CISSP vs Master's: How to Advance Your Cybersecurity Career
Frederick Scholl, Ph.D., Cybersecurity Program Director, Quinnipiac University
Students often ask if they should pursue an MS in Cybersecurity degree or a Certified Information Systems Security Professional (CISSP) certification. My answer is: “It depends”. In this post I want to analyze the factors that might lead you to choose one or the other, or both options. These factors include: where you are in your career path and where you want to go on that path. Either option should be just one step in the continuous learning process you need to keep ahead in the cybersecurity field.
First, let’s look at what you need to succeed in the cybersecurity field. The best analysis of this has been provided by NICE, the National Initiative for Cybersecurity Education. Their Cybersecurity Workforce Framework describes exactly what professionals in the field should be able to do. NICE describes the Knowledge, Skills and Abilities (KSA’s) needed to succeed in each of the possible security roles. It is important that all three attributes are needed to perform a role. According to NICE:
- Knowledge is a body of information applied directly to performance of a function
- Skill is defined as competence to apply tools, frameworks, processes and controls
- Ability is competence to obtain an observable product.
So, comparing to home repairs, knowledge can be acquired from YouTube, skills can only be acquired by using real tools, and ability is the competence to finish the job, like repair a plumbing leak.
In cybersecurity, as in home repair, the most valuable commodities are abilities. These include both hard and soft abilities. Hard abilities include things like ability to execute OS command line and soft abilities like ability to communicate effectively when writing. Abilities rely on skills such as capability to identifying cyber threats which may jeopardize the organization and on knowledge such as knowledge of virtual machine technologies. Both certifications and advanced degrees can help you acquire needed KSA’s.
Let’s look at the CISSP requirements. You must get a 70% or better on the CISSP exam and must have five year’s work experience in two of the eight CISSP domains. These are:
- Security and Risk Management
- Asset Security (Data security)
- Security Architecture and Engineering
- Communications and Network Security
- Identity and Access Management
- Security Assessment and Testing
- Security Operations
- Software Development Security
The CISSP provides inch deep, mile wide knowledge and is great at what it is designed to do. To pass, you answer multiple choice questions in a timed test. Interestingly, you can get 30% of them wrong and still be a certified professional. The CISSP requires very specific test taking skills. Most security professionals cannot pass the test without preparation.
Now let’s look at an MS Cybersecurity program; I will use Quinnipiac’s program as an example. Ours includes 30 credits spread across 27 courses. Those courses are grouped into nine neighborhoods:
Quinnipiac University's MS in Cybersecurity Program
|Security Neighborhood||Course Number||Course Name|
|Security and Risk Management||CYB 501||Foundations of Cybersecurity|
|CYB 502||Introduction to Cyber Threats|
|CYB 503||Introduction to Cyber Defense|
|Security Technology||CYB 540||Introduction to Secure Networking|
|CYB 509||Operating Systems Security|
|CYB 517||Introduction to Cryptography|
|Data Security||CYB 524||Introduction to Secure Networking|
|CYB 526||Non-relational Database Security|
|CYB 670||IoT Security|
|Programming for Security Professionals||CYB 506||Introduction to Programming for Security Professionals|
|CYB 560||Programming for Security Analytics|
|CYB 661||Programming for Security Automation|
|Building Secure Applications||CYB 662||Security Web Applications Design|
|CYB 663||Secure Web Applications Engineering|
|CYB 664||Web Applications Security Testing|
|Identity and Access Management||CYB 665||Workforce Access Security|
|CYB 667||B2C Access Security|
|CYB 669||B2B Access Security|
|Resilient Systems||CYB 683||Resilient Systems Design and Development|
|CYB 684||Resilient Systems Testing|
|CYB 685||Operating Resilient Systems|
|Capstone||CYB 691||Capstone I|
|CYB 692||Capstone I|
This program is also designed to create a well-rounded cybersecurity defender. It has some additional topics beyond the CISSP: cloud security, resilient systems and programming for security professionals. Cloud security is a huge issue for security practitioners; the number of cloud jobs has increased 650% since 2012 and shows no signs of slowing. Resilient systems are now the gold standard for security practitioners. These are systems that fail gracefully when attacked. We included programming for security professionals because often professionals are asked to develop security solutions and not just validate developers’ code. With our one credit hour framework, we revise each course once or twice per year. The CISPP is revised every three years.
The biggest difference between an MS in Cybersecurity and CISSP is that the master's degree offers knowledge, but also hands on skills training and opportunities to acquire new abilities. Each master's course includes hands on skills development and deliverables that test your ability to complete a project on time. The CISSP exam itself is a test of knowledge only.
With that as background, which can be more valuable to you, CISSP or MS in Cybersecurity degree? If you already have 5 years of security experience across multiple domains, then acquiring a CISSP next is a no brainer. You will be able to get certified in a short time. Should you then pursue an master's degree? If you already have exposure to leadership positions on the job, then that may be unnecessary. If not, then the MS in Cybersecurity degree will give you opportunity to enhance those abilities and move up in responsibility on the job. This also depends on how your company values advanced degrees. Companies differ on this topic.
What if you have little or no security experience? The MS in Cybersecurity program will expose you to all the security domains, develop skills and abilities so you can make a better case for moving into a security role. This can be done in 18 months with our online program. The CISSP is a much longer road, which will take 5 years of your time.
What about ultimate goals? Do you aspire to be a CISO? My research shows that there are multiple paths to this position. Neither a master's degree or a CISSP is a sure path to the executive suite. Lack of either isn’t a barrier either. Recruiting firm Heller Associates has a nice summary of what it takes to move to the CISO role. Here’s my take on which of those skills you can start to obtain from a master's degree. The others you will have to acquire on the job or in other training programs.
Skills Aquired in Quinnipiac's MS in Cybersecurity Program
|Ability||Aquire in MS in Cybersecurity Program?|
|Communication and Presentation Skills||Yes|
|Policy Development and Administration||Yes|
|Knowledge and Understanding of the Business||No|
|Collaboration and Conflict Management Skills||Partly|
|Planning and Strategic Management||No|
|Regulation and Compliance||Yes|
|Risk Assessment and Management||Yes|
Hopefully this post gives you some ideas on how you can use either the MS in Cybersecurity degree or the CISSP to advance your career to the next level. For other questions, you can reach out to me at email@example.com. You may also find more information about Quinnipiac's online MS in Cybersecurity here.