Ensure that relevant knowledge is available, current, validated and reliable to facilitate decision making and plan for the identification, gathering, Organizing, maintaining,, use and retirement of knowledge. High level tasks include :-

1. Nurture and facilitate a knowledge sharing culture
2. Identify and classify source of information
3. Organize and contextualize information into knowledge
4. Use and share knowledge
5. Evaluate and retire information.

Cobit has not referenced any Hirotaka Takeuchi & Ikujiro Nonaka’s work on knowledge management

Mich / M. E. Kabay, PhD, CISSP-ISSMP / Professor of Information Assurance & Statistics / School of Business & Management / Norwich University.

I had the unique opportunity to participate in BSISA programs at two different universities. From my experience with the programs, I would like to focus on three major benefits:

1. Practical training
2. Partnership with infosec companies, agencies and organizations
3. Specialized without being too specialized

Practical Training

One of the things that I found especially valuable in the BSISA programs in which I was enrolled was the effective application of practical training. I believe it was mentioned in a previous comment that new graduates often lack real-life work experience. This lack of experience is a potential negative when entering the job market, as employers are often looking for candidates with a strong command of the skill set required to perform the job. Practical training at the university level provides students with early exposure to some of the various techniques and methodologies used in the field. Practical training is an important tool that I feel is well implemented in ISA programs. At Norwich University, one of the senior level ISA courses required the installation, configuration and management of data center equipment (i.e. servers, switches, routers) in a lab setting. Kennesaw State University sponsors a team of students who participate in the Southeastern Collegiate Cyber Defense Competition (SCCDC), a competition where participants are given network and software infrastructure and asked to perform a series of business injections all while defending their assets against attacks launched by real-life professional penetration testers [http://infosec.kennesaw.edu/SECCDC/]. This practical training gives ISA degree holders an intimate understanding of some of the theories taught in coursework. I have highlighted some of the practical training I received in interviews, and in many cases I was able to demonstrate that I had the command of the skill set sought by the potential employer.

Partnership with infosec companies, agencies and organizations

Dr. Kabay mentions in the article above the benefit of professors’ field experience in ISA programs. Most, if not all of my ISA professors at both NU and KSU had an average of about 20-years experience in the infosec field before coming to teach at their respective universities. Besides the points that Dr. Kabay makes, I believe this attribute of the ISA program provides an invaluable benefit to the student in the form of professional networking. At KSU, one of the senior level courses included a series of presentations by industry professionals. There was also a class field trip to a local ISSA chapter meeting. At NU, there was a summer training program with the NSA. Most of these partnerships were made through connections the professors had in the industry. I have found that infosec is a tight-knit industry. Many times, landing the job relies heavily on the professional connections you make in college and in the workplace. I believe that by design, the ISA degree programs I participated in emphasize the importance of professional networking.

Another important parallel to mention with the BSISA programs offered at KSU and NU is the design of the program. I found both programs to be akin to a BS in Computer Science or Computer Information Systems with a security concentration. Unlike getting a degree at a trade school, the programs I participated in took a comprehensive approach to education. I was required to take core courses in English, Mathematics, History, Accounting etc. Both degree programs expanded into more specialized course like Cryptography and Introduction to Information Security & Assurance while staying true to traditional CS courses like Programming and Operating Systems. This is an important feature of ISA programs, because a security professional needs to be technical, but also be efficient in communication and analytical skills.

It is my experience that ISA programs seek to keep much of the Computer Science tradition rooted in a mathematics and science, while preparing students to be security professionals through specialized ISA course, practical training and professional networking.

Going into college, I knew I wanted to be a security professional. I started by majoring in Computer Science at Norwich University. When Norwich started to offer the BSCSIA in my second year, I jump on it, and added it as my second major. I was part of the first graduating class of the BSCSIA program in 2006 at Norwich University. Right out of Norwich, I was hired as a security analyst at a large dedicated security company. In two years, I moved on to become an antivirus researcher there. Simultaneously, I achieved a master’s degree in computer science at a University of California, Irvine. I’m currently a vulnerability researcher at a leading software company in Silicon Valley. I became a CISSP in 2008.

My education in Norwich’s BSCSIA program was a critical part of how I got my start. That education has helped me contribute to information security quickly in my career. In my first role, I helped design and develop a security intelligence service for users of my company’s security software. In my next role, I analyzed hundreds of strains of malware and wrote signatures for users to be protected against them. In my current role, I research vulnerability information and share this with trusted partners who create protections such as intrusion detection and antimalware signatures for our mutual customers. I’m humbled to say that thousands of enterprises and perhaps millions of individuals are more secure because of this work.

The Norwich BSCSIA (NUBSCIA) is a technical degree—with all the non-technical components for a graduate to be a security professional right out of college. Let’s say I had attended a fictive program with the following aspects; this is how I think it would have impacted my work prospects, career, and contributions to security:

If I had got just a BSCS degree , it would have made it really hard for me to perform in my security job on day one, and have diminished my options for career mobility. I would have had to learn the parts of the NUBSCSIA not having to with Computer Science on my own. Possessing the science but not its applications, I would possibly have been set back five years.

If the NUBSCSIA were all about security training with little about Computer Science, I would have been the security worker’s analogue to a mechanic, instead of its analogue to a mechanical engineer. I could have done technical work, but would have lacked appreciation for background or scientific detail. I would be less innovative. Research positions would have been out of my reach and my career development would have slowed.

If the NUBSCSIA offered solely security, with little regard for classes on criminal justice, business, and social science , I wouldn’t have seen the big picture. I could have got the hows but not the whys of my job. Without understanding how information security serves an organization and society, and depends on people, I could have got into technical positions but would have suffered to perform non-technical aspects of the job, such as interfacing with management.

I’m a security professional today, just as I had planned going into college. Within five years of graduating from college, I have already contributed to improving security for all. This wouldn’t have been possible without the education I received as part of the Norwich BSCSIA.