George Mason University's School of Management and Volgenau School of Engineering recently were awarded a $500,000 grant from the National Science Foundation (NSF) to develop Chief Information Security Officer (CISO) core competencies and then apply the results to establish learning objectives and curricula guidelines for cyber security leadership education programs. In addition, the grant provides funding for developing online cyber security leadership courses and ultimately to develop an online version of Mason's existing cyber security program, the MS in Management of Secure Information Systems (MSIS).
The research funded by the NSF grant seeks to answer the question of what core competencies are critical to cyber security leadership effectiveness. Cyber security is changing as a field, with an increasing need for leaders with a multidisciplinary background spanning leadership, management, policy and technology. Cyber security is starting to be viewed as a key element of organizational strategy, and cyber security leaders are expected to communicate effectively about enterprise risks to other executives and corporate boards.
Managing the project are Angelos Stavrou, associate professor of computer science and associate director of the Center for Secure Information Systems at George Mason University, who is the principal investigator (PI); J.P. Auffret, director of Mason's cross-disciplinary cyber security program, who is a co-principal investigator (Co-PI); and Brent Kang, associate professor of the Graduate School of Information Security at the Korea Advanced Institute of Science and Technology (KAIST) and associate professor of applied information technology at Mason in 2012, who is also a Co-PI.
Stavrou, Auffret, and Kang's backgrounds for the project range across technology management and cyber security engineering and policy. Auffret is also the director of Mason's MS in Technology Management program—which is a founding partner of the U.S. Government's CIO University and has already established core competencies for CIOs—and co-founder of the International Academy of CIO. The group has previously had cyber security research funded by NIST, DARPA, DHA, IARPA and NSF.
In order to develop the CISO core competencies and learning objectives, individuals from academia, government, and the private sector will join together to share their expertise and exchange best practices in structured interviews, workshops, and focus groups. These will not only explore and establish the core competencies that are critical to cyber security leader effectiveness, but also measure how cyber security leaders spend their time (priorities, functions, activities, etc.), and what organizational dimensions are factors in cyber security leader success.
Auffret said, "While this approach has been used in the past by the U.S. Chief Information Officer (CIO) Council in mapping CIO core competencies to CIO education programs, this approach has not been applied to this extent to cyber security leadership education. The ultimate goals are to strengthen and institutionalize the role of the CISO and to continue to enhance cyber security leadership education curriculum in line with the changing role of the CISO."
Richard Klimoski, professor of management and psychology, Roy Hinton, associate dean of executive education in the School of Management, Goodlett McDaniel, associate provost of distance education at Mason, and Danny Menasce, university professor of computer engineering, are also integral to the project with expertise and experience in leadership and leadership development, research methodologies, online education, cyber security, distributed networks, and multidisciplinary education.
The research project will continue through July 2015 and results of initial workshops and focus groups will be available in the spring of 2014.
The core competency research results will be disseminated to academia, government and the private sector through workshops, publications and at a Cyber Security Leadership Education Forum with the goal of adoption in the private sector and government. Stavrou, Auffret, and Kang plan to continue hosting annual Cyber Security Leadership Forums after the completion of the grant to provide an ongoing means for academia, government, and the private sector to update CISO core competencies, learning objectives, and curricula guidelines and to foster and expand capacity and access for cyber security leadership education.
Stavrou, Auffret, and Kang also plan to promote the learning objectives and curricula guidelines to universities as a set of best practices and metrics to assess and enhance cyber security leadership programs.