Is a Master's in infosec required to break into the security field?

Question

So I'm going to be graduating college in January 2013, with a double major in Compsci and Cell Biology (don't ask...). I'm really looking to break into the information security field as a consultant. (Ideally, risk management)

I would like to start working straight out of undergrad... I'll have been in school for 6 and a half years when I do graduate, and I'd like to take some time off and visit the real world before I decide to jump into a Master's degree program. So I guess what I'm asking is, to pursue a job as a consultant, would I necessarily need to complete my master's?

In terms of certifications, I have my security+ right now, and I'm going to see about getting my CISSP as soon as I get my bachelors (I believe the pre-reqs for the CISSP are either 3 years of work experience or a college degree), and I'll probably look into getting my GISP next summer (unless I get an internship).

The reason I list my pedigree is because I've heard arguments back and forth that relevant certifications are never a bad idea. On the other hand, I've also heard that getting too many certifications in a field gets kind of redundant... like the CISSP will cover a very decent chunk of what's covered in the GISP, minus some management stuff.

So I guess this turned into kind of a long-winded, two part question with no real definite answer:

1) To an experienced security professional/hiring manager, will my resume get flushed down the proverbial toilet because of my lack of a Masters?

2) Are my efforts to grab several big-name certifications worth it?

Thanks in advance for your help.

Answer 1

Your lack of a master's degree won't make any difference, but your lack of any relevant work experience will kill you (unless you've got a few years working in IT security that you've not mentioned). Before you can work as a consultant in any field, you need to be able to demonstrate a track record of proven achievement, not just academic study.

Answer 2

Have a read of this question on key attributes for a security career and this one on professional certifications for some good answers which provide background.

Edit: This one on "How useful is the CISSP" may also be relevant

A degree is only useful (in my opinion) to prove you can learn, and for junior grades within these firms it may be a necessity to get past the HR filter. The same goes for a few of the certs - as you can see in the question I linked to.

As Mike says, what is key to employers is experience and being able to provide evidence that you bring value to the role. If you haven't had any experience in security, experience in IT is a good second, as a lot of the disciplines are related.

Answer 3

I agree with the other two answers here, that lack of a degree is not so much an issue as lack of experience is. But then, sometimes you can get lucky. Don't expect to jump in as anything much above a Junior level without experience or a degree, though.

I'll give myself as a bit of a case example. I've been in an IT Security role for a few years now, but I do not currently have (nor am I actively pursuing, though I'm told I should be) any college degrees. What I did have prior to this was a few years of work experience in desktop support, and a CompTIA A+ certification. What got me from there to here can probably be summarized as a cross between being a squeaky wheel and having a little bit of luck. I definitely was started on the bottom rung though. Since then, I've moved a little bit upwards and added a few certifications to my resume.

Whenever I ask about what might be keeping me from moving up to a more senior level though, I'm usually told experience is a factor and the lack of higher education doesn't help. There's a lot that can be learned on the job, but there's a certain level of depth that can't really just be picked up along the way in the midst of your 9-5 hustle and bustle.