Should a CISO have an MBA?

Cybersecurity leaders are increasingly asked to weigh in on business decisions. This could give MBA-holding CISOs a more visible seat at the table.

Organizations demand a lot from their CISOs. While protecting assets is still their core responsibility, CISOs are increasingly expected to be part of the strategic decision-making process.

"Now CISOs are really at the table," said Kelly Doyle, managing director at executive search firm Heller. "[Companies are] using enterprise security knowledge to help enable growth."

That added responsibility is raising the value of CISOs with MBA degrees. Organizations typically don't require CISO candidates to hold an MBA, but many prefer to hire CISOs with the degree.

"An MBA benefits CISOs in more ways than you would think," Doyle said. "It's become more prevalent for CISOs to get MBAs because now CISOs are viewed as business leaders, strategic growth enablers."

Does an MBA enhance a CISO's value?

If a CISO wants more influence and a seat at the executive table, then technical knowledge alone isn't enough. CISOs need to understand how a business functions across disciplines and what drives business strategy.

For CISOs, it's important to be able to translate risk and technology into terms that colleagues in other disciplines can relate to. And more companies want their CISOs to be business partners.

"As a CISO, you need to know the enterprise end to end," Doyle said. "Having an MBA, you get that business fluency, financial knowledge, process and operations. You want CISOs who can see how data flows through the whole enterprise and organization."

Ross Young, co-host of the CISO Tradecraft podcast, said business strategy courses taught him about models and frameworks such as Porter Five Forces, a framework for analyzing the competitive environment of a business.

"Somebody might say, 'Hey, Ross, how good is this company? Should we acquire it?' If I'm just spitting things off the top of my head, it's very disorganized. If I say, 'Let's consider how Porter Five Forces thinks about this acquisition,' there are five things they would look through," Young said.

Aspiring CISOs can also take advantage of the connections they make while earning a master's degree. "With an MBA, you're exposing yourself to a network. It's the people you meet, it's the alumni networks," Doyle said.

A wider view of the business

CISOs often pursue an MBA because they want to play a larger role in their organizations. An MBA provides them with a foundation to better understand other disciplines, such as marketing, regulatory compliance and HR. They can then better apply their cybersecurity risk management practices to the priorities of the wider organization.

Digital transformation, AI adoption, and other trends are pressuring executives and board members to better understand cybersecurity risk at all levels -- from digital assets to product security. They want CISOs who can help them understand that risk in the context of the overall business strategy.

"[Cybersecurity] has a lot more visibility at the organizational business level," said Kristie Pfosi, global CISO at automotive technology supplier Marelli. She attributed this to changes triggered by the COVID pandemic, when many people worked remotely. That forced companies to shift to an identity-based security approach, which introduced new risks that management needed to understand.

This has also led to changes in reporting lines for CISOs, particularly in larger organizations. As they join the executive team, more CISOs now report to the CEO. "I've definitely seen change in reporting," Doyle said, noting that more CISOs want to be a peer to the CIO rather than a direct report. Many CISOs are now also expected to present directly to the board.

At companies that expect their CISOs to be responsible for both product and enterprise security, an MBA becomes more important, said Julie Myerholtz, CISO at marine recreation and technology company Brunswick Corp. Mercury boat engines are among Brunswick's product lines, and Mercury is relying more on digital technology, which comes with additional risk. "Brunswick is going down the path of autonomous boating," Myerholtz said. "So, understanding the business and the product and how we secure our product in a way that is cost-effective [is important]."

The ability to anticipate the impact of risks that complex products present and communicate those risks to the product development team is crucial. "Cybersecurity doesn't come for free," Pfosi said. She added that her MBA education has enabled her to be able to better explain the implications of risk and to work with stakeholders to define the costs associated with secure product design.

Organizations that prefer CISOs with an MBA tend to compensate them better, but that's because they expect the CISO to play a significant role in the business -- not because of the degree.

"Some of my very successful CISO placements have had MBAs, and they are in a very strong compensation bracket," Doyle said. "I don't know if [an MBA] drives it, but I don't think it hurts." She added that larger companies tend to place a higher value on CISOs with MBAs.

When should a cybersecurity professional consider getting an MBA?

There are two schools of thought on when it is a good time for a cybersecurity professional to pursue an MBA. One camp says wait until you have experience working in cybersecurity. That will give you a better idea of where you want to go with your career and what you want to get from an MBA program.

Andy Ellis, founder and CEO of advisory firm Duha and former chief security officer at Akamai Technologies, recommends seeking an MBA or executive leadership program through a business school later in a career.

"My practical experience of people who put MBA as a checkbox on their career ladder is they tend to get MBAs very early when they don't have the context to frame the education," Ellis said.

Myerholtz got her MBA after about 10 years of work experience because she wanted to be part of an executive team and to better understand how businesses run. "It was important to have experience before starting my MBA because I could apply real-world to the classroom," Myerholtz said.

A change in the expectations of a CISO's role can also trigger the need to get an MBA, as was the case for Pfosi about five years into her cybersecurity career. "The big driver for me was the expansion of the scope and the type of work we were being asked to do," she said. With her professional experience, Pfosi said, the MBA "really completed the picture."

Others suggest getting it early. Even a cybersecurity professional who never rises to the executive level will learn how a company works. This will help with risk assessment and communication with nontechnical colleagues.

Young got his MBA right after his bachelor's degree. "The advantage of that is, the sooner you know things, the more you can use them in your life," he said. "If you don't get your MBA until you're 40, then you probably missed using an MBA experience for 20 years in your work career."

Planning to get an MBA later also comes with risk, Young noted. Returning to school while working can be complicated. Those challenges will be greater for anyone with a family.

Regardless of the timing, gaining a master's degree is considered a worthwhile endeavor because it enables a CISO to speak the language of colleagues. This is particularly important at budget time.

"Once you understand the business requirements around budget and getting product to market and all the risks, you can slot your priorities into their priorities," Ellis said. Otherwise, budgeting becomes "like kids on a playground fighting over a toy."

Michael Nadeau is an award-winning journalist and editor who covers IT and energy tech. He has held senior positions at CSO Online, BYTE magazine, SAP Experts/SAP Insider and 80 Micro. Nadeau also writes the PowerTown blog on Substack for stakeholders in local renewable energy initiatives. Follow him on Bluesky at @mnadeau.bsky.social.