Got your MBA study guide yet? More infosecurity pros are going back to school and chasing down a graduate business
Jesse Horowitz is a techie at heart, someone who five years ago said no to business school for a BA in math with a concentration in scientific computing.
More information from SearchSecurity.com
Peruse our Course Catalog for free information security training on intrusion defense, SOX compliance, email security and more.
Visit our resource center for tips and expert advice on security certifications, training and careers.
The 27-year-old Kenyon College graduate parlayed his technical tendencies into a management job with Wells Fargo Services' security operations center in Minneapolis. There he has led security remediation and policy compliance teams, and currently manages security monitoring and architecture for the financial services giant.
Techie stuff, no doubt. So why is the famous Kaplan GMAT book prominent on his desk? He's going back to school.
Horowitz understands what many security professionals are starting to realize. Technology chops aren't enough to succeed in the information security profession. Those with an MBA have a wider pathway to the CISO's office and higher up the corporate ladder.
"It is a trend. You can't be an effective career infosecurity person without business knowledge," Horowitz says. "You have hardcore techies--engineers and analysts--those guys are gear heads, and we need them. They make the ship run. On the other hand, people in leadership positions have to have [business] ability. We try not to stick an engineer in front of an executive on an all-night call, for example. Get a manager in there to interpret what's going on so that everyone is on the same page."
More security pros are packing their book bags and as a result there is a noticeable increase in academic programs to meet that demand. Many offer continuing education in information assurance with core requirements or electives that gravitate toward business skills.
Carnegie Mellon University's Information Networking Institute (INI) offers graduate degrees in information secu- rity technology and management. Business management courses in risk analysis and management, along with electives in privacy, complement traditional technology courses. The SANS Institute has been licensed in the state of Mary-land to confer graduate degrees in information security engineering and management. The NSA's National Centers of Academic Excellence in Information Assurance are 75 accredited schools in 32 states offering the same mix of business and technology training. Even (ISC)2, keeper of the CISSP certification, has recognized the trend and added sessions for security pros on presenting to the board and sharpening communication skills, "the softer skills," according to Dr. Corey Schou, (ISC)2 board of directors vice chairman.
"Traditional computer science and engineering students have no business acumen and policy insight," says Dena Haritos Tsamitis, INI director. "Our students are sought after by companies. They're foremost engineers with sound technical foundations--and business and policy skills."
Arguably the biggest drivers are government and industry regulations. CEOs don't see the merits of incarceration, and have funded compliance programs to ensure controls are in place to safeguard customer and corporate data. Techies with audit or Six Sigma skills are prime targets for six-figure salaries as a CISO or chief risk officer.
"What we're finding is companies asking for program managers and people who can tie together disparate security aspects of a company's business units, manage the entire function and present that package to the board or senior executives," says Joyce Brocaglia, CEO of Alta Associates, an executive recruitment firm specializing in information security.
It's About Risk, Not Threats
Draconian permit-deny security programs are extinct in the enterprise because network perimeters have disappeared. Busi-nesses don't function without interaction and connectivity between partners, suppliers and customers, and security pros have to enable these relationships without hindering the bottom line. Horowitz is finding out that the secret to facilitating those relationships may lie in the pages of the Kaplan book.
"You have to partner with business units," Horowitz says. Wells Fargo, with 140,000 employees worldwide, centrally manages its IT back end, meaning from an operations perspective, security planning and architecture must also be done centrally. "That means you have to be business savvy and understand time-to-market ratios so that products are profitable, yet still address risk," he says.
Being business savvy means learning not only a new set of large-scale financial skills, having comprehensive regulatory knowledge and understanding legalese, but learning how to talk with business unit managers.
"You have to speak to business units on their terms, and those terms involve customers, customer experience, time to market, profitability and risk. Everything we do is around a risk-based methodology," Horowitz says. "And that's a change because security professionals deal in threats, not risk."
Horowitz, for one, seemed destined for an MBA. Coming out of college in Ohio, he started with Wells Fargo's leadership development program, and after a year of management training, he was entrusted with starting a security remediation and policy compliance team. Horowitz has set a three-year timeline to earn his MBA.
"The CISO needs to be a coordinator and pull processes together and make sense of the regulatory environment," Horowitz says. "You also need to know what write-offs are; what can you depreciate and capitalize; what are incremental spends. It's not just, 'Do I have money,' but 'How do I fit into the moving target that is a budget of this magnitude.'"