Several years ago I worked on developing a curriculum for a master’s degree in information security. The choice we faced at that time was to find a middle ground between an “MBA with a security minor” or a technical focus similar to SANS. Our original idea was to strike a balance between the two: that is, to focus on the technical knowledge and background that a technical lead in information security would need to know and do, while combining that with the background to take on a technical leadership role within a security organization.
An example will clarify this. We did not expect that our students would complete the curriculum knowing how to configure an XXX firewall. We did expect that the student would know what a firewall is and what it does, and be able to explain how various firewall rules affect the flow of traffic. So, for example, we expected our student to understand the statement “Block all incoming TCP connections that aren’t associated with a connection request from “inside” the network.” and be able to communicate this to a non-technical audience (e.g., “We don’t allow folks from outside our network to connect to our internal servers.”)
Under a new administration, the program changed focus to a more “business” oriented program, focusing on risk management, eGRC and the like. All technical courses were designated as electives, except for a two-semester course that covered the (ISC)2 CBK. It was possible to achieve a master’s degree without ever being exposed to issues such as cryptography, network security, software security testing and so forth beyond the material covered in the (ISC)2 CBK.
I don’t object to the role of the CISO or the CSO, nor do I object to the technical roles of a network security analyst or systems administrator. However, I strongly believe that there needs to be an individual who is able to communicate effectively with the suits and the T-shirts. The proof of the pudding is indeed in the eating, and a corporate GRC policy is only as good as the implementation of that policy.