Sabbatical_Taking_A_Deeper_Look_At_Information_Security_Cropped2.jpg

Sabbatical: Taking a deeper look at information security and internal audit

Information systems professor Paul Steinbart will spend fall semester on sabbatical, working with defense contractor, General Dynamics, in the company’s Phoenix location. A sabbatical gives a professor a chunk of time to study a topic in-depth. Sabbaticals yield research papers and analysis, but direct benefits also extend to the university, students and industry. Steinbart took time to explain how this works, and to discuss what specifically he will be working on while he’s away.
Information systems professor Paul Steinbart will spend fall semester on sabbatical, working with defense contractor, General Dynamics, in the company’s Phoenix location. A sabbatical, Steinbart explained, gives a professor a chunk of time free from teaching and administrative responsibilities, to study a topic in-depth. Sabbaticals yield research papers and analysis, but direct benefits also extend to the university, students and industry. Steinbart took time to explain how this works, and to discuss what specifically he will be working on while he’s away. [podcast id="1"] Transcript: Information systems professor Paul Steinbart will spend fall semester on sabbatical, working with defense contractor, General Dynamics, in the company’s Phoenix location. A sabbatical, Steinbart explained, gives a professor a chunk of time free from teaching and administrative responsibilities, to study a topic in-depth. Sabbaticals yield research papers and analysis, but direct benefits also extend to the university, students and industry, as Professor Raghu Santanam explained in our last podcast. Steinbart took time to explain how this works, and to discuss what specifically he will be working on while he’s away. Why are sabbaticals important? Paul Steinbart: In particular for business professors, the neat thing about sabbaticals is, it gives us a chance to immerse ourselves in a particular area of the business world, different from the part of the real world that we're in the rest of the time. We're in an educational institution, and so, it gives us a chance to see how issues that we talk about are being handled in practice, what are the areas where they're having maybe challenges, in terms of applying theoretical principles, where they're having challenges in areas about which there hasn't been any theoretical research. Both of those types of questions are very fruitful for both purposes of writing, for research, as well as for enriching the classroom. KnowWPCarey: So, your sabbatical can be an opportunity to get another window on your area of research interest. Then, you come back to campus with a lot of good stuff you can impart to our students, not only about the topic but also about how industry is operating these days. Steinbart: If your sabbatical involves industry experience. Some sabbaticals are purely an opportunity to deepen your own research skills, and so sometimes you might have a sabbatical where you go to another university and work with colleagues that are maybe recognized around the world as the leader in a particular technique or particular topic, and so it's a chance for you to interact with them. The biggest advantage of the sabbatical is you get this block of time to immerse yourself in a specific topic or set of topics, as opposed to the rest of your career when you're focused on instruction. Then, there's time when you've got administrative responsibilities and you're still doing your research responsibilities, and you've got counseling. So, you can get so much more accomplished in a four-month period if the whole four months is free to focus just on the knowledge creation aspect. KnowWPCarey: Exactly, exactly. It must be really refreshing. Steinbart: Yes, it is. I've had the privilege of having one sabbatical in the past, and I really enjoyed it quite a bit and it also prepared the way for what I've done since that sabbatical, because it helped me to create some Master's level courses that we teach here that didn't exist before I took the sabbatical. KnowWPCarey: Which courses are they? Steinbart: The course that I teach in the MSIM program and the one that also is offered in the Master's of Accountancy program, and they're courses about information security and internal controls in organizations. Observing information security in industry KnowWPCarey: How about this upcoming sabbatical? What are you going to be doing? Steinbart: I'm going to have the opportunity to work and observe, basically, as an observer immerse myself in the day-to-day functions of the information security group at this company, General Dynamics, and see what they do on the day-to-day basis, and in particular how they interact with other areas of the business. My particular interest is, because of a research project that I'm involved in, looking at and studying the relationship between the information security group and the internal audit group within an organization. Where do they work complimentary? Where do they work independently? Where are the issues, if any, that exist to maximize the potential benefits or synergies of their efforts. This will be just a chance to do an in-depth analysis rather than just collecting say survey data, or doing a series of one-hour interviews. I'll be able to spend four months to really get a feel in one specific setting, of how these two separate functions that are organizationally separate have—the people that work in them have markedly different academic backgrounds and interests that come from different sides of the world, almost, and yet they have a common focus in the sense that they're both interested in trying to minimize the overall level of risk to the organization's information assets. KnowWPCarey: So, would you say that your role while you're there is almost like a consultant? In other words, will there be a product at the end that will be of value to General Dynamics, like a deliverable? Steinbart: I'm not obligated to provide any specific deliverable to them, so in that sense it's not like a consulting engagement. The product I hope that will come out of this, that they've agreed to, will be a series of academic papers that could perhaps be distilled into either some specific advice for them, or if nothing else, the kind of advice that managers of any company could look at and say, "Hey, if we want to take more advantage of some of the potential synergies between these two functions, these are things that we should work on." Professional ties: ISACA and SDSUG KnowWPCarey: So, it sounds like this project is the result of a relationship that you've built with the company, because a company would have to have a considerable level of trust and confidence before they would invite somebody like you inside. So, can you tell me a little bit about that? Steinbart: Yes, you're right. Through my interaction with some of the professional organizations in the Valley, I've gotten to know some of the people at GD. I've actually, over the years, worked quite closely with somebody in their information security department, Eric Graham. He and I have co-authored two chapters in scholarly books about information security issues, particularly those relating to wireless communications, and using wireless in an organizational setting. As a result of that collaboration and friendship that's developed, Eric has come and spoken to my classes numerous times. That, I think, played a big role in opening the doors for them to be willing to explore having an academic visit for an extended period of time. KnowWPCarey: You mentioned that you have interacted with General Dynamics people in professional organizations. What organizations are those? Steinbart: The two would be ISACA, which is the Information Systems Audit and Control Association, although that's actually their old title. I think they now just go by ISACA. They've decided that they just want to have the acronym. Also, the Sonoran Desert Security Users Group, and the SDSUG meets quarterly and it's security professionals that gather to share experiences, to learn about new issues, to have vendors provide demonstrations of products. It's primarily—both of those settings are just excellent opportunities to network and to just share ideas and information with other people that are doing either the audit of information security, or else actually doing the information security, and what are the challenges and what are the issues. KnowWPCarey: So, it's a very nice two-way street in those organizations, because we as an academic community have that way of intersecting with the companies, and companies then learn more about us and understand what we can — how possibly we can help them, right? Steinbart: Yes. It's a great opportunity. I've made a couple of presentations at these local chapter meetings to share results of research that I've done that might be of interest and use to practitioners. Then, on the other hand, I learn a lot by listening to the practitioners as to, what are the issues that they're facing right now? KnowWPCarey: So, how long will you be off campus, then? Steinbart: The Fall semester of this year is when I'll be gone. KnowWPCarey: When you come back, after the new year 2013 you're going to be full of new ideas that's just going to be moved right into the classroom. Steinbart: Yes. I should be able to have a lot of examples of things, more current examples, to illustrate principles that I'm talking about. At the same time, I’ll be devoting a lot of time also to writing up the results of what I've learned, in a way that I can share with the rest of the academic and practitioner community. KnowWPCarey: That'll be great news for our KnowIT readers and listeners a year from now. Paul Steinbart: Yes!

Latest news