When Coventry University ran its MBA students through a simulated cyber attack, few of them knew what to do, and most expected IT professionals to take the lead.
“You put a team in a room and tell them, ‘You’ve been attacked, what do you do?’ And usually everyone turns to the techie guy,” says Anitha Chinnaswamy, course director for Coventry’s Cyber Security Management MBA.
This is exactly the mentality Ms Chinnaswamy and others want to change. As cyber attacks become a daily part of corporate life, everyone on the management team needs to understand how to prevent them. “Security now lies in both technology and policy, process and people,” she says.
Global enterprise security spending is expected to reach more than $96bn in 2018, according to Gartner, an increase of 8 per cent from 2017. Most of the training element of this focuses on technical skills, but some argue that this alone is not enough.
“Technical skills . . . by themselves are not sufficient to achieve effective cyber security,” says Alan Brill, senior managing director for cyber security and investigations at Kroll, the security company. Preventing breaches, he says, relies as much on managing the online behaviour of employees as installing firewalls.
Moreover, because cyber attacks have financial, legal and reputational implications, professionals from an increasingly wide range of corporate functions need to understand the threats and how to prevent or respond to them. “Each MBA programme should have at least some content on cyber security,” says Mr Brill.
For now, this remains a long way off. However, some schools are responding. In the US, for example, the University at Albany’s business school offers a full-time MBA specialisation in cyber security, covering both managing risks and analysing security incidents. Among the online courses offered by Florida Tech is an MBA in cyber security.
Coventry University was the first to offer such a course in the UK. Launched in 2015, the Cyber Security Management MBA is taught through face-to-face workshops on campus as well through online content. Topics include strategic thinking and analysis, network security, crisis communications and international cyber and digital law.
From September, the university will have cyber security MBA students and regular MBA students studying core subjects — such as finance and marketing — together, with additional modules available for those with the security specialism. This will allow for a broader exchange of knowledge and experience between professionals from different backgrounds, says Ms Chinnaswamy. “It’s the networking aspect,” she says. “It gives them an opportunity to interact with each other.”
While some of the students on Coventry’s course are security experts, most come from a range of industries and functions, with few having extensive or specialised technical knowledge.
By contrast, the students taking the MBA on cyber security at London Metropolitan University are professionals who manage cyber security departments or processes. To take the course these students must have a background in computing or a related discipline.
“They want to blend management knowledge with the specialist area they’re in,” says Hazel Messenger, MBA course leader at London Metropolitan. “They’re wanting to sit at a board meeting and to understand what the guy from marketing and finance is saying.”
The Coventry and London Metropolitan courses reflect the need for two different types of cyber security management courses. One for strategy, operations or finance executives who are moving into the cyber security side of the business and another for professionals with a technical background who are rising through the ranks of senior management.
“Someone from a technical background might need help in understanding the geopolitical environment or strategic decision making, whereas the business person might need some help in understanding network architecture,” says Tim Ogle, cyber security expert at 7Safe, a division of PA Consulting that provides cyber security investigation services as well as training.
Business schools are not alone in teaching the management side of cyber security. At Texas A&M School of Law, a master of laws degree in risk management includes a course in cyber security, which Mr Brill teaches.
Regardless of sector, he says, cyber security education needs to expand beyond the realm of computer science. “Organisations that consider cyber security to be a technology problem — something that can be offloaded to the ‘techies’ — are almost guaranteed to have incidents.”