Kelsey Sheehy

Business schools train grad students to handle security breaches and protect customer data

Convenience and credibility are what sold Henry Bromley III on James Madison University 's M.B.A. program.

The Virginia-based mechanical engineer, husband, and father needed a reputable business school close to home that allowed him to balance work, family, and grad school. The program's emphasis on information security was little more than an interesting afterthought.

"I went in merely for the M.B.A.," Bromley says. "I wasn't so interested in information security ... little did I know it would really boost my career."

Bromley landed a position with Booz Allen Hamilton, a government consulting firm, before finishing his Information Security M.B.A. in 2008. Now a senior information security engineer consulting for defense industry clients, Bromley's work is all cybersecurity, all the time, he says.

"This is the real deal. The kind of nuts and bolts on how we can protect our information," and what that information is worth, Bromley says. "I feel like I've stepped into the forefront of it."

James Madison launched its Information Security M.B.A. program in 2000 as a response to industry demand after Y2K panic prompted companies and the government to take a closer look at the security of digital data, says Michael Busing, the school's M.B.A. program director.

Other schools carving out niche business degrees in information security include Colorado Christian University , which pairs in-person business courses with online information security classes from the University of Fairfax in Virginia. DeVry University 's Keller Graduate School of Management also offers an information security M.B.A. via a blend of online and in-person courses, and students enrolled in the M.B.A. program at Ferris State University in Michigan can opt to specialize in information security and networking management.

While the number of M.B.A. programs focused on specific industries increased between 2006 and 2010, those focusing on data and E-business dropped slightly, according to a recent report by the Association to Advance Collegiate Schools of Business (AACSB), an accrediting body for business school programs.

Southern New Hampshire University launched an M.B.A. in information security and assurance, only to discontinue the program a few months later, says Gerard Ross, director of marketing at SNHU. "It was too niche for us," Ross says, acknowledging the program's focus didn't match industry needs in the region.

While New Hampshire is not a hotbed for cybersecurity, Washington, D.C. is. With many of its classes offered in Reston, Va., JMU's proximity to a hub of finance, government, and defense contractors helps sustain the program. Approval from the National Security Agency also adds to the vitality of the program, and graduates receive NSA certification when they complete their M.B.A.

To identify business issues and ensure its curriculum stays ahead of the curve, the College of Business consults an industry advisory board established by JMU's College of Integrated Science and Technology, Busing says. Executives from companies such as Fannie Mae, Freddie Mac, Microsoft, and CarMax, among others, make up the board.

"We pick their brains and say, 'How does this match with what your needs are?'" he says.

The program combines traditional business courses -- such as accounting, finance, and marketing -- with specialty courses such as information security and ethics and computer forensics to show students how protecting data fits into a business model.

"We're starting to look into things like ... how secure is secure enough? What are your risks? And then relating that to ... the financial implications of a loss," Busing says.

In the cybersecurity industry, a loss can be anything from someone stealing government secrets to hackers snatching credit card information.

"Zappos -- recently their credit card information was compromised. Basically, how do you handle that and what does it do to your brand image?" Busing says. "There are a lot more things that you have to try to put a dollar amount on. Some of it is very hard to quantify."

Delving into the monetary value of information was eye opening, says Bromley, the former JMU M.B.A. student.

"What is information worth, what is good to divulge from a business aspect ... Banks do risk calculations and expect a modest amount of fraud and have insurance to cover those loses. It's a business decision," he says.

"You wouldn't be able to make those decisions if you didn't know what the information was worth. In the line of work I do -- we're talking life or death with national security -- it elevates what the information is worth."


Copyright © U.S. News & World Report


Information Security MBA's Teach Business Side of Cybersecurity