Cyber Security: Is a Master’s Enough, or Do I Need a PhD?

In a daring ransomware attack in June of 2021, cyber criminals extracted $11 million from JBS USA Holdings Inc. It’s but one example of the many dangerous hacks that have sent companies, individuals, and governments scrambling to shore up their cyber defense and risk management systems. Without question, cyber security is one of the most pressing issues in the world and will be for years to come, as cyber crime can negatively impact everything from one’s personal finances to a municipality’s water supplies.

President Biden has made creating better cyber security systems and educating/training cohorts of skilled cyber security experts a focus of his administration, and called on the Department of Homeland Security to step up its commitment to bolstering the nation’s cyber security defenses. However, it’s unreasonable to expect immediate solutions, given the complexity of the problem; meeting these goals is going to require years of effort.

Anyone considering working in the field should know that cyber security is a computer science specialty and should have some relevant experience in that area. If you do and want to pursue a cyber security degree, you’ll likely develop advanced programming and system design skills before focusing on a specialized area of study. According to the Harvard University career services office, “Those interested in fields like data science or cyber security should plan to pursue a focused master’s or PhD degree to learn specialized knowledge and abilities applicable to those fields.” Graduate degrees in cyber security carry excellent long-term value and can prepare you for many exciting careers. But, which one should you get? PhDs offer the best education, but master’s degree programs are more common—and don’t take nearly as long.

This article seeks to answer a common question in cyber security: is a master’s enough, or do I need a PhD?. It covers:

• What is a cyber security master’s?
• What do you learn in a cyber security master’s program?
• What jobs can you get with a cyber security master’s?
• What is a cyber security doctorate?
• What jobs can you get with a cyber security doctorate?
• Deciding which degree you need

What is a cyber security master’s?

A cyber security master’s is an advanced degree that prepares you for a career defending computer systems from cyber attacks. You will be able to seek positions in private companies (like banks and healthcare organizations), government agencies (like the DHS or National Security Agency (NSA)), and organizations like think tanks. Cyber security professionals who earn a master’s degree commonly have an established computer science skillset. Though not necessarily a requirement, they typically have completed a relevant bachelor’s degree program in computer science, data analytics, or cyber security (though the latter is not a very common program).

It’s essential to differentiate between the types of cyber security degrees—program titles and curricula can differ, but still lead to the same jobs. Common degree titles in this field are:

• Master of Science in Applied Information Technology with a cyber security concentration
• Master of Science in Computer Engineering with a cyber security concentration
• Master of Science in Computer Information Systems & Cyber Security
• Master of Science in Computer Science with a cyber security concentration
• Master of Science in Cyber Security Engineering
• Master of Science in Cyber Security Management
• Master of Science in Information Security
• Master of Science in Technology, Cyber Security, and Policy

It’s even possible to focus on cyber security as part of another defense degree. For instance, Virginia Commonwealth University offers a Master of Arts in Homeland Security and Emergency Preparedness that includes cyber security coursework. Students in this program prepare for jobs mostly in policy rather than the technical side of cyber defense. This is quite distinct from the more traditional University of Tulsa program, which prepares students with computer science backgrounds to “master the theory, concepts and techniques of information assurance and network defense in real-world environments.”

Many programs don’t have specific prerequisites for applicants beyond the necessary bachelor’s degree from an accredited institution. Still, that doesn’t mean you should jump into a cyber security master’s program if your secondary-level education is in a non-STEM subject.

Cyber security programs that accept students without a computer science background often require them to complete bridge courses to prepare for the difficulty of a master’s-level cyber security program. You’ll need to learn the material one way or another, and having experience can allow you to spend more time focusing on advanced-level courses targeted to advancing your desired career path.

What do you learn in a cyber security master’s program?

While cyber security programs can have different coursework, they all prepare graduates to combat cyber threats. Common topics include:

• Advanced algorithms
• Computer forensics
• Cryptography
• Digital forensics
• Ethical hacking
• Incident response
• Information assurance
• Networking
• Network security
• Security governance

What jobs can you get with a cyber security master’s?

A master’s can qualify you for many cyber security jobs—especially in advanced technical roles or as a cyber security manager. A cyber security master’s also is a means to help you switch careers, especially if you don’t have a technical background, though remember this is less common. If you’re using an advanced degree program to join the cyber security workforce from another field, you may have to start in a lower-level position and work your way up.

Three of the top jobs that you can earn after completing a master’s in cyber security degree program include:

Computer information systems manager

This IT-focused position requires maintaining your business, agency, or organization’s network. You can expect to earn a median annual income of over $150,000 per year as a CIS manager, according to the Bureau of Labor Statistics (BLS).

Cyber security architect

The one position on this list that requires excellent hacking skills, cyber security architects are the keepers of their organization’s computer system. They can quickly identify and fix data breaches and implement risk mitigation strategies. Because this is an upper-level position, and building and maintaining an organization’s computer system is beyond the capabilities of a single person, you’ll likely manage a team. According to ZipRecruiter, these cyber security experts are compensated well, earning a median annual income of nearly $147,000.

Chief information security officer

Candidates for these executive roles typically have a robust skill set and advanced degrees, even beyond a master’s. You may even find yourself completing a certificate program (or two) to bolster your resume. To successfully run an organization’s cyber operations, these professionals must understand upper-level management, relevant laws, and data utilization techniques. Earning an MBA with a concentration in cyber security can qualify you for this role. You’ll need to understand aspects of cyber security law and data privacy in addition to running an organization’s cyber operations. Chief information security officers earn an average annual salary of over $165,000, according to PayScale.

What is a cyber security doctorate?

Since it is a relatively new field, there are fewer cyber security doctorate programs than master’s, though several well-regarded schools offer cyber security or information security doctoral programs, including Northeastern University and Johns Hopkins University, which provides two tracks: Health and Medical Security or Cryptography & Privacy. Other programs may allow students more flexibility in what they study.

Schools often don’t dedicate entire PhD programs to cyber security. Instead, you’ll study it as part of a computer science program. Schools with excellent computer science PhD programs and robust cyber security resources include Carnegie Mellon University, New York University, and Stevens Institute of Technology.

According to NYU, “Cyber security is a particular research strength of the computer science program.” Students who are admitted into the program can choose it as a research subject; they meet with an advisor who helps facilitate research and develop a plan of study that satisfies course requirements and student interest. Every computer science PhD candidate must complete six “breadth” courses—regardless of their specialty. They then focus on meeting “depth” requirements then completing and defending a thesis.

Doctoral programs take longer to complete than master’s degrees. You’ll likely spend between five and seven years completing your education (they also have much stricter admissions requirements) and the coursework is rigorous and comprehensive. For instance, Northeastern states that the overall goal of its program is to “prepare graduates to advance the state of the art of security in systems, networks, and the internet in industry, academia, and government.” This is not the type of degree to jump into if you casually want to make a career change.

Doctoral candidates often end up teaching at the collegiate level or working in research rather than trying to secure a position with day-to-day responsibilities at a large company. They also typically work closely with professors, learning and implementing research methods.

One positive aspect of a PhD program is that it’s easier to obtain financial support for your studies. Many programs offer students a stipend or work-study program—usually teaching undergraduate coursework—and PhD candidates typically have the first pick of scholarships. That said, it’s easy to spend nearly a decade working on your degree, and the idea of having a fully or partially funded PhD can become less appealing when you realize you may be giving up a six-figure job to complete it.

What jobs can you get with a cyber security doctorate?

Many PhDs pursue research or academic positions, but you won’t be limited by your degree. Graduates from the Stevens Institute of Technology PhD in Computer Science program, which includes a cyber security track, work in all fields, including government, research, private enterprise, and academics, and are prepared to take on roles like:

• Software engineer
• Research scientist
• Professor
• Data scientist

According to PayScale, a PhD leads to many of the same positions as a master’s degree (though PhDs tend to have the edge during the interview process), including chief information security officer and information security manager, and professionals with this degree typically earn an average annual salary of just under $177,000.

If you do decide to conduct research, it won’t be restricted to an academic setting. One researcher detailed his experience leaving academia, noting “there is enormous opportunity to conduct cutting edge research in companies. In fact, much of this research is inaccessible to universities without industry collaboration.” Much depends on exactly what you study in your PhD program. If your thesis or capstone project revolves around developing new authentication methods to prevent phishing scams, you might pursue different positions than someone who focuses on developing uses for machine learning in threat mitigation—which is changing the field.

PhDs also frequently pursue professorships. At the University of California, Berkeley, you’ll likely they start as an assistant professor—even with a PhD. Tenure can help you become an associate professor. From there, it’s usually a few more years until you can become a full-time professor. According to Inside Higher Ed, professors at private doctoral universities earn around $203,000; those at public undergraduate schools earn roughly half as much.

Deciding which degree you need

While having a master’s degree strengthens your application to a PhD program, it’s not necessary. Ultimately, deciding which degree you should earn genuinely comes down to the one that best serves your career goals.

PhD programs expect a higher level of academic excellence; it’s the clear choice for people who want to be educators or researchers. As PhD programs are much longer—at least five years—you will lose opportunities for work experience while completing your cyber security education, but have an extra qualification when you finish. According to one professor on Quora, “My students with PhDs (all technical areas; I worked in a few) do get much higher salaries but, yes, they suffer during graduate school with lower income.” You usually have a higher pay ceiling with a PhD, but it takes a while to reach it.

You’ll typically have an easier time obtaining financial aid in a PhD program, and many top programs, such as the one at Stevens, are fully funded. However, it’s possible to work during a two-year master’s program, especially if you complete an online degree—and most PhD programs are not offered online.

Ultimately, either of these graduate degrees can help you find work in the cyber security field. According to a Burtch Works study, 48 percent of data scientists have a PhD and 43 percent hold a master’s. These numbers do not completely represent cyber security professionals, but serve as an indicator of the type of higher education needed to succeed in computer science disciplines. Either degree you choose will serve you well and prepare you for national security, law enforcement, and private enterprise careers. But, if you’re wondering whether a master’s degree is enough: it is.

(Last Updated on February 26, 2024)

Questions or feedback? Email editor@noodle.com