Marty Tatro has plenty of work experience, but not exactly the experience he needs to get into his chosen profession: Cybersecurity.
By the time he left the Army National Guard as a specialist in 2006, he'd served on active duty and Guard duty, worked in military intelligence and infantry, gone to Iraq, and recycled computers as a civilian. To get into cybersecurity, he would need one more thing: A degree, which he hopes to earn next year from Champlain College in Vermont.
That's not a surprise. Cyber is competitive — CNN calls it one of the top five highest paying jobs for veterans, with a median salary of $133,700 — and academic credentials are a good way in. But what exactly does it mean to earn a cyber degree? It's worth taking a deep look.
Step by step
For Tatro, the cyber Bachelor of Science means mastering math.
"I am doing statistics and financial accounting and microeconomics. Those are fields I have never looked at in my adult life, so it is a bit of a stretch," he said.
Math is just the start. Consider the course breakdown at Rochester Institute of Technology, where 200 to 300 veterans study in a typical academic year.
Year 1: Students start out with the basics, classes such as Programming I and II, Calculus I and II, and mathematics for computing. It's a math-heavy agenda.
"The discipline of computing in general is about solving problems. You can do that in any course, but the math sequence in particular gets people thinking analytically. That's what computing is all about," said Daniel Stafford, assistant dean for academic services in RIT's B. Thomas Golisano College of Computing and Information Sciences.
The first year also delivers basic computing and some security fundamentals.
Year 2: Here students begin to connect those math skills to the real world, using physics classes and statistics to understand the relationships between the math, and the models the math describes. Classes include Concepts of Computer Systems as well as Intro to Database and Data Modeling.
On the security side, students learn system administration, how to set up accounts, how to manage security.
In these first two years, students also will satisfy their basic liberal arts requirements: That's 60 credit hours of writing, history, sociology and social sciences.
Year 3: Here things start to get heavy on the security side, with requirements such as Introduction to Cryptography, Cyber Security Policy & Law, and Authentication and Security Models. "These are the things that all security majors should have. They should know how to keep data secure, and they also need to know the law. There is a great deal of proper ethical behavior that comes with this type of discipline. With great power comes great responsibility," Stafford said.
The school even operates a "quarantined" facility, where computers stand completely apart from the network, ready for students to hack them apart.
"To understand the problem, you need to understand the enemy and its capabilities. So sometimes you need to put on the bad-guy hat in order to come up with solutions," Stafford said.
Electives this year include forensics, malware, mobile security and secure coding.
At the same time, a co-op program puts students out in the real world, with summer internships that hone their skills and bolster their résumés.
Year 4: This is a capstone project, in which students make an in-depth effort to apply what they know to a real-world security problem on behalf of an actual company.
"The overall goal is to establish a solid foundation, to provide a base of knowledge and the learning skills to allow them to go on to a real job and to continue to build on that knowledge over their career," Stafford said.
While RIT's model is rigorous and sequential, not every B.A. track in cybersecurity looks like this.
Take for instance Champlain College. As an online program, its cybersecurity degree track allows students a little more flexibility in how they structure their coursework.
"With the traditional system, we can assume that you don't know anything when you first come in," Cybersecurity Program Director Ric Messier said. With a student body made up primarily of working adults, "we don't make that same assumption, and so [we] don't have that same proscribed sense of what you take first term, what you take second term."
Still, there is a rough outline that follows closely the expectations of more traditional schools. Early on, students will study networking fundamentals such as Internet protocols TCP/IP, as well as basic computing topics such as binary and hexadecimal numbering systems, or mechanical functions of a computer.
A cybersecurity overview will touch on cryptography, risk management and concepts of security processes.
Despite being a distance program, Champlain emphasizes hands-on study. "We have systems that our students can access remotely, so they can do all the labs on our system and we can ensure the experience they get is consistent across all students," Messier said.
Where others may give more weight to liberal arts fundamentals, Champlain's program runs deep into security electives: Mobile Security, Website Security and so on.
"Security is an enormous area, and we don't know what our students will be doing specifically when they leave. Even if we did know that now, two years from now they could be doing something completely different," Messier said. A broad base makes the most sense.
Along the way, students will also study security policy analysis, as well as financial accounting. Beyond helping them to pick up the relationship between security and business operations, these classes help to build an intellectual foundation.
"This is not 'training.' You are not coming here to learn a specific skill or a task. You are here to get an education, and the general education classes help to do that," Messier said. "College teaches you to think about things, to think in a critical manner so that you can troubleshoot and problem solve your way out of any situation you are in."
Whether formally structured or more loosely organized, the Bachelor of Science typically aims for just this mix: An intellectual approach to security, paired with the academic credentials to get into the industry.
For those looking to take things even further, the master's curriculum tends to run even deeper.
The SANS Technology Institute offers two master's degrees, one in information security management and the other in information security engineering. Both run anywhere from three to five years, with classes offered to part-time students already working in the field.
Those aiming for the advanced degree will likely take a mix of high-end courses including a general overview of enterprise security, specific technical security subjects, hacking and incident response, intrusion detection and incident recovery.
Students will test their skills in live computing environments, produce in-depth research papers to be published in scholarly journals and develop the oral communication skills needed to present a plan at the board and CEO levels.
"They really do get challenged technically," said Matthew Scott, who oversees veterans affairs at STI. "We want them to understand the relationship between what they are learning and what they are doing in the profession."
While master's candidates may be aiming for the upper reaches, many students at the other end of the spectrum are simply looking to get a start. With a few certifications under your belt, you can get into cyber, or take a step up the ladder, without having to chase the degree at all. Some will find this a tempting proposition.
At the Cybersecurity Academy at UMBC Training Centers, for example, students can gear up to take a range of industry certification exams in anywhere from five days to six weeks. For those already in the field, certifications can lead to promotion. For those just starting out, "some of these are enough to get you employment," Academy director Homer Minick III said.
Your first job might be at the help desk, but you'll be able to work your way up. "There are lots of organizations that really need people who can come in and have those basic security skills," he said.
Tatro, meanwhile, is looking to the B.A. as the best means for getting that door open.
"I am 47 years old, and I am really behind the times in terms of my peers. Most of them are in their early 20s, so I have to be really good if I am going to make myself more desirable in the workforce," he said. "Thankfully there are a lot of openings, and there will be more."