Brandeis GPS Blog

Insights on online learning, tips for finding balance, and news and updates from Brandeis GPS

Tag: Brandeis GPS Student Experience (page 3 of 4)

My Journey in Online Learning

The M.S. in Project and Program Management program at Brandeis GPS through the eyes of a recent graduate, Thomas Gratiano.

Three years ago, as the manager of the Program Management Group within the Manufacturing and Global Supply Chain (MGSC) Division, I was challenged by my manager to build my business acumen. To meet this challenge, I started researching certifications, certificates, and degree programs.

Eventually I came across the Brandeis program; the curriculum was exactly what I was looking for to build on my existing Program Management skills. During the pursuit of my degree at Brandeis I took four classes on campus and six online. Although I was hesitant at first about taking online classes, the online option provided an increased level of flexibility. This proved to be a key feature of the program, as I ended up program managing two projects with our team in Belgium while attending classes online. I was able to travel as often as required with no impact to my ability to participate in class.

Upon completion of my degree, I was promoted to senior manager in charge of Framingham manufacturing operations and the MGSC Program Management group. The Brandeis degree built my business acumen and provided me the opportunity to continue to grow with my company. 

Brandeis launches MS in eLearning design, technology

Repost from Brandeis NOW: http://www.brandeis.edu/now/2014/june/onlinedesignandtech.html

Brandeis University’s division of Graduate Professional Studies has established a new master of science degree in online instructional design and technology.

Brandeis developed the program, which will be offered online, in response to the growing need for professionals highly skilled in the development of digital learning resources to support the rapid proliferation of online education courses and e-Learning powered training programs.

The Advisory Board reports that the demand for graduates with instructional design skills has increased in recent years, with a 63 percent increase in total job postings from 2010 to 2013, and a 50 percent increase in job postings for instructional designers and technologists. They also found that employers increasingly demand instructional designers with content development and collaboration skills.

“As public and private interest and money flow into this space, the need for highly trained professionals versed in the art and science of instructional design has almost certainly never been higher,” said Jason Gorman, a member of the professional advisory board for Brandeis’ master of science in online instructional design and technology program and vice president of learning experience design services at Six Red Marbles, the largest US-based development house for learning materials.

The Brandeis program will prepare students to harness educational technologies in the development of online courseware, use iterative and formative course development processes, and apply evidence-based learning methodologies to the design of dynamic online learning courses.

The program includes courses focusing on how to effectively apply various instructional design methodologies and principles of learning science to online course development, as well as courses focusing on the creative utilization of instructional technologies such as learning management systems and rich interactive courseware authoring tools. The program is designed to help instructional designers, educational technologists, and training and development specialists to successfully manage instructional design projects, work effectively with subject matter experts, apply evidence-based course design principles, and develop dynamic learning content to support fully-online course and program design and delivery.

Six core courses and four electives are required (a total of 30 graduate credits). Students may enroll in up to two courses before officially applying for admission.

“Instructional design has become a crucial skill set for both educational institutions and training and development organizations across a variety of industries and sectors,” said Brian Salerno, who chairs the new program. “The Internet and mobile platforms have emerged as a desirable delivery medium for learning and training materials, as well as educational courses. Instructional designers help organizations not just transition their learning content online, but help them to design effective online courses that harness all the advantages that instructional technology has to offer.”

Program graduates will be able to:

  • Apply evidence-based learning science and online pedagogical principles to the design, development, facilitation, and assessment of online courses and programs.
  • Develop online instructional products and environments utilizing ADDIE and other models of instructional systems design.
  • Design dynamic, adaptive, and interactive online multimedia-based instructional content and courseware.
  • Evaluate and integrate instructional technologies, platforms, and collaborative tools for use in diverse instructional settings and applications.
  • Demonstrate creativity and innovation in the application of instructional design principles and technologies to respond to instructional challenges and emerging trends.
  • Lead and manage online instructional design and technology teams and projects, utilizing effective written and oral communication strategies.

This is the eighth part-time, online master degree program offered by Brandeis’ division of Graduate Professional Studies. The programs are geared for professionals looking to advance in their fields and keep up-to-date on the latest practices. Students are taught techniques that they can apply immediately in their places of work. The course instructors bring their applied experiences into the online classrooms, and the programs’ professional advisory boards help ensure that the courses and programs remain current and relevant.

More information about the master’s program in online instructional design and technology, as well as registration for the virtual open house on Thursday, June 26, 7 pm EDT, is available online or by calling 781-736-8787.

Is an Average of Averages Accurate? (Hint: NO!)

by: Katherine S. Rowell, author of “The Best Boring Book Ever of Select Healthcare Classification Systems and Databases,” available now!

Originally posted: http://ksrowell.com/blog-visualizing-data/2014/05/09/is-an-average-of-averages-accurate-hint-no/

Today a client asked me to add an “average of averages” figure to some of his performance reports. I freely admit that a nervous and audible groan escaped my lips as I felt myself at risk of tumbling helplessly into the fifth dimension of “Simpson’s Paradox” – that is, the somewhat confusing statement that averaging the averages of different populations produces the average of the combined population. (I encourage you to hang in and keep reading, because ignoring this concept is an all too common and serious hazard of reporting data, and you absolutely need to understand and steer clear of it!)

Imagine that we’re analyzing data for several different physicians in a group. We establish a relation or correlation for each doctor to some outcome of interest (patient mortality, morbidity, client satisfaction). Simpson’s Paradox states that when we combine all of the doctors and their results, and look at the data in aggregate form, we may discover that the relation established by our previous research has reversed itself. Sometimes this results from some lurking variable(s) that we haven’t considered. Sometimes, it may be due simply to the numerical values of the data.

First, the “lurking variable” scenario. Imagine we are analyzing the following data for two surgeons:

  1. Surgeon A operated on 100 patients; 95 survived (95% survival rate).
  2. Surgeon B operated on 80 patients; 72 survived (90% survival rate).

At first glance, it would appear that Surgeon A has a better survival rate — but do these figures really provide an accurate representation of each doctor’s performance?

Deeper analysis reveals the following: of the 100 procedures performed by Surgeon A,

  • 50 were classified as high-risk; 47 of those patients survived (94% survival rate)
  • 50 procedures were classified as routine; 48 patients survived (96% survival rate)

Of the 80 procedures performed by Surgeon B,

  • 40 were classified as high-risk; 32 patients survived (80% survival rate)
  • 40 procedures were classified as routine; 40 patients survived (100% survival rate)

When we include the lurking classification variable (high-risk versus routine surgeries), the results are remarkably transformed.

Now we can see that Surgeon A has a much higher survival rate in the high-risk category (94% v. 80%), while Surgeon B has a better survival rate in the routine category (100% v. 96%).

Let’s consider the second scenario, where numerical values can change results.

First, imagine that every month, the results of a patient satisfaction survey are exactly the same (Table 1).

Table 1 (image: patient-satisfaction-survey-table1, not reproduced here): monthly patient-satisfaction survey results, identical each month.

The Table shows that calculating an average of each month’s result produces the same result (90%) as calculating a Weighted Average (90%). This congruence exists because each month, the denominator and numerator are exactly the same, contributing equally to the results.

Now consider Table 2, which also displays the number of responses received from a monthly patient-satisfaction survey, but where the number of responses and the number of patients who report being satisfied differ from month to month. In this case, taking an average of each month’s percentage allows some months to contribute to or affect the final result more than others. Here, for example, we are led to believe that 70% of patients are satisfied.

Table 2 (image: patient-satisfaction-survey-table2, not reproduced here): monthly patient-satisfaction survey results with varying response counts; Total Responses 2,565, Total Satisfied 1,650.

All results should in fact be treated as the data-set of interest, where the denominator is Total Responses (2,565) and the numerator is Total Satisfied (1,650). This approach correctly accounts for the fact that there is a different number of values each month, weights every response equally, and produces a correct satisfaction rate of 64%. That is quite a difference from our previous answer of 70% — almost 145 patients!
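As an added example (not part of the original post), here is the arithmetic behind both scenarios in Python. The monthly counts are constructed, not the post’s Table 2, but their totals are chosen to match its 2,565 responses and 1,650 satisfied so the naive and pooled figures can be compared; the surgeon counts are the post’s own. The naive function also skips months with zero responses, which would otherwise divide by zero.

```python
# Added example (not from the original post): average of averages versus a
# pooled (weighted) rate, and the per-stratum view of the surgeon figures.

# Constructed monthly patient-satisfaction counts as (responses, satisfied).
# Not the post's Table 2; totals are chosen to match its 2,565 / 1,650.
MONTHLY = [(300, 180)] * 7 + [(93, 78)] * 5


def average_of_averages(rows):
    """Naive figure: mean of each month's own rate, every month weighted the same.
    A month with zero responses has no rate and is skipped (no division by zero)."""
    rates = [satisfied / n for n, satisfied in rows if n > 0]
    return sum(rates) / len(rates)


def pooled_rate(rows):
    """Weighted figure: total satisfied over total responses; each response counts once."""
    total_n = sum(n for n, _ in rows)
    total_s = sum(s for _, s in rows)
    return total_s / total_n


def overstated_patients(rows):
    """Satisfied patients the naive rate implies but the counts do not contain."""
    total_n = sum(n for n, _ in rows)
    total_s = sum(s for _, s in rows)
    return round(average_of_averages(rows) * total_n) - total_s


# Surgeon figures from the post: surgeon -> stratum -> (operations, survivors).
SURGEONS = {
    "A": {"high-risk": (50, 47), "routine": (50, 48)},
    "B": {"high-risk": (40, 32), "routine": (40, 40)},
}


def overall_rate(strata):
    """Survival rate with the risk classification (the lurking variable) collapsed."""
    ops = sum(o for o, _ in strata.values())
    survived = sum(s for _, s in strata.values())
    return survived / ops


def leader_overall(surgeons):
    """Surgeon with the best aggregate survival rate."""
    return max(surgeons, key=lambda name: overall_rate(surgeons[name]))


def leaders_by_stratum(surgeons):
    """Surgeon with the best rate inside each stratum; compare with leader_overall."""
    strata = next(iter(surgeons.values())).keys()
    return {
        stratum: max(
            surgeons,
            key=lambda name: surgeons[name][stratum][1] / surgeons[name][stratum][0],
        )
        for stratum in strata
    }


if __name__ == "__main__":
    print(f"average of monthly rates: {average_of_averages(MONTHLY):.1%}")
    print(f"pooled rate:              {pooled_rate(MONTHLY):.1%}")
    print(f"overstated patients:      {overstated_patients(MONTHLY)}")
    print(f"overall leader: {leader_overall(SURGEONS)}; "
          f"by stratum: {leaders_by_stratum(SURGEONS)}")
```

With equal-sized months, as in Table 1, the two functions return the same value; the gap only opens when response counts differ, because `average_of_averages` lets a 93-response month count as much as a 300-response one.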

How we calculate averages really does matter if we are committed to understanding our data and reporting it correctly. It matters if we want to identify opportunities to improve, and are committed to taking action.

As a final thought about averages, here is a wryly amusing bit of wisdom on the topic that also has the virtue of being concise. “No matter how long he lives, a man never becomes as wise as the average woman of 48.” -H. L. Mencken.

I’d say that about sums up lurking variables and weighted averages — wouldn’t you?


Thoughts from a Recent Graduate

A look at the Brandeis GPS student experience through the eyes of a recent graduate of our Master of Software Engineering Program, Megan Tsai.

My time with Brandeis GPS has been very helpful for my career. This is a feeling shared by all of my fellow GPS graduates. During commencement, the student speaker shared his experience of taking a discussion or an idea from class and applying it directly to his job. Many of the GPS graduates sitting in front of me were nodding their heads in agreement. There were several times I was able to take what I had learned just the night before and take my work to the next level.

As one of the few students in an entry level position in all of my courses, my experience in the master’s degree program involved mostly sharing my perspective as an entry level worker. This allowed me to gain career advice from experienced fellow students and instructors. GPS courses are not just for established workers with years of experience under their belt. GPS courses are for anyone who wants to advance his or her career, exchange ideas with people from different backgrounds, and catch up on the latest technologies and techniques.

The types of courses offered allow software engineers of different capacities to learn something new. The fact that GPS courses are online helps professionals living around the world connect through an academic environment. The online courses also allow busy people to find time in their day to complete the course requirements. Ten courses may seem impossible for anyone busy with work, life and other commitments. However, the flexible nature of GPS courses will help anyone achieve the dream of obtaining an advanced degree.

Is Healthcare the Next Frontier for Big Data?

The health care industry has always been at the center of emerging technology as a leader in the research and application of advanced sciences. Now, more than ever, the industry is on the edge of an innovation boom. Health care information technology possesses vast potential for advancement, making the field fertile ground for game-changing innovation and the next great frontier for big data.

The use of electronic health records (EHR), electronic prescribing, and digital imaging by health care providers has exploded in recent years, Health Affairs reports, and the global health information exchange (HIE) market is projected to grow nearly ten percent per year, reaching $878 million in 2018, according to Healthcare Informatics.

But despite massive growth, health care IT faces a number of barriers slowing advancement.

When it comes to health information technologies, demand is outpacing delivery. Users desire higher levels of performance beyond the capacity of current IT solutions.

“Providers certainly want to do things that vendor technology doesn’t allow right now,” Micky Tripathi, Ph.D., CEO of the Massachusetts eHealth Collaborative (MAeHC), said to Healthcare Informatics.

One reason technology is lagging is that health care IT systems are independently developed and operated. Rather than one massive network, there are numerous “small shops developing unique products at high cost with no one achieving significant economies of scale or scope,” Health Affairs reported. As a result, innovations are isolated, progress is siloed, and technology cannot meaningfully advance.

To deliver the highest quality of care, the health care community must unite disparate systems in a centralized database. But, this is easier said than done. The industry must be sure to maintain the highest standards of security complying with Health Insurance Portability and Accountability Act of 1996 (HIPAA).

As a result, the health care IT industry currently faces a crucial challenge: devise an overarching system that guarantees security, sustainability, and scale.

The key to unlocking Big Data solutions is the informaticians who translate mountains of statistics into meaningful healthcare IT applications.

“The growing role of information technology within health-care delivery has created the need to deepen the pool of informaticians who can help organizations maximize the effectiveness of their investment in information technology—and in so doing maximize impact on safety, quality, effectiveness, and efficiency of care,” the American Medical Informatics Association noted. The future of health care hinges on the ability to connect the big data dots and apply insights to creating and practicing a smart IT strategy.

Organizations have thrown themselves into the big data trenches to innovate solutions to the problem facing their industry. Ninety-five percent of healthcare CEOs said they were exploring better ways to harness and manage big data, a PricewaterhouseCoopers study reported. With the commitment of the health care community, plus the right talent and resources, industry-advancing innovations won’t be far behind.

Health care is indisputably the next great frontier for big data. How we seek, receive, and pay for health care is poised to fundamentally change and health care informaticians will be leading the evolution.

Find out more about the opportunities in health care information technology at the MS in Health and Medical Informatics Virtual Open House on June 3rd.

Student Speaker & GPS Graduate: Rob Havasy


Rob Havasy, Brandeis GPS’ student speaker for commencement, is graduating with his Master of Science in Health and Medical Informatics. Rob is currently the Corporate Team Lead for Product & Technology Development at Partners HealthCare, Center for Connected Health. Rob is passionate about technology and its potential to significantly improve the outcomes of our healthcare system. His unique combination of experience – understanding the science, the business, and the technical aspects of healthcare – allows him to approach problems from a variety of perspectives.

Rob explains, “After starting a career in a new industry, the Brandeis Health and Medical Informatics program gave me the knowledge and insights I needed to quickly understand and tackle the challenges facing healthcare.”

Rob notes that interacting with faculty and students from around the country and around the world provided him valuable diversity of opinions about the real issues we face on a daily basis. The flexible format of Brandeis GPS courses enabled him to focus on both his career and education at the same time. He was able to immediately apply his classroom learning to his job.

“In an academic medical environment, education is highly valued; everyone has letters after their name. Adding the MS, along with the Brandeis name, has generated new opportunities for me within my organization.”

An example of Rob’s photography

Outside of his career, Rob enjoys photography, his motorcycle, blogging and spending time with his daughter. Rob currently lives in central Massachusetts.

Cloud Computing and the OpenStack Advantage

by: Nagendra Nyamgondalu, Senior Engineering Manager at IBM India and Brandeis Graduate Professional Studies Master of Software Engineering Alum

It was only a few years back that most IT managers I spoke to would smirk when they heard the term “cloud” in a conversation. They either didn’t believe that cloud computing would be viable for their businesses’ IT needs or were skeptical about the maturity of the technology. And rightly so. But, a lot has changed since then. The technology, tools and services available for businesses considering adoption of a public cloud, setting up their own private cloud or treading the middle path of a hybrid one, have made rapid strides. Now, the same IT managers are very focused on deploying workloads and applications on the cloud for cost reduction and improved efficiency.

Businesses  today  have  the  choice  of  consuming  Infrastructure  as  a  service  (IaaS),  Platform as a service (PaaS) and Software as a service (SaaS). As you can imagine, these models map directly to the building blocks of a typical data center. Servers, storage and networks form the infrastructure on top of which, the required platforms are built such as databases, application servers or web servers and tools for design and development. Once the two foundational layers are in place, the applications that provide the actual business value can be run on top. While all three models are indisputable parts of the bigger picture that is Cloud Computing, I have chosen to focus on IaaS here. After all, infrastructure is the first step to a successful IT deployment.

Essentially, IaaS is the ability to control and automate pools of resources, be it compute, storage, network or others, and provision them on-demand. Delivering IaaS requires technology that provides efficient and quick provisioning, smart scheduling for deployment of virtual machines and workloads, support for most hardware and, of course, true scalability. OpenStack is an open source framework founded by Rackspace Hosting and NASA that takes a community approach to make all this possible. It was designed with scalability and elasticity as the overarching theme and a share-nothing, distribute-everything approach. This enables OpenStack to be horizontally scalable and asynchronous. Since inception, the community has grown to a formidable number with many technology vendors such as IBM, Cisco, Intel, HP and others embracing it. The undoubted advantage that a community-based approach brings, especially to something like IaaS, is the extensive support for a long list of devices and cloud standards. When a new type of storage or a next generation network switch is introduced to the market, the vendors have a lot to gain by contributing support drivers for their offerings to the community. Similar support for proprietary technology has dependencies on customer demand and the competitive dynamics amongst the vendors – this almost always results in delayed support, if that. While proprietary versus open source is always a debate, the innovation and cost benefits that open alternatives have provided in recent years have clearly made CIOs take notice. Support for a variety of hypervisors, open APIs, support for object or block storage and the mostly self-sufficient management capabilities are some of the common themes I hear on why businesses are increasingly adopting OpenStack.

Additionally, the distributed architecture of OpenStack, where each component (such as Compute, Network, Storage & Security) runs as a separate process connected via a lightweight message broker, makes it easy for ISVs looking to build value-adds on top of the stack. All the right ingredients for a complete cloud management solution for IaaS.

Most IT managers dream of the day when every request for infrastructure is satisfied instantly by the click of a button regardless of the type being requested, workloads run smoothly and fail over seamlessly when there is a need to, resource usage is constantly optimal and adding additional hardware to the pool is a smooth exercise. Business managers dream of the day when they have instant access to the infrastructure needed to run their brand new application and once it is up, it stays up. Aaah, Utopia.

The good news is it is possible here and now.


Nagendra Nyamgondalu is a Senior Engineering Manager at IBM in India. He is a 2003 graduate from Brandeis University, Graduate Professional Studies’ Master of Software Engineering Program.


Design Your Agile Project, Part 1

by: Johanna Rothman

Find the original post here: http://www.jrothman.com/blog/mpd/2014/03/design-your-agile-project-part-1-2.html

The more I see teams transition to agile, the more I am convinced that each team is unique. Each project is unique. Each organizational context is unique. Why would you take an off-the-shelf solution that does not fit your context? (I wrote Manage It! because I believe in a context-driven approach to project management in general.)

One of the nice things about Scrum is the inspect-and-adapt approach to it. Unfortunately, most people do not marry the XP engineering practices with Scrum, which means they don’t understand why their transition to agile fails. In fact, they think that Scrum alone, without the engineering practices, is agile. How many times do you hear “Scrum/Agile”? (I hear it too many times. Way too many.)

I like kanban, because you can see where the work is. “We have a lot of features in process.” Or, “Our testers never get to done.” (I hate when I hear that. Hate it! That’s an example of people not working as a cross-functional team to get to done. Makes me nuts. But that’s a symptom, not a cause.) A kanban board often provides more data than a Scrum board does.

Can there be guidelines for people transitioning to agile? Or guidelines for projects in a program? There can be principles. Let’s explore them.

The first one is to start by knowing how your product releases, starting with the end in mind. I’m a fan of continuous delivery of code into the code base. Can you deliver your product that way? Maybe.

How Does Your Product Release?

I wish there were just two kinds of products: those that released continuously, as in Software as a Service, and those with hardware, that released infrequently. The infrequent releases release that way because of the cost to release. But, there’s a continuum of release frequency:

Potential Release Frequency

How expensive is it to release your product? The expense of release will change your business decision about when to release your product.

You want to separate the business decision of releasing your product from making your software releasable.

That is, the more to the left of the continuum you are, the more you can marry your releases to your iterations or your features, if you want. Your project portfolio decisions are easier to make, and they can occur as often as you want, as long as you get to done, every feature or iteration.

The more to the right of the continuum you are, the more you need to separate the business decision of releasing from finishing features or iterations. The more to the right of the continuum, the more important it is to be able to get to done on a regular basis, so you can make good project portfolio decisions. Why? Because you often have money tied up in long-lead item expenses. You have to make decisions early for committing to hardware or Non Recurring Engineering expenses.

How Complex is Your Product?

Let’s look at the Cynefin model to see if it has suggestions for how we should think about our projects:

I’ll talk more about how you might want to use the Cynefin model to analyze your project or program in a later post. Sorry, it’s a system, and I can’t do it all justice in one post.

In the meantime, take a look at the Cynefin model, and see where you think you might fall in the model.

Do you have one collocated cross-functional team who wants to transition to agile? You are in the “known knowns” situation for agile. As for your product, you are likely in the “known unknowns” situation. Are you willing to use the engineering practices and work in one- or two-week iterations? Almost anything in the agile or lean community will work for you.

As soon as you have more than one or two teams, or you have geographically distributed teams, or you are on the right hand side of the “Potential for Release Frequency” chart above, do you see how you are no longer in the “Complicated” or “Obvious” side of the Cynefin model? You have too many unknowns.

Where Are We Now?

Here are my principles:

  1. Separate the business decision for product release from the software being releasable all the time. Whatever you have for a product, you want the software to be releasable.
  2. Understand what kind of a product you have. The closer you are to the right side of the product release frequency, the more you need a program, and the more you need a kanban to see where everything is in your organization, so you can choose to do something about them.
  3. Make sure your batch size is as small as you can make it, program or project. The smaller your features, the more you will see your throughput. The shorter your iteration, the more feedback you will obtain from your product owner and “the business.” You want the feedback so you can learn, and so your management can manage the project portfolio.
  4. Use the engineering practices. I cannot emphasize this enough. If you do not keep your stories small so that you can develop automated unit tests, automated system tests, use continuous integration, swarm around stories or pair, and use the XP practices in general, you will not have the safety net that agile provides you to practice at a sustainable pace. You will start wondering why you are always breathless, putting in overtime, never able to do what you want to do.

If you have technical debt, start to pay it down a little at a time, as you implement features. You didn’t accumulate it all at once. Pay it off a little at a time. Or, decide that you need a project to prevent the cost of delay for release. If you are a technical team, you have a choice to be professional. No one is asking you to estimate without providing your own safety net. Do not do so.

This post is for the easier transitions, the people who want to transition, the people who are collocated, the people who have more knowns than unknowns. The next post is for the people who have fewer knowns. Stay tuned.

Johanna Rothman

Graduates with Roots in STEM Face Growing Career Opportunities

By:

As we enter May, young people here in Boston and across the country are about to embark on a new chapter in their lives. Many will be graduating from college and taking their first step into the great, wide, professional world. Question marks fill their future as they wonder what kind of opportunities await them and their hard-earned bachelor’s degrees.

While it is impossible to forecast the job market with absolute certainty, it is undeniable that the fields of science, technology, engineering, and mathematics (STEM) hold the greatest opportunities for job seekers now and in the future. Industries like renewable energy, healthcare, advanced manufacturing and technology are rapidly growing and demand increasing numbers of skilled workers to sustain their expansion.

The computer and math occupations account for close to half of all STEM employment, followed by engineering with 32 percent, and then physical and life sciences at 13 percent, according to U.S. Department of Commerce. Significant growth is projected for computer and mathematical scientists, engineers and engineering technicians, architects and architectural technicians and more STEM occupations.

Those with strong STEM education backgrounds “will find themselves at the center of our new economy,” tech expert Vinay Trivedi said in the Huffington Post.

But unfortunately demand is outpacing supply when it comes to STEM-related careers. Fewer students are pursuing advanced math and science degrees, creating a problematic skills gap threatening the United States’ position in the new global economy.

The U.S. ranks 30th in math and 23rd in science, according to the latest Program for International Student Assessment; and the latest ACT results show that only 44 percent of our high school graduates are ready for college-level math, and just 36 percent are ready for college-level science, the National Math & Science Initiative reported.

The skills deficit that develops at the secondary level of education has deleterious consequences once those students reach college. Many students abandon interest in STEM careers by the end of their sophomore year, Irv Epstein, Professor of Chemistry at Brandeis University, observed.

It is a national imperative to reverse this trend. President Barack Obama declared creating the next generation of STEM leaders an educational priority for the nation at his State of the Union Address in January.

“I also hear from many business leaders who want to hire in the United States but can’t find workers with the right skills. Growing industries in science and technology have twice as many openings as we have workers who can do the job. Think about that – openings at a time when millions of Americans are looking for work,” he said. “That’s inexcusable. And we know how to fix it.”

Many have answered President Obama’s call to improve STEM education. In addition to early education initiatives, select colleges and universities have stepped up, including Brandeis University, which has partnered with the Posse Foundation to provide merit-based scholarships to minority students interested in pursuing STEM degrees.

But meanwhile, as programs launch to serve the next generation of students, the STEM jobs are still waiting, available for current job seekers who have the skills and ambition to seize the opportunity.

For those who lack adequate STEM skills but are eager to break into expanding, innovative industries, there is a way for them to bridge the skills gap: graduate education. Don’t wait for a job to pop up that fits your resume. Act now to get the training you need for the jobs available.

Original Post: http://bostinno.streetwise.co/channels/stem-education-leads-to-career-opportunity-1/

Watch Your Language: How Security Professionals Miscommunicate About Risk

Author: Derek Brink

Original Post: https://blogs.rsa.com/watch-language-security-professionals-miscommunicate-risk/

What a joy it is to be understood! Yet many security professionals find it difficult to be understood by the business decision-makers they are trying to advise.

“They just don’t get it,” we say. And we grumble that our committed, faithful, and honorable efforts to protect the company and its assets are under-recognized, under-appreciated . . . and under-funded.

We could try speaking louder, and more slowly—the comedic memes for how we instinctively try to communicate with someone who speaks a different language.

Of course, we could start trying to speak the same language. That would probably yield better results.

The way we talk about risk is a prime example of how we habitually miscommunicate. Security professionals mistakenly think they are talking about risk, when they are, in fact, talking about threats, vulnerabilities, and exploits. Some examples include:

  • Phishing attacks: This is not a risk. It’s an exploit of a very common vulnerability (humans).
  • OWASP Top 10: These are mistakenly described as “The 10 Most Critical Web Application Security Risks,” but they are not risks. They’re vulnerabilities and exploits.
  • Advanced persistent threats: This isn’t a risk. It’s a threat. (Even when we get the name right, we get it wrong.)
  • Rootkits: This is not a risk. It’s a type of exploit.

As security professionals, we tend to go on and on, talking about threats, vulnerabilities, exploits, and the technologies that help to defend against them, and we think we’re talking about risk. Meanwhile, the business decision-makers we’re trying to advise are confused and frustrated.

So, what is the right language? What is risk?

Shon Harris, author of the popular CISSP All-in-One Exam Guide, defines risk as “the likelihood of a threat agent exploiting a vulnerability, and the corresponding business impact.” Douglas Hubbard, author of The Failure of Risk Management: Why It’s Broken, and How to Fix It, defines risk as “the probability and magnitude of a loss, disaster, or other undesirable event.” (And in an even simpler version: “something bad could happen.”)

To be very clear, it’s not that there are multiple definitions of risk, or that the definition of risk is unclear. It’s that we as security professionals aren’t speaking the right language. When we speak about security risks, we should be speaking about the probability of successful exploits, and the magnitude of the corresponding business impact.

Imagine yourself in the role of the business decision-maker, and imagine that your subject matter experts presented you with the following assessment of risks related to endpoint security:

  • Cleverly engineered stealth malware, rootkits, is designed to evade detection, and persists on endpoints for prolonged periods of time. And new strains of malware are targeting an area of endpoints that performs critical start-up operations, the master boot record, which can provide attackers with a wide variety of capabilities for penetration, persistence, and control. In both cases, we may already be infected, but not even aware.
  • There is a 15 percent probability that an endpoint security exploit will result in business disruption and productivity losses that may exceed $5M.

Which of these would be more helpful to you in terms of informing a decision about endpoint security? (It should go without saying that this point could just as easily apply to managing identities and access, or data protection, or application security, or mobility initiatives, and so on. Endpoint security is just an illustrative example.)

Clearly, the second option is more helpful. And the second option is properly framed in terms of risk.
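To make the contrast concrete, here is a small risk register written in the language the post recommends. This is an added example, not code from the original post or from the author; the scenario names, probabilities, and dollar figures are constructed for illustration only, and the independence assumption used to combine scenarios is mine. It takes the Harris/Hubbard definition literally (risk = probability of a successful exploit and magnitude of the business impact), ranks scenarios by expected loss, and answers the kind of question a decision-maker actually asks: how likely is a loss of $5M or more this year?

```python
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RiskScenario:
    """One line of a risk register, framed as the post recommends.

    `name` describes the threat or exploit, which on its own is NOT a risk;
    `probability` and `impact_usd` are what turn it into a risk statement.
    All values used below are constructed for illustration, not measured.
    """
    name: str
    probability: float   # assumed annual probability of a successful exploit
    impact_usd: float    # assumed business loss, in USD, if it succeeds

    def expected_loss(self) -> float:
        """Probability times magnitude: expected annual loss in USD."""
        return self.probability * self.impact_usd

    def statement(self) -> str:
        """Render the scenario in decision-maker language (probability + impact)."""
        return (f"There is a {self.probability:.0%} probability that {self.name} "
                f"will result in business losses of around ${self.impact_usd / 1e6:.1f}M.")


def rank_by_expected_loss(scenarios: Iterable[RiskScenario]) -> List[RiskScenario]:
    """Order scenarios so the largest expected loss comes first."""
    return sorted(scenarios, key=lambda s: s.expected_loss(), reverse=True)


def probability_loss_exceeds(scenarios: Iterable[RiskScenario], threshold_usd: float) -> float:
    """Probability that at least one scenario with impact >= threshold occurs this year.

    Assumes the scenarios are independent: the chance that none of the
    qualifying scenarios happens is the product of (1 - p) over them, and
    the answer is the complement of that.
    """
    p_none = 1.0
    for s in scenarios:
        if s.impact_usd >= threshold_usd:
            p_none *= 1.0 - s.probability
    return 1.0 - p_none


# Constructed sample register for the endpoint-security illustration in the post.
ENDPOINT_SCENARIOS = [
    RiskScenario("stealth rootkit malware persisting undetected on endpoints", 0.15, 5_000_000),
    RiskScenario("master-boot-record malware giving attackers persistent control", 0.05, 8_000_000),
    RiskScenario("phishing leading to endpoint credential theft", 0.40, 500_000),
]


if __name__ == "__main__":
    for s in rank_by_expected_loss(ENDPOINT_SCENARIOS):
        print(f"{s.expected_loss():>12,.0f}  {s.statement()}")
    p = probability_loss_exceeds(ENDPOINT_SCENARIOS, 5_000_000)
    print(f"Probability of at least one loss of $5M or more this year: {p:.1%}")
```

Note what the ranking does to the conversation: the phishing scenario is the most likely exploit, but once probability is multiplied by magnitude it is the smallest risk of the three, which is exactly the distinction the post says gets lost when we talk only about threats and exploits.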

In no way does this guarantee what the actual decision will be. One decision-maker might conclude, “I approve your request to invest in additional endpoint security controls to reduce this risk,” while another decision-maker might conclude, “that’s a risk I’m willing to live with.” But that’s okay—as security professionals, we will have done our job.

By better understanding how to communicate about security risks, we will also enjoy the benefits of being better understood.

About the Author:

Derek E. Brink, CISSP, is a Vice President and Research Fellow covering topics in IT Security and IT GRC for Aberdeen Group, a Harte-Hanks Company. He is also an adjunct faculty member with Brandeis University Graduate Professional Studies, teaching courses in our Information Security Program. For more blog posts by Derek, please see http://blogs.aberdeen.com/category/it-security/ and http://aberdeen.com/_aberdeen/it-security/ITSA/practice.aspx
