Tuesday, April 7, 2020

Quotable Quotes

Today I'll share a few of the quotes received in the comments section of the survey.

Let's start with this commentary on PhD and advanced degrees:

"A PhD is a full-time job, not an extension to college/school. During my PhD I've published more papers, gotten more patents & more press coverage, and generally contributed more code, tools, and know-how to the security community then my entire relatively-routine work at my current Top 4 tech company. The distinction between getting a degree and working in the field is not that clear cut while pursuing advanced degrees Note that this is about PhD and equivalent degrees in different countries. A MS degree is indeed an extension to college and it is not an advanced degree."

There were a couple of comments on ageism, including this one:

"Would like more emphasis pointing to employers not using older workers- definitely ageism that no one seems to be addressing."

Here are a couple from women on their challenges:

"CISSP and Masters were paid for by employers/grants and/or federal gov assistance program. Had to get Masters cos as a woman my years of experience was irrelevant and ppl wanted to focus on my art degree from 10 yrs+ ago."

"I was in SF in the 80s. Nobody had degrees in tech back then. IBM gave free classes to PC-buyers. I just grokked PCs and could write and teach. Male employers wouldn't believe my skills, even when I offered to demo. A decade later, an intelligence agency head hunted me."

The topic of who supports and pays for education came up frequently in comments:

"It's frustrating how some employers do not support on-going education for their employees, including allowing them to attend security related association meetings and conferences (some of which are low-cost or free). And sadly that good training, like SANS, is getting so costly that many can't afford unless their company is paying. Which many don't."

"One of the reasons I'm looking at leaving my current company is because of its extremely limited support for educational/continuing education opportunities."

"The cleared defense contractor (CDC) industry in particular continues to deny obligations to train & retain employees... I have worked for multiple companies rating in the top 10 defense contractors, and have yet to experience, influence or benefit from an effective training budget. Lowest Cost, Technically Acceptable criteria seems to always win."

"Tuition reimbursement is a great incentive. 3 SANS/GIAC certs thanks to employer. 7 years active military."

Speaking of military, there was this comment:

"Working for DoD, they were very supportive of my Masters program. My bachelors in music, was earned before I had any notion of an IT career, certainly influenced by family where a college education was strongly expected and encouraged. I don't know if having degrees have helped my career but I learned things in both tech and non-tech programs that have been very useful."

Probably the most succinct comment:

"The GI Bill was my sugar daddy for my education."

Thanks again to everyone who took the survey and helped to spread the word about it. The survey is still open, so please continue to share.

Also, thanks to Tenable. I have worked at Tenable for nine years, and they have always been extremely supportive of my community projects and volunteerism, including Security BSides, The Shoulders of InfoSec, The InfoSec Burnout Project, and this exploration of education in our industry. My lawyer would probably like me to add that my community and volunteer work is done through Tiki Tonk, LLC.

Monday, March 30, 2020

And here's the raw data

As promised, here are the raw data files as of the weekend, somewhat cleaned up:

Here's the .xlsx version:

And here's a .csv

If you play with the data and decide to do anything with it, please let me know so I can share it here and elsewhere.

The survey is still open at https://docs.google.com/forms/d/e/1FAIpQLSfztzGL2ludN9qm7dAcOb6bjUy_Y9WCwHtJd0kg6MlSn4WAHQ/viewform, I will share more data files once the results have grown enough to be significant beyond this set of 438 respondents.

A few more numbers, and a "that's interesting" or two

Of the 61 respondents who ID as female:
89% have a degree, 11% do not.
Compared to the 359 who ID as male:
72% have a degree, 28% do not.

Age/degree breakdowns:
Under 26, 21 respondents, 43% no degree, 57% degree
26-35, 92 respondents, 24/76% no/yes degree
36-45, 168 respondents, 27/73% no/yes degree
46-55, 121 respondents, 26/74% no/yes degree
56 and up, 34 respondents, 24/76% no/yes degree

Age/gender ID breakdown:
Under 26, 21/79% ID as female/male
26-35, 22/78% female/male
36-45, 14/86% female/male
46/55, 9/91% female/male
56 and up, 15/85% female/male

Of 437 respondents, 6 ID as non-binary (~1%) and 9 preferred not to answer (2%)

All demographic data was clearly marked as being optional.

I'll let you decide what (if any) of the revelations above warrant a "that's interesting".

Up next, more-or-less cleaned up raw data files in .csv and .xlsx formats.

Wednesday, March 25, 2020

Initial Survey Demographics

Here are some initial demographics from the survey. Out of 416 respondents thus far (the survey is still open) results are:
Age ranges:
21 are 25 and under (20% of these identify as female)
84 are 26-35 (21% female)
163 are 36-45 (14% female)
113 are 46-55 (10% female)
34 are 56 and over (36% female)

60 female
341 male
5 non-binary
6 no answer
2 other

2 American Indian / Alaskan Native
14 Asian
1 Asian;Caucasian / White
12 Black / African
3 Black / African;Caucasian / White
350 Caucasian / White
3 Caucasian / White;American Indian / Alaskan Native
2 Caucasian / White;Hispanic / Latinx
1 Caucasian / White;Hispanic / Latinx;American Indian / Alaskan Native
1 Caucasian / White;Pacific Islander
9 Hispanic / Latinx

Two notes:
All demographic questions are optional.
This is for respondents of this survey only, it may not reflect the industry as a whole.

Friday, March 20, 2020

Certifications and self-study

Let's take a quick look at some non-degree data, certifications and self study:
What security certifications have you earned (current and/or lapsed)? Please add certs not listed under “Other”.

Which non-security certifications have you earned (current or lapsed)? Please add certs not listed under “Other”.

Have you done any of the following self-study or non-traditional training? Please use the “Other” option to add other methods.

These answer say a lot about many people drawn to the security realm, we study and learn in a wide variety of ways. As the past NOC lead for a hacker con, I am really pleased to see so many folks helping run networks at events, it is a great way to help the community, and to learn in the process. 

The survey is still open, and the answers keep coming in. Next week we will take a look at demographics.

Tuesday, March 17, 2020

Survey Says...

Well, it says a lot of things, and as expected it answers some questions and asks more.

First, thank you to everyone who completed the survey and shared it, there are over 400 responses so far and I plan on leaving it open for a few more weeks.

I will hold off on sharing my interpretations and opinions, I just want to share some data for now. And yes, raw data will be available as a .CSV in coming weeks, I just want to gather more answers and sanitize it before sharing publicly.

Also, thanks to Jay Jacobs of the Cyentia Institute, he has done some data visualization work on the initial data.

The first question was "Do you currently work in a security role? (A role where security is the primary focus, whether defensive or offensive: Red team, pentester, SOC analyst, Incident Response, security admin, security support, etc.)"

Question two is "What is the highest level of formal education you have achieved?"

And here Jay has compared the first two questions:

And jumping ahead, question nine is: "If you are a recruiter or hiring manager, do you require degrees for candidates in infosec/cybersecurity roles?"

More to come later this week.
Note: this post is cross-posted from the project website at https://www.careerstudy.org/

Friday, March 6, 2020

Survey on degrees and education in cybersecurity

I have started a new project to gather information on career topics in information/cyber security. I'm launching with a simple survey on degrees and education in the field. It should take no more than 5-10 minutes to complete, the survey has 14 to 18 questions including optional demographic questions, plus optional additional information and feedback fields. Results will be shared online, including in the blog at careerstudy dot org, and in future presentations. Contact email for this project is: info at careerstudy dot org

Please take the survey at https://docs.google.com/forms/d/e/1FAIpQLSfztzGL2ludN9qm7dAcOb6bjUy_Y9WCwHtJd0kg6MlSn4WAHQ/viewform

And please share the survey with anyone or any group you feel may be appropriate so that we can gather more responses and gain more insights.