Tuesday, June 18, 2013

A Master’s Degree in Information Assurance or Information Security…Worth the Investment?

Last week a Facebook connection whom I’ve known for quite a while posted this:
“It's a time of great change and flux at work right now so I see a window of opportunity to finally get my master’s degree. Problem is where is the best place to get a Information Assurance Master’s Degree?
Because I know this information security professional personally and I have a few ideas to share regarding Master’s degrees, I offered a few suggestions:

“Not a recommendation but a suggestion for something for you to explore: University of Maryland, Norwich...many others. If you're going to make this investment, do it because you see personal value in doing so but don't expect that employers will immediately reward you for a Masters in Information Security. They're just not asking me to deliver candidates with such a degree yet. Another thing to consider is whether you will attend the distance learning arm of a brick and mortar school or whether you will invest in a school that just has an Internet presence. I would lean towards the brick and mortar option and if you want to know why, feel free to call me at 719.686.8810.
I wasn’t the only one who had ideas to share.  Here were a couple of other comments that were offered to my Facebook connection:

“I have held off because from a salary perspective vs. experience perspective, experience pays more unless you are just trying to get in the door. You are not a newbie, so if you are doing it for personal reasons, I agree with Jeff in that brick and mortar would be the way to go. Do it for the experience!
“I started doing mine a few years ago with Capitol College online, but quit it after 3 courses. It just felt like the online approach was a diploma factory, and I didn't see any real benefit to it after a while. I agree that experience is a better selling point than a 'meaningless' master’s degree. I know several people who have completed one, and it didn't improve their work one bit because they just wanted the degree and didn't learn anything in the process.
“Jeff, if you go to the Norwich website and register as a perspective student…you will get 10 calls a week from them
In in the process of filling information security jobs, I have yet to work with an employer that has asked me to deliver a candidate who possesses a master’s degree in information assurance or information security.  This is not to say that these degrees have no value.  I’m simply addressing the demand side of the discussion.

Years ago, I distinctly remember a call I shared with an information security professional who had just completed a PhD.  He was upset that his employer wasn’t giving him a raise and a promotion as a result of completing the degree. If you pursue advanced education, my suggestion is that you do so because you want to, not because you assume an employer will reward you for an advanced degree.

If you’re an information security professional who wants to stay on a technical career path, a master’s degree in information security or information assurance might be a wise choice.  

However, if you have aspirations to one day become a CISO or CSO, I strongly suggest that you consider an MBA.  Employers need security leaders who can understand the business and who can craft security and risk management solutions that are beneficial to the business.

Employers have asked me to deliver candidates for security leadership positions who possess an MBA.

If you have experience with a school that provides a Master's level degree in Information Security or Information Assurance, it would be great to hear from you.  I've shared only a few points of view because that's all I have to share.

SecurityRecruiter.com's Security Recruiter Blog