Several years ago the company I worked for sent me to several training classes on topics including Cisco routers, CheckPoint FW-1, TCP/IP and forensics. I was mainly a developer and still am. When I changed jobs, I tried unsuccessfully to move into information security because, despite this great training, I had little experience.
I am considering trying again and have considered a Master's degree in the field. What are your thoughts on the Master's? If I choose not to go back to school, what are some options for breaking into the field?
Thanks for your recent e-mail. You raise a perennial debate in the IT training and certification space -- namely, comparing and contrasting the value of relevant on-the-job experience to certifications and/or degrees. As your own experience shows, employers tend to value on-the-job experience more than certifications, and in many cases, to value it more than degrees as well. Thus, it's not clear that your success in finding work would necessarily be enhanced by obtaining a Master's degree in certification topics, though if you do obtain a degree from a top-flight computer science or MIS/IT school, it certainly won't hurt your job prospects, either.
If you do decide to go back to school full-time, expect to spend upwards of $20,000 on training (not to mention the opportunity costs of foregoing two years of income). For part-time programs, expenditures remain about the same but are typically spread over four or more years instead. I'd urge you to remain active in the IT field even if only part-time and to try to focus your work efforts on security related topics, tools and technologies if you do decide to combine work and school in any form or fashion.
Should you decide to forego chasing a Master's degree, I'd recommend that you either work with your current employer or find another employer who's willing to put you in a job where you can have some security involvement (even if it's initially unpaid work, on your own time, as a way of demonstrating your commitment to the subject matter and the work itself). Over time you can address your experience deficit and can start migrating into your chosen field of technical specialization.
For more information on this topic, visit these other SearchSecurity.com resources:
Ask the Expert: The value of a degree versus certification
Ask the Expert: Best graduate schools for network security
Ask the Expert: Experience versus certification in today's job market