I currently manage security for a government regulator. My aspiration is to be serving an organisation as a CISO within the next five years. Academically, do I need to have a Masters Degree (InfoSec/CyberSec) or will the CISSP plus, say, CISM and CRISC (ISC2 admins, don't censor lol) get me on the interview shortlist?
I currently hold the CISSP and OSCP and am contemplating the next step (academically) towards my goal.
As always, the community's valued advice would be much appreciated!
Actually, recently it became known that the CISSP requires the same intellectual capacity that obtaining a MSc requires.
UK NARIC, the UK’s designated national agency for the recognition and comparison of international qualifications and skills, has found the CISSP Certification comparable to RQF Level 7 Masters degree standard (click here for the full article).
Also, obtaining say a CISSP requires that you prove that you have experience. That's a lot better than being just a paper tiger, which in fact most MSc's are just after they've finished their studies.
That does not mean that obtaining a masters is not a desirable option - it is. I know, I did it. If you are somewhat familiar with the Ebbinghaus curves, you'll appreciate that learners should frequently repeat what they learned in order to maintain their knowledge. So, when I obtained my CISSP in 2011 I decided to go for an MSc (in information security) for two purposes: to obtain a degree that is generally accepted in the EU and to retain and deepen my knowledge. I passed with distinction.
So, you might try that yourself. In the meantime, IMHO, you could be a fine CISO, even without ANY certifications or accreditations, though chances are that you won't be paid as well as others that have the proper credentials. But it happens, and given the huge shortage of properly certified people, chances are that even people without certifications can find a job as CISO, especially when you apply for a job with smaller companies and the government.
But given that you already obtained CISSP, I'd say there is no NEED to obtain a masters to be a CISO. Actually, I know quite a lot of CISOs that never did a masters. But if you want to retain your knowledge and perhaps get a slightly higher salary, by all means go ahead and obtain your masters.
ETA: but it should be an MSc in information security or something similar. You already proved that you have the intellectual capacities, so obtaining a masters in, say, history would not really help you much.
It's probably less about having the domain or technical knowledge than about having an understanding of the organisation, its commercial strategy, its politics and how to drive improvement. I attended the ISC2 conference in 2016 and when the audience of 200+ was asked by the presenter 'who wants to be a CISO' only a couple of people raised their hands. Being CISO in some organisations may not be a role you'd want, as they can have a very short shelf life.
Thanks Heinrich for your insightful and balanced response; much appreciated!