Commentary
11/15/2013 08:00 AM
W. Hord Tipton

The Troubling Decline Of IT Security Training

Can our governments really afford to fall further behind in IT security competence? Recruiting isn't enough.

Those of us in government circles hear an awful lot about the high demand for information security professionals. I admit I just may be someone who shouts the loudest on any given day. Indeed, the US government (and the world) is in grave need of more qualified people.

However, I am seeing an equally troubling trend, one that affects those who already hold government cyber positions and one that must be addressed as agencies formulate their security strategies for the new fiscal year: IT training and educational opportunities for existing personnel appear to have reached an all-time low.

Just prior to the sequester last fall, my organization, (ISC)², asked approximately 1,600 information security professionals from the federal government to forecast their training/education budgets. Nearly half of respondents reported that 1) their agency’s training budgets had remained the same over the past 12 months, and 2) they expected an increase in the coming year.

Yet, as 2013 rolled out its schedule of educational conferences, government attendance slowly but surely started to decline, government leaders started to pull out of their speaking obligations, and several tried-and-true information security conferences were actually cancelled. My colleagues are reporting stagnant growth in the education and training of new and existing practitioners and professionals across the board.

When we analyze the reasons for this year's absence of IT professionals from conferences and other training events, is it really the result of a few bad apples caught in the act of wasteful conference spending in other areas? Or is it the result of security budget cuts that began when the sequester hit? Either way, is it in the government's best interest to focus on recruiting new hires while neglecting the advancement of those who are already in the ranks?

Army personnel recently considered professional development such a high priority that they created an online interactive means for personnel to engage in its October Annual Meeting and Expo despite budget and travel cuts. Yet, other agencies that actually received significant funding for information security initiatives this year withheld budget approval for their information security personnel to attend our annual Security Congress last September.

How can we say that we don't have enough qualified information security personnel when we don't adequately train the people we do have? Consider that this is the fastest-growing career field in the world, and yet we are not keeping up with training.

Is online professional development the way of the future? Perhaps. Online conferences and educational opportunities will likely serve in the interim while sequesters, shutdowns, and debt ceilings are being debated on the Hill. The good news is that most professional organizations, including (ISC)², have invested substantially in their online training and education capabilities in recent years. We have very sophisticated online training tools and are seeing a sizable uptick in registered users.

While the online dimension is certainly a viable option in the interim for professionals serious about increasing their knowledge, anyone who has attended the RSA Conference, Black Hat, or the (ISC)² Security Congress knows that the element of human interaction greatly enhances the educational experience. There is something very powerful about being in a room of peers who are grappling with the same challenges and who have a forum to exchange ideas and successes.

The government ultimately needs to get back to that place and budget for the full experience of professional development. As for the bad apples who abuse educational opportunities, there will always be a few. Let's just hope that greater accountability measures are in place as a result. Let's also not forget that there are a lot of good apples in the bunch who are dedicated to keeping our national assets secure and who deserve the chance to grow in all areas of professional development.

With exponential growth in emerging technologies and in the sophistication of the attacks we defend against daily, we simply cannot afford to fall even further behind.

Comments

Greg MacSweeney,
User Rank: Apprentice
11/15/2013 | 1:06:44 PM
Security Training In Any Industry Is Lacking
The lack of information security training isn't limited to the federal government. Financial services companies are also complaining that they can't find qualified information security experts. But, very few financial organizations invest any resources in security training. Most firms expect new hires to come in knowing everything they need to know about security. It just isn't that simple. All firms need to invest in training for information security.
Susan_Nunziata,
User Rank: Strategist
11/15/2013 | 2:53:03 PM
Bigger than IT alone
This issue is of particular concern to IT professionals, though it is far bigger than IT alone. The state of awareness and training about proper security practices is completely lacking across the enterprise. IT professionals first need the training in the tools and best practices, then the end users throughout the organization also need education about security. We're still seeing end users with shocking lack of awareness about basic security (don't click on that unknown link in the email from the person you don't know, please!).

Security only seems to rise to the surface of priorities when there's a breach. Otherwise it's the forgotten stepchild in the IT organization and in the enterprise as a whole.

Good security practices should be made part of the employee performance evaluations for every single employee across the organization, IMHO.
Lorna Garey,
User Rank: Author
11/15/2013 | 4:21:23 PM
Train then drain
How much of this reluctance to train is government managers worried that they'll spend precious funds to educate their security pros on cutting-edge tech, only to have them bail to higher-paying private-sector jobs?

We see it happen now with SEALs and other special forces, where it costs the US thousands to train these experts, who are then lured away by the Halliburtons of the world. Cyber-warriors may not be able to survive in the wild for a month with nothing but a compass and a knife (at least the ones I know), but they have other skills worth big bucks.
dankney,
User Rank: Apprentice
11/16/2013 | 2:10:40 PM
Look at the conferences, not just the budgets.
There's an implicit assumption here that the trend is due to spending decisions rather than issues within the conferences themselves.

My experience over the last several years is simply that the quality of conference training has been declining steadily. The threats, topics and techniques being discussed have essentially stopped evolving in the session rooms. Talks tend to either be slight but obvious variations over previous presentations or show-and-tell about a project that was delivered using well-established tools and techniques.

I can assure you, if you're paying attention to the traffic hitting your datacenter edge, that attack sophistication has not stagnated.

As security continues to evolve from a problem set to a set of products, the real conversations are happening behind closed doors. Vendors can't allow potential customers to see them discussing threats they can't mitigate, so the dialogue becomes private.

Why would you spend $3k to attend a conference where you aren't actually invited to learn the real content and have nothing to sell?
DavidLawrence2,
User Rank: Apprentice
11/16/2013 | 6:21:23 PM
Re: Security Training In Any Industry Is Lacking
Have to agree with you here. I teach students at the graduate level and while I teach project and program management, many of the students are in the Information Security track. Many of them have approached me for career advice. While there are many jobs in the field, the vast majority are looking for people with experience, but given the clearances and complexities of security it is hard to get starting jobs or internships to get the experience.
tsdoaks,
User Rank: Apprentice
11/17/2013 | 11:53:36 AM
Re: Bigger than IT alone
You are spot on. The behavioral science/psychology associated with (IT) security is often overlooked. However, federal government standards and audits include the management and enforcement of the security policies that focus on these behaviors. Granted, there are tools and processes that can identify risky behaviors (don't click here!) but a better trained IT security professional may not necessarily improve the outcome. A more aware and educated organization may. The entire organization (and certainly its leadership) has to make security a priority for budgets to open up to additional IT security training dollars. And to your point, that generally doesn't happen until something catastrophic occurs. All may not be lost! We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training. Sadly, using the breaches of other agencies has also provided some leverage when comparing similar weaknesses. Lastly, having the C-level across the org agree to include annual security training/compliance/testing as a condition for employment helped mitigate those behavioral risks and bring the IT security discussions to the forefront of everyone's thinking. This approach made it easier to obtain training dollars.
ANON1234185168628,
User Rank: Apprentice
11/18/2013 | 1:43:03 PM
Re: Security Training In Any Industry Is Lacking
There is a real shortage of IT security skills across most enterprises, not only in federal government, but in commercial industry. One of the biggest issues is what credentials we accept to prove that the security professional has the necessary skills -- the CISSP is the standard at the moment, but there is a lot of disagreement about what skills security pros need to have, and how they can prove their experience in a credible fashion. What skills/credentials does your organization look for when hiring?

Tim Wilson, editor, Dark Reading
Susan_Nunziata,
User Rank: Strategist
11/18/2013 | 4:47:01 PM
Re: Bigger than IT alone
@tsdoaks: Nice work here: We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training.

Thanks for sharing that. Can you tell us more about what the right relationships are? I agree 100% getting the C-suite to "see the light" is essential. What other relationships should IT security execs work on developing throughout their organizations? 
tsdoaks,
User Rank: Apprentice
11/18/2013 | 7:51:27 PM
Re: Bigger than IT alone
@snunyc: Surprisingly one of the best allies to have is the CFO (to whom I did not report). In our organization the annual financial audits included human behavior regarding security of financial data. She had a vested interest just as I did in making sure we had proper training for IT security personnel as well as the security awareness for all employees. It didn't hurt that she could advocate for me in meetings with the other C-level peers. Who better to have in your corner? The key was finding common ground. In our organization, data is king. If we no longer received data from the feds due to our inability to protect it, we all lost. As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.
Susan_Nunziata,
User Rank: Strategist
11/18/2013 | 8:14:33 PM
Re: Bigger than IT alone
@tsdoaks: That's excellent advice, and I think for many CIOs and IT execs the CFO is probably more likely seen as someone to steer clear of rather than work on having in your corner.

Makes perfect sense, though, as does your insight into approaching security from a pure business standpoint. There is a body of research, in addition to information about breaches at your competitors, to draw from in building the business case for security expenditures.

Making that business case can be challenging for some, though. As you rightly note: As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.

Does it help, then, for a CIO or CISO to have had some training in a business program? I'm not suggesting a full-blown MBA, just perhaps some targeted training that might help in this regard. What are your thoughts on that idea?