Security cert vs. a master's degree -- which holds more weight?
I am considering investing $20,000 for a master's degree in information assurance through Norwich University, one of the few universities endorsed by the NSA as a leader in information assurance education. What is your opinion of certifications versus degrees in the area of information security? Also, would a master's degree in information security from a lesser known school carry as much weight when it comes time to job hunt?
Great questions, all of them, and they touch on a key aspect involved in any job search: a candidate's ability to represent him- or herself well, and to position what he or she knows in a positive, relevant and compelling way. It's still very much the case that an advanced degree like a master's in IA, CS, MIS, etc. is perceived to have greater value than even a fairly prestigious security certification such as the CISSP or CPP -- as long as the candidate who holds the degree can meet or exceed the experience requirements that come with these credentials.
You will want to address not only what you studied and what you know, but also what you've seen and done, and what kinds of security situations you've encountered and problems you've solved, when you get to the interview stage. All that said, your plan makes pretty good sense to me. As a sanity check, however, it's entirely reasonable for you to ask Norwich University the following questions:
- What kinds of job placement assistance does your program include?
- What placement rates have prior graduates enjoyed?
- What kinds of starting salaries are typical for graduates?
- What kinds of organizations have hired graduates?
...and so forth (hopefully, you get the drift by now, I hope).
The real value of the CISSP and CPP, by contrast, is that candidates must not only pass an exam (which anybody with good exam preparation skills and a good working knowledge of general security concepts, terms, tools and technologies can pass) but they must also document anywhere from three to four (CISSP) to seven to nine (CPP) years of relevant work experience, along with other hurdles they must jump. It's pretty typical for holders of such credentials to earn high five- or low six-figure incomes -- not because of the certification, mind you, but because of the certification AND
the value of the security experience such a certification purports to warrant.
HTH, and good luck with your security education activities.
This was first published in May 2003