Abstract Introduction What Does Industry Need?

Transcription

1 Connecting Information Systems and Cybersecurity Education with the Demands for Cybersecurity Experts in Modern Firms Jason G. Caudill, PhD Associate Professor of Business King University Abstract: The rapidly changing cybersecurity environment in which today s businesses operate is demanding additional resources in the field of information systems generally and specifically in the preparation of cybersecurity professionals. This paper examines the shifting demands of information systems professionals, the needs of industry, and the structure of information systems program delivery in higher education. The goal is to begin a discussion of how to best develop information systems academic programs to provide qualified, effective information systems professionals to today s businesses. Introduction The past year has, very publicly, exposed the risks that are faced by commercial enterprises and their customers from the growing threats of cybercrime. Data breaches at major American retailers have become unnervingly familiar, with up to 70 million customers impacted by the Target Corporation data breach discovered in December of 2013 (Target Corporate) and 56 million customer payment cards potentially compromised by the Home Depot breach that was discovered in September of 2014 (Home Depot, 2014). Other recent breaches include Neiman Marcus Group, Supervalu grocery stores, and P.F. Chang s China Bistro (Sidel, 2014). Sidel (2014) also cites Javelin Strategy & Research s 2014 fraud report indicating that there was a 45% rise in customer fraud losses in 2013, totaling $16 billion. With fraud losses mounting, and attacks increasing, there clearly needs to be some action taken. This is necessary for a variety of reasons. Ethically, as responsible corporate citizens, retailers need to make their best efforts to protect the privacy and security of customers who trust the company with their business. Competitively, to best serve their shareholders, companies need to provide customers with assurances that they are safe doing business with the company in order to retain and attract consumers to the business. These needs, necessary in a rapidly changing competitive and security environment, require businesses and business leaders to become more knowledgeable about cybersecurity in general and the qualities of cybersecurity specialists, their future employees, in particular. The goal of this paper is to present the current state of information systems curriculum and how that curriculum addresses the needs of today s businesses. Going forward there will be an ever- increasing need for business and higher education to partner in developing these experts and keeping everyone in the process up to date on the most recent developments. By understanding the academic process as well as the needs of academic institutions business leaders will be better positioned to provide information to the universities and assist in developing the best information systems and cybersecurity experts that are needed in industry. Information Systems programs in general will be the primary point of discussion as cybersecurity is most often an emphasis within the broader program. What Does Industry Need? At the most basic level it is clear that industry needs more experts in cybersecurity. The Bureau of Labor Statistics projects 37% growth in the demand for information security analysts from and 2012 median pay, the most recent year of available data, averaged over $86,000 per year. This is a high growth rate, and high rate of pay, for professionals that are increasingly necessary for today s business environment to succeed. The question for businesses and universities is one of what these in- demand professionals need to learn in order to deliver appropriate value to their future employers.

2 In a 2013 study Amadi and Born identified that employers want Information Systems (IS) graduates to have skill sets in both business and technology, with the top three categories, ranked by importance, being: knowledge of business ethics and privacy issues, IS security, and client- server database. These categories are a very close reflection of just what went wrong in the breach events cited earlier. The security of customer information certainly concerns both ethics and privacy, and the mechanisms to best safeguard that privacy are through IS security, in particular the secure data exchange between clients and servers, the process of which is where customer information is exposed to possible interception and theft. In the area of business skills the Amadi and Born (2013) study also explored what business skills were recognized as important in IS professionals by employers. Ranked behind business ethics and privacy issues were the categories of the general business environment and business models. This is an important point as a skilled IS professional is not only a technologist. Rather, to effectively build and maintain secure systems that serve the needs of a business the IS professional needs to understand business concepts and business models. Effectively addressing these needs is a challenge for both academic programs and companies, with communication between the two being a key to successful preparation and practice. Legier, Woodward, and Martin (2013) explain that the rapid changes experienced in IS as a discipline demand frequent updates to curriculum to best match the demands of the workplace. Their study also discovered a rating of only 3.54/5 from employers on the quality of preparation new IS graduates brought to their first job. This identifies a disconnect between industry needs and academic content and sets the stage for the challenge of partnerships between the two sectors. To best begin addressing the disconnect, an explanation of how the education and development process functions will help executives to understand how to best inform and partner with universities. Developing New Cybersecurity Professionals Training competent cybersecurity professionals is a complex and time- intensive process. Martin & Woodward (2013) suggest that the United States may not have the capacity to train the number of professionals needed. Simply defining the academic program connected to cybersecurity specialists can be difficult, as the names of the discipline, the academic unit in which the discipline is housed, and the content of a cybersecurity program is different in different universities (Sharma, Murphy, Rosso, & Grant, 2013). Sharma, et. al. (2013) also note that there is little research to date on what industry actually wants from graduates of a cybersecurity program, a fact which further complicates the task of supplying companies with the needed help to address the problem of security breaches. To understand how these future professionals are being trained the first step may be to examine the ways in which IS and cybersecurity curricula are being designed. The history of such curricula is longer than many in industry might expect, with the Data Processing Management Association (DPMA), which later became the Association for Computing Machinery (ACM) actually beginning investigation of the needs for education in computing for business and industry in 1965 (Longenecker, Feinstein, & Clark, 2013). To illustrate just how much change occurs in the teaching of IS, a core factor in the complexity of developing professionals in the field, Longenecker, et. al. (2013) identified a total of 138 skills tied to IS curricula and examined their presence in curricula over a fifty year period finding: by grouping the various skills according to use by the various models, we were able to show that of the 138 total skills, 37 skills were either retired or too new to be included in any of the models. Of the remaining 101 skills, some were common to all programs (35), remaining skills were common for programs up to IS 2010 when a significant number were abandoned (64) (p74).

3 With such constant change IS curriculums, including the training for cybersecurity, need to continually evolve. One approach to successful curriculum development is to build an integrated program that concludes with a capstone exercise providing real world experience in a live consulting environment or something similar. In the author s experience as a program coordinator for a Computer Information Systems program this was the approach; graduating seniors worked with local businesses and other organizations in a semester- long, team- based consulting project to build and deploy a live technical product. This process of integrated curriculum and related capstone project is not, however, a one- time effort. To remain applicable the curriculum needs annual review and adjustments to best address the demands of industry (Reinicke, Janicki, & Gebauer, 2013). As part of this continuing review IS programs must adapt to address the expressed needs of industry. Adding to the complexity of remaining current in the teaching of technical skills there is also a challenge of integrating related skills into an IS curriculum to produce graduates who have a full skill set to satisfy the needs of employers. Beyond the technical skills, today s IS practitioners also need interpersonal skills and an understanding of business operations and organization strategies (Simon & Jackson, 2013). This mix of necessary, and constantly evolving, skill sets poses very real challenges to both education and industry. The placement of such programs inside universities, and the informing of such programs by the corporate bodies hiring the graduates, will be of paramount importance going forward. Degree Program Placement and Partnerships The evolving operating and security environment faced by today s businesses poses challenges to professionals and also to educators. The mix of skills demanded of IS professionals makes the program a difficult one to place in the academic environment. From a technical perspective the program is a natural fit for a College of Arts and Sciences in a modern university. Computer Science programs are often found here, as are departments of Mathematics, both of which contribute to the discipline of Information Systems. The demands for communication skills may also fit into the Arts and Sciences model as the study of literature, rhetoric, and other related disciplines are often housed here. The contrasting view to the Arts and Sciences model is to house an IS program in the College of Business to serve the need to provide IS professionals with an understanding of business strategy and business models. These are topics that are generally not found in other areas of a campus. Colleges of Business also have traditionally included technical skills including quantitative reasoning and business transaction processing. Colleges of Business also incorporate business communication skills into their curriculum, focusing on professional communication in both oral and written forms. Additionally, much of the demand for IS professionals comes from the business community where graduates will be working to support and create business operations. The linkage between IS and Colleges of Business also extends well beyond campus. Business schools traditionally do very well in placing students in internships and other live business environment experiences as part of their education. Combined with the usual practice of business faculty being actively involved with organizations as consultants, board members, or networking with businesses for research purposes placing an IS academic program inside a College of Business provides for the active exchange of information that is necessary between industry and IS to prepare students with the proper mix of skills for success as graduates in the workplace. As has been indicated through the literature there is great variability in the content and placement of IS programs. The variability of curriculum can be expected as different programs are reacting at different paces to different shifts in the work environment. The placement of the programs in academic schools, however, could be better standardized in response to the identified needs of companies. For most academic disciplines there is standard placement across most universities. It

4 appears, based on the expressed needs of industry, that IS needs to be either housed in, or at a minimum partnered with, a College of Business to best prepare students with the mix of skills and experiences that are needed for successful professional practice. Conclusion The relationship of training and practice in the field of Information Systems is a very challenging contrast of cultures. While academic practice generally evolves slowly, IS programs are under pressure to better adapt to an increasingly rapidly changing business environment. Placing IS programs consistently inside of Colleges of Business may not be the only solution to the challenges being faced today, but it is an effective and natural fit. Just as IS has moved from being an ancillary activity to a core strategic element in businesses it will be necessary going forward for IS programs to become a core element in the degrees delivered and awarded by Colleges of Business. Making this shift will better prepare IS professionals, better serve businesses, and by extension better serve and protect customers in an increasingly dangerous cybersecurity environment. References Amadi, E. & Born, A. (2013). Information systems programs and business needs: Case study of a midwestern university. Research in Business and Economics Journal, 7, p Bureau of Labor Statistics. Information security analysts. Occupational Outlook Handbook. Retrieved from: and- information- technology/information- security- analysts.htm. Home Depot. (2014). The Home Depot completes malware elimination and enhanced encryption of payment data in all U.S. stores. Retrieved from: Legier, J., Woodward, B., & Martin, N. (2013). Reassessing the skills required of graduates of an information systems technology program: An updated analysis. Information Systems Education Journal, 11(3), p Longenecker, H., Feinstein, D., & Clark, J. (2013). Information systems curricula: A fifty year journey. Information Systems Education Journal, 11(6), p Reinicke, B., Janicki, T., & Gebauer, J. (2013). Implementing an integrated curriculum with an iterative process to support a capstone course in information systems. Information Systems Education Journal, 11(6), p Sharma, A., Murphy, M., Rosso, M., & Grant, D. (2013). Developing an undergraduate information systems security track. Information Systems Education Journal, 11(4), p Sidel, R. (2014). Fraudulent transactions surface in wake of Home Depot breach. The Wall Street Journal. September 23, Simon, D. & Jackson, K. (2013). A closer look at information systems graduate preparation and job needs: Implications for higher education curriculum enhancements. World Journal of Education, 3(3), p

5 Target Corporate. Retrieved from experience/payment- card- issue- FAQ.