When Equifax announced their huge data breach was partly due to the system being secured with the comical user/password combination of admin/admin, the world gasped, and blame quite naturally came to rest on their Chief Information Security Officer (CISO), a woman who it soon emerged had degrees in Music Composition and little else. Uproar soon ensued.

The Cybersecurity community, however, took her side in significant numbers. Infosec degrees are mainly fairly new, they argued. There is a fair amount of math and pattern recognition in Music. A significant number of senior infosec people have no degree at all, in fact. Many have completely unrelated degrees. Experience and ability are far more important factors. The Twitter hashtag #unqualifiedfortech sprang into life, where people posted their lack of IT quals and certs compared to their position or seniority. It was pretty validating and encouraging. For some, anyway, since those who worked hard for an expensive IT degree were left out in the cold.

Perhaps the days when you could start without an infosec qualification are now gone, since they do now exist. Though at least within the industry there are still a lot of people who will heavily and vociferously advocate for ability over certs, and will want to see your work. You can watch YouTube tutorials for free to learn, and you can work from home if you can get your hands on a cheap computer and some internet access.

I would like to point out that there are a lot of times you might still need a qualification, though. I’ve sat a few times with teams or team leads for big companies telling me that I’m just what they need, I have all the skills, they will hire me. Can I get my CV through HR with no degree on it? Not a chance. Big businesses want you to have the Certs. Not to prove you can do the work, but to cover their backs in situations just like the Equifax one. If the CISO had been suitably qualified, Equifax could put the blame neatly on her, but now they have to shoulder it themselves and look like idiots for hiring someone expensive yet ridiculously unqualified for the post. If you want to work at any large enterprise, those places with the big salaries and the great pension schemes, conference funds and health plans, you are probably going to need the degrees and certs even if they don’t mean you can do the job. Even more so after the Equifax scandal. You still need to go and gain the experience and ability to do the job _as well_. It’s not an either/or situation.

Secondly, I know as a woman I get told I’m not good enough because I don’t have the degree A LOT. I suspect POC get the same thing. Many of the men posting do not seem to have experienced this as much, or at all. There is a _chance_ that getting the certs and quals is part of having to fight harder to prove ourselves. You need to use your own discretion on that.

I’ve spent 39 years of my life with no degree, much of it working for myself, sometimes having jobs in SMEs, occasionally applying to enterprise companies and always being refused on the degree requirement. Now that I’m looking my lack of pension in the eye and contemplating retiring to a cardboard box in the street, I’ve decided to go back and do a Masters to fix that, because I can’t deal with fighting it any longer. No, it isn’t fair. Yes, I hear you in the back telling me it’s changing and lots of enterprise companies will employ people with no degree. Men have been telling me that for two decades now, and it still hasn’t put money in my pension. Just because you can think of two anecdotal women it happened to does not mean it is a trend, unfortunately.