Commentary
11/15/2013
08:00 AM
W. Hord Tipton

The Troubling Decline Of IT Security Training

Can our governments really afford to fall further behind in IT security competence? Recruiting isn't enough.

Those of us in government circles hear an awful lot about the high demand for information security professionals. I admit I just may be someone who shouts the loudest on any given day. Indeed, the US government (and the world) is in grave need of more qualified people.

However, I am seeing an equally troubling trend that is impacting those who already work in government cyber positions and one that must be addressed as agencies formulate their security strategies for the new fiscal year: IT training and educational opportunities for existing personnel appear to have reached an all-time low.

Just prior to the sequester last fall, my organization, (ISC)², asked approximately 1,600 information security professionals from the federal government to forecast their training/education budgets. Nearly half of respondents reported that 1) their agency’s training budgets had remained the same over the past 12 months, and 2) they expected an increase in the coming year.

Yet, as 2013 rolled out its schedule of educational conferences, slowly but surely, government attendance started to decline, government leaders started to pull out of their speaking obligations, and several of the tried-and-true information security conferences were actually cancelled. My colleagues are reporting stagnant growth in the education and training of new and existing practitioners and professionals across the board.


In analyzing the reasons for this year’s absence of IT professionals from conferences and other training events, is it really the result of a few bad apples caught in the act of wasteful conference spending in other areas? Or is it the result of security budget cuts, starting when the sequester hit? Either way, is it in the government’s best interest to focus on recruiting new hires and yet neglect the advancement of those who are already in the ranks? 

Army personnel recently considered professional development such a high priority that they created an online interactive means for personnel to engage in its October Annual Meeting and Expo despite budget and travel cuts. Yet, other agencies that actually received significant funding for information security initiatives this year withheld budget approval for their information security personnel to attend our annual Security Congress last September.

How can we say that we don’t have enough qualified information security personnel when we don’t adequately train the people we do have? Consider that this is the fastest growing career field in the world, and yet we are not keeping up with training.

Is online professional development the way of the future? Perhaps. Online conferences and educational opportunities will likely serve in the interim while sequesters, shutdowns, and debt ceilings are being debated on the Hill. The good news is that most professional organizations, including (ISC)², have invested substantially in their online training/education capabilities in recent years. We have very sophisticated online training tools and are recognizing a sizable uptick in registered users.

While the online dimension is certainly a viable option in the interim for those professionals serious about increasing their knowledge, anyone who has attended the RSA Conference, Black Hat or the (ISC)² Security Congress knows that the element of human interaction greatly enhances one's educational experience. There is something very powerful about being in a room of peers who are grappling with the same challenges and who are given a forum to exchange ideas and successes.

The government ultimately needs to get back to that place and budget for the full experience of professional development. As for the bad apples who take advantage of educational opportunities, those few will never disappoint. Let’s just hope that greater accountability measures are in place as a result. Let’s also not forget that there are a lot of good apples in the bunch who are dedicated to keeping our national assets secure and who deserve the chance to grow in all areas of professional development.

With exponential growth in emerging technologies and in the sophistication of the attacks we defend against daily, we simply cannot afford to fall even further behind.

Comments
HaileyMcK
11/19/2013 | 10:00:21 AM
People are the problem
Thanks for posting this. You make an incredibly important point. Human ignorance is the biggest tool that hackers use to get access to the networks and systems they target. Users need consistent, targeted reminders about security best practices, and IT professionals need to understand the emerging threat landscape. We need training!
Li Tan
11/19/2013 | 8:39:42 AM
Re: Security Training In Any Industry Is Lacking
I think there is no universal standard for the good skill set of an IT security professional. The certificate itself is not much more than a piece of paper. Field experience is really necessary and a highly valued asset. Furthermore, as an IT security professional, business sense is necessary. You can never build a 100% impeccable security system, but what you need is a system that fulfils the real business security needs.
tsdoaks
11/18/2013 | 8:45:11 PM
Re: Bigger than IT alone
@snunyc: Targeted training or targeted involvement in very business oriented processes via projects would be invaluable. As elementary as this may sound, there is nothing like C level bonding over a large, complex project (cohesive team aligned with a goal). Everyone learns (and suffers) in a way that can build long lasting relationships. Using your understanding of your (business) audience/motivation can make business cases more relatable. But to your point - you must first understand your business.
Susan_Nunziata
11/18/2013 | 8:14:33 PM
Re: Bigger than IT alone
@tsdoaks: That's excellent advice, and I think for many CIOs and IT execs the CFO is probably more likely seen as someone to steer clear of rather than work on having in your corner.

Makes perfect sense, though, as does your insight into approaching security from a pure business standpoint. There is a body of research, in addition to information about breaches at your competitors, to draw from in building the business case for security expenditures.

Making that business case can be challenging for some, though. As you rightly note: As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.

Does it help, then, for a CIO or CISO to have had some training in a business program? I'm not suggesting a full-blown MBA, just perhaps some targeted training that might help in this regard. What are your thoughts on that idea?
tsdoaks
11/18/2013 | 7:51:27 PM
Re: Bigger than IT alone
@snunyc: Surprisingly one of the best allies to have is the CFO (to whom I did not report). In our organization the annual financial audits included human behavior regarding security of financial data. She had a vested interest just as I did in making sure we had proper training for IT security personnel as well as the security awareness for all employees. It didn't hurt that she could advocate for me in meetings with the other C-level peers. Who better to have in your corner? The key was finding common ground. In our organization, data is king. If we no longer received data from the feds due to our inability to protect it, we all lost. As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.
Susan_Nunziata
11/18/2013 | 4:47:01 PM
Re: Bigger than IT alone
@tsdoaks: Nice work here: We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training.

Thanks for sharing that. Can you tell us more about what the right relationships are? I agree 100% getting the C-suite to "see the light" is essential. What other relationships should IT security execs work on developing throughout their organizations? 
DarkReadingTim
11/18/2013 | 1:43:03 PM
Re: Security Training In Any Industry Is Lacking
There is a real shortage of IT security skills across most enterprises, not only in federal government, but in commercial industry. One of the biggest issues is what credentials we accept to prove that the security professional has the necessary skills -- the CISSP is the standard at the moment, but there is a lot of disagreement about what skills security pros need to have, and how they can prove their experience in a credible fashion. What skills/credentials does your organization look for when hiring?

Tim Wilson, editor, Dark Reading
tsdoaks
11/17/2013 | 11:53:36 AM
Re: Bigger than IT alone
You are spot on. The behavioral science/psychology associated with (IT) security is often overlooked. However, federal government standards and audits include the management and enforcement of the security policies that focus on these behaviors. Granted, there are tools and processes that can identify risky behaviors (don't click here!) but a better trained IT security professional may not necessarily improve the outcome. A more aware and educated organization may. The entire organization (and certainly its leadership) has to make security a priority for budgets to open up to additional IT security training dollars. And to your point, that generally doesn't happen until something catastrophic occurs. All may not be lost! We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training. Sadly, using the breaches of other agencies has also provided some leverage when comparing similar weaknesses. Lastly, having the C-level across the org agree to include annual security training/compliance/testing as a condition for employment helped mitigate those behavioral risks and bring the IT security discussions to the forefront of everyone's thinking. This approach made it easier to obtain training dollars.
DavidLawrence2
11/16/2013 | 6:21:23 PM
Re: Security Training In Any Industry Is Lacking
Have to agree with you here. I teach students at the graduate level and while I teach project and program management, many of the students are in the Information Security track. Many of them have approached me for career advice. While there are many jobs in the field, the vast majority are looking for people with experience - but given the clearances and complexities of security it is hard to get starting jobs or internships to get the experience.
dankney
11/16/2013 | 2:10:40 PM
Look at the conferences, not just the budgets.
There's an implicit assumption here that the trend is due to spending decisions rather than issues within the conferences themselves.

My experience over the last several years is simply that the quality of conference training has been declining steadily. The threats, topics and techniques being discussed have essentially stopped evolving in the session rooms. Talks tend to either be slight but obvious variations on previous presentations or show-and-tell about a project that was delivered using well-established tools and techniques.

I can assure you, if you're paying attention to the traffic hitting your datacenter edge, that attack sophistication has not stagnated.

As security continues to evolve from a problem set to a set of products, the real conversations are happening behind closed doors. Vendors can't allow potential customers to see them discussing threats they can't mitigate, so the dialogue becomes private.

Why would you spend $3k to attend a conference where you aren't actually invited to learn the real content and have nothing to sell?