How to Earn a Master's in Information Assurance: John Orlando, Norwich University
Now it's also a Master's degree program in which instructors base their whole curriculum on helping security professionals get closer to - and rise higher in the ranks of - their companies and agencies.
In an exclusive interview, John Orlando, MSBC Program Director at Norwich University, talks about the school's Masters of Science in Information Assurance, discussing:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. We are talking about information security education today. I am privilege to do be speaking with John Orlando, MSBC Program Director at Norwich University. John thanks so much for joining me today.
JOHN ORLANDO: Thank you very much, Tom.
FIELD: I want to talk with you specifically about your Masters of Science in Information Assurance. Now in today's economy, I want to get your perspective, how important are academic credentials for security professionals?
ORLANDO: Well, academic credentials have become more important in the past few years. When we started the Insurance Assurance program back in 2001, their really were very, very few academic programs in Insurance Assurance. At that time, the major credentials were the professional credentials such as the CISSP. That was considered the gold standard in Information Assurance profession. And at that time, there was only a small number, or at least a much smaller number of professionals that had that credential than have it today. So it was a differentiator in pursuing a job. You may pursue and job and be competing with 10 candidates, and there were one or two other people with CISSP, and that really gave you a leg up.
Now the number of people with CISSP has grown tremendously, as well as other credentials, of course. And what you are starting to see is that when jobs are listed, the CISSP or other credential is simply a baseline for applying. So you'll still get the 10 maybe 20 applications, but now almost everybody will have it. So you're going to need another differentiator and academic credentials have become that new differentiator that may put you ahead of most other people in the pursuit of jobs in the business.
FIELD: Well, let's talk about your specific program in the Masters in Information Assurance. What is new and unique about this program?
ORLANDO: Well, we designed this program specifically to be at a management level rather than a technology level. That is, we saw the need in the Information Assurance field for programs that don't focus on how to configure certain vendors to buy our [product], like a CISCO certification or a Microsoft certification. Certainly, there were other places you could get those from. What we saw was a need for a management level program.
A program that would teach people how to implement an enterprise-wide information assurance program, and this means working with people outside of the IT field. Especially with sort of working with the sort of front line employees because many of the breaches, many of the problems that companies run into are a result of regular employee behavior. You know surfing the internet on company computers and allowing malware and things like that. So we found that professionals need the management skills to implement the policies and procedures to develop an enterprise-wide information assurance program, not simply something that is IT focused, not something setting up firewalls and things like that, but getting the people in the organization on board and working with the variety constituencies outside of the IT arena.
So, our program is designed for management level work. To put yourself into management position and to manage other people, often times managing without authority, which is a real trick. The other thing is that we wanted to make sure that what we teach has always applied to practice. And Norwich University was actually founded 189 years ago by a man who had the theory that if you don't apply what you learn while you learn it, it won't stick. And modern education research has actually proven that. So, we make sure that students apply what they learn immediately, and we use what was at the time and it may still be a somewhat unique case study. That is, our students use their own organization as a case study as they work their way through the program. So, each week is on a different topic, and what they do is they apply that topic to their organization by analyzing their organization in terms of what they are learning. So let's imagine hypothetically, a particular week is on physical threats to the information infrastructure. They'll learn about the regular common threats of fire, water, attack and things like that. And then they'll actually interview the people who are in charge of that infrastructure and they'll ask them, what kind of fire protection do we have? What kind of protection do we have against attack? And they'll write a short paper as part of their course, which gets graded, but it's really an analysis of their own organization. It is, these are the systems we have, these are the deficiencies, and here is where I would recommend changes.
At the end of the semester, or at the end of a particular seminar, I mean, the students gather those individual weekly analyses together into a kind of consulting report that they deliver to their own organization. And we have had students actually promoted prior to graduating from the program, because their organization is getting essentially consulting reports that they otherwise would pay many, many thousands of dollars for, and are actually by implementing these recommendations, improving their security status. So, it is a "win-win" situation. The student gets immediate application of what they are doing. They get experience at a consulting level, and their organization gets the benefit of the results of that case study. So that is something that we implemented right away and I believe it is still somewhat unique within the education field.
FIELD: Well that is interesting because we talk all the time about how technology and security people have to be closer to the business, and you're really forcing them to be closer?
ORLANDO: Yes, exactly, and that's really the focus of our program is looking at information assurance through a business prospective. Because, of course, it is very often the case that people complain that the information assurance or information security folks are putting in a variety of processes that just slow down productivity. That just take up time, and you know just don't produce a business benefit. So we force them to talk to the people who are in charge of these programs, and analyze these programs and systems from a business prospective and make a business case for implementing the policies and procedures. So it meshes with the organization business goals and long-term goals.
FIELD: Now what are the requirements for students entering the program?
ORLANDO: Well, our students must have an undergrad degree, because this is a master's degree. They must also have recommendations, including a recommendation from their employer, and that is probably the most important recommendation. We want to make sure that the employer stands behind the student and says one, we're going to support you in your case study, and two that this is somebody who we think has the skills and the time management skills to put in 15 to 20 hours a week for the next 18 months in their studies. So we really want to get a good picture of the student and by the way I should say, if they can't get permission for a case study we do allow them to do what is called an "Industry case study" where they research their own industry. Let's imagine they are in the finance industry. Instead of researching their own business, they research the industry itself as an alternative. Although, we prefer people do the case study, and the vast majority do.
FIELD: Where do you find, if you can generalize even, students are coming from now?
ORLANDO: Well, the major thing is that they are mid-career working professionals. Our students, I think the average age is like 35. So they're not the 18-year-old -- you know college kids with baseball caps turned backwards in a classroom. They are in their 30s, 40s, 50s, 60s. There are even a few students in their 70s. So they are career people. They've been out there for 10-15 years. Most are already in the information assurance field, or at least to the extent that they have those duties. Maybe they are the IT Manager or the AIT Manager at their business, but as part of that they have information assurance duties and they want to add to those skills. A number of students actually come from the public sector. We get a number from organization every where from the CIA, FBI, to the military and things like that. It's not all private sector, but one thing that is definitely consistent is that these are working adults. These are adults who have families, who have various responsibilities. We understand that we have to serve them as working adults and they have additional needs from the traditional 18 to 22-year-old undergraduate and we have to focus on what those needs are.
FIELD: Well, I think that is a good distinction because these are people that are in jobs, but you've already talked about how they can actually be promoted while in the program and that sort of begs the question. For these people that have got good careers going, what is their career trajectory after graduating from the program?
ORLANDO: Well, a lot of them are looking to move up within their organization. Let's imagine they came into the IT department. They had an undergrad degree, a bachelors in some field related IT. They may have found that in order to move ahead, to move up into the higher level of management position that they need a graduate degree. It's similar to other areas of a business from finance to HR. Often people discover that they need a MBA to make the next step. So, many of these people are looking for that credential to move up to the next level within their own organization. Some people are looking to bridge across to the information assurance folks. If they are in a very large organization and there is a specific information assurance division, they may be looking to join that division. And then a few people are looking to actually just leave the regular nine to five and become consultants. And this case study program that we use is actually a very, very good way of preparing someone for a consulting position, because they are essentially doing the work of a consultant. They are doing the interviews. They are preparing the reports, and what's really interesting about it people tell us that a lot of what consulting is about. They learn through this is knowing who to ask and what questions to ask them, and very often knowing or getting a sense of to what extent do you have to believe their answers, because you may ask one person about a system and then ask someone else about the same system and get a very different prospective because they are different levels in the organization. So, the case study actually teaches them a little bit about what consultants run into when they have to come into an organization from the outside and try to learn about it, and how they just gathering the information which you think would be straight forward is often times the biggest challenge.
So, we do have a number of folks that have moved into consulting and set up their own firms. And sometimes they set up a firm with other students in the program. I can think of at least two or three cases where they have done that, because our courses actually are heavily discussion oriented, and students actually get to know each other very, very well despite the fact that they are spread all over the country. Because they are communicating on a discussion board almost daily during the week, they do get to know each other well and sometimes they will go into business together after graduating.
FIELD: Well, it sounds fascinating. How many students do you have in the program right now?
ORLANDO: At this moment, I believe we have about 150-200 students. We run four seminars a year, and we actually have four start dates every three months. And that is very different from the traditional academic calendar, and that is one of the ways that we have designed it to serve adult students. The traditional academic calendar, the fall semester, the spring semester, and three months off in the summer, works well for the 18-22-year-old who is on campus. It doesn't work well at all for the adult. The adult has to structure their life around their education, and we find that if they take three months off in the summer other things fill their lives and then they have a harder time jumping back into their studies. So we actually run our program, our seminars, continuously for eighteen months so that the adults can structure their lives around their studies on a weekly basis. And they can kind of just stay on that treadmill until the eighteen months are done. And that way we get much, much better retention in that it is something like ninety to ninety-five percent of the students who start the program finish, which is very, very important obviously for an adult. They are paying for their education and they want to make sure that the money isn't wasted.
So, it's kind of a round-about way of getting back to the answer. We have a couple hundred students right now and we bring in probably about fifty new students at each new entrance dates, which is four times a year.
FIELD: John, one last question for you. Where can people go to find out more about this Masters of Science and Information Assurance program?
ORLANDO: Yes, just our website,www.Norwich.edu. That is the Norwich University general website. And when you get to that, you're going to find kind of a big gold-ish emblem that says Norwich University School of Graduate Studies, and that is what the Information Assurance program is run out of. We actually have 10 online Masters Degrees and all the degrees are focused on working adults, so go to the Norwich home page and you'll find the School of Graduate Studies and in there you'll find all the information you need of our MSI program.
FIELD: Very good. John, thanks for your time and your insight today.
ORLANDO: Thank you very much, Tom.
FIELD: We've been talking with John Orlando, MSBC Program Director with Norwich University. For Information Security Media Group, I'm Tom Field. Thank you very much.