Do As I Say, Not As I Do: Should You Get A Master's Degree In CyberSecurity?

A discussion of the pros and cons of getting a master's degree in the cybersecurity field.

Published: July 31, 2022

Reading Time: 15 minutes

Masters Degrees In CyberSecurity

I’ve been fairly vocal about my excitement for my recent start of the SANS Master’s Degree In Information Security Engineering. I’ve gotten numerous questions about both the SANS program and my thought process for why I decided to go for a master’s degree in cybersecurity when it isn’t a huge factor in getting a job in this field. I wanted to take some time to get my thoughts out on the subject. Please note: this isn’t a “Why SANS is the best master’s program” discussion. It’s more of a “Here is the thought process I had when deciding if I should get a master’s degree.”

$ cat ~/.graham_history

To begin, it’s probably important to lay out a little bit of my background. When I was growing up I was always into computers. I like to say I started my IT career in middle school by running Minecraft servers at home so my friends and I could play together. I had my first real developing/coding experience when I tried my hand at creating video games by using a program called GameMaker’s Studio.

After half a dozen or so half-finished projects, I discovered that I didn’t like programming one project for a long period. Looking back, this was a valuable insight. At the time I was thinking about which degree I wanted to pursue in college, and this was my first inkling that my current plan of being a full-time indie game dev was not likely to pan out.

Also around this time, I took my first AP computer science class, which taught Java. (AP classes are “college level” classes offered in high school.) This was an absolute disaster. I made a 1 on the AP exam. That is the same score you get if you don’t answer any questions. (To be fair, it was my teacher’s first year teaching Java, and they gave him the classes because “Well, he teaches math so he must be good at programming”.)

After experiencing all this, I was not enthralled with getting a computer science degree but I figured I could still use a computer science degree in other areas upon graduation. My initial idea was to spend the first 5 years out of college in a helpdesk/networking role and move into security from there. I did the first year and a half of my bachelor’s by pursuing a computer science degree but ended up only taking the “core classes” (math, science, English, etc) which left my last two years open for my Computer Science classes (Java, Computer architecture, etc).

After struggling my way through Java 1 and 2, I somehow heard that my school had started offering an undergraduate degree in cybersecurity and decided to make the switch, mostly because it meant I didn’t have to take calculus, but also because I was already looking at security as a field that I might be interested in upon graduation. Of course, at this time my plan was still to start with help desk -> networking engineer -> sysadmin -> security.

It was around this time that I began getting my first certifications. I had already gotten my CompTIA A+ and CompTIA Network+ during my first years in college and was pretty disappointed with what I was learning from the security curriculum. Not so much because it was bad per se, but because there were so many people in these classes that didn’t have ANY experience with computers, many of the classes were forced to be much too watered down. This was especially so because many of the classes I needed to take were based on certifications I already had but could not test out of.

It was also around this time that COVID-19 hit, which heavily decreased my school workload since we had more important things to worry about. I spent the last year or so just going for as many certifications as I could get, doing CTFs, building out this site, learning about the security job market, etc. It was from this experience (and many lucky breaks along the way) that I was able to land a job as a pentester a few months before graduating. Upon graduating I had the following certifications: A+, Net+, Security+, Project+, Linux+, eJPT, and eCPPT.

I say all this to give you the context of my decision to start my master’s degree program.

After my lackluster experience with formal education, it might be difficult to understand why I chose to go for a master’s degree when all my relevant experience had come from CTFs, certs, John Hammond videos, and research. So why was I so excited to start a master’s program? By this point, I had a pretty good idea of what was and was not worth my time, which led me to look into different degree programs out of curiosity. It was important to me that if I were to get a master’s degree, it would have to be for the experience gained along the way and not the degree itself.

$ /bin/which degree_program

The program you choose is hands down the most important factor in deciding if a master’s degree is worth it for you. In my opinion, there are the following tiers of degrees:

  • Pay us money and we will say you have a master’s degree:
    • Not worth your time/money unless you for some reason need a master’s degree. I have not seen a good position in security that requires this. Honestly, if a job says a master’s degree is required for the position… RUN. The exception to this is if you want to teach at a university; most universities probably require a master’s degree.
  • Your typical master’s degree program:
    • This would be a degree from your normal college (UGA, Georgia Tech, etc). I don’t really see the point in these degrees unless, again, you just need a degree for some reason.
  • A degree from a highly respected school:
    • MIT, Harvard, etc. These would look amazing just because of the renown of these schools plus, you will learn some great concepts just because of the rigor of the coursework, but I’m not sure how practical the experience would be. You also may or may not be expected to follow a synchronous school schedule, complete homework, quizzes, projects, etc.

I think SANS would fall under the “Highly Respected School” tier but would ultimately outshine any other degree program based on the respect SANS has within the security community and its self-paced, asynchronous classes. Sure, having a Master’s in Computer Science from MIT might look fantastic, but if you’re looking to work in a field that does not require that degree, it might not be as good-looking as a master’s degree from SANS that comes with 9 certs built into the curriculum. Looking back, I realized I asked myself the following questions when looking at degree programs:

  1. What kind of workload do I want?
  2. Will these classes be virtual? Asynchronous? In-person?
  3. How much time do I have to invest?
  4. How much money do you have to invest? (I’ll touch on this more shortly)
  5. Why are you considering a degree in the first place?

So to answer the questions on my own checklist:

  1. What kind of workload do you want?
    • I don’t mind a large workload for a while. Especially if it will actually be beneficial to me in the long run. I do not want a program with frivolous homework/busywork or “weed-out” classes.
  2. Are the classes in person? Virtual? Asynchronous?
    • The classes I take must be asynchronous. I will not go into class physically.
  3. How much time do you have to invest?
    • Right now is probably the most “free” time I will have for the foreseeable future. I can commit to investing more time into learning than I otherwise would. Especially because I would be investing time into learning something anyway.
  4. How much money do you have to invest?
    • I will touch on this in the section below, but I’m in a very lucky position where I will not have to pay for my degree.
  5. Why are you choosing to get a degree in the first place?
    • I want to learn as much as I can to be as well-rounded as possible. I don’t care about having a “degree”. I just want the knowledge gained along the way.

Choosing a school that will meet all your criteria is extremely important. I looked through dozens of master’s degree programs and the one that stood out the most to me was the SANS Masters in Information Security Engineering. I would like to briefly describe why I ended up choosing this program.

  1. Quality
    • It is well known that SANS offers some of the best quality security training you can get. SANS courses have a reputation of being an absolute firehose of information that is only taught by instructors who are working in the job role they are teaching about. This means you get some of the most bleeding-edge information from your instructors. All courses include textbooks, videos, and hands-on labs.
  2. Convenience
    • The program is self-paced. To progress in the degree you need to pass through SANS certifications. Once you get access to a certification’s training material, you get the labs, books, and on-demand videos. You can go through them at your own pace and there is no limit to how fast you can go through them. For example, when I took the GCIH course as my second class in the master’s degree program, I went through the entire class in two weeks since I already had previous penetration testing experience (and got a 95% on the exam). When I took the GSTRT class, I took almost 2.5 months because I had zero management experience.
    • The program is designed for people who are working full time. SANS doesn’t expect you to take five classes at one time. You simply go through the certification training, take the certification exam (Actually get the cert), and move on to the next one. You can’t take more than one at a time.
  3. No Fluff
    • My biggest problem with formal education (besides how prohibitively expensive it is) is that most of it seems like dated or filler content. Sure, you might have a few classes that are great, but more than likely not every class will be up-to-date and relevant. Looking at other programs, I saw classes such as “Statistics for Cybersecurity Professionals”. Hard pass.
    • There are no random homework assignments/quizzes you must dredge through to get a good grade. There is only one grade in each class: the grade you get on the final exam. (Sort of; getting an A requires you to be in a certain percentile of others who take the exam. It’s explained well at the beginning of your journey, but I forgot because I don’t really care as long as I learn something.)

Looking back, this is essentially what I had already been doing while in college anyway. My typical week in my undergraduate cybersecurity degree consisted of getting through whatever school work I needed to do so I could make time for what I deemed actually relevant. We can debate whether or not certs/ctfs/etc are more relevant but I seem to be doing just fine.

Just to get it out of the way though because I know people will want to know: Yes, I think SANS offers the greatest return on your investment if you’ve already decided to get your master’s degree and you’re in a similar position to me but no one can decide what’s best for you except you. Don’t listen to anyone who tells you which path to take, especially if they’re selling you a machete and new boots.

Is it worth it?

The short answer: We will just have to see but the answer is almost certainly yes.

The long answer: Currently, as of writing, I am about 42% of the way through the master’s degree program. I have learned more in the past few months than I did in my entire undergraduate degree. For me, there is only one reason why I want a master’s degree: I simply want to learn as much as I can. Right now, I believe that I am nearing my personal limit for how much I can realistically be learning each day while still working and having some free time. This alone makes the degree worth it for me so far.

If you can get close to that limit where you are maxing out how much you can learn without pursuing a master’s degree, that is amazing and I encourage you to do so. Personally, I find it really difficult to follow a particular learning path if there isn’t a clear goal in sight, which might be why I enjoy going for certifications. Even if I get 0 new opportunities from obtaining my master’s degree (which has already proven not to be the case), I think it would still be worth it for me because the skills I’m learning will help me in nearly any security job I ever work.

Will the actual degree grant me new opportunities? Likely not; however, the vast body of knowledge obtained from the degree program will absolutely follow me around everywhere I go.

“Hello, I like money.” - Universities

I also think that it is important to note that master’s programs (or formal education in general) are unbelievably, ridiculously, prohibitively expensive. They’re too expensive at nearly every school. Period. I don’t care who’s paying for them. I don’t care about the quality of the training. I don’t care about inflation. They’re too expensive. Honestly even certifications such as OSCP are becoming prohibitively expensive which is really disheartening to see.

SANS estimates the cost of the master’s degree is $49,500. I would not even consider paying that out of pocket. With that being said, I am VERY lucky that my company has a program that pays for my master’s program (as long as it’s relevant to my job of course). I’ve often seen this touted as a benefit (which it absolutely is), but it is also important to note that some companies will pay for your degree under the stipulation that you must stay with the company X amount of years after completion. I’ve seen this mandatory period anywhere from 6 months to 3 years after your last class is paid for. It also might be worth noting that many companies that offer to pay for your degree will only pay for classes they deem relevant to your current job role. This can leave you in a situation where you want to take a class but you can only do so if you’re paying out of pocket. I don’t often see these talked about. Let’s run through a quick example scenario:

Let’s say aSecurityCompany.com offers to pay for your master’s degree from SANS. You sign a contract saying you will stay employed there for 2 years after you finish your last class. SANS says it takes students (on average) 3 years to get through their program. That means it is 5 years total that you will have to work for this company. That may be great if you love it, but if you get a better offer, hate working there, or any other reason comes up that you don’t want to be tied to your employer, you will likely have to pay back the money spent on the degree. Additionally, if you are currently working in an auditing/compliance role but you wish to make the transition into offensive security and want to take some pentesting classes, your company may not pay for those since they won’t make you better at your current job (according to them, but they’re wrong). Finally, if you make it halfway through and decide to leave, you will end up owing them ~$25k. It is important to understand that while this may benefit you in the long run, this is absolutely an employee retention tool. Be wary.

Various Questions

I’ve gotten a few more specific questions I wanted to answer here:

  1. Do you feel it has supported/improved your career? If so, how?
    • Absolutely. My background is more in offensive security/penetration testing. If that is the path I choose to go further down in the future, being well-rounded in both blue and red team domains will undoubtedly prove useful. Additionally, having a broad range of expertise across many domains helps you generate unique insights that can help set you apart.
  2. Will these concepts transfer to the real world?
    • I can only speak for my degree program, but I have taken something that I’ve learned in class and applied it to “the real world” in nearly every module I’ve gone through. Not to mention the labs are very useful/realistic. The worst-case scenario is you learn something now before you need it, which will just make it easier to learn the next time.
  3. At what point in your security career should you enroll in a master’s program to get the most out of it?
    • It depends on your experience and personal workload, but I started within a year of getting my first role as a pentester. I also had a lot of “time-on-keyboard” doing CTFs, certs, and projects though. I think you’ll learn a lot no matter how far into your career you are. If you’re earlier in your career, you might need to spend more time going through the course material though.
  4. Would you recommend the course for someone who is building a career towards a red team operator role?
    • Yes… but it is certainly not a requirement. If you spend 3 years learning about red team specific techniques, then you will probably learn more red team specific knowledge from that than through a master’s program. However, a non-trivial percentage of being a good red team operator is understanding how both the red and blue teams work. If you choose to do the self-study route, I would recommend not spending 100% of your time on learning red team tactics; pay attention to the blue team things too. It’ll make you a better attacker and defender. Know thy enemy.

Conclusion

If you are getting a degree with the sole intent of having the degree on your resume (and not the experience you get from a program like SANS), I do not think it is worth the amount of time/energy unless you have a VERY specific reason (such as wanting to be a professor). However, if you do choose a more practical, experience-based program, I think it is worth considering if you have the means to do so and/or someone else is paying, and you have the mental bandwidth.

With all that being said, I hope all of this information helps you decide if a master’s program is right for you. You can tell I am partial to SANS since I picked it over many other programs I looked at. Perhaps I should do a deep dive into my experiences with the program so far. If that would be helpful to you, let me know via Twitter. Also, I wrote this whole post while procrastinating studying for the GCIA.