After spending ~8 years actively managing and learning about cybersecurity — I chose to pursue a MS in Cybersecurity degree over pursuit of a slew of professional certifications. I initially struggled with that decision and my rationale was primarily driven by 4 decisions:
1. Choosing learning depth over certification expediency
2. Expanding my professional relationships as a key outcome
3. Participating in learning at a National Security Agency / National Centers of Academic Excellence in Cybersecurity educational institution
4. Prioritizing high quality learning by selecting a US top 15 ranked school offering online courses
I will still pursue professional cybersecurity certifications over time (like the CISSP) — but with a goal of adding checkboxes that provide additional validation of my learnings and experience from my MS degree. This only matters for external credibility with a subset of customers, regulators, and other cybersecurity practitioners. (The credibility with cybersecurity practitioners is dubious at times due to the large volume of “certified” professionals who have minimal hands-on experience / time in seat / learned judgement.)
Choosing learning depth over certification expediency
There are hundreds of thousands of certified practitioners for major cybersecurity certifications. I regularly see “helpful” posts on LinkedIn/X providing guidance on which of the 100+ certifications are good. These posts further offer additional simplification by aggregating dozens of certifications into buckets by perceived complexity, niche or career stage — beginner, specific to penetration testing, management, etc. The CISSP is a commonly cited certification for managers. A quick Internet search at the time of writing this article returned 85K results for “CISSP exam training”. Scrolling through — there are promises of achieving the certification by attending a 5-day bootcamp, numerous self-study guides/flashcards, and a gazillion offers to get someone across the goal-line by memorizing security facts. Concepts are good — and helping someone to pass a standardized test like the CISSP is an admirable goal.
Memorization of concepts for cybersecurity is one of the requirements for a Masters in Cybersecurity — but so are in-depth labs every week. For example — over the course of the two year program, I probably spent 80 hours working with Wireshark in multiple different environments. Some additional examples of lab work in one of my classes — a Digital Forensics class:
– I had to fill out chain of custody forms for a digital forensics class — the same or similar forms used by corporate forensic and law enforcement teams.
– I used Paraben’s E3 workbench to search for evidence on copied hard drives files and mobile phone dumps from Cellebrite.
– I used StegExpose and OpenStego to find hidden evidence in Steganography in images and Xio for .wav and audio files.
For my Penetration Testing course, I used Zenmap for Reconnaissance, Metasploit for attack packages and reverse shells, Aircrack-ng for breaking passwords/keys, composed social engineering attacks with emails and dummy HTML pages, and analyzed SIEM log files for incident root cause analysis. You get the idea. Essentially each course was full of concepts and hands on labs — the labs being something that the CISSP exam doesn’t offer.
Finally — each course had required research and threaded discussions. Every week a topic was posted and students were required to post about the topic and make two meaningful posts on other student posts for the week. For example — one week the topic was on Malware and tactics / techniques for preventing and responding to Malware incidents. Another week was finding and analyzing a recent cybersecurity breach — describing the breach, reverse engineering the tactics and approaches that were used, and describing what could be done to prevent the breach going forward. Some of these discussions took me 4 or 5 hours to research and present — while others took only 60 minutes. The research was great for learning — but so were the interactions and perspectives of the other students in my classes. The discussion research and interactions were another form of learning that you don’t get from memorizing the book for a CISSP certification.
Expanding my professional relationships as a key outcome
One of my primary motivations for choosing a Masters in Science degree over the CISSP was to accelerate the expansion of my professional cybersecurity practitioner network. Through the degree coursework I met cybersecurity practitioners via group projects and the weekly threaded discussions — people that I can call on in the future to hash things out with. The threaded discussions gave me a different perspective as I interacted with new industries and learned about their cybersecurity challenges. This is what I was looking for.
The unexpected network connections were the professors. Some of them were full-time experts working in industry — at Microsoft, Google, Pepsi, and others. Others came from industry and are now teaching / consulting. They were insightful and I learned a lot and made great connections for the future.
Participating in learning at a National Security Agency / National Centers of Academic Excellence in Cybersecurity institution
I wanted a way to focus on cybersecurity excellence for my Masters in Science — and this led me to focus on only schools that offered at least one of the US National Security Agency (NSA) designations of Academic Excellence for cybersecurity. The NSA created and currently manages a program that sets educational standards for cybersecurity, and awards designations to Colleges and Universities that follow these standards and meet related requirements. The program and details can be found here: https://www.nsa.gov/Academics/Centers-of-Academic-Excellence/
I’m sure that the CISSP program covers many of the topics that the NSA centers of excellence embrace — but the NSA accreditation requirements also include competency development, community outreach and full integration of cybersecurity across academic disciplines. The NSA actively works on updating and setting standards for current cybersecurity problems. For example — for the CyberDefense designation, a University is required to map student outcomes against learning outcomes annually. The 2024 requirements are as follows:
Foundational Competencies:
– IT Systems Components, Cybersecurity Foundations, and Cybersecurity Principles.
Either 5 technical core competencies or 5 non-technical core competencies:
Finally, there are 56 optional competencies:
All of the Designation requirements for Center of Academic Excellence — Cyber Defense can be found here: https://dl.dod.cyber.mil/wp-content/uploads/cae/pdf/unclass-cae-cd_designation_requirements.pdf
As of this writing there are 463 institutions that have current designations for cybersecurity operations, defense, or research.
Prioritizing high quality learning by selecting a US top 15 ranked school offering online courses
My final decision point was to identify an academic institution that offered all of the previously discussed items — plus was academically rigorous and recognized for that rigor. The universe of high-quality programs that have NSA CAE designations, plus a specific cybersecurity MS degree that is offered online, is not huge. So, selecting one that is consistently ranked in the top 15 equates to picking a “top tier” program. The online component was critical for me since I work full-time and have a family. Online courses allowed me the flexibility required to work around my work and family schedules. I narrowed down the choices and eventually chose the University of Dallas: https://udallas.edu/academics/programs/cybersecurity/index.php
The program costs around $42/43K USD for tuition and books. It was not the cheapest, nor was it the most expensive. I appreciated that the degree was offered by the business school — since my professional experience level is management focused. As a Catholic — the school’s faith foundation was appealing. The faculty experience and combination of industry and academic experience was appealing. The fact that the director of the program, Dr Sandra Blanke, is still conducting recent research and is part of the leadership for working with the NSA on the NSA CAE-CD curriculum was appealing. Overall, I am highly satisfied with the quality of the program, the depth of the learning and the connections that I made throughout — and am proud to say that I completed my degree in August of 2024. It was such an energy giving time for me — that I decided to pursue my PhD in Cybersecurity Management and begin that program in January of 2025 at NOVA Southeastern.
I’m not opposed to the CISSP certification — and will probably complete it at some point. However, the MS in Cybersecurity from the University of Dallas was incredibly fulfilling, and I learned so much more than I ever could from memorizing a textbook for a professional cert.
David Mosher is a CEO, Board Member, virtual Chief Information Security Officer (vCISO), MS in Cybersecurity, PhD Student in Cybersecurity Mgmt.