Part 4 of 16
Degrees? To hell with them.
“Only those with a BS or MS need apply.”
Talk about an arbitrary discriminator of zero value. By that standard, I am worthlessly unemployable. By that standard, a majority of my personal business acquaintances will never be able to work for many with the ‘corporate’ or ‘the government’ label. Not all, but all too many.
I’ve asked the following question hundreds of times in public presentations. “To the geeks in the room. How long does it take you to determine if a potential hire you are talking to is worth your time?”
The answers always, and I mean always, range from 30 seconds to 5 minutes.
To our way of thinking, skills come first. Programming, pen-testing, debugging, network administration, router configuration, server management … but, how many of these jobs seriously require a college degree?
Last year my company interned a kid from an esteemed university with a 4.0 GPA and a full-on CS degree. I wanted to fire this kid at hour one. Somehow he came through a four-year degree program and did not know the difference between pixels and vectors. And, it got worse from there. How did he earn a degree with zero knowledge of basic file formats and compatibilities? He knew nothing about crypto, or access control or if the mail in the snail-mail box was outgoing or incoming… oy! The fundamentals were completely lacking.
But he had that damned degree.
We couldn’t even have a simple discussion using a common technical language. This kid went to college for four years and graduated, cum laude, without learning the most basic buzz words to talk geek, IT, or security. His school swore to his outstanding abilities. I had to keep him for 89 more days and pay him—it was absolute torment.
And then we have certifications. Should you hire a security person who doesn’t hold a CISSP? What about an MSCE or CNE? I have zero certs, making me, according to many industry hiring guidelines, unhireable.
Industry certifications are a legitimate issue. Should you have them? Should you not have them? Should they be required? Must it be another one of those check boxes, along with a bachelor’s degree or a master’s degree or whatever? Should it be required? I’m arguing absolutely not! We’re locking out a huge amount of talent because of another element of binary thinking.
I am not against any education or degree or certification. Far from it. Certs demonstrate certain baselines of knowledge in many disparate disciplines, and that is another measurable criteria in evaluating potential talent; perhaps to counter-balance no university degree. But I have also met entirely too many CISSPs who openly admit they ‘bought’ their certification with personal trainers, and who are close to clueless about security.
What I am against is the binary culture that dictates that you or I are useless unless we are in possession of a degree or specific certs. Let’s keep it flexible. Use common sense. We will certainly examine some of the arbitrary discriminatory policies enforced by restrictive policies and processes, which are hurting our collective security.
The first level of HR filtering should be based upon a geek-to-geek skill chat. 2 minutes.
“Yeah, he’s got a clue.” Or, “He’s a tosser.”
REPEAT: Before you put a potential geek-hire through a tortuous process, let him spend just a few minutes with one of your existing geeks. (Not the manager, please.) True geeks will turn a 2-minute convo into an hour long white board or napkin discussion. There’s your answer.
Save a ton of hassle, time and money and gets you better geeks.
What’s next? Let’s Fail!
Winn Schwartau is the CEO of The Security Awareness Company, the author of Information Warfare, Pearl Harbor Dot Com (Die Hard IV), and the upcoming Analogue Network Security.