Goal: CISO - Next step: MSc or OSCP or MBA?
Looking for some advice on what direction to take my studies next, as I cannot decide!
Experience: 20 years in IT & Security (technical, hands-on plus some management), the last 5 years I've worked exclusively in security. I've worked in 4 companies (one a huge corp) and have been relatively successful, working up from InfoSec Analyst to now holding the CISO role in all but name (I do the job of the CISO, managing a small security team, but don't have the title - there is no CISO and it looks likely there never will be, where I currently am).
Goal: reach proper CISO level, leading a larger team, earning more money
Qualifications: I hold CISSP, ISO 27001 Lead Auditor/Implementer, HCISPP and a myriad of IT certs. I do not have a bachelor's degree.
1. Study for MSc. Advanced Security & Digital Forensics, online at a reputable university (I've been unconditionally accepted for September start, without BSc based on experience, certs and references) = 2.5 years & lots of money, but I don't know if I want to commit to it, nor if it will give me any real value for money
2. Forget the MSc (a lot of money and time and blah blah blah) and instead focus on achieving up to date skills and certs: OSCP, OSCE, CCSP
3. Forget all the technical stuff and study for an MBA = 2 years, lots of money and more blah blah blah
What do you think? Is it worth spending the time and money on the MSc, given the above? Would it be better to go for more technical certs, as per option 2? Or should I hang up my techie shoes and go all in for MBA?
All the CISOs I've met and worked for have had no technical knowledge, just conceptual. They talk management speech (which I can do quite well), but they bluff the technical stuff (which people like us can see right through). I don't want to be an "old-school" blah blah CISO; I want to be the CISO that delivers value to the business, understands his people, speaks their language and bridges the gap between cybersecurity and management. I believe a good CISO should not just be able to influence the board, but also be able to roll up his/her sleeves and muck in with the techies. Do you agree/disagree?
Thanks for taking the time to read my ramblings