Q&A: How to Train Non-Security Managers
Insights from Kent Anderson of Encurve LLC
Recently, we received this question: What training programs are out there to help non-security managers understand the importance of information security to our organizations?
For a response, we turned to Kent Anderson, founder and managing director of Encurve LLC, a member of ISACA's security management committee.
Kent Anderson on Training for Non-Security Managers:
What training programs are out there to help non-security managers understand the importance of information security?
I have found a serious shortage of formal training on information security for non-security professionals. Most of the industry training organizations have 'Intro to Information Security' courses, but they immediately dive into technical details such as Internet protocols and cryptology. Many business schools are beginning to offer curricula in security management that focus on the business and managerial aspects of security, but these are time-consuming, expensive and not directed toward people who are looking for a more basic and fundamental understanding.
What I would recommend is to pursue some self-paced study. There are papers and publications that have been developed to help business managers understand security risks better. Here are a few titles that you might find helpful: ANSI's The Financial Impact of Cyber Risk: 50 Questions Every CFO Should Ask (it's a free download, but it requires registration); ISACA's Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition. Both documents take a strategic business view of the complexities of IT security risks and offer macro-level recommendations.
What questions do you have regarding careers in information security? Please submit them via the "Post a Comment" box below.