A few thoughts on both options:

1. the Solutions Architect could be lucrative with the right company. However, they may require at least a BS, unless you have internal contacts at the company. You may also consider an Sales Engineer for a security company. SE's do very well.

2. There are a LOT of offensive security guys in the industry that don't have a college degree. (Some of the best in the field in fact.) The offensive role is obviously highly technical but can lead to things like directing a group of pen testers etc.

Another option to consider, since you're young, is to get into a company that has an education reimbursement benefit and just begin to chip away at your BS to get that "monkey off your back."

If you went the offensive route, you would then have the defensive skills AND operational skills which is a nice blend. You could take that into an SE role or SA role and probably have a little more pull if the job required a degree.

Just a few ideas.

Welcome to the forums.

I see cd1zz responded while I was typing out my response. +1 to everything he said.

I think something else that you need to keep in mind is that offensive security requires more time dedicated to research, experimentation, etc. outside of normal working hours to truly be good at it. It's one thing to be aware of a vulnerability and mitigate it in some manner, but it's quite another to understand the technical details behind a vulnerability and be able to exploit it successfully. Granted, this is often made easier by exploitation frameworks, but I still think you need a broader and deeper level of knowledge compared to other disciplines within infosec.

The point  I'm trying to make is that if you're not genuinely interested in the material and treat it like a hobby, you're probably going to feel like you're working all the time and become overwhelmed (I guess you could alternatively just be a mediocre pen tester that relies on automated tools for everything as well). If you don't have any significant experience on the offensive side of the fence, register for PWB/OSCP and dive in. That's probably the closest experience you'll get to the real thing. $1000 and a few months of your time is a minimal investment when it comes to deciding which career path you'll be on for the next years/decades.

With the experience you have, the lack of a degree is probably not going to hold you back for a lot of positions. Experience seems to trump degrees and certifications over time. Granted, being strong in all three areas would obviously be ideal. I don't have a degree, and I know many others that don't. However, I think the fact that I have one in-progress helps fill that void to some extent.

Although, depending on how high up the food chain you plan to go, you may find the lack of a degree to be a limiting factor. It probably won't be necessary for a pen testing position, but senior management is a different story. You may want to look at a school such as WGU if you're looking to remedy that situation quickly. It seems to have avoided the stigma commonly associated with online schools, and it appears to be generally well-respected overall. You may also be able to earn some credit based on your existing certifications, and can work at your own pace.

You should do the CISSP regardless of what path you choose. It will open doors no matter what type of position you have. Even if it may not be directly applicable to your current/desired position (i.e. pen testing), you may find yourself in a position where your clients require anyone who works with them to have a CISSP.

Finally, if you find yourself in a position where you're going on to a masters, consider an MBA instead of an MSIS if your goal is still to bridge the technical/business gap. With your experience, you'll probably have limited returns in terms of actual education from an MSIS, and you'd still be in a position where all your credentials are strictly IT and infosec.

Edit: Oh, Hayabusa also responded before I could finish. That's what I get for making breakfast mid-post...
 

If you're going to do a bachelor's get it in IT/CS unless you feel compelled to do something else.  Some employers are picky enough to want a directly applicable degree.  Do you have any college credits now?  If not, look for a community college where you can pick up your lower division requirements cheaply.  Don't pay an expensive private school thousands of dollars to take English 101 unless money isn't an issue for you.

At the MS level, you could go technical (IT/CS again) or get an MBA depending on what you want to do.  If you're looking for a CISO or CIO spot eventually, get the MBA.  If you want to stay technical or maybe do some lower-level management, get the technical MS.

Should you get a degree at all?  I don't know.

I'm was in a similar spot and I decided to go back to school two years ago.  I'm finishing my BS in IT in two months.  I'm also 31 and have worked in IT since I was 17. 

There are a lot of ways to stay in the field and make good money without a degree, but it's a much harder road.  I work in higher ed and have some interest in staying in that area or possibly working for the federal government so the degree is a hard requirement for me.  Colleges and public employers usually have rigid hiring requirements so you'll get rejected for a lot of those jobs without the hiring committee ever seeing your application.  Some companies are more flexible, especially if they are small, but many aren't. 

On the downside, a degree may mean taking on a lot of debt if you don't have a tuition reimbursement plan available to you.  I'm paying my own way and I'm going to have debt so I need to move into a higher paying job in the near future or my family is going to have to tighten our belts.  In this economy, that's not a fun spot to be in.

As far as your choice between SecSA or Offensive Security.  First ask yourself, what do you like doing more?  Fixing things or breaking things?  If you are a fixer/builder then you may want to stick to the path of SecSA.  If you like to break things, then on to the roll of the pen tester. 

Now I think, if you want to truly be great at the SecSA role, then learning more about how to break things will only add to your arsenal as a SecSA.  Training in Offensive Security will give you a deeper understanding on how attacks are carried out.  You can then take that information and use it toward your architecture projects.  Besides defense is hard, and we need more able body engineers to build us better solutions or help us use the stuff we already have (which is my personal mantra).

As for the degree, well ajohnson is right. If you want to go for a senior management position some day, you will probably need that degree and if you can get a position that will pay for, then that will be a bonus.  Depending on if I plan to stay at my current job, I may consider their education program and get a masters in IS.  If you have a good amount of job experience, there are some programs that will use that toward credit and may not require you to take all those underclassmen requirements like history and such.

Good luck with whatever you choose and keep us posted on your endeavors.  Welcome to the boards!

Thank you all for the input.

I will update my post once I have made my decision ie. direction and my plan forward.

Couple things I am considering;

- Complete CISSP regardless
- OSCP regardless
- Formal education depending on decision

Do it all. Use today and tomorrow to get your brain, your current contract job and everything you need settled in order to get started Saturday morning. Have a nice meal Friday night as your celebratory meal on the start of your new life. Don't go out. Don't stay up late. Get a good night's sleep and get up Saturday with a purpose of a thought locked in your head that this is it. This is your time.

As for planning, which exam are you most prepared to pass right now? Do that first, update your resume and let that good felling sink in. Use the new updated resume with a new cert and also be sure to add to your resume that the second is in the works. Get it out there to start the wheels turning immediately for new job prospects. Even better if you can pick the company of your dreams, find out what they have available, and market yourself to that company and that specific job. Be the one in charge of your career. Don't just take what is available. Go get what you want.

Have another celebratory dinner, take a couple-day break, then the next step is to make your plan to finish the second. Stick to it. You're more than halfway there.

Stick around EH-Net, let us know your plans and how you're proceeding. Trust me... we're all here for you and will push you when you need the extra energy.

But make no mistake. This is YOUR decision. After all, it is YOUR life.


People say life is short. It's not. If you focus on accomplishing something every minute of every day, you'd be amazed at what can be done. Even if a minute is spent resting your brain or going to the bathroom, it's a minute planned with purpose for a positive outcome. Belive it or not, every minute in your life already has purpose. But is it positive? Is it pushing you to be your best? Is it a minute that you let be determined by others or circumstance? Either way it has purpose and you chose it. Now it's time to choose everything based on a positive outcome.

People have made billions in the span of just a few years. That's empirical evidence. Amazing things can be done and will continue to be done. The only question is whether it's you or not.


Don

Thanks for the motivation Don and H1t M0nk3y!

I really appreciate it. 2013 is the year that I need to find my direction and be more positive and results driven.

I have just re-scheduled my CISSP for the 2 April 2013. That gives me more or less 12 weeks of preparation.

I will keep updating my post as I go.

thanks again.