CISSP vs Master's: How to advance your cybersecurity career

Frederick Scholl, PhD, Cybersecurity Program Director, Quinnipiac University
January 27, 2020


Students often ask if they should pursue an MS in Cybersecurity or a Certified Information Systems Security Professional (CISSP) certification. My answer is: “It depends.”

In this post I want to analyze the factors that might lead you to choose one or the other, or both options. These factors include: where you are in your career path and where you want to go on that path.

Either option should be just one step in the continuous learning process you need to keep ahead in the cybersecurity field.

First, let’s look at what you need to succeed in the cybersecurity field. The best analysis of this has been provided by NICE, the National Initiative for Cybersecurity Education.

Their Cybersecurity Workforce Framework describes exactly what professionals in the field should be able to do. NICE describes the Knowledge, Skills and Abilities (KSAs) needed to succeed in each of the possible security roles.

It is important to note that all three attributes are needed to perform a role. According to NICE:

  • Knowledge is a body of information applied directly to performance of a function
  • Skill is defined as competence to apply tools, frameworks, processes and controls
  • Ability is competence to obtain an observable product.

So, comparing to home repairs, knowledge can be acquired from YouTube, skills can only be acquired by using real tools, and ability is the competence to finish the job, like repairing a plumbing leak.

In cybersecurity, as in home repair, the most valuable commodities are abilities. These include both hard and soft abilities. Hard abilities include things like the ability to execute OS command line; soft abilities include things like communicating effectively when writing.

Abilities rely on skills, such as the capability to identify cyber threats which may jeopardize the organization, and on knowledge, such as knowledge of virtual machine technologies. Both certifications and advanced degrees can help you acquire needed KSAs.

Let’s look at the CISSP requirements. You must get a 70% or better on the CISSP exam and must have five years' work experience in two of the eight CISSP domains. These are:

  • Security and Risk Management
  • Asset Security (Data security)
  • Security Architecture and Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

The CISSP provides inch-deep, mile-wide knowledge and is great at what it is designed to do. To pass, you answer multiple-choice questions in a timed test.

Interestingly, you can get 30% of them wrong and still be a certified professional. The CISSP requires very specific test taking skills. Most security professionals cannot pass the test without preparation.

Now let’s look at an MS Cybersecurity program; I will use Quinnipiac’s program as an example. Ours includes 30 credits spread across 27 courses. Those courses are grouped into nine neighborhoods:

Quinnipiac's MS in Cybersecurity Program

| Security Neighborhood | Course Number | Course Name |
|---|---|---|
| Security and Risk Management | CYB 501 | Foundations of Cybersecurity |
| | CYB 502 | Introduction to Cyber Threats |
| | CYB 503 | Introduction to Cyber Defense |
| Security Technology | CYB 540 | Introduction to Secure Networking |
| | CYB 509 | Operating Systems Security |
| | CYB 517 | Introduction to Cryptography |
| Data Security | CYB 524 | Introduction to Secure Networking |
| | CYB 526 | Non-relational Database Security |
| | CYB 670 | IoT Security |
| Programming for Security Professionals | CYB 506 | Introduction to Programming for Security Professionals |
| | CYB 560 | Programming for Security Analytics |
| | CYB 661 | Programming for Security Automation |
| Building Secure Applications | CYB 662 | Security Web Applications Design |
| | CYB 663 | Secure Web Applications Engineering |
| | CYB 664 | Web Applications Security Testing |
| Identity and Access Management | CYB 665 | Workforce Access Security |
| | CYB 667 | B2C Access Security |
| | CYB 669 | B2B Access Security |
| Resilient Systems | CYB 683 | Resilient Systems Design and Development |
| | CYB 684 | Resilient Systems Testing |
| | CYB 685 | Operating Resilient Systems |
| Capstone | CYB 691 | Capstone I |
| | CYB 692 | Capstone I |

This program is also designed to create a well-rounded cybersecurity defender. It has some additional topics beyond the CISSP: cloud security, resilient systems and programming for security professionals.

Cloud security is a huge issue for security practitioners. The number of cloud jobs has increased 650% since 2012 and shows no signs of slowing. Resilient systems are now the gold standard for security practitioners.

These are systems that fail gracefully when attacked. We included programming for security professionals because often professionals are asked to develop security solutions and not just validate developers’ code.

With our one-credit-hour framework, we revise each course once or twice per year. The CISSP is revised every three years.

The biggest difference between an MS in Cybersecurity and CISSP is that the master's degree offers knowledge, but also hands-on skills training and opportunities to acquire new abilities.

Each master's course includes hands-on skills development and deliverables that test your ability to complete a project on time. The CISSP exam itself is a test of knowledge only.

With that as background, which can be more valuable to you, CISSP or an MS in Cybersecurity? If you already have five years of security experience across multiple domains, then acquiring a CISSP next is a no-brainer.

You will be able to get certified in a short time. Should you then pursue a master's degree? If you already have exposure to leadership positions on the job, then that may be unnecessary.

If not, then the MS in Cybersecurity will give you the opportunity to enhance those abilities and move up in responsibility on the job. This also depends on how your company values advanced degrees. Companies differ on this topic.

What if you have little or no security experience? The MS in Cybersecurity program will expose you to all the security domains, developing skills and abilities so you can make a better case for moving into a security role.

This can be done in 18 months with our online program. The CISSP is a much longer road, which will take five years of your time.

What about ultimate goals? Do you aspire to be a CISO? My research shows that there are multiple paths to this position. Neither a master's degree nor a CISSP is a sure path to the executive suite.

Lack of either isn’t a barrier in any case. Recruiting firm Heller Associates has a nice summary of what it takes to move to the CISO role. Here’s my take on which of those skills you can start to obtain from a master's degree.

The others you will have to acquire on the job or in other training programs.

Skills Acquired in Quinnipiac's MS in Cybersecurity Program

| Ability | Acquire in MS in Cybersecurity Program? |
|---|---|
| Communication and Presentation Skills | Yes |
| Policy Development and Administration | Yes |
| Political Skills | No |
| Knowledge and Understanding of the Business | No |
| Collaboration and Conflict Management Skills | Partly |
| Planning and Strategic Management | No |
| Supervisory Skills | No |
| Incident Management | Yes |
| Regulation and Compliance | Yes |
| Risk Assessment and Management | Yes |

Hopefully this post gives you some ideas on how you can use either the MS in Cybersecurity or the CISSP to advance your career to the next level. For other questions, you can reach out to me at frederick.scholl@quinnipiac.edu.

You may also find more information about Quinnipiac's online MS in Cybersecurity here.
