Citing a need to increase the professionalism and non-technical skills of IT security professionals, officials from the SANS Institute unveiled two new master’s degrees in Information Security Management and Information Security Engineering. The academic programs, definitely unique in the world of credentialing organizations, will be administered by the newly formed SANS Technology Institute, which was unanimously approved as a separate, degree-granting institution on Nov. 16 by the Maryland Higher Education Commission.
“That means SANS can grant masters of science degrees in the same way that John Hopkins University or New York University can,” said Alan Paller, the SANS Institute’s director of research. He added that his organization is distinctively qualified to offer such a program because of the quality of SANS instructors and subject-matter experts. “We have an academic program led by people who actually know what the attacks are.”
Still, the new master’s degrees will be something of a work in progress for a while, said Stephen Northcutt, president of the new SANS Technology Institute. “We have no illusions that we have all the answers,” he said. “The SANS Institute is on a journey. SANS has had the fortune to be considered thought leaders in the information security space and to have really wonderful people who have lots of experience in the industry who share that with others. They have lessons in leadership that they can share with them.”
The SANS Technology Institute’s academic programs will be 30 credit hours apiece and will take about two years to complete. “It has a residential component, where the students come with other students to learn as a group, so that they have the time to build a community and network,” Paller said. “The other half of it is distance learning, but a very active, synchronous distance learning, except for people who are deployed in military situations or something like that.”
The overall cost for one of these degrees will run about $28,000, which seems steep compared to certification, but not when measured against typical master’s programs at private universities. “This is a big commitment by the students and their employers,” Paller said. “The students have to have substantial experience in the field, and their employers have to say that they are the people being groomed for management. There’s no point in investing this much in people who aren’t going to be able to take on the management responsibility.”
The first degree, Information Security Engineering, will be aimed at more technically minded professionals in IT security, Northcutt said. “We’re not going to kid anyone. This is going to be extremely difficult degree to get,” he said. “It’s harder to get than our highest certification in GIAC, the GSE. We’re hoping that as companies and government agencies decide they need to take it up a level, they’ll invest in their people and give them some time and support to be able to walk this very long path.
“The second degree is a management degree,” he added. “If you are a manager, you’re probably working 50 to 60 hours a week. How in the world are you going to keep your technical skills to the level they need to be, and how are you going to increase them as threats increase? We want to have a program to help kick-start managers to get to the level they need to be, so that they can be effective in the workplace. Our goal is to take it up a level and push people to write journal-level papers. We’re hoping to take the results of the research methodology and make sure we’re creating a generation of communicators.”
IT security pros might not be accustomed to intense study of topics like project management, legal issues and marketing security solutions, but these skills are fundamental to the future vitality of the field, Paller said. “One of the things we’ve found when we’ve tried hard to talk corporations and government agencies into making changes to defend themselves is that some of the people who have been managing cyber-security are wonderful, but many have been forced into those jobs from other jobs when they had no background in cyber-security, no background in the technical nature of the attacks and no management skills,” he said. “They hadn’t ever learned how to present proposals to management, how to negotiate, and how to do speaking and writing. When people don’t have that knowledge, they have a lot of trouble persuading their organization to take action.”
Applications are currently being accepted for the first classes, which will have the capacity for several hundred students. The courses will commence in February next year.
For more information, see http://www.sans.edu.