I’m an alum of UC Berkeley’s master’s in cybersecurity program (MICS), and the other day I received a promotional email from Berkeley’s respected MBA program inviting me to enroll in a part-time “learn while you work” MBA.
For half a second I was tempted, then I realized that would not be a good investment of my time. But the thought is an interesting one and worth digging deeper here.
Should a CISO get an MBA?
Let’s break this down. As I've written before, a CISO has to be in tune with the business. Managing security is a business function, and it’s all about the money. So it’s vital that a CISO “gets” the business—otherwise you will be proposing a budget and security controls that are either too little or too much to match your employer’s security risk.
But, by the same token, an MBA with no technical security experience or knowledge is going to flounder in a CISO role. You can’t manage risk that you don’t understand.
A CISO’s job is incredibly broad—IT security, cloud security, application/product security, regulatory compliance, security certifications. The CISO has a portfolio almost as broad as the CEO. This means you are stretched thin but still need to be deep enough in every area to be effective.
Is spending two years not working and getting an MBA going to help you be a better CISO? Maybe a tiny bit. But if you attend full-time, you just lost out on two years of potential earnings. Or is spending three years part-time getting an MBA going to help you be a better CISO? Maybe, but the ROI is very poor.
In a perfect world a CISO would have a PhD in Cryptography, a PhD in computer science, a law degree, an MBA, be a chartered accountant, not to mention be a l33t h@xor and CTF champion at DefCon, code in a dozen different languages, be an eloquent orator, a talented writer, a natural leader, and on and on and on.
But life is finite! What are the most important things to be effective as a CISO?
You might argue, well, getting an MBA isn’t going to hurt. Well, yeah it is! Life is short and you can only learn so much so quickly. There are much more important things for you to learn and study to be a better CISO. An MBA is way, way, way down on the list of things you should be learning to grow in the role.
Of course, if you have zero experience in business whatsoever, then maybe you could make an argument that getting an MBA would be of some slight value. But wouldn’t it be a lot more valuable to go out into the workforce and get experience working in an actual business? Life is not a textbook, business is not a textbook, managing security is not a textbook. You have to live life as it is, not as your pet textbook wishes it were.
It's the textbooks that worry me. We live in a time of dogma, where square pegs are forced into round holes, where facts are cherry-picked to “prove” pet theories, but securing a business against aggressive, hostile, persistent nation-state adversaries is an unforgiving profession that does not tolerate bullshit.
You have to engage with reality as it is, not as you would like it to be, not as the textbook told you it would be, not as your personal preferences wish it were.
All that being said, I know a couple of CISOs with MBAs, and they strike me as smart, pragmatic people making good decisions for their employers. So it is possible, I think, to walk the tightrope and avoid letting an MBA skew your good security judgment.
But the bottom line for me is: Is an MBA going to make me better at my job right now? No. Do I recommend CISOs get an MBA? Also no. Do I recommend job seekers in cybersecurity get an MBA? Definitely not.
Being pragmatic means also recognizing that every rule has its exceptions. But sometimes the exceptions prove the rule: you don’t need an MBA to be a world-class CISO any more than you need an MBA to be a world-class General Counsel or a world-class CFO.