I Don't Like Cybersecurity Degrees  

live on twitch! twitch.tv/lowlevellearning

To be fair, bachelors degrees are very broad and shallow in general. It's masters degrees and above where you actually specialize in something.

"a little bit about everything" isn't that just a normal CS degree?

This is a bad take. A degree does not, ever, in any field, indicate that you know everything in that field.

"a little bit of everything" describes literally every technical degree (engineering, medical, computer science etc). The only time anybody expects someone to walk out of university as a subject matter expert of some aspect of a subject is when they walk away with a PHD. Employers want to see you understand the basics and have the capacity to learn concepts related to your degree and grow into a sme

My boss told me something along the lines of "you don't have to be the best in everything, you just have to know when something is bad. If you can't do it better, then you can always find someone who can" So find someone who knows a bit of everything and teach them how to lead a team, because it's always going to be a team effort.

It's also not about the degree. Job descriptions and the whole application process are often trying to filter for "rockstars" who at least sell themselves as experts at everything, because if they don't, someone else who does sell themselves better actually gets the job.

To be a jack of all trades, but a master of one I think is the best way to do anything in IT. Everything touches everything else so it's good to have an overview of more than just your chosen specialized niche.

All bachelors degrees are a “congratulations you know a little bit of everything”. Every single one of them. There is no bachelors degree for IoT or embedded systems. There is degrees for software engineering or IT. Only generic concepts. It’s the masters where you have to pick an area and specialise in it yourself while working through your thesis. You become your own expert by working on a project you selected for several months.

I disagree completely with this take. You're overloading the word "professional". By this argument, no one can be a professional engineer, professional mathematician, professional physician, professional physicist, professional lawyer etc. That's just silly. You become a professional in a field by having enough knowledge, experience, and skills to get paid for labor or works done in that field. That's it. At a certain level of depth and complexity, just being able to get a handle on a single problem in the field is good enough to make you an expert. That's why every complex field of knowledge has specializations, like being a mathematician, engineer, doctor, or lawyer, or hell even a computer scientist these days. This is just one massive L take.

In my opinion this take is wrong. Almost any field of study is general at first to give an overview, to be able to talk to each other, get the connections between the fields and figure out what interests you. Later on in the studies, you specialize in a field and then become a specialist in that field. Asking to know all details about everything is just the wrong expectation from your end - that is not the goal and never has been. A medical doctor also specialize and noone expects a specialist for eyes to be able to perform heart sugeries.

A counterpoint: I'd rather hire someone with a little bit of knowledge of everything, a knack for conducting good web searches, and the humility to go "actually, I don't know that offhand, let me look it up." That last one is a rare trait.

" A bit about everything" can be a good foundation to grow and develop. Oh and just because you don't know someone that is a "true master" does not mean they don't exist. Usually they either focus on a specific sub field or they become mangers to watch over the entire process.

I feel in cybersecurity the most important things are to be analytical, curious, and slightly paranoid. Finding an outside hobby away from computers is important as well so you don’t burn out.

I work cybersecurity. There has been an influx of Cyber degree holders with comptia certs who have zero interest in the field, zero interest improving the organization. Considering leaving the field altogether

I don't agree at all. A generalist will catch a lot more of the obvious flaws like SQL injections, XSS, not salting and hashing passwords when you store them, etc. Those are all the basic of the basic. If your company doesn't have anyone with security basics, there's going to be so many holes for a new-grad generalist to fill. If that's not the case, a generalist will at least be able to cover whichever parts you need more people on.

I think you are discounting the true value of generalists who can specialize. There are not many of us out there, but there are some of us. The only real bulwarks to our knowledge is just what we are interested in at any given time.

Also lets not forget that a lot of classes in cybersecurity is stuff like: dont pass user input into this sql query . Binary exploitation, getting RCE out of a vuln, fuzzing, etc... Is never touched upon.

you missed one: you also need to understand the human security aspect (which is like 50%+).

It's the same as the medical field. Being a doctor doesn't necessarily mean you are a master of all medicine. Which is why part of being great in a field is either being a specialist or being really good at using the internet to research and understand it lol. That's my take anyway.

My friend is in school for cybersecurity. A good chunk of the degree is fluently explaining to corporate how and why IT security is important, and quantifying cost-benefits of fixing security issues.

Tangentially, most US colleges are not actually "for profit" entities. They are not actually businesses even if they are poorly run and managed. However it does cost money to operate them.

My ICT degree had a cybersecurity major which focused primarily on penetration testing and e-forensics. I learnt how to use metasploit, nmap, medusa, etc. On the e-forensics side I learnt how to use FTK (imager, registry viewer, etc) and some of the psychology around finding evidence, how someone might hide evidence, that sorta stuff. All my CS major units were very focused and always felt relevant. The bachelors degree was generalised and taught a bit of everything.

My major was initially cybersecurity. Switched to electrical engineering almost immediately after I saw what cybersecurity as a major really was.

+ Psychology is also important. Taken from Ross Anderson's Security Engineering book.

Same in the UK, I've got team members who have Masters in cyber but actually know very little about testing in the real world. What's more scary is that some of these people treat the reporting element of pentesting as an afterthought and can barely string a professional report together. I mean come on, that's literally the client deliverable!

It’s not possible for me to agree more, and if I could, I 100% would.

"A little bit of everything" includes a lot of fundentals, tier 1 degrees are not meant to specialise. They are meant to introduce you to the areas of the field well enough you can get a basic job and learn there, or go into a more specialised masters degree.

From my years of experience, being able to understand everythng atleast on surface level goes long way as in understanding one specific thing. It is good that you have bigger knowledge on atleast something, but the necessity to understand the whole process is a must have.

"A little bit of everything" is quite generous, sir. Usually a cyber security degree will just push a student through training with proprietary forensic tools and a SIEM. And telling people to not open email attachments.

Yep I’m getting a network & user support associate, network engineering bachelors, and then I’ll probably get a bunch of security certs and maybe go back to college for cyber security if my next job gives me money for it. I love networking and want to improve security in our network infrastructure.

As a Junior PenTester who recently graduated with a CIS: Cybersecurity degree, I'd say it's better to become a Subject Matter Expert (SME) in a certain pillar of cybersecurity such as web applications or cloud (just an example, like he says it's necessary to have a base level of knowledge in everything almost lol)

It’s good to know a little bit about a lot of things so that it gives you a base for understanding some particular things more in depth.

A little bit of everything can be very useful, especially for someone coordinating a team of much more specialized people.

I’m a cybersecurity major in college, and I do agree that it teaches you a little bit of everything. On the bright side, the major allows people to pick their niche to a degree. For me personally I enjoy programming and hacking so I’d take more programming and hacking classes than maybe the student who’s really into operating systems or really into networking. Also as the major grows, the more of a standard it will become I believe. Especially since security is a large demand now.

Cyber sec professional here, you absolutely dont need this

I agree, I don't also believe in the terms 'penetration tester' or 'cybersecurity expert'. you are either a computer scientist who uses their knowledge for security purposes or just a regular guy who runs basic commands in a penetration testing linux distrobution

I usually say that learing computer science is like learning a dictionary. You can’t learn everything but it helps to learn the alphabet and grammar first. The more words you know, the easier it is to pick up new words. And soon enough you can know words without ’knowing’ them just by context and how close they are to other words. It’s unrealistic to say you know or can learn every word in a dictionary, but it definetely helps if you know and have used 20% of them. And especially if you know your abc’s first.

A little bit about everything is a good starting point and that's what most degrees in most fields are. Then you can zero in on one thing. The problem I have with degrees is the cost and time investment is too high but if you're on a full ride, get that degree.

Imo cybersecurity is more than just the technical knowledge. In fact, I prefer the term "information security" because it shows how broad the scope is. Having a good understanding of risk is fundamental. You might be great at implementing firewalls but you will be very limited if you a don't understand VERY WELL the fundamentals of information security, because that's what's applied across the full scope, even in offensive security.

Thank you for saying this. I’m a senior and still refining sections of my knowledge and building on it.

I was told when you enter the CS field find a road and stick to it, because CS is so broad it is damn there endless.

My boss is pretty close to knowing it all. I think he lacks a bit on cloud, but the dude is a genius. I'm studying everyday and clawing my way closer on red team side currently. I'm a tier 2 cybersecurity engineer

There's so much breadth in cybersecurity that you can have dabble in a lot of things and be an effective cyber security professional. Vast majority of issues in the space is not technical, it's human and business. Most issues also more or less repeated in every single company to some degree. Even those specializing in cyber security. You need really good technical people to do things like automation, forensics, reverse engineering and systems, but a lot of the work is actually just trying to explain laymen on basic hygiene and recognizing social engineering attempts both in person and on the internet.

This is why you bring on a team with varying skillsets. my company was looking for "masters" for a while, everything seemed fine. Hired an attack specialist and they found 3 major vulnerabilities in a month

So in short terms, on top of knowing embedded systems you need a software degree plus a cyber degree. So in short term you’re paying to become a doctor for computers. Also becoming a doctor is extremely expensive 😂

Indeed, to secure something you need to understand it first and be good at.

Tbh cyber security should not be individual subject, it should be embedded into every subject, like if you learn networking then you need to know how to protect your own network and not someone else to protect your network

That's what Masters degrees and PhDs are for

I can also stretch this to feilds like Biology, Electrical, Telecomunications and so on. It's tbh an unending argument between generalists and specialist, which one is better than which. And who is "correct" is wrong in the eyes of somebody else. Only feild that works it out somehow is medicine yet we all know the incompetence of people in that feild, mainly because of how broad even the specialisations are.

He just put the cyber security certificate above the Computer Engineering degree lmao

That seems like a rather common academic education approach, engineering or otherwise. You're taught general view and tools to learn, your employer should train you to the task at hand. Unfortunately these days jobs demand highly specialized skills and don't have any ability to teach a new employee, sometimes they're hiring people without even knowing what the employee should be doing and the employee should know enough to figure out what their job should be. Nobody wants to hire a smart learner who knows stuff, they want to fully fledged professional. Even for starter jobs sometimes. Well, that's just my view on how here in engineering bachelor's alone doesn't really exist, you can flush that from the toilet, it's only bureaucratical step to masters. And what I said applies to masters here.

Well u re right it s almost impossible to know every single detail and information in cybersec cuz we all know this field is very wide and it always gets updated

I think you missed the point of a university degree.

The value of knowing a little bit of everything is that you’ll be able to better understand which corner you’ll want to pursue

I was going to potentially get hired by a guy so I was at the interview, they wouldn't stop bragging about how they're self-made and you don't even need an education. I asked if they require it and they said obviously of course I do and I wanted to leap across the table. I didn't get the job because they genuinely couldn't comprehend that "i'm good at computers" doesn't mean that I can do literally everything with a computer. Which is exactly the kind of useless incompetency you would expect from a self-made business tyrant who spent 90% of the interview talking about himself.

I agree, I also used to think it is impossible but I think it is doable after many years actively doing hands on work in all the fields

A degree always represents the fundamentals and an understanding of how to learn. You will always develop further skill and learn more after that. That's not unusual or unexpected.

Cybersecurity degree should cover the basics of all "the things", which most institutions doing an ok job of covering in their program. A bit of coding, networking, computer/OS architecture. I'm against degrees in general because of all the added fluff non-tech related. But I think cybersecurity degress need to stress the importance of specializing in a hyper specific niche.

The saying goes "the jack-of-all-trades is the master of none but is still better than the master of one" You're just thinking with your American-side brain where they raise bots to stay in their lanes for a reason.

Useless ranting. The primary "issue" is that college is about academic study, not job training. And it has absolutely zero to do with the topic. There's almost no reason for an academic degree in cyber security, UNLESS you are going to make it a multi-discipline program that aims to educate about human behavior and thinking, the nature of security (in general), how computer can promote or hinder security, and so on.

as other people have said, this is just how bachelor's degrees work. Masters degrees are where you specialize in a given area, but no one can pay for them because we live in a third world country with a gucci belt.

I mean you can say the same about computer science, mathematics, biology, chemistry, etc. Of course it's broad and shallow in comparison to somebody who's spent 10 years in the field, naturally, it would be absurd to aim for that

I think there is real value in knowing a little of everything. Specialising in an area is good but you also need someone who has an overview across disciplines as a bridge between the different areas of discipline.

Like the saying goes "Jack of all trades, master of none, better than master of one"

I am in a niche speciality of cybersecurity, automotive cybersecurity, and even in our niche we have specialties. I think that it's good path to have a skill like programming or networking and then you can apply the cybersecurity craft to it.

I am a master of cyber security, sounds like to me a classic case of “skill issue”

I nearly wrote an implementation of rijndael encryption algorithm. I was going to run it on different MCUs to see if some side channel could figure out what the key is...

I'm addicted to your channel. Can't wait for the next upload!

Dont get a useless non STEM degree they said. Now: STEM degree is worthless too

You have forgotten to mention Psychology. Psychology is extremely important in cyber security.

I work in cybersecurity and yes, 1. You simply can’t be a jack of all trades, but you totally need to be informed and mildly educated on most everything enough to provide some value and 2. Build rapport with the people you are sharing reports with they are the true heroes behind “your success”.

I'm a low level game developer because I always wanted to learn how a game engine is made and how programs communicate with my CPU. And now I learn the low level security for Gaming industry and now I stop using AntiCheat like Vanguard, EAC, etc... It's like a rabbit hole and if you have a passion, you always go deeper.

Never seen you in my feed before. Nice to meet you!

The same argument could be made to almost all fields of study: mathematics, biology, physics, chemistry and so on So there is no reason to exist a general course of them?

Never seen an IOT or embedded bachelor's or master degree in any respected college. IMO it's best to major in Computer Engineering or CS and go deep into one of the specific fields u said. Computer Engineering and CS are the only majors where u will have the broad range of knowledge to be able to go into any subfield pretty much in computers once you are a junior/senior in college. IMO Computer engineering is better for embedded and IOT though

well as someone who dropped out, school helps with laying the foundation knowing something about everything is better as a start then knowing nothing about 99% of things

Absolute facts. The amount of people just out of college that come through our door knowing absolutely nothing about real world IT is astounding. We're talking absolute 101 basics, they're lost

Jack of all trades master of none, though oftentimes better than master of one.

"Jack of all trades, master of none"

I know enough about computers that there is no longer problems I come across that I can't easily solve or quickly find out how to solve

I went through a degree in cybersecurity, dropped it as soon as I realize the main core of what makes a hacker a hacker is....almost practically gone. These days, everything is just about tools..etc..etc Education, learning and everything else has become so fixated......that people rarely think outside of the box anymore, just comfortable sitting in whatever. Yea, you might have some of the skills I don't have, but what difference does that make you if you're just another corporate figure? ....back in the 90s, this type of mentality would be consider a script-kiddie.

thats like beeing a fullstack developer somehow

Disagree with your take on this. Cybersecurity at its core is about risk management, auditing and compliance. Actual hacking is a small subset of skills needed and there are lots of specialization. No one should expect to specialize in a bachelor or even master. Cyber is learned with real world experience.

I know all of those fields and I’m in cybersecurity. I spent many years in each. Programming is probably my weakest but I am decent enough to make useful things and be able to understand what developers are telling me and trying to accomplish and the dangers of their choices.

I learned a little bit of everything in technical school. I’m far from being an “expert” and to make matters worse, they said they would place me in a job after school. THAT NEVER HAPPENED. This was a 2 year associate’s degree in specialized business - Network Administration.

I’m currently three years into a 5 year masters in cybersecurity program. My masters research is going to be in AI phishing and vishing. My professor that is assisting told it to me like this: No one will ever know everything. This is why you have a team to pool your knowledge together with.

You're describing the problem many doctors face. Like "oh you're a doctor?", "then perform this neurosurgery". Like yeah, "I would if I wasn't a podiatrist." A problem with the tech field is that you're somehow supposed to bridge an incredibly difficult gap between hardware, software and the human element (which includes working with others, and being very honest and aware of your own short comings). As a doctor you might end up in a more technical role perhaps dealing with a specific machine you specialize in. Or exist in a sort of limbo between residency. As an engineer or "developer" you get penalized for being upfront and honest about what you lack. I see it as in one field your overall base of knowledge is still valued. While the other everything you learned is wrong, the way you learned it is wrong, and therefore you need to go back and relearn everything the way your boss did. For me it's become, "what can I practically accomplish with a skill?". Which led me away from verilog and back to C and Assembly. I like PLAs, FPGAs and low level logic stuff, but I'll never find a job doing it, and dedicating more time to learning it will never aid me practically in day to day life. While there's tons i can do now with microcontrollers, motors, lCDs, and even networking; if i take learning all of the ins and outs of C more carefully, and Assembly too particularly of the RISC variety.

I have a BS in cyber security and I agree. I learned a little bit of everything. But my speciality went onto proactive OS security. What I believe is the degree gave me a stepping stone so if I go into application security for example, I have a starting point

That’s what an emphasis is for. Even then, it doesn’t mean and never was supposed to mean that you are an expert in the field. Degrees are just skill checks to show employers that you have the ability to complete tasks in your desired field or sometimes it doesn’t even need to be in your field. It shows you have the capability of starting and completing something that isn’t easy.

God I love this rant so much, most cyber security professionals just know nist standards and nothing else. The last type of security profession I worked with made a reference to the "deep dark web" which had me cringing very hard like it's some fairy tale or something. Wild paradigm we live in today.

Just like B.Stroustrup said, being expert on every domain is ideal, but nobody is really expert for everything. Atleast, a group of people from different dicipline works together to resolve a real world problems.

Yeah, hard disagree. Nobody (who isn't delusional) has the impression that their degree means they know everything. It's a foundation of the key skills required to pursue a career in a field, where you will then aquire expertise through experience.

There’s nothing wrong with leaving school with a little knowledge on a lot of topics. It gives you far greater flexibility when entering the job market and once you get a job, you begin to specialize in what it is you do every day. The reality is sometimes you don’t know what you don’t know, knowing a little bit about a lot helps you understand what there still is to learn and how that’s connected to other topics/technologies.

The "Masters" also have a interesting habit of publicly disclosing their security clearances on LinkedIn.

As a cloud security engineer i don’t fully agree, I think bottom line it’s important to know a little bit about everything (most things) and still be specialized in one thing. Security implications and attack paths require broad spectrum general knowledge.

I have a master in cyber security MANAGEMENT. My bachelor was in civil engineering. In my master program they teach me to write program in python, cloud, machine learning, malwares, etc. Everything on surface level. I eventually wrote my thesis on cryptography, and I probably gonna stick on this because it's the only thing I'm interested in. But they still gave me a cyber security degree.

I've never commented on a video before, but I had to for this one. It's that good!

In my career so far I can certainly attest that at the beginning I knew a little bit of everything like an inch deep a mile wide, However I found its helped my career and just my performance at work to deep dive and learn as much as i can at a deep level across the board. Not saying I am a master of all but I would say I have a very high level in a few fields (Cloud, Networking for instance id gladly say i know very well) but i do have weak spots like Coding though i am attempting to fix those sometimes i feel like its an unwinnable game as im bound to forget things but im doing my best.

The idea of a degree is to show that you know enough and moreso show you are able to learn. It's your driving license into your desired career. A bachelor's is your standard car license and master is like truck license. Learning doesn't stop after the licence it only proves you can build on the basics. Finding a niche is good but being able choose what niche you need to know for the task and can effectively understand and use it makes you flexible and shows potential in growth. Broader knowledge also gives you a lot of tools at your disposal and understanding of the broader picture, which i'd say is pretty valuable when it comes to cybersecurity.