CISSP vs Master's: How to advance your cybersecurity career
January 27, 2020
January 27, 2020
In this post I want to analyze the factors that might lead you to choose one or the other, or both options. These factors include: where you are in your career path and where you want to go on that path.
Either option should be just one step in the continuous learning process you need to keep ahead in the cybersecurity field.
First, let’s look at what you need to succeed in the cybersecurity field. The best analysis of this has been provided by NICE, the National Initiative for Cybersecurity Education.
Their Cybersecurity Workforce Framework describes exactly what professionals in the field should be able to do. NICE describes the Knowledge, Skills and Abilities (KSAs) needed to succeed in each of the possible security roles.
It is important that all three attributes are needed to perform a role. According to NICE:
So, comparing to home repairs, knowledge can be acquired from YouTube, skills can only be acquired by using real tools, and ability is the competence to finish the job, like repairing a plumbing leak.
In cybersecurity, as in home repair, the most valuable commodities are abilities. These include both hard and soft abilities. Hard abilities include things like ability to execute OS command line and soft abilities like communicating effectively when writing.
Abilities rely on skills such as capability to identify cyber threats which may jeopardize the organization and on knowledge such as knowledge of virtual machine technologies. Both certifications and advanced degrees can help you acquire needed KSAs.
Let’s look at the CISSP requirements. You must get a 70% or better on the CISSP exam and must have five years' work experience in two of the eight CISSP domains. These are:
The CISSP provides inch deep, mile wide knowledge and is great at what it is designed to do. To pass, you answer multiple choice questions in a timed test.
Interestingly, you can get 30% of them wrong and still be a certified professional. The CISSP requires very specific test taking skills. Most security professionals cannot pass the test without preparation.
Now let’s look at an MS Cybersecurity program; I will use Quinnipiac’s program as an example. Ours includes 30 credits spread across 27 courses. Those courses are grouped into nine neighborhoods:
|Security Neighborhood||Course Number||Course Name|
|Security and Risk Management||CYB 501||Foundations of Cybersecurity|
|CYB 502||Introduction to Cyber Threats|
|CYB 503||Introduction to Cyber Defense|
|Security Technology||CYB 540||Introduction to Secure Networking|
|CYB 509||Operating Systems Security|
|CYB 517||Introduction to Cryptography|
|Data Security||CYB 524||Introduction to Secure Networking|
|CYB 526||Non-relational Database Security|
|CYB 670||IoT Security|
|Programming for Security Professionals||CYB 506||Introduction to Programming for Security Professionals|
|CYB 560||Programming for Security Analytics|
|CYB 661||Programming for Security Automation|
|Building Secure Applications||CYB 662||Security Web Applications Design|
|CYB 663||Secure Web Applications Engineering|
|CYB 664||Web Applications Security Testing|
|Identity and Access Management||CYB 665||Workforce Access Security|
|CYB 667||B2C Access Security|
|CYB 669||B2B Access Security|
|Resilient Systems||CYB 683||Resilient Systems Design and Development|
|CYB 684||Resilient Systems Testing|
|CYB 685||Operating Resilient Systems|
|Capstone||CYB 691||Capstone I|
|CYB 692||Capstone I|
This program is also designed to create a well-rounded cybersecurity defender. It has some additional topics beyond the CISSP: cloud security, resilient systems and programming for security professionals.
Cloud security is a huge issue for security practitioners. The number of cloud jobs has increased 650% since 2012 and shows no signs of slowing. Resilient systems are now the gold standard for security practitioners.
These are systems that fail gracefully when attacked. We included programming for security professionals because often professionals are asked to develop security solutions and not just validate developers’ code.
With our one credit hour framework, we revise each course once or twice per year. The CISPP is revised every three years.
The biggest difference between an MS in Cybersecurity and CISSP is that the master's degree offers knowledge, but also hands-on skills training and opportunities to acquire new abilities.
Each master's course includes hands-on skills development and deliverables that test your ability to complete a project on time. The CISSP exam itself is a test of knowledge only.
With that as background, which can be more valuable to you, CISSP or an MS in Cybersecurity? If you already have five years of security experience across multiple domains, then acquiring a CISSP next is a no brainer.
You will be able to get certified in a short time. Should you then pursue an master's degree? If you already have exposure to leadership positions on the job, then that may be unnecessary.
If not, then the MS in Cybersecurity will give you the opportunity to enhance those abilities and move up in responsibility on the job. This also depends on how your company values advanced degrees. Companies differ on this topic.
What if you have little or no security experience? The MS in Cybersecurity program will expose you to all the security domains, developing skills and abilities so you can make a better case for moving into a security role.
This can be done in 18 months with our online program. The CISSP is a much longer road, which will take five years of your time.
What about ultimate goals? Do you aspire to be a CISO? My research shows that there are multiple paths to this position. Neither a master's degree or a CISSP is a sure path to the executive suite.
Lack of either isn’t a barrier in any case. Recruiting firm Heller Associates has a nice summary of what it takes to move to the CISO role. Here’s my take on which of those skills you can start to obtain from a master's degree.
The others you will have to acquire on the job or in other training programs.
|Ability||Acquire in MS in Cybersecurity Program?|
|Communication and Presentation Skills||Yes|
|Policy Development and Administration||Yes|
|Knowledge and Understanding of the Business||No|
|Collaboration and Conflict Management Skills||Partly|
|Planning and Strategic Management||No|
|Regulation and Compliance||Yes|
|Risk Assessment and Management||Yes|
Hopefully this post gives you some ideas on how you can use either the MS in Cybersecurity or the CISSP to advance your career to the next level. For other questions, you can reach out to me at email@example.com.
You may also find more information about Quinnipiac's online MS in Cybersecurity here.
Quinnipiac Today is your source for what's happening throughout #BobcatNation. Sign up for our weekly email newsletter to be among the first to know about news, events and members of our Bobcat family who are making a positive difference in our world.Sign Up Now