‘The Thing That Should Not Be’ – MBA effect in Information Security?
Title inspired by ‘Metallica’
As I’m listening to the Harvard Business Ideacast (and the lovely voice of Sarah Green) while also reading my usual feeds, I remember a particularly interesting show which was broadcast in early 2009. Triggered by his article “America’s monumental failure of management”, Prof. Mintzberg was on the show to discuss the possible impact of the popular M.B.A. programs and their graduates on the global state of the economy. He’s not alone with this view; Matthew Lynn took the same line in his article “M.B.A. Schools Have Nothing to Offer in New World”, which was picked up by SiliconIndia, providing some additional commentary on the topic. Naturally the supporters of M.B.A. programs objected to this conclusion, but I can’t help but think there might be at least some truth to that theory.
Now why do I bother mentioning this on the blog? Maybe it’s just me, but I have an eerie feeling that there might be similarities between the rise in popularity of M.B.A. programs towards the end of last century and the situation we have today with Information Security programs. It seems not that long ago that Fred Piper started with his Information Security program at Royal Holloway; basically the only academic program at that time and still one of the most respected. Since then the demand and, along with it, in best free market economy manner, the supply of academic information security programs have flourished. A quick look at the directory of computer forensics education over at Forensic Focus (and that’s just the relatively small area of computer forensics) should give an idea of how much of a hot topic for academia this has become.
Looking at how difficult a time academia had, and still has, transferring relevant computer and Information Technology skills to students, I’m kinda sceptical about the level of quality and dedication most of these InfoSec programs provide. Information security is, as most readers would probably agree, a very challenging area which requires not only a lot of experience to teach properly but also constantly updated skills to stay relevant. Can all these programs created in the last couple of years deliver on this satisfactorily? Do they have the experience in their faculty to create and maintain a relevant program and teach it to students? Who knows.
To be fair – most universities only react to the demand out there. Articles such as the New York Times’ “Wanted: ‘Cyber Ninjas’” or ComputerWorld’s “The 10 best IT jobs right now” do their part to ensure the demand for these programs does not dry up soon. Unsurprisingly, this also attracts soon-to-be experts who are not really interested in the topic but see the financial potential, or haven’t decided on their career yet and just go with the trend. Having finished one of these programs not too long ago myself, I could take away at least a limited impression of the typical student and program content. Sure, there are some smart students, some even motivated and with an interest in InfoSec, but if I’m honest, many were more concerned with their CV or ‘when do we learn how to hack’ than with security principles and basic knowledge.
So should we fear hordes of passionless ‘Security M.B.A.’s who don’t really care what they work in and are just in it because companies are willing to pay good money? Nah, we would have seen that happen before in the finance sector or IT sector … oh.
‘Neo Aeon’ – Safer Internet Day 2010 coming up
Title inspired by ‘Tiamat’
February 9th is the official Safer Internet Day 2010! No problem if you have never heard of it. This is a good opportunity to take a break from what you are doing and think about how you can make the internet a safer place – especially for the most vulnerable surfers out there: kids. You don’t have to be a parent to understand that some of those pages you accidentally surf to (or maybe not so accidentally) are certainly not for the eyes of our small ones and that the internet should not be trusted with any kind of personal information.
Parents want their kids to grow up using and understanding new technology, but at the same time they are also concerned about the dangerous side of the internet. Web filtering software – similar to what enterprise users are accustomed to – can be useful to block obviously inappropriate content. This does not, however, relieve the parent from guiding and – to a certain extent – controlling the junior surfer. Considering that some of the best parental control software is available for free, there is no excuse not to take a couple of minutes and make the surfing experience a safer one. It is not very surprising that Microsoft is one of the providers of parental control software, considering their dedication to children and family friendly initiatives. Windows Live Family Safety provides more than just web filtering, whereas BlueCoat’s K9 focuses on their (excellent) content filtering service. There is also TechMission SafeFamilies, which seems to struggle with newer operating systems, however.
Beyond content filtering, security-enhancing add-ons like Trend Micro’s Web Protection, Finjan’s SecureBrowsing or WebOfTrust (WOT) will provide further protection from web-based threats.
More information and tips on how to make the Internet an enjoyable experience for kids can be found on the (co-founded by the European Union) insafe site. Keep in mind – help the kids and you help your future.
‘Slowly Learning that Fact’ – Virtualization Security Training courses
Title inspired by ‘Undertow’
If you are employed by a company of reasonable size you know the drill: new year, new training plans and renewed hope for some budget to fund that plan. After I managed to get on a VMware vSphere course last year, which turned out to be a little light on the security content side, I was looking for a training class that focuses on security challenges in virtualized environments. Not that I have high hopes of getting it funded anyway, but it seems to be quite difficult to even find a training class that would offer this kind of education. Digging through the information available online, I came up with the (rather short and probably incomplete) list below.
SANS 577: Virtualization Security Fundamentals
No surprise here; SANS recognized the need for some kind of formal training and Dave Shackleford designed this 2-day course. I have no idea how good it is, but it’s unlikely a SANS course is anything less than top notch. Sadly, there are no dates for classroom-based training in EMEA at this point.
If I’m not mistaken, this class is Tim Pierson’s and was discussed briefly in one of the last Virtualization Security Round Table podcasts. The course agenda looks promising and covers a lot of ground. Similar to SANS 577, however, it seems to be available only in the US.
ITL Virtualization (In)Security
I’m not sure what the status of this training is; InvisibleThingsLab are looking at the virtualization security topic from a more development/hardware angle, and there is no information available on whether the BlackHat’09 training course ever made it into a scheduled class outside conferences.
Catbird’s Certified Virtual Security Professional
Catbird was early on the market with a certification and accompanying coursework. Unfortunately I have no information on whether this is a vendor-specific training or when and how it is offered. I’d assume mainly Catbird customers will go for this training.
And this concludes the training offerings I was able to find online. I expected at least the ‘big 3’ (VMware, Microsoft, Citrix) to have their own courses in place by now, but so far security seems to play only a minor role in publicly available virtualization training. If you happen to have more details on this topic, please feel free to let me know (Daniel AT virturity dot com) and I’ll update the posting accordingly.
Now let’s see how I convince my boss to fund that SANS course…



