In the past weeks, I have received emails asking about Cyber Security certifications, graduate school, and projects.

I’ve begun research into Cybersecurity MS programs and have a couple questions. Do you have any online programs you recommend? I have been using google searches and the NSA’s “Centers of Academic Excellence for Cyber Operations” to try to figure out the best schools. Do you have any advice on applying to Tufts’ MS in Cybersecurity and Policy? I know this may not be the most technical degree, but am considering applying because of the clout that The Fletcher School holds. Also, any other ideas besides grad school? I felt like online grad school was the best option because of my unknown start date. At least I could get some classes done for a masters while I am waiting and then take a semester (or more) off when I begin work.

Another one:

In regards to cybersecurity specifically, do you think it would be worth it to work on getting certifications this summer? Online courses maybe? If you have any ideas for security projects/opportunities/courses I should look into, please let me know.


Certifications can only help you, not hurt you. Full stop. Certifications (or certs) can be very valuable if you are young or starting out in the field. Certs can help you get past Human Resources. Certs can show that you have baseline knowledge and have interest in the field. There are many Security certifications available –with various costs and goals. See long list on Wikipedia: Considerations to think about:

  1. Can you afford a cert? There is a financial cost to taking any certification exam. Some certs are most expensive than others, including annual renewal.
  2. Do you need a cert? For some jobs, certifications are required. An example is working for the U.S. Department of Defense. Here is a table of baseline certifications approved by the DoD:
  3. What do you want to be certified in? Some certifications are broad (e.g., CISSP, GSEC by SANS, Security+), some are specific (e.g., GREM Reverse Engineering Malware by SANS Institute, Offensive Security Certified Professional).

I have a few former students pursuing the Security+ certification as we speak.

A CISSP is very desirable if you want to be in management (e.g., CISO) because the CISSP exam is very broad, covers 10 domains. However, it is also expensive to take and maintain. I usually don’t recommend the CISSP to many people. Without going on a vicious rant, I also want to point out the outstanding issues with the CISSP:

I got the SANS GCIH (Certified Incident Handler) certification in 2007, let it lapse in 2011, and never renewed. Was it worth it for me? Yes: (1) the course was fantastic as it was a technical boot camp, and (2) I put the GCIH in my speaker bio at a number of venues including DEF CON. I will need to renew the GCIH certification if I teach the SANS SEC504 Hacker Techniques Training course (this goes for any SANS course).

Don’t lose sleep over certifications, you will go crazy. Your passion and capacity to learn in Cyber Security much more important than a certification. Most of us got our jobs/careers in Security because of hands-on skills like setting up a home lab, not because of certifications (which also includes college). Which leads to…

Graduate School

Any time students ask me about going to graduate school, especially for Cyber Security, I ask the following questions in return:

  1. Why do you want to go to graduate school? What got you interested?
  2. What do you hope to get out of it? This includes academics, special events, connections, anything…
  3. What are you hoping to do after you get graduate degree?

Going to graduate school can be a major life decision: whether Master’s where there will most likely be no financial aid, or Ph.D. where it can take 5 or more years to complete. You want to be so sure you are going to graduate schools for the right reasons, else you will waste both your money and everyone else’s time –including my time. You need to think hard.

A good reason to go to graduate school, online Master’s, looks something like this: “I’m finding at work that there are gaps in my Security knowledge that I would like to explore in a more thorough way than just online research. Learning on the job is extremely valuable and it’s something I’m continuing to do. I do miss taking classes though.”

“am considering applying because of the clout that The Fletcher School holds.” => This is VERY true and the standards are very high. We have a lot of pride in the relationship the School of Engineering has with The Fletcher School of Law and Diplomacy at Tufts. You have to be so sure that you want to do policy AND tech –a blend of both. If your career goal is to have a fantastic technical AND policy foundation in cyber security (so both tech and non-tech), come to Tufts.

“Do you have any online programs you recommend?” => Yes, the best ones include:

Online Master’s route:

  • Georgia Tech
  • Berkeley
  • Johns Hopkins
  • NYU
  • Northeastern
  • Boston College

Ph.D/research route:

  • Carnegie Mellon
  • Georgia Tech
  • Washington
  • Michigan
  • Berkeley
  • Maryland
  • UC San Diego
  • UC Santa Barbara
  • Brown
  • Cornell
  • Princeton
  • Columbia
  • Virginia
  • Stanford