As we at Security Current talk to CISOs and other information security leaders on a daily basis, we are often asked career-oriented questions. One frequently asked question is about college degrees: Which degree(s) is most important to help advance a CISO’s career? We understand that people are positioning themselves to climb the corporate ladder, or to attain a more significant position than they currently have, and certainly college degrees are one way to demonstrate a foundational level of knowledge.
As for what degree may be most valuable, we put that question to two experts in the matter, Jamey Cummings, Senior Client Partner with Korn Ferry, and Dave Mahon, Chief Security Officer, CenturyLink.
Security Current: Jamey, in your role at Korn Ferry, you work with many major corporations that are looking to fill high level positions such as Chief Information Security Officer. We are interested in hearing your thoughts on whether candidates for a CISO position need more than a bachelor’s degree, or if they even need one at all. In your experience, what are your clients stating to be the degree requirements for the CISO candidates you bring to them?
Jamey Cummings: The short answer is, generally it doesn’t really matter. For some organizations, I’d say it’s more a cultural thing to pass on someone not having any degree at all. And that does occasionally show itself, even though there are many CISOs who have been quite successful despite the fact they don’t have a degree. However, in a market that is tight for talent and where there are people who have been very successful, I’ve been pleasantly surprised that a good number of my clients have been flexible in their requirements. If the person brings to bear the experience, the knowledge, the soft skills, and the other things that they need to do a good job, then often the hiring company will be okay with the candidate not having a degree.
If someone doesn’t have a degree and they want to attain one in order to take that concern off the table during a job search, I would say to do something that is interesting and relevant. If the person wants to be in information security for a career, it makes sense to do something in technology or business. For people at this level, there’s a certain amount of technological knowledge that is certainly necessary and relevant to have, but business acumen will help to differentiate the person at more senior levels. For someone who is already technically strong, a business degree will help round out the person’s knowledge and help to have conversations with people outside of technology.
I think a master’s degree is nice to have, but at the end of the day, I don’t know that it matters that much. Typically, what I see is someone who would get a master’s degree in information systems or something like that just to enhance their technical capabilities, to stay close to the technology, but others go more the route of business. They want to develop more business acumen and get that MBA and then, maybe longer term, they want to do more than be a CISO. But even if not, I think they feel like it helps them to be more affective in communicating with other stakeholders outside the realm of technology.
Security Current: So much of being a CISO has to do with compliance and understanding third-party contracts to minimize risk, and knowledge of the applicable laws is so important. Do you have clients that might be looking for people with law degrees or backgrounds?
Jamey Cummings: Not necessarily, but I’m doing a couple of privacy executive searches right now, and that’s an area where a requirement to have a JD (Juris Doctor) degree might be more prominent. Privacy and security are increasingly intertwined, and even though the privacy officer may not necessarily report to the CISO, they need to have a good copacetic relationship, similar to risk. So, what we have found is that the desire for a JD, a legal background, is more prominent when it comes to privacy, because they’re typically dealing a lot more with GDPR and compliance and things like that, more so than an information security officer directly.
Security Current: Dave, you’re the highly respected Chief Security Officer at CenturyLink, and you’ve been in the information security business for quite some time. Please share your thoughts on the importance of college degrees, and which ones are important to a CISO’s career.
Dave Mahon: Let me start by looking at this from the perspective of a young person just starting a career today. I think when you’re young and you’re looking to learn technical skills, it might not seem relevant why you would get a college degree, but a degree is very relevant for a couple of reasons. It develops your mind beyond the technical skills. I think there is a great deal to be gained in getting degrees, whether they are computer science, some type of engineering degree, or an information security management degree. Those types of bachelor degrees are what I refer to as preparing an individual for entry into the job market with technical capabilities. If the person is intent on climbing the corporate ladder, say to a CISO position or beyond, he or she will need many more additional capabilities because climbing the corporate ladder is not just incumbent on having technical capabilities. It requires leadership skills, management skills, the ability to speak or to think “360” and holistically, and I think a broader education is essential to the person’s success.
I also recommend that people read books about great leaders who faced significant challenges, and how they thought them through, and what their qualities were. One book I like to recommend is The Last Lion, which is the life of Winston Churchill. It details the challenges of a leader, 66 years old and retired, who emerged in significantly stressful times, when lives were on the line, to lead his nation during war time and maintain their freedom. Those same types of skills are essential if you are going to be a corporate leader today. Or to put it more broadly, it’s about how to think through a strategy and implement it in times of constant change.
Security Current: If somebody is looking to get an advanced degree, would you recommend more of a business degree, like an MBA, as opposed to some sort of additional technical degree?
Dave Mahon: I think it depends upon their career choice. Let’s say the person has an undergraduate technical degree in computer science, and their chosen path is now heading more into a business leadership role. In this case, an Executive MBA may very well be a preferred degree. The process of an Executive MBA program pairs someone with a technical background with people who have other skills, such as accounting and marketing. This team is asked to solve problems or analyze business decisions, and the team members teach one another along the way. That’s a great way to enhance a technical degree with subject matter expertise from colleagues.
That’s one way to look at it. Another way to look at it is, if the person’s chosen path is going to have substantially more technical responsibilities, then I would say that a masters in electrical engineering or something like that would be useful.
Now, that doesn’t mean that they can’t do both. A person’s career can span 30, 40, or even 50 years. They can spend half of that time in a technical area, and then maybe look to become an SVP, an EVP, or maybe even a CEO. In that case, both technical and business degrees can serve them well.
Learning doesn’t have to stop at one or two degrees. There are all sorts of options now for continuing education. There are weekend programs, and remote programs. There are ways to get exposure to MBAs that are sometimes not the full commitment of time. More education is never a bad thing.
Security Current: What about professional certifications? Are those important to a CISO’s career progression as well?
Dave Mahon: Yes, I think that certifications, typically the mainstream ones like the CISSP, are important. Also the technical ones, like GIAC and others, are highly relevant to CISOs.