What’s Better for Your Information Security Career – Certifications, a Degree, or Good Old-Fashioned Experience?
By Kevin Beaver on Monday, June 07, 2004
There's no doubt about it, information security is a great field to be working in these days. By far, it's one of the hottest areas of IT and will be for years to come. As with any hot new field, there are more and more people interested in making information security their career. Some are IT generalists who want to specialize and others are just looking for a complete career change altogether.

When I'm teaching classes, speaking, or out networking around town, I'm often asked what I think is the best thing to propel one's career in the information security field - security certifications, a college degree, or general work experience. The answers can be both simple and complex - I'll make it the former. For starters, I believe the real traits that determine whether or not one succeeds (regardless of their career path) are positive personality traits such as motivation, tenacity, and the burning desire for achievement, but that's for a different discussion. With everything else being equal, here are my thoughts on what's best for your information security career.

Let's start with certifications. There's CISSP, CISA, CISM, Security+, SANS GIAC, Cisco-specific, Microsoft-specific, and on and on. One or more of these certifications - especially the popular CISSP - are a definite must for your career. They are used as a baseline when employers and potential clients are hiring. Does this mean that everyone who has an information security certification is a true information security expert? Most definitely not! IT certifications such as the highly coveted Novell CNE back in the early 1990s used to mean something but they've unfortunately lost their luster. The whole certification process has become watered down. I'm convinced that, with a few exceptions such as the Cisco CCIE certification, certifications don't prove much any more.

So, should you get an information security certification? Absolutely! If your competition for the jobs and customers you're going for is playing the game then you must play it as well if you're going to keep up. Go for an entry-level certification such as Security+ at first and then go for your CISSP once you get the experience under your belt.

Now let's talk about degrees. Will a bachelor's or master's in computer science, engineering, or information security help your career? Somewhat, but they're not the silver bullet. Again, they're being used as a baseline by hiring managers, and if you don't have one, it could be a strike against you. Unfortunate? Perhaps. I, like a lot of other IT professionals, have spent many long years earning my degrees. Do I think they prepared me for what the real world had in store for me? Yes, somewhat - especially my more technical undergraduate degree. Do I believe my degrees have helped me in my career? I think so, to an extent - especially getting past those initial resume screeners earlier in my career and now potential clients to whom I send project proposals.

Having said all of that, think about some of those people we've all worked with or have been the patient of - you know, those people with the Ph.D. or M.D. behind their names. Many of them are very book smart but have little or no practical knowledge in their field. A college degree can show (at least on paper) that you have made an effort to better yourself. That kind of stuff impresses people. Remember the personality traits I mentioned above? Just remember that a degree is not everything.

This leads me to my final point of discussion - experience on the job. I know many information security "experts" who have seemingly dozens of certifications and even some with a degree or three from some fancy schools who know absolutely nothing about hands-on, practical and real-world information security. They'd feel more comfortable pulling their fingernails out than performing a penetration test, or calculating risk, or describing what a firewall ruleset allows in and out of a network. These are the "paper people" who look good in print but haven't one iota of hands-on experience. Who would you trust to teach you a subject, manage the financials of your organization, or even perform surgery on a loved one - someone who has simply studied or researched a subject or someone who has actually gotten their hands dirty doing the work? The same goes for information security.

When it comes to certifications, a degree, or good old-fashioned experience, I'll choose the latter every time. Don't be a "paper person." It's okay to get those certifications and degrees. In fact, I encourage you to do so. You pretty much have to in today's competitive market. But the biggest favor you can do for your career in information security is to get some hands-on experience. If you're having trouble landing a job in information security at first, don't fret. You can always volunteer, tag along with a friend in the field, or even play around with security tools on your current job (just be careful!). Another great way to get some experience is to set up a network at home, buy a good book or two, and just start playing around. Work with what you've got, get those certifications and degree(s), but, by all means, get your hands dirty and prove you're up to the task - that's really what people want and need the most.

Kevin Beaver is the founder and principal consultant of Atlanta-based information security services firm Principle Logic, LLC. He is the author of Hacking For Dummies by Wiley Publishing and the free ebook The Definitive Guide to Email Management and Security by Realtimepublishers.com and the co-author of the book The Practical Guide to HIPAA Privacy and Security Compliance by Auerbach Publications. He earned his bachelor's degree in Computer Engineering Technology from Southern Polytechnic State University and his master's degree in Management of Technology from Georgia Tech. He also holds CISSP, MCSE, Master CNE, and IT Project+ certifications but he wouldn't trade a single bit of his decade and a half of hands-on experience for any of it. Kevin can be reached at kbeaver@principlelogic.com.