This question was introduced recently in an article by Upasana Gupta: Should a CISO Have an MBA? She asked four CISOs their opinion, and three essentially said “no”, while one said “yes”. Eric, at the Security, Cigars, and FUD blog, posted his opinion here and here. Basically, he said “no, it’s not necessary as a credential, but some business knowledge might be helpful”. The opinions offered on Twitter were almost universally “no”.
As a business guy, I was somewhat surprised that much of the discussion and opinions centered on the MBA as a credential rather than on what knowledge or skills someone would learn in an MBA program. None of us at New School is a fan of credentials as such, so my interest in this question is in the educational value compared to alternative investments in education.
Also following the New School philosophy, I thought I would look for data and evidence rather than just offering my opinion.
To my delight, I found a fairly comprehensive study: THE CHIEF INFORMATION SECURITY OFFICER: AN ANALYSIS OF THE SKILLS REQUIRED FOR SUCCESS, by Dwayne Whitten of Texas A&M University. The paper is worth reading because it gives a good overview of the conflicting values and forces that are affecting CISO hiring, evaluation, and effectiveness.
Specifically, he finds a gap between how CISOs define success and the job duty descriptions used in hiring. Quoting from his conclusion:
Based on a thorough review of the literature, interviews with security executives, and an analysis of job listings, a comprehensive list of duties and background/experience requirements were found related to the CISO position (see Table 3). The most interesting issue that arose from this research is that business strategy did not make the list of most included job duties. Given the high level of importance given to this by the literature and the executives, it is surprising that it was not listed on the job listings surveyed. Thus, it appears that many of the organizations searching for new CISOs during the research period did not fully understand the importance of including the CISO in the business strategy formulation. [emphasis added]
This dichotomy seems to relate to how CISOs are viewed. From one point of view, a CISO is equivalent to “Most Senior Information Security Manager”. That is, they contribute to the organization in exactly the same way as other information security managers do, but at a larger scope. It is this perspective that is most closely aligned with the opinion that an MBA education would not be helpful. Instead, it would be more valuable to get deeper education in the technical aspects of InfoSec (engineering, forensics, incident response) plus regulations, compliance, etc.
Another point of view is that a CISO is an executive officer of the organization, and thus has fiduciary duties to stakeholders regarding the organization’s overall performance, and also has teamwork responsibilities with the other executive officers regarding crucial strategic decisions.
Maybe this is rare in practice, and maybe the “Chief Information Security Officer” title is just another example of rampant job title inflation. But if CISOs in some organizations are expected to perform in this executive role, then they are not “just another information security manager, only bigger”. Their job is qualitatively different, and the knowledge gained at a good quality B-school might be just what they need.
To respond to Eric, who said “And I’ve yet to see a course on security risk management in traditional MBA programs”, I offer two examples: 1) James Madison University offers an MBA in Information Security. 2) Worcester Polytechnic Institute offers an MBA concentration in Information Security Management. The WPI MBA course catalog lists quite a few courses that would be directly valuable to a CISO (e.g. “INFORMATION SECURITY MANAGEMENT”, “OPERATIONS RISK MANAGEMENT”, and “E-BUSINESS APPLICATIONS”), plus many that would be indirectly valuable (statistics, change management, negotiations). (Disclosure: I got my undergraduate degree from WPI. Their MBA program is very good, esp. for technical managers.)
I’ll close with a comprehension test for CISOs. Read this workshop report: Embedding Information Security Risk Management into the Extended Enterprise. It’s the output of 18 CISOs discussing the most challenging issues facing them regarding information security across their enterprise and across their supply chain.
I think you’ll see that most of the problems involve analysis and methods that go well beyond the typical education and experience of information security managers. Instead, they require knowledge and skills that are more typically covered in MBA programs: business strategy, economics, finance, organizational behavior and change management, organizational performance management and incentives, plus business law and public policy.
Conclusion: if a CISO is expected to be an executive officer (esp. for a large, complex technology- or information-centered organization), then he/she will need the knowledge and skills exemplified by the comprehension exercise above. An MBA is one path to getting those skills, at least if you are thoughtful and selective about the school you choose. Other paths are available, so it’s not just about the MBA credential.
Otherwise, if a CISO is essentially the Most Senior Information Security Manager, then an MBA education wouldn’t be of much value.