upgrade his graphics card as it’s a demanding game which requires very heavy graphical processing. As soon as I’d finished my recommendation, I was told I was wrong by a very smug CS grad who explained that an SSD was needed because hard disks are slow and the computer wasn’t able to read the frames fast enough.
Although it’s true that some games such as minecraft load parts of the map from the hard disk during gameplay, it’s common knowledge that the relevant data is loaded into the RAM and disk I/O until the next load is minimal; for disk speed to affect the FPS rate, we’d need to be loading data from the disk hundreds of times per second (the whole purpose of ram is to stop exactly that).
People like this are the reason there’s the good old catch22 of needing experience to get a job but needing a job to get experience, this is not something that’s as much of an issue in security. Providing you have the ability to teach yourself (which you’re definitely going to need in a research based position), it is entirely possible to gain work experience in security without ever actually having a job; if you have a good online documentation of your work or research (and a good amount of it), you can even step straight into a senior role without any job history or academic qualifications.
What you really need to ask yourself is will you learn more relevant skills in university or on your own? If you’re expecting to start a university course and learn the latest about vulnerability development or malware research you can forget it, in most cases there isn’t even degrees in anything to do with infosec (when i was due to go to university the closest thing was computer science, which is almost entirely irrelevant skill wise), but saying that, university will teach you many other valuable skills such as research and academic writing. My personal choice and advice is if you already have a good understanding of the area you want to work in, take a gap year or two, get a part time job or an internship at a security company and spend your free time expanding your skillset, if you haven’t landed yourself a full time job at the end of it you can head off to university (if you’re still in school, start expanding your security knowledge now).

How Did You Get Into Infosec?

To some of you it will be obvious I don’t have a degree, given that I’m 21 years old (It’s my birthday in 22 days and I like cake and malware). In the UK education system people finish our version of high school at 18, which means had I gone straight to university I’d still be a year or two away from a bachelors degree. 
Like most people, I was brought up to believe that if you don’t go to school and get good grades then attend university, you’d end up working at McDonald (Of course if that were true, there’d be a McDonald on every block in my town), I was terrified of not going to university, so it’s actually dumb luck that I figured out I didn’t need a degree before I ended up going. Due to some bad luck and bad decisions, I had a gap year before high school and another after; during the first i spent time teaching myself more programming languages (I’d been learning C since the age of 12) which i continued throughout highschool, at the very start of the second gap year I started MalwareTech (June 2013).

When I first started blogging I had no interest in becoming a blogger or any ideas the kind of opportunities a blog could bring, the only reason I created this blog was to post about how awfully coded some of the malware sold on a forum i frequented was, without the admins being able to censor me. Over time the blog evolved from humiliating the authors of crappy malware to analyzing real and current threats and this is where things started to get interesting. After my analysis of Vabushky and blog about various rootkit hooking techniques I got a couple of really good job offers from some international security companies; unfortunately, all of the offers were to work at offices in London, which I absolutely hate, and even on a senior security researcher salary the cost of living there meant the best housing I’d be able to afford is a sleeping bag in some dude’s shed.

Around September 2014 I’d still not gotten any job offers outside of London so I’d decided to apply for GCHQ. It wasn’t untill about 6 months later I got a response to my application to invite me for an interview and a further 2 months to be offered the job. I then had my vetting interview in later summer and was told it’d take at least 6 months for the process to complete (spoiler alert; it was actually 10 months), during this time I continued blogging and started receiving job offers for remote work.

January 2015 was when I received the offer which simply couldn’t be turned down. I’d been reverse engineering the Kelihos peer-to-peer botnet protocol and created application which would request peer lists from all the supernodes in order to find all those online, which I then plotted on a world map (example below).

I wasn’t familiar with threat intelligence at the time, but similar systems are run by most threat intel companies designed as a way to track botnets and notify companies should their systems become infected. I was contacted but one of such companies who offered to pay me a salary as well as provide the financing to maintain and expand the system (which, of course I accepted). Four months later my hobby project is now my full time job, i work from home, and have the very prestigious title “Director of Botnet Stuff”.