Cybersecurity Master's vs. OSCP

cyberdc09

Hey, I'm currently deciding between two options and would like some advice. A little background about me first. Like many, I'm trying to break into the Information Security field. I have a degree in Information Systems and I work in technology as a Business Analyst (not security related at all). I also recently completed the CSX Cybersecurity Fundamentals Cert from ISACA to learn about some of the basics and get my feet wet.

I would like to move onto the next step, especially considering I'm going to have some down time these next few months. I have been eyeing the WGU Cybersecurity and Information Assurance Master's program. I know Master's degrees in Cybersecurity have a mixed/negative reputation, but what I like about this program is they offer two certs as classes (CEH and CHFI) and also my company will provide tuition reimbursement cutting the costs significantly.

My other option is going for the OSCP. I know this is a rigorous test, especially for newcomers, but I'm willing to put forward the commitment. From what I've been reading, completing this cert should qualify someone for a Junior PenTest role. A con for me is my company wouldn't provide any reimbursement and I would have to pay completely out of pocket.

Which of these two options do you think would be beneficial for me? Open to hearing other suggestions as well!

SteveLavoie

I would take from another point of view.. look at job opportunity in your area (or area you want to relocate) and see what they are requiring. Sure a Master last longer on your resume than a certification, but certification are faster to get an ROI.  OSCP is not that expensive to get by itself and if you have time it could be a good windows to do it.  However OSCP is targeted toward a pentester role, is it what you want? 

Cybersecurity in itself is a very wide domain, so please define what area is interesting you the more. I am guessing that your experience as a business analyst  would lead you more to translate technical requirement to business requirement and vice versa, than a more technical only one (like pentester).

Nyblizzard

If you are motivated at the moment to complete an accelerated Masters program, do it now.

chrisone

If you get your AA, BA, masters, PhD, rest assured you will still need to get certs. 

You choose whether you want to get certs along with the extra student loan debt.
or 
Trust your BA and get those certs without the extra debt. Granted you may still have your BA debt to deal with already.

Good luck, either scenario is a blessing to have. 

egrizzly

If you have a degree in Information Systems from an accredited university you should've taken courses in programming, database, and networking.  That, together with a Security+ certification, is enough educational base to break into the cybersecurity field, which seems to be your stated goal.  Aiming for a Masters Degree or an OSCP, all without actual work experience in the cybersecurity field is what they call putting the cart before the horse.

You should be aiming to get your CompTIA Security+ certification.  After you successfully pass that, run through some labs then place the labwork in your resume as experience.  From listing he OSCP I assume you have chosen Penetration Testing as your area of focus in cybersecurity.  You can then begin intermediate certifications such as CEH or Pentest+ which focus you more into that path.  After either of those come the OSCP.  That would be your natural path in my opinion.

jtwhite0322

I am in my final term and about to finish my MSCIA and I am going to tell you what I wish someone had told me...  Avoid this program at all costs.  Do the MBA in IT or anything else if you must get an Masters.  The CHFI has been removed from the program, not that it is a huge selling point and that is not why I say avoid it.  The whole program is kind of half-baked.  I got a BS from WGU in IT and the program was excellent, but it is very clear that WGU put very few resources into developing the MSCIA degree.  You will be much better off getting CS certs or pounding the pavement hard to break in somewhere and get some CS experience.  There is nothing in this program that will make you more marketable.  It is not worth the debt and I know my fellow WGUers will hate this, but any MS that people are getting in 6 months or less, only includes one entry-level certification, and has no meaningful research component, probably isn't worth the paper it is printed on.

VictorVictor5

chrisone said:

If you get your AA, BA, masters, PhD, rest assured you will still need to get certs. 

You choose whether you want to get certs along with the extra student loan debt.
or 
Trust your BA and get those certs without the extra debt. Granted you may still have your BA debt to deal with already.

Good luck, either scenario is a blessing to have. 

+1. I will agree with my brother @chrisone 1,000% on this point. Yes, you'll still needs certs post-degree, and even after a PhD. Kinda like yours truly! 

However, I will add, if you go to a traditional university for grad school (MS and/or PhD), if you can do research, you will essentially on a full ride. So no debt if you plan on writing a Masters thesis or dissertation. The only drawback for this approach is the stipend is low. But, tradeoffs, right?

Yes, I realize you are already in industry, and your options are limited, but you may be able to conduct research on a part-time basis in exchange for a lower cost MS/PhD. All universities really care about is publications because it will bring them more funding. Look at publishing as your ticket to advanced degrees at a lower cost if you can't go full time. It's possible, but will take a bit of time.

VV5 out.

AverageJoe

cyberdc09 said:

Which of these two options do you think would be beneficial for me? Open to hearing other suggestions as well!

I'm not sure why you think it's a choice of one or the other?  If you're interested in achieving both, why not pursue both?

That said, I agree with egrizzly that if you don't have Security+ then you should probably hit that first.  

LonerVamp

Look at the jobs you want and see what they are asking for. Do you need a Master's?

At the end of the day, these are some of the things that hiring manager and even the HR screeners are going to be looking for (to be overly general):

1. degree of any sort (if required by the HR screen to move forward any further)
2. job experience by years
3. applicability of experience to the job
4. certs
5. everything else.  (This includes Master's, PhD, hobbies...)

My main point is, getting job experience is going to be key for many opportunities. The Master's is often going to tell employers that you have school bills to pay and likely will be expecting a salary above what normally goes to entry level, 0 experience candidates.

For the OSCP, there's no guarantee that even experienced persons will pass this without 12 months of hard effort at it. It's not a put-money-down-study-take-test-pass sort of commitment. It's deeper than that. It's doable, but risky. It also really only puts you on course for doing pen testing, which can be a hard sell for candidates who only have the OSCP and no real enterprise experience. You're going to have to get lucky and do well in the interview and practical assessment part of the interview.

That said, the OSCP is a talking point. But, that's only if the person you're talking to understands the cert. If they don't, and their own technical acumen is lacking, they won't see value in it. But if they do, it's a talking point that gets some level of respect, and that experience *can* help you catch bad guys on the blue teams.

On a personal note? There are lots of BA and MS level degrees in cybersecurity that are junk and teach you almost nothing. That said, I have an MIS degree from 20 years ago and when I got out I was ill-prepared for "real" IT work. I have little faith in what I've seen or heard from today's cybersec curricula, especially above a BA. I mean, other than machine learning/data science or statistical stuff or deeper theory, what's left to really learn? But whatever works, my man!