Consider Avoiding that Masters Degree

Reviewing My Experience as a Professional and a Student

As I begin peaking into the middle area of my career, I’ve brushed into the issues of training, continued growth, and self-development. One of the most significant issues is dealing with the costs of many methods and certifications. Just looking at SANS courses makes me shudder with pain in my wallet. So when it came down to it, I had narrowed my sights back onto the ol’ college try and boy did sunk cost fallacy get me here.

To start, I participated in two different graduate-level programs at two different universities. Both are private, both are generally well spoken for, and both have accreditation from the NSA via the National Centers of Academic Excellence in Cybersecurity (NCAE-C). I won’t directly name either university, as I don’t think that is really the point here (and I don’t encourage any negativity toward them if you go snooping). Instead, I’ll just focus on the curriculum. One program was a Bachelor’s to Doctorate (which required you to bridge with a Master’s), while the other was a standard Master’s. Both of them claimed their programs were degrees in science, majoring in Cybersecurity.

During my time at these schools, I’ve faced the realization that cybersecurity academia feels super… commercialized? I’m maybe not picking my terms right here, but it feels like an assembly line. Students come in at their bachelor’s and then get spit out into a master’s program right afterward. Correct me if I’m wrong in my thinking, but honestly, a master’s program should be reserved for the academic perspective of someone who is seeking to define an edge of their understanding of a given field. Why are we sending fresh graduates directly into a master’s program without any real-world experience to bring to the table? Maybe I’m too traditional in thinking that at the master’s level, we should have folks with knowledge and perspective in the field instead of still being fresh in it. Don’t get me wrong; I think the students who are engaged in this practice are showing dedication to refining their skills and knowledge. Really, I encourage the continued destruction of gatekeeping in the community, but honestly, I feel these institutions are lying to them about the value they bring.

Just like in my review about CISSP, those seeking a master’s degree with little other background should consider other avenues to get into the field. What did I learn in my two programs? I’ll be honest: not much except getting good at filler words to meet an arbitrary word or page count, spotting AI-generated content from my peers and professors, and refreshing all the content from various certifications I have studied for in the past. There were classes where I didn’t touch a book, attend a lecture, or view any materials; I signed in, did what was asked, and moved on. Is this me saying I’m all-knowing, and they should just give me an honorary degree? Absolutely not (but I’m happy to accept). Instead, it shows that the master’s programs are becoming diluted with underwhelming standards and geared more toward being the new bachelor’s degree+. Let me tell you a story about why I have this perspective.

It All Started When My Mom…

My mother wasn’t an I.T. person by any means, but she was a strong-willed woman working two jobs to support her two sons. She worked as a registered nurse with her bachelor’s degree for years before realizing she needed to expand her knowledge to continue to grow in her field, leading her to take a master’s program online at the University of Phoenix. As an adult looking back, my mother set the example in terms of milestones and expectations of academia. The material challenged her to grow and become sharper as a professional. She wouldn’t talk about it much, but you could tell she was dedicated to trying to grow to support a better life for us. It was admirable, but the point I’m trying to make here is she didn’t immediately leave her bachelor’s to go into a master’s. No, she spent time in the field, built practical knowledge on top of all that foundational stuff, and then returned to add more. In a field like Nursing, I have a high regard of respect for that form of self-development, especially in her shoes.

Plagiarizing the Certification Industry

This point I’m about to make irked me. The master programs I attended were littered with courses simply based on popular industry certifications' objectives and curriculum (and a nauseous reliance on EC Council-related content; see here why they’re not my favorite organization.) It felt like there was actually very little effort for the courses to push the industry forward and innovate on their own terms or knowledge base. These were just regurgitations of coursework that, yes, a professor still made, but to what end? Students could’ve simply just taken a Boot Camp or self-study for fractions of a fraction of the cost. If they also attempted to include the exam vouchers in the cost of tuition, then it would’ve been great, and I would’ve zeroed out this entire paragraph, but it didn’t include that. It's just overpriced test prepping and the usual college assignments. I can count on both hands the actual moments in which I walked away with something new or had moments of development and beneficial discussions or assignments.

Was the Paper Worth ~$30,000?

I’m not so sure it was worth it in the end. Maybe I’m still salty and burnt out (I’m writing some of this just two days after I was hooded). Maybe I’m just frustrated with the cybersecurity industry. Overall, this is something I will have to pay back, and I’m not sure if I saw the value it would cost me to obtain it. Again, there were no exam vouchers, and I didn’t walk away with any certifications (I did randomly obtain a Graduate certificate though in the middle of one of the programs, which was weird cause I didn’t apply for it, nor did I intend to get it). I didn’t even have to cover a master’s thesis, which I figured was still somewhat of a standard in academia. I ended up writing a paper anyway in my final class akin to a very light version of one just to say I did some form of research in the field for the program, but even then, I was left feeling wanting and not satisfied.

What Comes Next?

Honestly, I’m not too sure. My career has taken me to many places in the last five years alone, and for better or worse, I don’t regret any of it. That being said, I don’t think I will be returning to Traditional Academia anytime soon. I have a leader who actually completed their PhD in the field and argued somewhat against it, and even vouched that they felt their master’s was more brutal than the doctorate. Part of me wants to leave that to trusting their judgment and not trying it myself simply because this entire experience with traditional academia has made me feel lied to and deceived by the greater qualms of society urging us at a young age that college is the only option.

My favorite learning experience still comes from SANS, hands down, where I was challenged in technically profound ways. Unfortunately, you must self-fund those courses when they get expensive fast. There are also self-study mechanisms that do work well but require learners to have a strong drive and a lot of personal accountability to maintain focus and complete the coursework (take, for example, OSCP).

How Can Academia Change?

One of the funniest things my leader with the PhD said was that in his experience in academia, “Those who can do, do, and those who can’t, teach.” I also noticed that many of the cadres of the programs I attended lacked doctorate-level credentials, which is a common requirement to be a professor at the bachelor's level and (almost always) mandatory for the master’s. This surprised me, but then again, it didn’t. The skills gap seems to be rapidly evolving even into our areas of learning, which is a significant cause for concern.

One significant example is that the course material seemed to blend quite a bit from one course to the next, where one course would basically be a repeat of another course’s material (even down to using the same exact labs). Looking at the credentials of some of the cadre, they were lackluster and even concerning, as they were teaching content in which they had zero real-world experience while also lacking that doctorate degree. This level of improper resourcing bleeds into poor curriculum for students who find themselves going in circles with coursework and not learning more specific content levels that the course name implies they would be learning. This leads to students going out into the world with a misconception of their knowledge and being woefully underprepared for the real world that academia was suppose to prepare them for.

This is negligent in many ways at the bachelor's level but at the master’s level? I consider it fraudulent.

Universities can fix this by simply employing more experienced individuals with more robust resumes, not just credentialed in a handful of certifications. Likewise, they need to walk away from the certification industry entirely. Universities should be at the forefront of research and development, and to receive a moniker like NCAE, a university must actively contribute to the progress of the field nationally and globally in some way consistently. We should be learning from validated and peer-reviewed authors and researchers, preferably from in-house professors, who publish content that can be consumed and thusly distributed to the workforce via the students who took and passed those courses. If they’re going to charge a premium for a degree, the educational opportunities they provide must themselves be a premium service. Hell, I could confidentially teach a boot camp covering any of the certifications I received. Still, I would argue I’m significantly less qualified to teach a college-level course on many cyber topics, but that’s just my opinion.

Alternatives to a Master’s?

If you’re a student fresh from a bachelor’s or are looking to go to the next level mid-career, my argument remains much of the same. Security+ if you’re new, CISSP if you’ve been in the game for at least four years. Both of them are relatively accessible and achievable for those seeking to advance their skill sets. For those seeking a more skill-specific edge, I’d always recommend Paul Jerimy’s certification roadmap, which breaks down individual concentrations for specific kinds of certifications to help you gauge where you’re at and where you want to go.

The one niche but still historically cool benefit is that technically, I have the title of Magister (Mag.) now, so there’s that (see the neo-latin translation of Magister Scientiae). It’s not used in modern-day academia, but I might try to make it have a come-back.