Getting Started in IT Security: Experience or Education?


Information security careers offer IT professionals compensation, benefits and job opportunities that exceed those of many other technical disciplines. The high demand for skilled security experts fuels tremendous interest in this field, and many aspiring security professionals find themselves wondering about the best way to get started. Should you invest four years in earning a degree in security, or are you better off diving right in and getting some hands-on work experience?


Each of these approaches offers both benefits and drawbacks and there is no one correct path to an information security career. In this article, I address each of the alternatives and provide you with the questions that you need to ask yourself as you approach this significant career decision.


Building an Educational Foundation


The traditional path to an information security career begins with a four-year degree from an accredited college or university. Many institutions offer bachelor's degrees specializing in information security and many of the field's subdisciplines. Others feature security as a specialization within a computer science or IT management program.


These programs offer students a solid foundation in both technology and security, and graduates find themselves well-prepared for entry-level positions as security engineers and developers.


The major benefit of this approach is that it prepares you not only for your current position but also for future roles in IT. While a degree is not necessarily required for a security career, it will jumpstart your career and help you reach the highest levels of IT management.


While you'll find many IT professionals who lack a four-year degree, you won't find many IT directors, CISOs or CIOs without undergraduate credentials. In fact, most senior IT leaders hold graduate degrees that they earned along the way. A bachelor's degree checks that box and serves as a long-term investment in your career.


The drawbacks to this method are cost and time. You'll need to invest either four years as a full-time student or an equivalent amount of time in a part-time program before earning your degree. You'll also need to finance the cost of your education, which will likely reach into the six figures.


Diving Right in with Job Experience


If you're able to find a job in information security, you might choose to pursue real-world experience in lieu of formal education. This is certainly a valid path toward a career in information technology and many IT professionals lack formal educational credentials. It's difficult to find a job without either experience or education, but if you're able to do so, it's worth considering this approach.



The obvious benefit to this path is that you'll begin earning money immediately and won't rack up the debt associated with a college education. Future employers will value your hands-on experience and give great credence to those who have "been there and done that." If you choose this approach, try to align yourself with great mentors along the way who are willing and able to help you learn the tools of the trade.


The downside to the experience-first approach is that you'll probably start at a lower level than someone with a college degree. You might find yourself in a technician position that pays significantly less than the development and engineering slots offered to college graduates.


You'll also probably find that lack of a degree limits your ability to advance to bigger and better roles in IT. There are, of course, people who have risen to the director and CIO level without a degree, but they are the exception, not the norm.


If you find yourself in the position of choosing between a job offer and formal education, ask yourself whether you might be able to pursue both paths simultaneously. Can you work in a full-time position and use your salary to help finance a part-time education?


This approach offers the best of both worlds, providing you with income and experience while giving you the formal educational background needed for long-term success. You'll emerge from this path as an extremely strong candidate for senior IT positions.


Certifications Pave the Way


Whichever path you choose, you should also consider earning security certifications along the way. This is especially important for those who lack a formal degree, but certifications demonstrate your dedication to the profession even if you hold a college degree.


There are many specialized certifications in the security field, but two stand out as strong credentials for any information security professional: the Security+ certification from CompTIA and the Certified Information Systems Security Professional (CISSP) certification from (ISC)².


The Security+ credential is an entry-level security certification that only requires passing a computer-based test on security fundamentals. Those with a bachelor's degree in a security-related field can probably skip this credential but it's a must-have for those lacking formal education. You may choose to attend a Security+ training seminar or use self-study books and online materials to prepare for the exam.


The CISSP is the premier credential in the information security field and is often compared to the more well-known Certified Public Accountant (CPA) credential. Earning your CISSP requires passing an exam that demonstrates knowledge of the eight CISSP domains and proving that you have five years of full-time work experience in the field.


Aspiring information security professionals should set their sights on the CISSP early in their career and work toward certifying by the time they hit the five-year point. This credential is often a screening criterion for senior-level information security positions.


Once you've earned one of these certifications, consider pursuing advanced certifications in one or more subdisciplines of security. The SANS Institute offers a wide variety of information security certifications in almost every technical area imaginable. These are well-respected credentials and help round out your information security resume.




Whatever path you choose, the world of information security provides tremendous potential for career development and advancement. It is a rapidly changing subject area and anyone interested in security must be dedicated to lifelong learning to stay at the top of the profession. Bringing a combination of education and experience to the table will help you build a solid foundation for career success.


About the Author

Mike Chapple is Senior Director for IT Service Delivery at the University of Notre Dame. Mike is CISSP certified and holds bachelor’s and doctoral degrees in computer science and engineering from Notre Dame, with a master’s degree in computer science from the University of Idaho and an MBA from Auburn University.