There's plenty of room for more educational programs that properly prepare security pros for the challenges they'll face from day one in IT security environments, Stephen Northcutt, president of SANS Technology Institute, an educational organization licensed by the Maryland Higher Education Commission to grant graduate degrees in information security, told InformationWeek. Between SANS and EC-Council, "if we are both wildly successful, we will fulfill perhaps 1% of the market's true need," he added.
For that reason, SANS doesn't see EC-Council University as competition. Northcutt is, however, skeptical of college and university programs that offer only a concentration in security as part of their master's degrees in MIS or computer science. Such programs "are not qualified or equipped to properly prepare the students and end up wasting the student's time and financial resources and do not impart the technical and leadership skills needed to be effective in an era when the threat is at an all-time high," he said.
There are many academic programs that offer advanced IT degrees that treat security as a secondary component. Boston University, for example, offers an Online Master of Science in Computer Information Systems with a concentration in information security. Required courses for this program include network and software security, network management and computer security, and cryptography. Another school, Lawrence Technological University, offers a Master of Science in Computer Science with a concentration in computer security. Required classes at Lawrence include cryptography, distributed database systems and security, and security audit. Neither program's curriculum mentions white-hat (or "ethical") hacking, vulnerability assessment, or computer forensics.
The EC-Council in 2003 began offering certification for ethical hackers as a means of exposing defense-minded IT security pros to the ways in which malicious hackers operate. The next logical step for this form of security training was to introduce it as a formal academic program, Bavisi said. One of Bavisi's goals is to see more companies create CSO positions, even though he acknowledges that it's a fairly new title at most companies. "Over the past 15 years, CSO hasn't been a common title," he said. "You don't find that title at smaller companies."
Today's CSOs are in general well-educated in business, security, or compliance and auditing, and they play a high-level, strategic role within their organizations, Bavisi said. "But information security is a rapidly changing field, and the benefit of having a CSO with a Master of Security Science degree is that you will bridge the digital divide between security executives and their technical teams," he added.
Some companies may be concerned about investing in a CSO, adding an expensive employee to an area of the business -- security -- that's more of a cost center than a revenue generator. Others may be concerned that their employees will go through the EC-Council master's program only to leave for greener pastures when they've completed their degree. "People ask, 'What if I train my people and they leave?' " Bavisi said. "But, what if you don't train your people and they stay? Is paying for talent going to cost more than succumbing to a cyberattack?"
Whether a company should have a CSO depends on its level of risk and the organizational structure. Bavisi pointed out that he's not suggesting that every company should have a CSO or that every security pro should have a master's degree. But with the state of computer security these days, it's clear that an influx of leadership in the security space could only help.