Government // Cybersecurity
Commentary
11/15/2013
08:00 AM
W. Hord Tipton

The Troubling Decline Of IT Security Training

Can our governments really afford to fall further behind in IT security competence? Recruiting isn't enough.

Those of us in government circles hear an awful lot about the high demand for information security professionals. I admit I just may be someone who shouts the loudest on any given day. Indeed, the US government (and the world) is in grave need of more qualified people.

However, I am seeing an equally troubling trend that is impacting those who already work in government cyber positions and one that must be addressed as agencies formulate their security strategies for the new fiscal year: IT training and educational opportunities for existing personnel appear to have reached an all-time low.

Just prior to the sequester last fall, my organization, (ISC)², asked approximately 1,600 information security professionals from the federal government to forecast their training/education budgets. Nearly half of respondents reported that 1) their agency’s training budgets had remained the same over the past 12 months, and 2) they expected an increase in the coming year.

Yet, as 2013 rolled out its schedule of educational conferences, slowly but surely, government attendance started to decline, government leaders started to pull out of their speaking obligations, and several of the tried-and-true information security conferences were actually cancelled. My colleagues are reporting stagnant growth in education and training of new and existing practitioners and professionals across the board.


In analyzing the reasons for this year’s absence of IT professionals from conferences and other training events, is it really the result of a few bad apples caught in the act of wasteful conference spending in other areas? Or is it the result of security budget cuts, starting when the sequester hit? Either way, is it in the government’s best interest to focus on recruiting new hires and yet neglect the advancement of those who are already in the ranks? 

Army personnel recently considered professional development such a high priority that they created an online interactive means for personnel to engage in its October Annual Meeting and Expo despite budget and travel cuts. Yet, other agencies that actually received significant funding for information security initiatives this year withheld budget approval for their information security personnel to attend our annual Security Congress last September.

How can we say that we don’t have enough qualified information security personnel when we don’t adequately train the people we do have? Consider that this is the fastest growing career field in the world, and yet we are not keeping up with training.

Is online professional development the way of the future? Perhaps. Online conferences and educational opportunities will likely serve in the interim while sequesters, shutdowns, and debt ceilings are being debated on the Hill. The good news is that most professional organizations, including (ISC)², have invested substantially in their online training/education capabilities in recent years. We have very sophisticated online training tools and are recognizing a sizable uptick in registered users.

While the online dimension is certainly a viable option in the interim for those professionals serious about increasing their knowledge, anyone who has attended the RSA Conference, Black Hat or the (ISC)² Security Congress knows that the element of human interaction greatly enhances one’s educational experience. There is something very powerful about being in a room of peers who are grappling with the same challenges and who are provided the forum to exchange ideas and successes.

The government ultimately needs to get back to that place and budget for the full experience of professional development. As for the bad apples who take advantage of educational opportunities, those few will never disappoint. Let’s just hope that greater accountability measures are in place as a result. Let’s also not forget that there are a lot of good apples in the bunch who are dedicated to keeping our national assets secure and who deserve the chance to grow in all areas of professional development.

With exponential growth in emerging technologies and in the sophistication of the attacks we defend against daily, we simply cannot afford to fall even further behind.

Comments
Lorna Garey,
User Rank: Author
11/15/2013 | 4:21:23 PM
Train then drain
How much of this reluctance to train is government managers worried that they'll spend precious funds to educate their security pros on cutting-edge tech, only to have them bail to higher-paying private-sector jobs?

We see it happen now with SEALs and other special forces, where it costs the US thousands to train these experts, who are then lured away by the Halliburtons of the world. Cyber-warriors may not be able to survive in the wild for a month with nothing but a compass and a knife (at least the ones I know), but they have other skills worth big bucks.
Susan_Nunziata,
User Rank: Strategist
11/15/2013 | 2:53:03 PM
Bigger than IT alone
This issue is of particular concern to IT professionals, though it is far bigger than IT alone. The state of awareness and training about proper security practices is completely lacking across the enterprise. IT professionals first need the training in the tools and best practices, then the end users throughout the organization also need education about security. We're still seeing end users with a shocking lack of awareness about basic security (don't click on that unknown link in the email from the person you don't know, please!).

Security only seems to rise to the surface of priorities when there's a breach. Otherwise it's the forgotten stepchild in the IT organization and in the enterprise as a whole.

Good security practices should be made part of the employee performance evaluations for every single employee across the organization, IMHO.
Greg MacSweeney,
User Rank: Apprentice
11/15/2013 | 1:06:44 PM
Security Training In Any Industry Is Lacking
The lack of information security training isn't limited to the federal government. Financial services companies are also complaining that they can't find qualified information security experts. But, very few financial organizations invest any resources in security training. Most firms expect new hires to come in knowing everything they need to know about security. It just isn't that simple. All firms need to invest in training for information security.