Study for years and pay tens of thousands of dollars in tuition, just so you can land a job defending companies against script kiddies who hack without any formal training. Cybernews asks whether cybersecurity professionals can also perfect their craft through hands-on experience.
Cyber bandits are often kids. One example was the Lapsus$ extortion group, which wreaked havoc until the London police arrested seven teenagers. One 18-year-old from the gang even managed to leak parts of an unreleased Grand Theft Auto 6 game using an Amazon Fire Stick in a hotel while out on bail from other cybercrimes.
If self-taught criminals can excel, why can’t dedicated cybersecurity or IT specialists? The rapid proliferation of online resources, coding boot camps, and self-guided learning platforms is supposed to help any self-learning individual become proficient without a formal degree.
But would tech companies hire solo keyboard warriors gathering experience outside walled college gardens? Cybernews asked and received more than 50 answers from IT companies. A similar pattern emerged across them.
Almost all said that formal education is not required to prove you are competent to do the job in IT or cybersecurity. Yet, some companies prefer a diploma before “the equivalent work experience” in job descriptions, while others say that “degrees open doors in other companies, but we are different.”
So, which qualifications are tech companies actually looking for?
“We frequently hire candidates with no formal degrees,” says Josh Amishav, founder and CEO of Breachsense, a cybersecurity firm. “To be honest, an impressive GitHub repository or active participation in a Free Open Source Software project carries significantly more weight than a certification or university degree.”
He adds: “When we hire, we want to know that the candidate gets stuff done. Demonstrating this through your actions speaks volumes.”
Trainers don’t insist on book smarts
Corey Hynes, executive chairman and co-founder at Skillable, a training and skill validation company, insists that he considers applicants without any education, as each individual follows their own professional path as they learn how to solve problems and improve on the job.
“At Skillable, we are more concerned with ‘what have you done’ and ‘what can you do,’ versus ‘what have you studied.’ Practical, real-world experience and skills always trump academia in our eyes because how you got those skills is practically irrelevant. It’s having the skills that matters,” he says.
And the company puts its money where its mouth is – Cybernews checked and did not find any requirements for degrees, diplomas, or certifications in its job descriptions, just long lists of required work experience.
“For candidates looking to get into cybersecurity, software engineering, or similar positions, the main piece of criteria is to have a relevant set of experiences and evidence that you can, and have, performed the necessary task,” Hynes said.
He doesn’t believe that self-education limits career opportunities. As technology is ever-changing, employers need not worry about employees who upskill continually, stay motivated, and are self-starting and self-managing.
“Absolutely not. Skills are the greatest currency candidates can have when searching for a new role, especially in a competitive market like we’re seeing now, so self-education is expected and evidenced,” he adds.
The best asset a candidate can have, together with job and life experience, is a portfolio of projects and solutions to showcase skills, revealing both the breadth and depth of expertise.
While self-learners are often more focused and driven to produce results, Hynes sees them as sometimes lacking the breadth of perspective that comes with having had a formal education. Those who underwent a traditional education tend to have better “big-picture” thinking, but sometimes cannot get things done entirely. These generalizations, he stresses, do not apply to everyone.
“I did not have a formal college education. I self-studied technology, became an instructor, author, and consultant. I founded a company and ‘learned by doing,’ or ‘learned by failing,’ to build the organization and make it what it is today,” Hynes concludes.
Recruiters value a diploma, but it’s not a passport
Travis Lindemoen, founder of recruitment platform Enjoy Mondays and managing director of Nexus IT Group, also believes that skills and knowledge, not formal engineering degrees, matter the most.
“In fields like cybersecurity and software engineering, we evaluate candidates based on their technical skills, problem-solving abilities, and relevant experience. We often use technical assessments, portfolio reviews, and interviews to gauge these competencies, irrespective of whether the candidate has a formal degree,” he says.
While a degree can be beneficial, it's not the only path to success in the tech industry, and self-education “can absolutely open doors in the job market.”
“I've seen firsthand a self-taught software developer who started as an intern at my company,” he says. “Through dedication and continuous learning, this individual quickly became a valuable asset to our team, and they’ve worked on some high-impact projects. Self-educated engineers often bring a unique perspective and a hunger for learning that can be advantageous in problem-solving and innovation.”
But some do put education before self-skilling
Lidia Vijga, CEO at DeckLinks, doesn’t discount people lacking formal degrees, but nor does she assume self-education alone prepares someone for a cybersecurity role.
“These jobs require deep technical expertise plus an understanding of core computer science concepts,” she says. “Self-teaching can develop skills, but structured education builds a knowledge foundation.”
She looks for critical thinkers who can explain their approach and solution rationale when evaluating applicants. Hands-on coding tests reveal problem-solving abilities more than resumes do. Communication and collaboration are also vital skills she is looking for.
“I've had self-taught hires succeed by actively expanding their education through certificate programs and team knowledge-sharing,” Vijga adds. “They combine skill-building with formal learning. For optimal career growth, I always encourage continuing education in all forms – structured or self-guided. But, formal degrees still provide advantages in depth of knowledge. I want candidates passionate about learning, whatever the format.”
Self-taught specialists could fill skill gaps
Security automation company Swimlane recently found that “one-third of organizations believe they will never have a fully staffed security team,” and the problem is worsening as threat actors become more sophisticated, according to Mike Lyborg, chief information security officer of Swimlane.
“I wouldn’t fault organizations who believe a role in the cybersecurity industry requires a college degree,” he says. “However, the reality for many cybersecurity positions is that the skills needed to be successful can be gained via industry certifications, self-guided education, or even on-the-job training.”
Lyborg believes opening a cybersecurity role up to specialists without a formal education could help close the gap caused by a lack of talent in the industry.
True, his company includes a requirement for “equivalent work experience” for job candidates lacking a bachelor’s, master’s, or other degree.
He says that employers, himself included, “search for skills outside of the traditional cyber roles and would likely choose a candidate who excels at problem-solving, time management, and communication, even if they don’t have a cybersecurity or IT-focused degree.”
Following common frameworks, such as the NICE Workforce Framework for Cybersecurity, could help organizations ensure that all colleagues are on the same page.
Ken Docherty, a multi-certified professional resume writer in Calgary and owner of Docherty Career Management, shares some tips for self-educators to be more competitive in the job market.
They should seek industry-recognized certifications, create a portfolio of projects and hands-on experience to demonstrate skills, attend industry events, and join professional associations to stay up to date with the latest trends, threats, and technologies.
“Self-education can be a valuable pathway to a successful career in cybersecurity and IT,” he says. “However, it may be challenging for self-learners to gain a comprehensive understanding of complex topics without structured guidance.”
He adds: “Many cybersecurity roles require certifications and degrees for the validation of skills and knowledge. And while self-learners can earn certifications through self-study, some employers may still prefer candidates with formal degrees or recognized certifications.”
Traditional education often provides opportunities for networking and internships, which can also be essential to career growth.
“It’s a very exciting time for education right now. People who are yearning to learn have a myriad of choices. Traditional paths are no longer the only way to secure essential experience and expertise to build careers,” said Sharahn McClung, career coach at TripleTen, an online part-time coding bootcamp.
She believes that self-education puts learners in the driver’s seat, and people can find what they need to fit their unique circumstances and goals.
“Crafting your education to meet your career goals is a freedom that many people seek, and this path can get them closer to their goals more efficiently and economically,” McClung added.
Diploma alone doesn’t define success (but it might help)
David Stapleton, CISO of CyberGRX, says other factors are important, like mindset and attitude.
“Those with a strong work ethic, an intrinsic desire to learn, and clearly defined goals can meet and even exceed the outcomes provided by more traditional education programs,” he says. “The most academically qualified candidate in the world will still be a poor hire if they are not a good teammate, for example.”
He agrees, however, that a lack of a diploma can limit opportunities because many organizations, due to time or other constraints, can't afford to directly engage with applicants in a meaningful way to assess their merit. A degree requirement reduces the pool of applicants to a more reasonable count, even if that means overlooking some high-value candidates.
Camille Sawyer, CEO of HIX.AI, a company that develops AI writing tools, agrees that many companies shortlist candidates based on their documents, so “having a degree gets you into the room.”
And finally, Christopher Osborn, Founder of VectorOne, approaches applicants without traditional engineering backgrounds with “eyes wide open,” as mentoring and guidance will be crucial to help them unlock their talent and get rid of potential bad habits.
“Our company values talent, aptitude, and attitude above all else when considering applicants. We believe that formal engineering degrees are absolutely valuable but not the sole indicator of potential success in our field,” he adds.