The Troubling Decline Of IT Security Training - InformationWeek

Commentary
11/15/2013
08:00 AM
W. Hord Tipton

The Troubling Decline Of IT Security Training

Can our governments really afford to fall further behind in IT security competence? Recruiting isn't enough.

Those of us in government circles hear an awful lot about the high demand for information security professionals. I admit I just may be someone who shouts the loudest on any given day. Indeed, the US government (and the world) is in grave need of more qualified people.

However, I am seeing an equally troubling trend that is impacting those who already work in government cyber positions and one that must be addressed as agencies formulate their security strategies for the new fiscal year: IT training and educational opportunities for existing personnel appear to have reached an all-time low.

Just prior to the sequester last fall, my organization, (ISC)², asked approximately 1,600 information security professionals from the federal government to forecast their training/education budgets. Nearly half of respondents reported that 1) their agency’s training budgets had remained the same over the past 12 months, and 2) they expected an increase in the coming year.

Yet, as 2013 rolled out its schedule of educational conferences, slowly but surely, government attendance started to decline, government leaders started to pull out of their speaking obligations, and several of the tried-and-true information security conferences were actually cancelled. My colleagues are reporting stagnant growth in education and training of new and existing practitioners and professionals across the board.

In analyzing the reasons for this year’s absence of IT professionals from conferences and other training events, is it really the result of a few bad apples caught in the act of wasteful conference spending in other areas? Or is it the result of security budget cuts, starting when the sequester hit? Either way, is it in the government’s best interest to focus on recruiting new hires and yet neglect the advancement of those who are already in the ranks? 

Army personnel recently considered professional development such a high priority that they created an online interactive means for personnel to engage in its October Annual Meeting and Expo despite budget and travel cuts. Yet, other agencies that actually received significant funding for information security initiatives this year withheld budget approval for their information security personnel to attend our annual Security Congress last September.

How can we say that we don’t have enough qualified information security personnel when we don’t adequately train the people we do have? Consider that this is the fastest growing career field in the world, and yet we are not keeping up with training.

Is online professional development the way of the future? Perhaps. Online conferences and educational opportunities will likely serve in the interim while sequesters, shutdowns, and debt ceilings are being debated on the Hill. The good news is that most professional organizations, including (ISC)², have invested substantially in their online training/education capabilities in recent years. We have very sophisticated online training tools and are recognizing a sizable uptick in registered users.

While the online dimension is certainly a viable option in the interim for those professionals serious about increasing their knowledge, anyone who has attended the RSA Conference, Black Hat or the (ISC)² Security Congress knows that the element of human interaction greatly enhances one’s educational experience. There is something very powerful about being in a room of peers who are grappling with the same challenges and who are provided the forum to exchange ideas and successes.

The government ultimately needs to get back to that place and budget for the full experience of professional development. As for the bad apples who take advantage of educational opportunities, those few will never disappoint. Let’s just hope that greater accountability measures are in place as a result. Let’s also not forget that there are a lot of good apples in the bunch who are dedicated to keeping our national assets secure and who deserve the chance to grow in all areas of professional development.

With exponential growth in emerging technologies and in the sophistication of the attacks we defend against daily, we simply cannot afford to fall even further behind.

Comments
Susan_Nunziata,
User Rank: Strategist
11/18/2013 | 8:14:33 PM
Re: Bigger than IT alone
@tsdoaks: That's excellent advice, and I think for many CIOs and IT execs the CFO is probably more likely seen as someone to steer clear of rather than work on having in your corner.

Makes perfect sense, though, as does your insight into approaching security from a pure business standpoint. There is a body of research, in addition to information about breaches at your competitors, to draw from in building the business case for security expenditures.

Making that business case can be challenging for some, though. As you rightly note: As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.

Does it help, then, for a CIO or CISO to have had some training in a business program? I'm not suggesting a full-blown MBA, just perhaps some targeted training that might help in this regard. What are your thoughts on that idea?
Susan_Nunziata,
User Rank: Strategist
11/18/2013 | 4:47:01 PM
Re: Bigger than IT alone
@tsdoaks: Nice work here: We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training.

Thanks for sharing that. Can you tell us more about what the right relationships are? I agree 100% getting the C-suite to "see the light" is essential. What other relationships should IT security execs work on developing throughout their organizations? 
Lorna Garey,
User Rank: Author
11/15/2013 | 4:21:23 PM
Train then drain
How much of this reluctance to train is government managers worried that they'll spend precious funds to educate their security pros on cutting-edge tech, only to have them bail to higher-paying private-sector jobs?

We see it happen now with SEALs and other special forces, where it costs the US thousands to train these experts, who are then lured away by the Halliburtons of the world. Cyber-warriors may not be able to survive in the wild for a month with nothing but a compass and a knife (at least the ones I know), but they have other skills worth big bucks.
Susan_Nunziata,
User Rank: Strategist
11/15/2013 | 2:53:03 PM
Bigger than IT alone
This issue is of particular concern to IT professionals, though it is far bigger than IT alone. The state of awareness and training about proper security practices is completely lacking across the enterprise. IT professionals first need the training in the tools and best practices, then the end users throughout the organization also need education about security. We're still seeing end users with a shocking lack of awareness about basic security (don't click on that unknown link in the email from the person you don't know, please!).

Security only seems to rise to the surface of priorities when there's a breach. Otherwise it's the forgotten stepchild in the IT organization and in the enterprise as a whole.

Good security practices should be made part of the employee performance evaluations for every single employee across the organization, IMHO.