One of the greatest challenges in landing a job in any field is demonstrating that you possess the knowledge and experience required for the role. This is especially true in cybersecurity, where 70% of organizations say half of applicants to their posted positions are unqualified for the role to which they are applying.

This is often pointed to as the explanation behind the paradox that the cybersecurity field supposedly has over 4 million unfilled positions but cybersecurity applicants cannot find jobs. If applicants are unrealistic about their skill sets and compensation requirements and cannot demonstrate that they have the skills for the job, hiring managers may be unwilling to take a chance on them.

One of the simplest ways of demonstrating proficiency and standing out from the competition is by pursuing higher education. Completing a master’s program in cybersecurity results in a diploma that verifies that you have achieved the associated level of knowledge and experience.

Why not get a degree?

The arguments in favor of pursuing a master’s degree in cybersecurity are fairly straightforward. But what are the arguments against pursuing one? Some of the major disadvantages of a master’s degree are the demand for master’s degree holders, the duration of the program and the cost.

Pro: Demand

The principle of supply and demand is a major driver that dictates pricing and competitiveness in the job market. If there are more positions than applicants, hiring packages get better and it’s easier to find a job. Conversely, a saturated job market means that hiring managers have a better range of applicants to choose from.

Pro: Job requirements

CyberSeek is intended to provide hard data on the current cybersecurity job market in order to help close the skills gap in the United States. This data includes information on the desired education level included in numerous job postings.

According to CyberSeek, a master’s degree is not required for the majority of cybersecurity jobs. In fact, of the fifteen positions included in their analysis, security intelligence has the highest percentage of job roles requiring a master’s degree at 18%, and security intelligence is only considered a cybersecurity “feeder role.” Between 0 and 15% of cybersecurity job postings require a master’s degree.

Pro: New opportunities

Another way to look at this is the number of new positions that a master’s degree opens up. Rasmussen College performed an analysis of 96,951 job postings to determine if they needed a high school diploma, associate degree, bachelor’s degree, master’s degree or doctorate.

Of these 96,951 job postings, a candidate with a bachelor’s degree was eligible for 93,793 of them, which is 96.7%. A master’s degree opens up another 2,442 potential positions, which make up 2.5% of the total.

Program duration

In general, a master’s degree takes a couple of years after completion of a bachelor’s degree. This is significantly longer than earning a certification, which can take between three and nine months on average. However, this significant time investment also has other downsides.

Con: Skill relevancy

One of the downsides is the expected longevity of the information learned there. The average half-life of technical skills is approximately two years, meaning that half of the information learned in a technical profession, like cybersecurity, will be outdated and irrelevant within two years.

With a two-year program, this means that if a class was updated the summer before courses began, half of its information could be expected to be out-of-date by the summer after graduation. This also assumes that professors are constantly updating their courses and that students are not enrolled in courses that are already several years old.

Con: Hands-on experience

A recurring problem with common hiring practices is that you need experience to get a job and a job to get experience. This is true in the field of cybersecurity as well, where 95% of organizations are looking for hands-on experience during the hiring process but only 89% care about a candidate’s credentials.

During a master’s degree program, a student can be expected to pick up some hands-on experience in their field. However, realistically, they’re unlikely to gain the same amount of real-world experience as a person working in the field for that same two years. When hiring for a position, HR may favor promoting someone with two years of experience in the field at a lower grade than hiring someone with an advanced degree but no experience.

Con: Program cost

Beyond the time investment, a master’s degree can also represent a significant financial investment by a student. The average price of a master’s degree is between $20,000 and $70,000 per year. While scholarships and internships may reduce this cost, they are limited in number and may carry additional obligations.

In comparison, pursuing a certification in the field can be significantly cheaper. Well-respected certifications such as the (ICS)2 CISSP, EC-Council CEH and CompTIA Security+ certifications all have self-study options for under $1,000.

Conclusion: Should I pursue a master’s degree in cybersecurity?

At the end of the day, the choice of whether or not to pursue a master’s degree in cybersecurity is one of personal preference. A specific career path or position at a certain company may be easier to achieve (or even require) advanced education. In other cases, a certification or two and/or demonstrated experience in Capture the Flag (CTF) exercises may be more than enough to land the job that you want.

One important consideration is that many companies support continuing education for their employees and may even pay for a master’s degree. If so, getting a certification or two to get your foot in the door and pursuing a master’s degree as an employee might be a cheaper and better option.



  1. Cybersecurity Career Paths and Progression (February 2019), CISA
  2. Future of Work: The People Imperative, Deloitte
  3. Cybersecurity Career Pathway, CyberSeek
  4. Is a Cyber Security Degree Worth It? The Facts You Can’t Ignore, Rasmussen College
  5. State of Cybersecurity 2020, ISACA