I recently received my CISSP certification, and look forward to expanding my skillset and developing my career further. I've received some encouragement from a CISO I trust to consider getting an MBA. I've given it some thought and am undecided if an MBA is worth it for me. I have almost 20 years of experience in the software development industry, and wonder if an MBA at this stage in my career will be a good return on my investment of time and money. I want to be able to better communicate with the C-suite, and maybe join them one day.
I would appreciate any thoughts the ISC2 community has to offer.
Personally I went with a Masters in Information Security and Assurance. I have seen it said a number of times that it is much harder to teach security to a business person than to teach business to a security person. I have watched a few "day in the life of a CISO" and they have just scared me! One person had a background in sales, another said they don't understand the technical stuff but have people for that, and they can put together a 3-5 year strategy like nobody's business! Ok, explain how you can put a strategy together on something you don't really understand! I think this is one of the major issues we are having right now, people in CISO positions that might understand business but don't really have a clue when it comes to the actual security they are supposed to be in charge of. I keep learning new things regardless of if I will be hands on with it or not, but rather to have a better understanding of things, how they work, and how the different parts fit together. How many of these people don't focus on backups and updates? Umm isn't that step 1?
I am very interested to see other people's ideas and points of view on this...
You can't go wrong with the MBA route but I'd also look at the different concentrations, e.g., Security or IT, they offer. As others have stated, communication and leadership skills can be learned by simply reading books and practice. If you need the discipline of the structured University route, then by all means do that. A graduate degree is a common education hurdle for the C-Suite and that may be the best path if you do want to join them one day.
FYI, most Cyber/IT/CS degrees at the grad level will offer or require business classes. We need more people at that level who are not only business savvy but also have a solid technical background for perspective. The World needs less MBAs and more STEM degrees. Elon Musk and I both agree on that issue at least.
MBA is actually getting expensive nowadays.
Talking about value, everyone has different values. I'll use myself as an example.
I graduated with a bachelor's in computer engineering more than twenty years ago. In my 20s I said to myself that I would not take a further "tech" master's like a Master's in computer science (now I am taking another semi-tech one for cybersecurity). In my 30s I took my MBA and MSc in finance together.
To me, I think it's worth it, because I lack business background and knowledge. And you can get the good part of networking as well.
So it depends on what your objective and background are. If you are looking for business knowledge and languages, and you are not a business major, then I would say you will be getting the most out of it.
If you are already a business major, yes, you might get some more knowledge, but more important to you is networking. You are getting part of the value, but is this worth it... I will leave this to you.
If it's financially affordable and you have the time and energy, and family support, then go for it.
Hope this answers your questions.
Remarks: as a CISO, does my MBA help... maybe yes. I did not ask my boss why she hired me or exactly what made her hire me (I mean MBA, security certifications or experience). But I believe it comes with a total package.
It is almost impossible to answer your question because I do not know what you value. I'm sure you've noticed that the CISSP covers a number of technical security domains. The most useful practitioners are those who have actually worked through the problems that arise in one of those domains. I do not know how an MBA will help you become a better security professional -- on-the-job work experience is often the best teacher.
If you are looking for money, expect your salary to top out at a certain dollar value regardless of how many degrees you have. The people who make the most money in this field are those who are executive consultants or disaster/crisis folks who can charge a mint for their work. If you desire to be among those people, seek them out and do what they ask of you. Chances are good that "getting an MBA" is not on that list.
My opinion is, it depends on where you see your career going. If you want to be a CISO, I would say that an MBA is well worth it. Having had 20 years of technical experience, I believe you already have a solid technical background. The job of the C-suite is not technology, and a lot of IT and Security professionals have a hard time dealing with this fact. The job of the C-suite, CISO, CIO & CTO inclusive, is BUSINESS. As a CISO you should be able to understand what is most important for the business (business savvy) and how you can use security to enable the business to achieve these objectives (security savvy). You should understand business strategy, marketing, leadership, corporate finance, financial & managerial accounting, economics, etc. When you sit in the boardroom with other C-level executives you won't be discussing technology or vulnerabilities but business, and you cannot drive a successful security program (including implementing technology controls) if you cannot sit comfortably at this level and justify how security will improve the financial bottom line. Remember, what is most important to the business is to make money, not to be secure.
I just want to add something but I don't know the best way to get this, hopefully others have some ideas. The most valuable thing to me is the ability to convey technical info in non-technical ways. This is how you speak to the C-suite. I am lucky because this seems to come naturally to me, but being able to talk tech when needed and explain things without using a single tech word is very important. It makes it easier to get buy-in from others. If they glaze over at things they don't understand you will not be able to make things happen...
I like to think I can explain almost anything to anyone...
Let me give this a shot... what is Docker?
It lets you have something in its own little box that isn't dependent on anything else. If something happens to it you can easily destroy and recreate it. If one box isn't enough you can add more boxes to help handle things.
No, this doesn't fully cover things, but it might be enough that a non-tech person can get a basic idea...
Right or wrong... let's hear it!