CISO Education Requirements: Degrees, Training Courses, and Certifications

CISO Education Requirements: Degrees, Training Courses, and Certifications

About 25 years ago, the evolution of the overall digital ecosystem necessitated the creation of the first CISO role. Now, 61% of companies have a CISO.

Because it’s a relatively new position, the CISO career path isn’t set in stone, leaving many prospective CISOs uncertain about which degrees and certifications to pursue. In this post, we’ll explore higher education options for aspiring CISOs, as well as certification options that benefit both aspiring and current CISOs.

CISO education requirements

Some experts believe that having a college degree doesn’t matter as much as having the right skills and experience for the position. However, technology is constantly evolving, and cyber attacks are more complex than ever, so many companies do expect to see extensive field-related education on a cybersecurity exec’s CV.

The majority of companies will pass over candidates without a degree. In an analysis of cybersecurity job postings from September 2017 to August 2018, Burning Glass Technologies found that 88% required at least a bachelor’s degree. Advanced degrees may result in higher pay, and are increasingly common for CISOs (a 2018 Kaspersky Lab study found that 68% of CISOs have master’s degrees).

If you’re looking to become a CISO, there a number of educational paths that can benefit you:

Computer science education

It’s no surprise that a bachelor's degree in Computer Science or IT is the first step for many aspiring CISOs, followed by a master’s degree in the same field. While an MS in Computer Science is generally adequate, you may want to consider more specialized programs (e.g. computer engineering, cybersecurity, digital forensics, cybersecurity management) depending on your particular goals and interests.

Business education

Extensive IT knowledge and experience is vital, but soft skills are also in high demand. It’s desirable for CISOs to be educated in business so that they can effectively communicate with stakeholders about complex cybersecurity topics and earn buy-in for cybersecurity initiatives.

Combining computer science education with business education is a good way to ensure you have both the hard and soft skills necessary for a CISO position. Cybersecurity managers and CISOs are increasingly pursuing MBAs for this exact reason, and MS degrees with an emphasis on management and policy are also desirable because they place IT within the greater context of commerce.

Law education

This path is perhaps the least traveled for CISOs, but it’s an interesting option for cybersecurity professionals. Cyber law is an emerging field, and a CISO with education in this area can be a great asset for businesses (especially those in heavily regulated industries). A few universities even offer specialized cyber law programs, such as the Cybersecurity & Data Privacy concentration at Loyola Law School and the Cybersecurity Law concentration at the University of Texas School of Law.

CISO training courses

As demonstrated by the education section of this post, there is no one single path to becoming a CISO, and the same applies to professional CISO training and certifications.

If you’re vying for a CISO position, earning certifications can help increase your chances of being selected. If you’re already in a CISO position, training courses and certifications will help you evaluate and expand your skills and set the stage for a potential salary increase.

Here is a breakdown of a few common CISO certifications and their requirements:

CISSP (Certified Information Systems Security Professional)

This certification is offered through the International Information System Security Certification Consortium, or (ISC)², and is geared toward security managers and executives. It covers eight core domains:

  • Security and risk management
  • Asset security
  • Security architecture and engineering
  • Communication and network security
  • Identity and access management (IAM)
  • Security assessment and testing
  • Security operations
  • Software development security

To receive this certification, candidates are required to have a minimum of five years of work experience in two or more of the eight domains. One year of required experience can be satisfied with either a college degree or an additional credential from the (ISC)² approved list.

CISM (Certified Information Security Manager)

The CISM certification is offered through ISACA, and is arguably the most popular certification in cybersecurity management. It tests proficiency across four core domains:

  • Information security management
  • Information risk management and compliance
  • Information security program development and management
  • Information security incident management

Experience requirements, exceptions, and substitutions for CISM certifications are relatively complex, and can be found on ISACA’s website.

CCISO (Certified Chief Information Security Officer)

Offered through the International Council of Electronic Commerce Consultants (EC-Council), the CCISO program tests proficiency in management strategy across five core domains:

  • Governance and risk management
  • Information security controls, compliance, and audit management
  • Security program management and operations
  • Information security core competencies
  • Strategic planning, finance, procurement, and vendor management

Certification requires five years of experience in each of the five CCISO domains, but waivers are available for those with other certifications and/or graduate degrees.

[Related: Worthwhile TPRM Certifications for Security & Risk Professionals]


The cybersecurity talent shortage means that highly skilled cybersecurity experts, including CISOs, are in high demand. There’s no right or wrong path to becoming a CISO, but the right combination of education, experience, hard and soft skills, and certifications will give any aspiring CISO a competitive edge.

2023 Gartner RC Image Square

“By 2025, lack of talent or human failure will be responsible for over half of significant cyber incidents.” How can a human-centric design strengthen your cybersecurity program? Get your report to learn from key predictions, market implications, and recommendations.