Mr 1500 got me thinking about whether college was important to my current life. I think it was extremely important in my particular situation, as I work in an industry where who you know is almost as important as what you know. I work in the information security industry – at one point, I was a white-hat hacker, or “hacker for hire” through a consulting company. Now, I specialize in information security risk evaluation, management and mitigation.
When I went through college, there was no such thing as an information security degree, or information assurance, or whatever the hell they’re calling it these days – the closest thing was CERIAS at Purdue (and when I applied to grad school, it was the only such program in the country – no, I didn’t get accepted). Most of the folks in my field don’t have degrees, or if they do, it might be computer science (or french and biology like some of my co-workers). You don’t learn information security by studying it in school, you learn it by doing. Yes, there is now a lot of theory and research about information assurance and how to prove that something is secure (hint: you can’t), but at the time, it was a just developing field.
I went to one of my state’s universities (Texas A&M) in computer science. At the time, I didn’t know what I wanted to do other than “work with computers”. I actually started as computer engineering, because I liked the hardware aspect of it as well, but I ended up switching to a major in computer science, with a minor in electrical engineering – specializing in digital design (yes, I can design computer chips).
While at A&M, I met people who have gone on to be lifelong friends. I learned what Linux was, and learned how to be a unix administrator (for fun), and through one of my friends, I was able to land a student worker position in one of the departments that used Linux extensively. From there, I was offered full-time employment with the university (as a “Sophomore”), which was helpful to my parents, since two out of however many classes I was taking each semester were free, and I got a significant discount at the bookstore. And this was all because I knew the person who was leaving that position because he was graduating.
When I started applying to graduate schools, I had been working as a systems administrator for 3 years at this point (while in undergrad), and I really wanted to continue along those lines. I enjoyed security, and had worked with the university security department – at the time, Texas A&M was one of the only universities with a campus-wide firewall because of some things that happened in 1992. So, I was looking for something that would help me along those lines. I applied to many graduate schools, including CERIAS at Purdue, the Information Networking Institute at Carnegie Mellon University, U of Maryland, MIT, etc.
I ended up being offered a full ride plus monthly stipend at Carnegie Mellon, as long as I worked as a systems administrator for the department 10hrs/week. I took it. It was also very conveniently located for me, since my family is from Pittsburgh, PA, and my grandparents, aunts, uncles, etc were all still there. I probably should have lived with family and commuted (they all live 45 min outside the city), but I’m really glad I didn’t; I spent more time than I care to remember on campus rather than in my apartment. It was a very tough degree program, but I don’t think the quality of instructors (as teachers) was very good. They were all very well known, and knew their topics well though. Meanwhile, I worked in the department as a systems administrator, and then the full-time admin took a different job on campus. The department asked me to take on the job until they found a new full-time person, so I got paid more for a few months :).
Immediately after finishing classes (not my thesis), I took a position with another department (the robotics department) as a research programmer. It was both fun and boring. When I had work to do, I was making Linux kernel networking modifications, kernel modules, other random stuff, but more often than not, there wasn’t much for me to do. I took on admining their (Linux) systems, and still not much for me to do. Once my thesis was done, a classmate (from INI) said I should go talk to their boss when he was on campus as adjunct faculty. I talked to them, and 3 weeks later, I had a job offer as a penetration tester. I was an oddity in that I had not only a degree, but a Master’s degree as well.
As you can see, all of my career options were pretty much based on who I knew – who I happened to meet in college. My current consulting firm gets random referrals from folks I went to college with and keep in touch with. What I learned in college was interesting, and I tend to learn better in slightly more “formal” environments, but most of it could have been learned outside of college, and all of the things I know related to information security were definitely learned outside of the formal environment. College taught me to look at things differently, to not blindly accept things as they are, and to put multidisciplinary topics together to make sense of a whole. It also lets me check that checkbox that says “college graduate”. Also, just mentioning that I graduated from Carnegie Mellon tends to make people sit up and notice me – it opens doors, but I still have to walk through them.
Will I encourage Daughter Person to go to college? YES! Will I encourage her to go to a big name fancypants school? Only if that’s what she really wants and is willing to borrow more for the privilege of doing so. I’ll definitely encourage her to go to whatever the state university is that’s best for her major/personality.
Updated to spell Purdue properly – maybe that’s why I wasn’t accepted? 🙂
Wow, CM and White Hat hacking; those are both badass!
The thing that I find interesting though is that there are sought after hackers that also don’t have formal training or degrees. When I started thinking about the whole college question, some of the computer fields were the ones that I thought of where people can a job without having a degree. I work with a couple actually.
However, I’d also argue that the people who don’t have degrees and are successful are rare. These are disciplined folks who have a passion for computers. These were the kids who were taking apart their parents’ computers when they were 8 years old or writing iPhone apps at 12.
So, I”m still of the opinion that college is the right choice for most.
The field is starting to change as more and more people are interested in security – it has been one of the “hot” jobs in the last few years, and a lot of people are trying to get into the field that shouldn’t necessarily be in it (a lot like computer science around 1999-2000). Formal education is the traditional method for getting into a new field, so there are many degree programs that are “meeting that need”. The government is a big proponent of information security and the “cyberwarrior”, so they’ve approved many programs as Centers of Academic Excellence in Information Assurance. It gets higher pay in the government sector to have such a degree (and it helps get various certifications faster), but folks I’ve interviewed out of those programs are hit or miss. If they took it because they wanted to get into security because that’s where the money is, they wouldn’t have succeeded in many places (except maybe highly formalized companies). But, if they took it so they could check off the “college grad” checkbox, it was just another plus in their favor because they had already demonstrated competency in other areas.
We can charge our clients more for folks that have degrees, so it’s a leg up for applicants with degrees, but we’re looking for the other traits or experience before we look at degrees.
Interesting post! I’m a big proponent of going to college due to the correlation degrees have with higher salaries (in general…there are many exceptions). I think technology is a bit of a meritocracy where exhibiting proficiency is more important than any degree (especially as the information taught becomes obsolete so quickly in IT).
I didn’t realize you went to Carnegie Mellon. Back in high school I was interested in CS and got to spend some time at CMU over a summer in a program called Andrew’s Leap – I think they still run it. Anyway, a few weeks of code and I knew it wasn’t for me…went the other route and majored in English. Go figure, right?
I did a similar program at our local university (part of the University of Texas system), and I loved it. I have to admit, even though I have a computer science degree, I’m a really crappy programmer. I can code and write scripts, but it’s almost always a kludge – and being able to read code is immensely useful in security. Some of the stuff Dad does is just flat out elegant – he’s a “real” programmer (in visualization and graphics).