Comments
Cyber Security Education: Remove The Limits
aws0513,
User Rank: Apprentice
9/4/2014 | 3:30:29 PM
An idea to consider
As an IT security professional, I try to attend conferences that will help me provide the best services to my employer.  In almost all cases, I attend conferences while paying out of my own pocket in both conference fees AND on my own vacation time.

In most cases, my employers have been unable or unwilling, or both, to flip the bill for conference attendance.  In a few cases, I did have the opportunity to go to conferences on official capacity with pay, but usually only for one day because they were unwilling to pay me for a multi-day conference.  And in all cases, I only attended when the conference was within a commuting distance and only with an exhibit hall pass.  Passes that included conference presentations and/or courses were out of the question due to cost.

I see this as another barrier to expanding the security workforce.

My suggestion: Offer the opportunity for ANY organization to apply to get at least one (1) full pass to a conference for any employee of their choosing at no cost.  Recommend the organization allow the employee to attend the conference with pay and travel/per diem costs (no promises there, but a message in this respect can go a long way toward the effort).

Reasoning: I know that some organizations understand the need for their professionals to attend such conferences and thus coordinate resources and timing accordingly. 
But I also know that there are a large number of organizations that do NOT subscribe to that view for many different reasons. 
If the IT security workforce movement is going to make any tracks in smaller, yet just as vulnerable industries and markets, there needs to be an effort to find ways to entice organizations to send talented people to collect and hopefully share the information and the message.

To me, the model of "We'll come half way if you come half way" is a great opportunity to expand the security field in new directions and into industries that historically have not engaged security conference attendance in the past.

Just a suggestion, but I think it may go a long way toward expanding the security workforce.

NOTE: If such opportunities already exist, these should be marketed very broadly and emphatically.  And discounts do NOT work.  I have seen management balk at 70% off the gate price on a conference.  Make it real by making it free for just one employee and I am almost certain that attendance, and the security workforce, will grow in time.
miketcook,
User Rank: Apprentice
9/4/2014 | 4:58:02 PM
aws0513: Re: An idea to consider
With your very thoughtful comment, I am surprised you stay with the companies you mention.  EVERY company I have worked for has invested in their employees and their education, which included conferences, and tuition reimbursement.

You must have some strong personal reasons for staying with these companies, and shelling out $$ from your own pocket.  I applaud your efforts, but if you're only getting vendor passes, you're missing a great deal of the education that is taking place.
aws0513,
User Rank: Apprentice
9/4/2014 | 7:14:13 PM
Re: aws0513: Re: An idea to consider
Actually, most of my work has been in the government sector.  Over 20 years of IT and security experience working with government systems and architectures either as a government employee or as a contractor for government entities.  

In all my experiences, funding availability was the most common reason preventing these organizations from sending people to independent security conferences/events.  I would commonly get funding support for government sponsored events which were often pretty good, but not once have I been able to convince my supervisors or customers to flip for independently sponsored conferences.
BTW, since the budget for most government entities is virtually frozen in regard to conferences these days, I am amazed that any government employees get to attend any conferences at all these days.  I know that a handful from some of the larger government agencies and entities get to attend, but the numbers are far less lately.

Trust me when I say that there is a veritable army of IT pros out there that are working for entities that do not or cannot consider independent conferences as an option for professional development for their IT staff.  

True story -  I worked in one IT shop of 15 people where 6 of them paid for their own trip to Black Hat a few years back.  They were all professionals in their field, but the management just could not fund even one of them to attend.  So they all turned it into a professional escape junket out of their own pocket.  I would have joined them except that at the time my own budget was not in line to support it.  

Some responses when requesting conference attendance funding have been:
  • Can you get the same information on YouTube or through some web conference for free?
  • We did not provide for conference attendances within your contract, but we did provide for specific technology training where we get vouchers due to enterprise level contract with vendors.  Would you like to learn about product X from vendor Y?
  • I feel that nothing on this conference itinerary is necessary for our operations at this time.
  • Maybe next year.  We just do not have any funds remaining for this year.
  • You can go for one day, but only to see the exhibit hall.  I need you to look for vendors that provide X service or product.
  • You already have your CISSP.  You should already know this stuff.  (I know... this one is arguable, but it did come up in a serious discussion - no lie).

Am I frustrated?  Yes.  But I also know that funding is a real issue for the government these days.  The same goes for small and medium businesses in the private sector.

I have also conducted independent consulting side work for many smaller business owners that absolutely laughed when I asked if they would pay for such a conference for their employees (not even for me).  Again, the price tag for these events was beyond any budget they currently operated with.

Do I know that great educational opportunities exist at independent conferences?  Darn tootin' I do.  I have been blessed to learn some excellent information from the conferences I was able to afford and attend.  
But this fact just washed against the rocks of management-think when dollar signs regarding the cost float across their table.

I get that people should be paid for the training and information they share at these conferences.  But I also know that the ticket cost is a real barrier for many other people to attend.  If that barrier can be lowered in some way, maybe more people can take the leap into the security field on behalf of their employers.

Again...  just a suggestion.  I would be interested to see what would happen if the idea was tested.
GonzSTL,
User Rank: Strategist
9/5/2014 | 9:28:25 AM
Re: aws0513: Re: An idea to consider
I agree with all that regarding technical training, but I think there isn't very much emphasis in business communication training. If we as security professionals had better communication skills, especially with executive management, we could be better poised to push the security agenda forward. Remember when the hot topic was to align IT with the goals of the organization? Well we have to effectively communicate to executives that security goals align with IT goals, which in turn align with the organization's goals. Until we succeed in this, our message will either fall on deaf ears, or will lose its impact. There is still the stigma that the security group is the department of "NO", and we have to overcome that by communicating the importance and relevance of security both at the organizational level and in the users' personal lives.
Hord,
User Rank: Apprentice
9/10/2014 | 3:35:50 PM
Re: aws0513: Re: An idea to consider
I could not agree more with GonzSTL that information security professionals need better communications skills. The importance of training security professionals in the area of "soft skills" that facilitate better collaboration and understanding between technical people and executives is something that we at (ISC)2 have been emphasizing for the past decade. In fact, our 2013 Global Workforce Study reported that "communications skills" was the 2nd top skill that employers are seeking when hiring an information security professional. It is imperative that effective communication skills — including writing, presenting, and speaking — should be on the forefront of this community's professional development platform.
Hord,
User Rank: Apprentice
9/10/2014 | 3:37:43 PM
Re: aws0513: Re: An idea to consider
The lack of funding support for training of US government personnel is part of a much bigger issue that needs to be addressed: What are the government's plans to attract and retain the qualified personnel that it so desperately needs? Training and education is just one area that government MUST address if it wants to compete with private industry for security personnel and fill the widening skills gap. In response to aws0513, we are doing everything possible to make it easier for US government employees to attend our professional development events and conferences. We will continue to do our part to offer events at no-cost or greatly discounted cost to US government employees and to advocate for government participation. We also aim to stage events in areas convenient for security professionals.

