Comments
The Troubling Decline Of IT Security Training
LancefreeL028,
User Rank: Apprentice
12/24/2013 | 6:40:12 AM
Re: People are the problem
I agree we need training. Keep up the good work

 

buikspieren trainen
HaileyMcK,
User Rank: Apprentice
11/19/2013 | 10:00:21 AM
People are the problem
Thanks for posting this. You make an incredibly important point. Human ignorance is the biggest tool that hackers use to get access to the networks and systems they target. Users need consistent, targeted reminders about security best practices, and IT professionals need to understand the emerging threat landscape. We need training!
Li Tan,
User Rank: Ninja
11/19/2013 | 8:39:42 AM
Re: Security Training In Any Industry Is Lacking
I think there is no universal standard about the good skill set of an IT security professional. The certificate itself is not so much more than a piece of paper. The field experience is a really necessary and highly valued asset. Furthermore, as an IT security professional, the business sense is necessary. You can never build a 100% impeccable security system but what you need is a system that fulfils the real business security needs.
tsdoaks,
User Rank: Apprentice
11/18/2013 | 8:45:11 PM
Re: Bigger than IT alone
@snunyc: Targeted training or targeted involvement in very business oriented processes via projects would be invaluable. As elementary as this may sound, there is nothing like C level bonding over a large, complex project (cohesive team aligned with a goal). Everyone learns (and suffers) in a way that can build long lasting relationships. Using your understanding of your (business) audience/motivation can make business cases more relatable. But to your point - you must first understand your business.
snunyc,
User Rank: Apprentice
11/18/2013 | 8:14:33 PM
Re: Bigger than IT alone
@tsdoaks: That's excellent advice, and I think for many CIOs and IT execs the CFO is probably more likely seen as someone to steer clear of rather than work on having in your corner.

Makes perfect sense, though, as does your insight into approaching security from a pure business standpoint. There is a body of research, in addition to information about breaches at your competitors, to draw from in building the business case for security expenditures.

Making that business case can be challenging for some, though. As you rightly note: As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.

Does it help, then, for a CIO or CISO to have had some training in a business program? I'm not suggesting a full-blown MBA, just perhaps some targeted training that might help in this regard. What are your thoughts on that idea?
tsdoaks,
User Rank: Apprentice
11/18/2013 | 7:51:27 PM
Re: Bigger than IT alone
@snunyc: Surprisingly one of the best allies to have is the CFO (to whom I did not report). In our organization the annual financial audits included human behavior regarding security of financial data. She had a vested interest just as I did in making sure we had proper training for IT security personnel as well as the security awareness for all employees. It didn't hurt that she could advocate for me in meetings with the other C-level peers. Who better to have in your corner? The key was finding common ground. In our organization, data is king. If we no longer received data from the feds due to our inability to protect it, we all lost. As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.
snunyc,
User Rank: Apprentice
11/18/2013 | 4:47:01 PM
Re: Bigger than IT alone
@tsdoaks: Nice work here: We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training.

Thanks for sharing that. Can you tell us more about what the right relationships are? I agree 100% getting the C-suite to "see the light" is essential. What other relationships should IT security execs work on developing throughout their organizations? 
ANON1234185168628,
User Rank: Apprentice
11/18/2013 | 1:43:03 PM
Re: Security Training In Any Industry Is Lacking
There is a real shortage of IT security skills across most enterprises, not only in federal government, but in commercial industry. One of the biggest issues is what credentials we accept to prove that the security professional has the necessary skills -- the CISSP is the standard at the moment, but there is a lot of disagreement about what skills security pros need to have, and how they can prove their experience in a credible fashion. What skills/credentials does your organization look for when hiring?

 

Tim Wilson, editor, Dark Reading
tsdoaks,
User Rank: Apprentice
11/17/2013 | 11:53:36 AM
Re: Bigger than IT alone
You are spot on. The behavioral science/psychology associated with (IT) security is often overlooked. However, federal government standards and audits include the management and enforcement of the security policies that focus on these behaviors. Granted, there are tools and processes that can identify risky behaviors (don't click here!) but a better trained IT security professional may not necessarily improve the outcome. A more aware and educated organization may. The entire organization (and certainly its leadership) has to make security a priority for budgets to open up to additional IT security training dollars. And to your point, that generally doesn't happen until something catastrophic occurs. All may not be lost! We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training. Sadly, using the breaches of other agencies has also provided some leverage when comparing similar weaknesses. Lastly, having the C-level across the org agree to include annual security training/compliance/testing as a condition for employment helped mitigate those behavioral risks and bring the IT security discussions to the forefront of everyone's thinking. This approach made it easier to obtain training dollars.
DavidLawrence2,
User Rank: Apprentice
11/16/2013 | 6:21:23 PM
Re: Security Training In Any Industry Is Lacking
Have to agree with you here. I teach students at the Graduate Level and while I teach project and program management, many of the students are in the Information Security track. Many of them have approached me for career advice. While there are many jobs in the field, the vast majority are looking for people with experience - but given the clearances and complexities of security it is hard to get starting jobs or internships to get the experience.