Shostack + Friends Blog Archive


Would a CISO benefit from an MBA education?

This question was introduced recently in an article by Upasana Gupta: Should a CISO Have an MBA? She asked four CISO’s their opinion, and three essentially said “no”, while one said “yes”.  Eric, at Security, Cigars, and FUD blog, posted his opinion here and here.  Basically, he said “no, it’s not necessary as a credential, but some business knowledge might be helpful”.   The opinions offered on Twitter were almost universally “no”.

As a business guy, I was somewhat surprised that much of the discussion and opinions centered on MBA as a credential rather than what knowledge or skills someone would learn in an MBA program.  None of us at New School are a fan of credentials as such, so my interest in this question is on the educational value compared to alternative investments in education

Also following the New School philosophy, I thought I would look for data and evidence rather than just offering my opinion.

To my delight, I found a fairly comprehensive study: THE CHIEF INFORMATION SECURITY OFFICER: AN ANALYSIS OF THE SKILLS REQUIRED FOR SUCCESS, by Dwayne Whitten of Texas A&M University . The paper is worth reading because it gives a good overview of the conflicting values and forces that are affecting CISO hiring, evaluation, and effectiveness.

Specifically, he finds a gap between how CISOs define success and the job duty descriptions. Quoting from his conclusion:

Based on a thorough review of the literature, interviews with security executives, and an analysis of job listings, a comprehensive list of duties and background/experience requirements were found related to the CISO position (see Table 3). The most interesting issue that arose from this research is that business strategy did not make the list of most included job duties. Given the high level of importance given to this by the literature and the executives, it is surprising that it was not listed on the job listings surveyed. Thus, it appears that many of the organizations searching for new CISOs during the research period did not fully understand the importance of including the CISO in the business strategy formulation.  [emphasis added]

This dichotomy seems to relate to how CISOs are viewed.  From one point of view, CISO is equivalent to “Most Senior Information Security Manager”.  That is, they contribute to the organization in exactly the same way as do other information security managers, but only on larger scope.  It is this perspective that is most closely aligned with the opinion that an MBA education would not be helpful.  Instead, it would be more valuable to get deeper education in InfoSec technical aspects — engineering, forensics, incident response — plus regulations, compliance, etc.

Another point of view is that a CISO is an executive officer of the organization, and thus has fiduciary duties to stakeholders regarding the organization’s overall performance, and also has teamwork responsibilities with the other executive officers regarding crucial strategic decisions.

Maybe this is rare in practice, and maybe the “Chief Information Security Officer” title is just another example rampant job title inflation.  But if a CISO in some organizations are expected to perform in this role, then it is not the case that they are not “just another information security manager, only  bigger”.  Their job is qualitatively different and the knowledge gained at a good quality B-school might be just what they need.

To respond to Eric, who said “And I’ve yet to see a course on security risk management in traditional MBA programs”, I offer two examples: 1) James Madison University offers an MBA in Information Security.  2) Worcester Polytechnic Institute offers an MBA concentration in Information Security Management. The WPI MBA course catalog list quite a few that would be directly valuable to a CISO (e.g. “INFORMATION SECURITY MANAGEMENT”, “OPERATIONS RISK MANAGEMENT”, and “E-BUSINESS APPLICATIONS”), plus many that would be indirectly valuable (statistics, change management, negotiations).   (Disclosure: I got my undergraduate degree from WPI.  Their MBA program is very good, esp. for technical managers.)

I’ll close with a comprehension test for CISOs.  Read this workshop report: Embedding Information Security Risk Management into the Extended Enterprise.  It’s the output of 18 CISO discussing the most challenging issues facing them regarding information security across their enterprise and across their supply chain.

I think you’ll see that most of the problems involve analysis and methods go well beyond the typical education and experience of information security managers.  Instead, they require knowledge and skills that are more typically covered in MBA programs — business strategy, economics, finance, organization behavior and change management, organization performance management and incentives, plus business law and public policy.

Conclusion: if a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the knowledge and skill exemplified by the comprehension exercise, above.  MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose.  Other paths are available, so it’s not just about an MBA credential.

Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then MBA education wouldn’t be of much value.

10 comments on "Would a CISO benefit from an MBA education?"

  • Eric says:

    You’ve made my point, with a small exception. My point is that a credential, for the sake of a credential, is not of value. Skills, experience, knowledge, cultural fit, strategic focus and more are crucial for business leaders, regardless of which business function they lead.

    You did manage to cherry pick that I don’t like credentials out of two posts worth of writing that significantly emphasize what I do think is important. I believe that a smart, competent and capable person can achieve the skills and experience needed WITHOUT that MBA and that the MBA is no substitute for those skills and experience. In fact, I’m not particularly impressed by the “skills” that people with MBAs have. But that’s a different story.

  • Russell says:

    @Eric — I agree with you regarding the value of credentials in general and MBA credentials in particular.

    Also, I’m not directly critiquing your posts directly. I really encourage everyone to read your two posts, since it wasn’t my goal to summarize them:

    I’m also not asking anyone to decide this issue by evaluating the sample of the MBA population they have encountered. I, too, am not very impressed by most of the MBAs I’ve encountered. I have worked side-by-side with people with MBAs from Harvard, Stanford, Wharton, Dartmouth, Northwestern, etc. and I can testify that they ARE very smart and tend to have more analytic skills than generic MBAs. But that’s not what I’m presenting.

    Instead, I wanted to focus attention on what a typical InfoSec manager could *learn* through a proper MBA program and how that learning might help them be successful in their role as a corporate officer.

    To take the discussion away from credentials or people-we-know-with-MBAs, I presented the “comprehension test”, based on the output of 18 CISOs at very large organizations. If a CISO can “step up the the plate” to be a leader in their organization on all the issues and problems presented in the workshop paper, then I’d say they are well qualified. I’m suggesting that MBA is one path to get that knowledge and skills, in contrast to an educational alternative that simply builds their knowledge in domains where they already have expertise.

  • Eric says:

    I think it’s very important to have a discussion about skills, experience, ability, cultural fit …. and to be clear that getting an MBA doesn’t provide those things in and of itself.

    Frankly, if you want to be a great CSO or CISO, you need to be smart and capable. Whether you have an MBA or not is not going to make you smart and capable. Smart, capable people who get MBAs from Dartmouth or Stanford or Harvard or what have you were already those things before they got their MBAs.

    I’d argue that experience and time working for a capable, senior CSO/CISO type is going to provide much more skill and knowledge type value than the time spent getting a big name MBA. And the generic MBAs (Univ of Phoenix, for example) just “check the box”.

    Now, if you are young, in your 20s let’s say, and you want to be an executive in a company someday, go get an MBA from Dartmouth or Yale or Stanford. You will put yourself on a big time fast track that is almost impossible to do any other way. But that’s really quite different from what we’re talking about here.

  • Russell says:

    Thanks for your additional comments.

    I agree with your general point, Eric. And I’m speaking as someone who did the same job as these MBAs even though I didn’t have one myself (BS in EE and Management).

    I’m asserting that there are a handful of analytic skills that a good MBA program provides that often don’t happen outside formal education.

    One example is probability and statistics, and also decision analysis. A very high percentage of InfoSec managers I’ve met have never taken a course in probability & statistics or decision analysis.

    For example, many issues involving InfoSec at an executive level involve drawing inferences from a sample of data (e.g. quality of a process). It’s very helpful to have skills in probability and statistics so that you can speak authoritatively about whether some pattern is or is not statistically significant or whether a hypothesis from an experiment can be supported with high confidence or not. And I’m not even talking about risk analysis or risk assessment.

    If you look at the “Embedding Information Security Risk Management into the Extended Enterprise” report, I’m arguing that these problems require more than general smarts and “experience gained in the trenches” to solve.

  • Eric says:

    A couple quick points.

    Note I didn’t suggest that “time in the trenches” was equivalent to an MBA. I don’t believe that. Time working for a senior, capable CSO/CISO …. actually, in my case I worked for a SVP running a delivery organization. Working for the executive, learning those things that the executive knows by seeing it happen for real. It’s similar to the military’s idea that one of the pieces of learning to be a general is to be an aide to a general and see what they do up close and personal.

    I also don’t have an MBA, my background is similar, BS CpE. But I work side by side with folks who have MBAs from, for example, Tuck School at Dartmouth.

    Again, big name MBA programs have a very high value if you can do them early in life and get fast tracked. They have a much lower value later on in life. Generic MBA programs are almost entirely about “checking the box” to get the job.

    I’m not at all certain that a CSO/CISO has to be able to “speak authoritatively” about whether something is statistically significant. I have folks working for me that do that.

    I may have to write Part III.

  • Gunnar says:

    I always liked this post, if your CSO lacks a MBA fire on of you

    Agree on the sentiment if not the letter

  • Russell says:

    Nice link addition, Gunnar!

  • Russell says:

    Another article describes this issue, without specifically mentioning MBA:

    “4 skills CISOs need now” CSO Online

    “Business acumen—at a whole new level

    “The biggest issue security folks are dealing with right now is that in the past they’ve used their peer group of security pros to be their benchmark of what their skills should be,” said Kushner. “Now that benchmark is really the executive team.”

  • Mc says:

    Although I am not a CISO, I have taught graduate courses in InfoSec at several solid schools (NCS, DIC, EMU, GWU). Someone posted a thread just a couple days ago how our career field is starting to split two ways as you climb the ladder – the security technical track, and the business risk track. I wish I could give the appropriate person credit, but I can’t locate the article now.

    The article and comments above allude to the emergence of this phenomenon. For me, my MBA gave me insight into many of the models, tools and analyses that aid in effective security management. I have been able to employ statistical analyses, multiattribute utility theory, and even calculus to work on security revelant problems.

    Sadly, too much InfoSec is still practiced like witchcraft. (I’m looking at you, ISC2). That’s rapidly changing. These new and revised MBA programs hold promise for moving our field into more scientific and predictable risk management practices. I say, “Bring it on!”

Comments are closed.