‘The Thing That Should Not Be’ – MBA effect in Information Security?

Title inspired by ‘Metallica’

As I’m listening to the Harvard Business Ideacast (and the lovely voice of Sarah Green) while also reading my usual feeds, I remember a particularly interesting show which was broadcast in early 2009. Triggered by his article “America’s monumental failure of management”, Prof. Mintzberg was on the show to discuss the possible impact of the popular M.B.A. programs and their graduates on the global state of the economy. He’s not alone with this view; Matthew Lynn took the same line in his article “M.B.A. Schools Have Nothing to Offer in New World”, which was picked up by SiliconIndia, providing some additional commentary on the topic. Naturally the supporters of M.B.A. programs objected to this conclusion, but I can’t help thinking there might be at least some truth to that theory.

Now why do I bother mentioning this on the blog? Maybe it’s just me, but I have an eerie feeling that there might be similarities between the rise in popularity of M.B.A. programs towards the end of last century and the situation we have today with Information Security programs. It seems not that long ago that Fred Piper started his Information Security program at Royal Holloway; basically the only academic program at that time and still one of the most respected. Since then the demand and, along with it in the best free-market manner, the supply of academic information security programs have flourished. A quick look at the directory of computer forensics education over at Forensic Focus (and that’s just the relatively small area of computer forensics) should give an idea of how much of a hot topic for academia this has become.

Looking at how difficult a time academia had and still has transferring relevant computer and Information Technology skills to students, I’m kinda sceptical about the level of quality and dedication most of these InfoSec programs provide. Information security is, as most readers would probably agree, a very challenging area which requires not only a lot of experience to teach properly but also constantly updated skills to stay relevant. Can all these programs created in the last couple of years deliver on this satisfactorily? Do they have the experience in their faculty to create and maintain a relevant program and teach it to students? Who knows.

To be fair – most universities only react to the demand out there. Articles such as the New York Times’ “Wanted: ‘Cyber Ninjas’” or ComputerWorld’s “The 10 best IT jobs right now” do their part to ensure the demand for these programs does not dry up soon. Unsurprisingly this also attracts soon-to-be experts who are not really interested in the topic but see the financial potential, or haven’t decided on their career yet and just go with the trend. Having finished one of these programs not too long ago myself, I could take away at least a limited impression of the typical student and program content. Sure, there are some smart students, some even motivated and with an interest in InfoSec, but if I’m honest many were more concerned with their CV or ‘when do we learn how to hack’ than with security principles and basic knowledge.

So should we fear hordes of passionless ‘Security M.B.A.’s who don’t really care what they work in and are just in it because companies are willing to pay good money? Nah, we would have seen that happen before in the finance sector or IT sector … oh.