Learning the business of security
We have recently looked at some of the accreditation programmes that are available for security professionals, as well as some of the education courses.
Back in January, I attended a presentation by Kevin Jones, the professor of dependability and security of socio-technical systems at City University London. In September, Jones's department will launch an MSc in information security and risk; I caught up with him to learn more about his plans and what the intention of the course is.
Jones told me that the course would create an educational programme that combines the technical capabilities of security and business issues; its location close to the City of London (the University is based in Islington) will draw people to the part-time course, he said.
He added: “With the Masters, we thought about the expertise and what skills people need that are not being satisfied. We will not teach technical things as we are not looking for a unique niche. We get asked a lot about security, but it is not good for the non-security types, so we teach critical business functions.
“A key part of security is to be business-aware, so this is a programme for people who want to be the CISO and talk to the board and be part of the security team. It is not about technologies like encryption or the firewall, it is about managing security and how to communicate issues at an executive level.”
He said professionals often lack the ability to communicate their achievements and projects to the right audience. “[The board] will ask how much money is spent, what is the potential exposure, and a good CISO can answer both,” he said.
“Security needs a full career path… we are putting this together on how to progress. This is not a post-graduate course, it is for those who want to get to the next level.”
This point was raised at the 2011 Gartner security conference by former SAB Miller CISO and 2011 SC Magazine "information security person of the year" Mark Brown, who said that if CISOs do not engage their board, they could lose "chief officer" from their job title within five years and that they needed to become business enablers.
Back in January, Jones spoke at the Infosecurity Europe press conference and said that better knowledge is needed at all levels, with a need to communicate and for people to be trained to present issues to a variety of levels.
He said: “The modern CISO has to be comfortable in the modern space, manage conflicting requirements but be aware of business risk and cost implications, and communicate that properly – too much risk and the company fails. The CISO needs to communicate all things to all levels, which is a difficult role as they have to speak geek and business fluently. We have a cultural gap that we need to fill.”
Jones said an undergraduate programme may be added in September 2013. The MSc launching this September is a two-year part-time course, with two modules per ten-week term and a project to be completed.
Jones said: “There will be no exams, it will be marked on professional reports. For the application process, each entrant will be degree-educated with four to five years' experience; it will be a small group so we can evaluate on a case-by-case basis.
“For the first year, we are expecting six to ten people and we will ramp that up as we polish the course; this is not off-the-shelf and it will be much more interactive. There will be two members of staff committed to this and we will get guest speakers in.”
What City is offering is certainly different from other courses in that it teaches business, rather than technical, skills, though a sprinkling of the latter is to be expected. As Jones said, this is the first year of a freshly created course, and put a group of techies together and they will likely talk shop. Getting them to do that with the board instead is what this course aims to achieve.