Heresy is something that rarely appears on this site (which is my fault). But a column this week by security behavior expert Ira Winkler on how to get a job in IT security certainly qualifies.

To put it bluntly, he isn’t a fan of cybersecurity bachelor degrees. He  believes an IT security job is a position that should be earned with a broad experience in the computer field.

In some ways, this is the same debate that was going on in newspapers 50 years ago, when many editors felt that working at a small newspaper was a better start to a reporting career than getting a journalism degree.

Similarly, Winkler urges young — and maybe not so young — people interested in a cybersecurity career to get an undergraduate degree in any major, because universities and colleges help people learn to communicate better.  Students have to take courses outside their area of interest, which helps them become more rounded. As important, he argues, not having an undergrad degree will hurt when it comes time for promotions.

“That degree on your résumé is a baseline that recruiters and hiring managers are going to be looking for,” he writes. “If you can’t include it on yours, you will need some way to grab their attention and show just how truly exceptional you are at what you do.”

After graduating, he says you should get a job doing general computer work: You can’t protect computers if you don’t know how to administer them, or secure a database if you don’t know what a database management system is. And while you’re at it, teach yourself how to code.

Winkler believes that CIOs in need of security pros should look at people on their staff who have demonstrated talent, then give them on-the-job training to develop security-relevant skills.

Is this a reasonable approach? Let us know in the comment section below.