Security Academic Degrees: Feather Your Nest

While certifications are great, they won't get you into the boardroom. But one-stop shopping for a security education isn't there yet. It's up to CSOs to help change all that.

June 01, 2004 — CSO — College is good. You get everything you need in one place. Classes. Peer networking. A meal plan. And a degree that proves you're qualified. But for the security executive, college is not goodwell, not good enough, anyway. Yet. Because right now, there's no one degree that will land you a C-level security job. In fact, CSO might be the last executive-level position that requires you to cobble together your own education. "For new folks, the training ground doesn't yet exist," says Howard Schmidt, CISO of eBay. "There is no CSO institute. And colleges offer only an Ã la carte menu."

Today there's no one place for you to get your CSO credentials. "The job description and skill set requirements are still in draft form," Schmidt says.

And that job description keeps expanding. A full-blown CSO position now includes such diverse security staples as video surveillance and network intrusion detection; but it also encompasses risk measurement and analysis, regulatory compliance, outsourcing, workplace violence and homeland security.

To put your current career on hold while embarking on any postgraduate program is daunting enough—and where would you find such a broad-ranging curriculum? Academia seems poised to develop programs, but so far, the pace is slow. You need to go to one place for your security expertise and another for risk management training—not an easy thing for the professional to do.

The information security community may be a bit further along when it comes to advanced academic degrees appropriate to executive-level security leadership. In fact, several programs offering an MBA in information assurance are under development. (For more on academic pedigrees in corporate and physical security, see On-the-Job Training.) Many CISOs emphasize that the ideal CSO skill set includes a strong technology background coupled with a strong business sense. CSOs need to combine an understanding of risk management and governance with an awareness of legal and regulatory issues, and they need to know their audience, says Steve Katz, president of Security Risk Solutions. "It's a C-level job. And if we lose sight of that, we lose sight of the position we are filling."Getting There From HereIt was 1999, and John Petrie was the technical services manager at Sprint. Petrie began his career with a bachelor's degree in international studies and military intelligence, but came to a crossroads the day his boss doubted his aspirations. The boss told Petrie he'd never rise to the executive level because security personnel didn't understand the business. Today, however, Petrie is the CISO of the University of Texas Health Science Center at San Antonio. He had plenty of technical skills, certifications and experience. "But I didn't have the business theory; the know-how to do budgeting and accounting," he says. So he got an MBA.