Article Preview
TopIntroduction
During the last two decades, the impact of security concerns on the development and exploitation of Information Systems (IS) never ceased to grow, be it in public or private sectors. In this context, information security management has become paramount as demonstrated with the new ISO 2700x series (ISO/IEC 27001, 2005) dedicated to the set-up of Information Security Management System and the existence of over 200 practitioner-oriented security and risk management methods (see Dubois et al., 2010).
Information System Security Management helps companies identify and implement security requirements in a cost-effective manner. Indeed, security threats are so numerous that it is outright impossible to act on all of them, because (1) every technological security solution has a cost, and (2) companies have limited resources. Hence, companies need assurance that they adopt only solutions that will provide significant Return on Investment. This is done by comparing the cost of a solution with the risk of not using it, e.g., the cost of a business disruption due to a successful security attack. In this sense, security management plays an important role in the alignment of a company’s business strategy with its Information Technology strategy. Because of this business/IT alignment dimension, the job profile associated this responsibility requires to combine technological competences together with business oriented ones. This twofold orientation makes difficult to find adequate persons, that we will call Chief Security Officer (CSO) in the rest of this paper.
This conclusion applies in Luxembourg where there are many technologically security oriented persons but only a few with the required business and management expertise. Thus a need for a specific education dedicated to CSO was identified. First, we further develop the context regarding the identification for these needs and also the motivation for introducing a university Professional Master programme instead of a professional certification. Once this decision taken, the next question was about the content of the programme. This was evident that a multidisciplinary programme is required but its precise content has still to be designed. This is where our Tudor centre, a research public entity dealing with technology transfer and innovation, has been contacted because of its expertise in the design of training content meeting requirements for the development of new competences. For many years, Tudor centre has developed an expertise in previous projects focused on ICT related job profiles evolutions. This expertise is formalized into a rigorous and systematic method supporting the elaboration of a job profile skills card based on a set of iterative processes combining information capture methods such as interviews, focus groups, and information watch techniques. Then, we further detail this method together with its application to the elaboration of the skills card associated with the job of a CSO. Finally, before we conclude, we report on the elaboration of the programme in such a way that each lecture is meeting some of the requirements elicited in skills card and that the complete programme achieves the goal of capturing all of them.