In this post I want to analyze the factors that might lead you to choose one or the other, or both options. These factors include: where you are in your career path and where you want to go on that path.

Either option should be just one step in the continuous learning process you need to keep ahead in the cybersecurity field.

First, let’s look at what you need to succeed in the cybersecurity field. The best analysis of this has been provided by NICE, the National Initiative for Cybersecurity Education.

Their Cybersecurity Workforce Framework describes exactly what professionals in the field should be able to do. NICE describes the Knowledge, Skills and Abilities (KSAs) needed to succeed in each of the possible security roles.

It is important that all three attributes are needed to perform a role. According to NICE:

• Knowledge is a body of information applied directly to performance of a function
• Skill is defined as competence to apply tools, frameworks, processes and controls
• Ability is competence to obtain an observable product.

So, comparing to home repairs, knowledge can be acquired from YouTube, skills can only be acquired by using real tools, and ability is the competence to finish the job, like repairing a plumbing leak.

In cybersecurity, as in home repair, the most valuable commodities are abilities. These include both hard and soft abilities. Hard abilities include things like ability to execute OS command line and soft abilities like communicating effectively when writing.

Abilities rely on skills such as capability to identify cyber threats which may jeopardize the organization and on knowledge such as knowledge of virtual machine technologies. Both certifications and advanced degrees can help you acquire needed KSAs.

Let’s look at the CISSP requirements. You must get a 70% or better on the CISSP exam and must have five years' work experience in two of the eight CISSP domains. These are:

• Security and Risk Management
• Asset Security (Data security)
• Security Architecture and Engineering
• Communications and Network Security
• Identity and Access Management
• Security Assessment and Testing
• Security Operations
• Software Development Security

The CISSP provides inch deep, mile wide knowledge and is great at what it is designed to do. To pass, you answer multiple choice questions in a timed test.

Interestingly, you can get 30% of them wrong and still be a certified professional. The CISSP requires very specific test taking skills. Most security professionals cannot pass the test without preparation.

Now let’s look at an MS Cybersecurity program; I will use Quinnipiac’s program as an example. Ours includes 30 credits spread across 27 courses. Those courses are grouped into nine neighborhoods:

Quinnipiac's MS in Cybersecurity Program

This program is also designed to create a well-rounded cybersecurity defender. It has some additional topics beyond the CISSP: cloud security, resilient systems and programming for security professionals.

Cloud security is a huge issue for security practitioners. The number of cloud jobs has increased 650% since 2012 and shows no signs of slowing. Resilient systems are now the gold standard for security practitioners.

These are systems that fail gracefully when attacked. We included programming for security professionals because often professionals are asked to develop security solutions and not just validate developers’ code.

With our one credit hour framework, we revise each course once or twice per year. The CISPP is revised every three years.

The biggest difference between an MS in Cybersecurity and CISSP is that the master's degree offers knowledge, but also hands-on skills training and opportunities to acquire new abilities.

Each master's course includes hands-on skills development and deliverables that test your ability to complete a project on time. The CISSP exam itself is a test of knowledge only.

With that as background, which can be more valuable to you, CISSP or an MS in Cybersecurity? If you already have five years of security experience across multiple domains, then acquiring a CISSP next is a no brainer.

You will be able to get certified in a short time. Should you then pursue an master's degree? If you already have exposure to leadership positions on the job, then that may be unnecessary.

If not, then the MS in Cybersecurity will give you the opportunity to enhance those abilities and move up in responsibility on the job. This also depends on how your company values advanced degrees. Companies differ on this topic.

What if you have little or no security experience? The MS in Cybersecurity program will expose you to all the security domains, developing skills and abilities so you can make a better case for moving into a security role.

This can be done in 18 months with our online program. The CISSP is a much longer road, which will take five years of your time.

What about ultimate goals? Do you aspire to be a CISO? My research shows that there are multiple paths to this position. Neither a master's degree or a CISSP is a sure path to the executive suite.

Lack of either isn’t a barrier in any case. Recruiting firm Heller Associates has a nice summary of what it takes to move to the CISO role. Here’s my take on which of those skills you can start to obtain from a master's degree.

The others you will have to acquire on the job or in other training programs.

Skills Acquired in Quinnipiac's MS in Cybersecurity Program

Hopefully this post gives you some ideas on how you can use either the MS in Cybersecurity or the CISSP to advance your career to the next level. For other questions, you can reach out to me at frederick.scholl@quinnipiac.edu.

You may also find more information about Quinnipiac's online MS in Cybersecurity here.