7/17/09

Congrats to me!

After two years of studying lunches and weekend/evening schoolwork, I have completed my Master's degree program in Cybersecurity.

I thought I would take this time to reflect on what the college did correctly and what they did incorrectly as far as presentation. Being in the security field, I wasn't interested in a typical MIS or MBA. I wanted something relevant to my field, instructed by people who worked in the industry. One of the difficult aspects of computer and network security, a profession in its infancy, is the lack of precise standards. In other professions you know your role, i.e. in accounting you have to balance, in engineering you develop and simplify. Mathematicians formulate and solve complex problems. Security is akin to MacGyver defeating terrorists with a shoelace, gum, lye, and an oscillating fan.

I was pretty surprised to find degrees focused on security. There's a simple reason for this: technology is constantly changing. New vulnerabilities are discovered hourly, and oftentimes it wouldn't make much sense to base curriculum off of the ever-changing world of security. If that were completely the case, however, all IT degrees would be worthless. We would have to prove our industry knowledge in certifications only, and reserve degrees for historians or other static professions.

I attempted to see what Sac State and Chico had to offer in the way of security degrees. The only programs I found at the time were generalized. My next step was to check for distance education. Holding a degree from University of Phoenix, I'm not a stranger to distance-based education, nor the stigma of being a distance education degree holder. I've always been into the current and developing methods of technological delivery, including social networks. (My original ICQ number was in the thousands.) I attended one of the first on-line courses that Phoenix had to offer, and determined two things that made me successful with this type of education.

1. You get out of the degree what you put into it. Yes, I found ways that I could be a completely lazy student and still manage to pass. However, this is no different than when I went to Jr. College. I immediately could tell the difference between students that were interested in learning to succeed in life, and those doing the bare minimum just to pass. On one hand, I was frustrated to know that people carrying the same degree as I hadn't put in the type of effort it should take to carry the degree. On the other hand, I reported the shortcomings to the program directors, and oftentimes they would respond immediately with their thanks and change the systems. I've tried this in the past with brick and mortar; the best I could get was to talk to a secretary who put my ideas on a post-it and conveniently filed it in the trash can as soon as I was out the door.

2. I paralleled my education with work experience. The biggest benefit that I received from distance education was the ability to work full-time in career positions while attending school. I was able to apply what I learned in class to my job, and it further solidified my education. I was living what most people only learned about in classrooms, and had a more OTJ engineering experience than years that most engineers spent in college.

So what did University of Virginia do right? Study materials were included with tuition. Oftentimes it is a nightmare to figure out the real expense of college. All of my materials and outside references were an incurred expense above and beyond tuition. It makes it extremely hard to budget. Back when I attended law school, I paid a huge tuition and then even more money for books. VCO provided all books and on-line services paid with tuition.

A few gem classes, a few gem instructors. One thing that caught my eye about VCO is that the instructors had real-world experience and weren't just career professors. I had hoped that there would be more people from government agencies, because unfortunately it appeared that most of the instructors were just experienced with private entities.

Pretty consistent curriculum. The curriculum paralleled the CBK, aka the 10 domains of the CISSP Certification Exam. There were some interesting courses thrown in such as Criminal Law and profiling, so it wasn't completely technical. I enjoyed these out-of-bounds courses, and it helped give me a broad view of many aspects of professional security.

What VCO did wrong:

For roughly 75% of the courses, I had the same instructor. This concerned me because I know in security you cannot possibly be an expert in everything. It was apparent in a few of these classes that the instructor knew quite a bit for one class, but was merely a facilitator for others. Having a different and experienced instructor for each course would have made me feel better about the quality of learning that I received. The experience wasn't as negative as it seems; whenever I had a complex answer the Internet was at my fingertips. One of the things about a Master's program is that by now people should be educated enough to do their own research and come to their own conclusions. Back to rule 1 above, you get what you put in.

Interactive training was reserved for my last class. There were no network simulators, we weren't exposed to vulnerability assessment tools, and no labs. For classes like forensics, this type of hands-on approach is the difference between someone with real experience and book smarts. Thankfully I was already a security specialist and could apply what I learned at work. But for others, this might be a big con for you.

The community within VCO was pretty bland. You would expect people leaning towards a Master's degree would be fairly animated about their courses. For every one person who would participate in discussions, there were seven people who had horrendous spelling, one-liners, or added to the discussion with suggestions that were completely impractical and against best practices. I labeled these people as those who just don't get "IT". I am glad that I put effort into my discussions and work, even though it seemed like much of it went over people's heads or unacknowledged.

I am glad that I went through the course, and will hang my degree proudly on my wall. It was a good experience for the most part, and I'm better for having gone through it. So I pat myself on the back, and look forward to keeping networks secure for our future.