MBAs with Cybersecurity Specialism Urgently Needed

Cybersecurity has become a hot topic in recent weeks with the US government accusing Russia of hacking Democratic Party emails and of interfering with its presidential election. Cybersecurity fears were not allayed when in the same month sites such as Twitter, Netflix, CNN, the Guardian and Reddit were brought down by widespread internet disruption, the result of a new kind of malware that infects computers and turns them into a remotely controlled network of ‘bots’. We appear to be entering an era where science fiction meets a new science reality.   

With an increasing number of cyber-attacks reports entering the public domain, there has been an incremental awareness of the need for this type of threat to be managed reliably, not just by governments but also by businesses, universities, and, well, everyone. An illustration of how a gross lapse in business oversight can turn into a large-scale debacle is this month’s cyber heist of the UK’s Tesco Bank in which 9,000 customers are believed to have lost a total of £2.5 million (c. US$3.1m). Security specialists are said to have repeatedly warned the bank of vulnerabilities in their mobile app software, advice that senior management allegedly ignored.  

We are living in an increasingly tech-savvy world where almost anyone anywhere has the potential to become a hacker, and many governments, businesses and universities appear to be combining forces in an attempt to thwart the impending scale of the threat. The UK chancellor, for example, announced a government initiative to inject £1.9 billion (c.US$2.4 billion) into cybersecurity research and innovation, as part of the country’s official ‘National Cyber Security Strategy’. Many education leaders also understand that cybersecurity training can no longer be the restricted domain of IT specialists, but is a form of education that needs to instead be applied more generally.

TopMBA.com spoke to Dr David Upton, operations management professor and co-director of the ‘Cyber Risk for Leaders Programme’ at the University of Oxford’s Saïd Business School  to gain an insight into why a course in cybersecurity can present itself as a very valuable asset to MBAs in particular.   

Saïd Business School on cybersecurity: Business leaders must understand the true nature of cyber risk

"The scale, nature and growth of the problem is not well understood,” says Upton. The truth of the matter is that business leaders are not yet fully aware, or are not taking the time to understand the risks posed by cyber-attacks. Upton points to the scarcity of qualified people on the technical side as well. 2016 stats indicate that there are one million cybersecurity positions left unfilled globally, a number that is only projected to rise. "Managers in companies who know how to manage [cybersecurity risks] are even scarcer," Upton explains.

Cybercrime cost the UK economy around US$13.7 billion in 2015, a figure Upton believes to be underestimated. "But government is not, and cannot, be the defender against all of this activity. It is businesses that are on the front line. And there are many recent examples pointing to poor management as the source of the problem," says Upton. The cyber-attack on Tesco Bank is one such instance of probable mismanagement.

The components that make a cybersecurity management program

Saïd Business School’s program on cyber riskshares two valuable tenets with its MBA cohort, according to Upton; (1) that cybersecurity is primarily a human, and not a technical problem, and (2), that it is the responsibility of company leaders to, “determine, not only the actions, but also the ‘tone-at-the-top’,” in their dealings with cyber risk.  

Saïd Business School first tackles what Upton calls, “the drivers of the problem,” in its coverage of cybersecurity in the MBA program. Drivers would encompass such things as internationalization, social media, the high-reward and low-risk aspects, cloud computing, and the Internet of Things. MBA students then cover topics which include insider threats and cybersecurity strategy, human engineering, and the technology of cyber threats. “We teach the management of these problems using a case-based approach, in which we use real, and current examples, to teach future business leaders how they should manage cybersecurity,” says Upton.

The future of cybersecurity

Upton points out that, to date, “cyber-attacks have not had a significant impact on companies’ stock price.” However, he also indicates that this is very likely to change dramatically, together with the attitude of senior managers who will need to take the imminent threat posed by cybercrime into hand accordingly.

“The growth of the Internet of Things, the use of Artificial Intelligence (AI) by attackers, and the increasing technological and tactical skill of the adversaries will demand yet more capacity from senior managers,” affirms Upton. The internet disruption that brought down Twitter, Reddit and CNN was directly related to The Internet of Things with hackers now being able to enter offices and homes through any appliance connected to the internet, ranging from smart kettles, to air conditioners, to printers and laptops. And since the threat posed by the level of interconnectedness between ‘things’ is so great, we are, Upton explains, “more likely, in the future, to see legislation that demands all products and services sold to meet a minimum level of cyber-safety.”    

Education itself will need to change in a number of regards. While a course in cybersecurity today is usually an elective, this type of program seems likely to become a required element in an MBA’s core curriculum. Upton enforces the real need for future MBAs to understand the extent of the implications posed by cyber risk, offering the example of a merger between two companies as an illustration: “How should one manage the potential holes created when alien IT systems are glued together?” he asks, adding, “this kind of issue will become increasingly important to any manager.” With the view that education must keep up with the ‘prevailing issues’ and must produce managers that are, “able to lead adroitly in this arena, either as part of the board, or in the senior leadership of companies,” Upton strongly signposts the real need for MBAs to take the plunge and become cyber savvy.

Businesses will embrace MBAs with cybersecurity knowledge

By 2017, it is estimated that the cybersecurity market will be worth US$120 billion, with projections that US$1 trillion will be spent between 2017 and 2020 (globally). These are merely the most recent figures, however - as awareness continues to increase, more funds are likely to be directed into this area, adding to the level of opportunity for MBAs who possess that very valuable cybersecurity specialism.

Saïd Business School offers its MBA students UK Government Communications Headquarters (GCHQ) accredited core and elective modules in cybersecurity risk, and is one business school among a growing number adapting their curricula to the evolving digital landscape. Other GCHQ-accredited institutions offering MBAs classes in cybersecurity include Warwick Business School and Coventry Business School. In the United States, universities such as the George Washington University, Stanford, MIT Sloan, Harvard and Colombia either offer electives in cybersecurity or dual degrees which combine a master’s level specialization in cyber risk with an MBA.

The more revenue corporations lose through cyber breaches, the higher the demand for cyber-qualified business managers will be. MBA candidates who study cybersecurity as part of their MBA today are going to be those that have a very distinct string to their bow, one which will likely be a huge asset to them in the near future.