Master's in Cybersecurity vs. MBA: Navigating Career Advancement in Cyber

Many things come to mind when you think about advancement in your career, but one that often stands out is formal education.

While the tides have started to turn in the tech and cyber industries for what companies expect from employees in terms of requiring formal education at lower-level roles, the expectations at higher levels are still rooted in formal credentialing. Those credentials often come in the form of an advanced degree and gradual assimilation to the standard deviation of the corporate norm.

People in the cybersecurity field who are fortunate enough to be in a position to consider this level of advancement often have several questions that come to mind:

• Should I go back to school and get a master’s degree?

• If yes, should that master’s degree be a Master’s in Cybersecurity, or should it be something more “business-like” with an MBA?

• If yes, am I doing this because I think that’s the right thing to do, or has someone higher up at work told me I need to do it to advance?

• What would either advanced degree mean for my future career prospects, and how would either degree be perceived by future employers?

• Which degree would unlock more doors?

Whatever your own questions and motivations might be for looking down this path, let’s try to answer all these questions and more in this post.

The TL;DR

• For technically inclined individual contributors (ICs), a Master's in Cybersecurity is beneficial.

• Current people managers should consider an MBA for leadership roles, such as CISO.

• Neither an MBA nor a Master's degree guarantees career advancement, and organizational views on these qualifications can vary.

• These qualifications can be seen as stepping stones to future roles rather than immediate career boosters.

• There are many other ways to get technical or go deeper outside of an advanced degree.

Looking at the Data

I did a scientific very informal study back in 2021 about people seeking degrees who worked in the cybersecurity industry.

You can see the full post and data here:

Another quote worth repeating from that same post:

After doing this experiment, I had a suspicion that there would be some percentage of the population who also felt the same about advanced degrees. So I decided to give my own perspective about a Master’s in Cybersecurity and an MBA to hopefully help some people out who are considering this path forward.

The Technical Path with a Master's in Cybersecurity

For Individual Contributors

If you’re an individual contributor - a person who is not directly responsible for HR hiring, performance reviews, firing, etc. - today, a master’s in cybersecurity could help you go deeper technically into the field. This could set you up for higher-level individual contributor roles, like a principal/distinguished engineer or an architect.

Of course, getting an advanced degree is never really about where you currently are in life or your current employer.

You get an advanced degree to set yourself up for success down the road. It's more like compound interest.

It's for the job after the next job.

For the Manager Level

If you’re at the manager level already, a master’s in cybersecurity isn’t likely to do much for your advancement, at least not directly. It won’t hurt your chance for advancement, but you’re already expected to be more business-focused and less tech-focused.

You can still get value from a master's in cybersecurity, especially those focusing on program building and structures. However, unless you come in as a CISO, you're going to have to work within an existing system that may not fit how your courses were set up. It could be a great theory but poor practical application.

Beyond the Classroom: Practical Ways to Sharpen Your Cybersecurity Skills.

If you're a manager and using a master's in cybersecurity as a way to “stay technical,” there are a lot better ways to get technical without a master’s:

• Make something and ship it.

• Do A Cloud Guru or TryHackMe.

• Do the Cloud Resume Challenge (now also see The Kubernetes Resume Challenge).

• Submit a conference talk.

• Write a newsletter (see the stack I use for Return on Security).

• Start a blog about any of the above.

• Start a YouTube channel about any of the above.

As you move up in cybersecurity, things become more about the business of running a function and less about the tech work itself.

Getting a master’s in cybersecurity as a manager won’t hurt you, but it may not give you the return you hope for.

The Leadership Ascent: Advancing with an MBA

For Individual Contributors

On the other hand, if you’re an IC today who wants to be a manager and pursue an MBA, it’s not likely to help you get your first manager role.

Landing your first manager role is a whole lot more about timing, who you know, and someone willing to take a risk on you.

Employers typically want to see a "sure thing" when it comes to management roles. Employers don't like to take chances on training managers; they just want to bring people in who already have the skills.

This is what makes landing your first manager job so hard, but more on that metamorphosis in a later blog post.

Getting an MBA as an IC in cybersecurity won’t hurt your chances of advancement, but it won’t immediately pay dividends in your climb, either.

For the Manager Level

When you’re already at the manager level in the cybersecurity field, getting an MBA is a different story.

1. Getting an MBA while a manager, the classes will be a bit more relatable to what you actually do day-to-day.

2. You’ll start to get associated more with the “business side of things,” and you can play that up.

Understanding, communicating, and enabling the business through cybersecurity should be the ultimate goal of cybersecurity. Businesses don't exist to be secure. They exist to serve customers and make money.

The goal of cybersecurity is to support the business to be as secure as possible while enabling that main goal. As you advance, keep this business framing in mind. Remember, being a CISO is not a technical role; it’s a business role.

Deciding between an MBA and a Master's in Cybersecurity

That part is a lot harder to decide which path you want to take. The answer is that the journey is as unique as the individual embarking on it.

Whether through a Master's in Cybersecurity, an MBA, or alternative routes of self-improvement and skill acquisition, the key lies in aligning your educational choices with your career aspirations and the evolving demands of the cybersecurity landscape.

You've got to think about your career a few years out and what you might want to do to know how to answer this question for yourself. That requires a bit more methodical thought and planning to get yourself on the right path.

Of course, if you want to pursue either (or both!), I’d never advise against it. Many, many paths can get you to your goals.

This is just my take on my own path, filled with my own biases and goals, so take that as you will.

Level Up Your Career

There are also other ways you can continue to learn and hone your leadership approach to position yourself for career advancement.

I made the CareerSec course just for that:

This course and field guide go through the thought processes and strategies that have fast-tracked my own career advancement.