
About Information Security Centers and Institutes

From time to time I read postings and news items in which someone from some organization named a “center” or “institute” is quoted or a study performed by one of these organizations is cited. For example, I recently saw a news item that stated that a certain institute had conducted a study that indicated that individuals who had certain information security-related certifications had a higher salary than others. I have often wrestled with how credible the various centers and institutes that operate within the information security arena are, so let’s explore this issue for just a little bit.

I have spent a good part of my career in academic institutions. In such settings, the right to have the title of “center” or “institute” in connection with any effort within the institution is generally tightly controlled. For example, suppose that for some reason, I as a faculty member at some university wanted to name my research program something like “Center for Advanced Studies in Information Security.” Unless I had a very substantial program in terms of significant levels of sustained funding, staff, and positive impact upon the scholarly environment, I would be unlikely to be allowed to use such a name in connection with the program.

Reality outside of academic institutions is completely different when it comes to using the title “center” and “institute,” however. There is virtually no validation of any center or institute actually having any implied expertise or functioning at any particular level. So, for example, I could create an entity, the “Schultz Institute of Advanced Research in Information Security,” and unless there were some kind of trademark infringement issue, I could operate under this impressive name until hell freezes over. I could have a staff of one, myself, or, if I were craftier, I could list a staff of ten people, all of whom agreed to have their names listed as a personal favor to me or perhaps in the hope that their professional stock might rise or that they might get some research or consulting work that they might not otherwise have gotten.

As far-fetched as my hypothetical example might seem to you, this kind of thing happens all the time. I was at a conference last spring in which the “executive director” of a fancily-named information security “center” made a presentation, one with which I frankly was not very impressed. I found out afterwards that this so-called center operated out of this person’s house and that he was the only active member of this “center.” Strangely, my initial impression was that this person must have been a very knowledgeable and influential person.

Please do not get the impression that I am saying that every or even most information security-related institutions and centers operate on a “smoke and mirrors” basis. Many of these organizations make substantial contributions to our field. At the same time, however, some very deliberately appear to be much more than they are. So when you read of a study on some information security-related issue, I’d advise you to not accept the reported findings and conclusions at face value. The study may not have been conducted properly, the sample size may have been far too small to allow generalization of the results, the so-called “research team” may have consisted of a single individual who may or may not have had proper credentials for conducting the study, the results may not have been properly analyzed, and the conclusions may or may not be valid. Consider also that the so-called “laboratory” in which data may have been collected may have actually been someone’s basement. Oh, and worse yet, some organization that strongly expected certain results and conclusions favorable to its marketing efforts may have financed the research in the first place.

The bottom line is that you should take names and titles of organizations with a grain of salt. Be skeptical. You can generally trust the very well-established ones such as SRI International, MITRE, and the RAND Corporation, but with the rest, caveat emptor once again applies.
