topic Re: New CISSP considering whether an MBA is worth it in Career Discussions

New CISSP considering whether an MBA is worth it

nielsoncr — Mon, 09 Oct 2023 10:00:23 GMT

I recently received my CISSP certification, and look forward to expanding my skillset and developing my career further. I've received some encouragement from a CISO I trust to consider getting an MBA. I've given it some thought and am undecided if an MBA is worth it for me. I have almost 20 years of experience in the software development industry, and wonder if an MBA at this stage in my career will be a good return on my investment of time and money. I want to be able to better communicate with the C-suite, and maybe join them one day.

I would appreciate any thoughts the ISC2 community has to offer.

Re: New CISSP considering whether an MBA is worth it

JKWiniger — Tue, 12 Oct 2021 20:17:36 GMT

Personally I went with a Masters in Information Security and Assurance. I have seen it said a number of times that it is much harder to tech security to a business person than teaching business to a security person. I have watch a few day in the life of a CISO and they have just scared me! One person had a background in sales, another said they don't understand the technical stuff but have people for that, and they can put together a 3-5 year strategy like no body's business! Ok, explain how you can put a strategy together on something you don't really understand! I think this is one of the major issues we are having right now, people in CISO position that might understand business but don't really have a clue when it comes to the actual security they are supposed to be in charge of. I keep learning new things regardless of if I will be hands on with it or not, but rather to have a better understand of things, how they work, and how the different parts fit together. How many of these people don't focus on backups and updates? Umm isn't that step 1?

I am very interesting to see other peoples ideas and points of view on this...

John-

Re: New CISSP considering whether an MBA is worth it

bkwalker — Wed, 13 Oct 2021 02:30:40 GMT

Depends on where you want your career to go. If you want to 'join' them, it might make sense to pursue an MBA.

Having problems communicating with C-suite folks sounds like a different issue. You may want to spend some time figuring out what areas you are weak which create communication issues and focus on that. Perhaps taking some online business courses would be a good start prior to diving into an MBA Program.

Break it down, and bite off a bit at a time until you have a clear direction would be my advice. Know yourself and all that.

Good luck.

Re: New CISSP considering whether an MBA is worth it

RRoach — Wed, 13 Oct 2021 13:56:14 GMT

Don't know if you are on LinkedIn but there is alot of discussions on certs and degree in regards to career advancement, etc. Worth a look.

Re: New CISSP considering whether an MBA is worth it

tmekelburg1 — Wed, 13 Oct 2021 14:25:11 GMT

You can't go wrong with the MBA route but I'd also look at the different concentrations, e.g., Security or IT, they offer. As others have stated, communication and leadership skills can be learned by simply reading books and practice. If you need the discipline of the structured University route, then by all means do that. A graduate degree is a common education hurdle for the C-Suite and that may be the best path if you do want to join them one day.

FYI, most Cyber/IT/CS degrees at the grad level will offer or require business classes. We need more people at that level who are not only business savvy but also have a solid technical background for perspective. The World needs less MBAs and more STEM degrees. Elon Musk and I both agree on that issue at least.

Re: New CISSP considering whether an MBA is worth it

csjohnng — Wed, 13 Oct 2021 17:47:30 GMT

MBA is actually getting expensive nowadays.

Talking about value, everyone has different values. I use myself as example

I graduated in bachelor in computer engineering more than twenty years ago, I said to myself at my 20s, I will not take a "tech" master further like Master in computer science (now I am taking another semi-tech one for cybersecurity). At my 30s I took my MBA, Msc in finance together.

To me, I think it's worth, because I am lack of business background and knowledge. And you can get the good part of networking as well.

So depending what is your objective and background. If you are looking for business knowledge and languages, and you are not business major, then I would say you will be getting the most out of it.

If you are already business major, yes you might get some more knowledge, but more important to you is networking. You are getting part of the value but does this worth... I will leave this to you.

If it's financially affordable and you have the time and energy , family support, then go for it.

Hope answer your questions.

Remarks, As a CISO, does my MBA helps.. maybe yes. I did not ask my boss why she hire me or exactly what make her hire me ( I mean MBA, security certifications or experience). But I believe it comes with a total package.

Re: New CISSP considering whether an MBA is worth it

joetermine — Thu, 14 Oct 2021 02:49:29 GMT

It is almost impossible to answer your question because I do not know what you value. I'm sure you've noticed that the CISSP covers a number of technical security domains. The most useful practitioners are those who have actually worked through the problems that arise in one of those domains. I do not know how an MBA will help you become a better security professional -- on-the-job work experience is often the best teacher.

If you are looking for money, expect your salary to top out at a certain dollar value regardless of how many degrees you have. The people who make the most money in this field are those who are executive consultants or disaster/crisis folks who can charge a mint for their work. If you desire to be among those people, seek them out and do what they ask of you. Chances are good that "getting an MBA" is not on that list.

Re: New CISSP considering whether an MBA is worth it

CKO — Thu, 14 Oct 2021 06:35:46 GMT

My opinion is, It depends on where you see your career going. If you want to be a CISO, I would say that an MBA is well worth it. Having had 20 years of technical experience, I believe you already have a solid technical background. The job of the C-suite is not technology and a lot of IT and Security professionals have a hard time dealing with this fact. The job of the C-suite; CISO, CIO & CTO inclusive is BUSINESS. As a CISO you should be able to understand what is most important for the business (business savvy) and how you can use security to enable the business achieve these objectives (security savvy). You should understand business strategy, marketing, leadership, corporate finance, financial & managerial accounting, economics e.t.c. When you sit in the boardroom with other C-level executives you won't be discussing technology or vulnerabilities but business and you cannot drive a successful security problem (including implementing technology controls) if you cannot sit comfortably at this level and justify how security will improve the financial bottom line. Remember, what is most important to the business is to make money, not to be secure.

Re: New CISSP considering whether an MBA is worth it

JKWiniger — Sat, 16 Oct 2021 10:02:06 GMT

I just want to add something but I don't know the best way to get this, hopefully others have some ideas. The most valuable thing to me is the ability to convey technical info in non technical ways. This is how you speak to the C-suite. I am lucky because this seems to come naturally to me, but being able to talk tech when needed and explain things without using a single tech word is very important. It makes it easier to get buy in from others. If they glaze over by things they don't understand you will not be able to make things happen...

I like to think I can explain almost anything to anyone...

Let me give this a shot... what is docker?

It lets you have something in it's own little box that isn't dependent on anything else. If something happens to it you can easily destroy and recreate it. If one box isn't enough you can add more boxes to help handle things.

No this doesn't fully cover things but it might be enough to a non tech person can get a basic idea...

right or wrong.. lets hear it!

John-

Re: New CISSP considering whether an MBA is worth it

csjohnng — Sat, 16 Oct 2021 14:05:07 GMT

John,
Totally agree. The ability to convey a technical message to a simple English is key.

I think this is also true for technical professionals when they reach a certain seniority, if you truly understand the matter, one should able to simply tell the story and make your grandmother understand.
John

Re: New CISSP considering whether an MBA is worth it

Select_From — Sun, 07 Nov 2021 03:54:31 GMT

Also a new CISSP. I really appreciate this post and I plan to follow it. I have career ambitions of eventually reaching a CISO level. Been an engineer for 15+ years Looking to head into leadership and possibly bypassing the lower and middle management phases.

Re: New CISSP considering whether an MBA is worth it

JKWiniger — Sun, 07 Nov 2021 16:17:09 GMT

@Select_From It seems we have some things in comment and probably face some of the same challenges. With a hand on background do you think it will be difficult to be hands off as you move up the ladder? And will you miss being hands on? I have been looking into different CISOs and I am shocked by the lack of background I am seeing. One person had a sales background, another said they didn't understand the tech but had people for that, but they could write one hell of a 5 year strategic plan. My thought was how can you write a plan for something you don't understand?

With all the talk of the talent shortage in security I think it creates more problems than it solves. People seem to think they can just go take a course in security and they are qualified to get a job. Just like with the higher level positions I feel that people need a good foundation and understanding, otherwise how can they handle what is needed...

Just a few thoughts...

John-

Re: New CISSP considering whether an MBA is worth it

Select_From — Sun, 07 Nov 2021 18:31:07 GMT

With a hand on background do you think it will be difficult to be hands off as you move up the ladder? And will you miss being hands on?

Hey @JKWiniger, I appreciate you asking those questions. I have spent many years thinking through these exact questions of do I want to give up the hands on day-to-day that I have excelled at for so many years. For me, what really allowed me to excel over the past years is my passion for understanding why things work or why they don't, and figuring out solutions to make them work. That motivation to find a problem and solve it is the key underlying driver for why I've exceled in the IT/IS fields. Moving towards leadership means that the problems and solutions I would be working on would transform from technical into organizational. Also, moving into leadership doesn't mean that I would have to give up technical abilities, it would actually free me up to spend time on personal technical projects outside of work.

I have been looking into different CISOs and I am shocked by the lack of background I am seeing. One person had a sales background, another said they didn't understand the tech but had people for that, but they could write one hell of a 5 year strategic plan. My thought was how can you write a plan for something you don't understand?

I understand what you mean in regards to CISOs, CIOs, and CTOs being less technical and far more administrative. I have seen these executive leaders really heavily depend upon their technical team. In some respects that worries me quite a bit, especially where there is so much legal responsibility on a person in that role.

I have wondered what makes an individual qualified for such a role. Smaller organizations tend to promote or seek top technical talent to run their IT/IS groups. Mid-tier organizations seem to search for SVPs from larger organizations. While large organizations tend to look for already existing C-level individuals who are presently working within the same industry.

I've resigned that breaking into a C-level role will likely mean moving into a much smaller organization, where you wear many hats and juggle a lot of different work. However, if I'm wrong and I'm missing some key piece, I'd love to hear from others.