The Troubling Decline Of IT Security Training - InformationWeek

Greg MacSweeney,
User Rank: Apprentice
11/15/2013 | 1:06:44 PM
Security Training In Any Industry Is Lacking
The lack of information security training isn't limited to the federal government. Financial services companies are also complaining that they can't find qualified information security experts. But, very few financial organizations invest any resources in security training. Most firms expect new hires to come in knowing everything they need to know about security. It just isn't that simple. All firms need to invest in training for information security.
Susan_Nunziata,
User Rank: Strategist
11/15/2013 | 2:53:03 PM
Bigger than IT alone
This issue is of particular concern to IT professionals, though it is far bigger than IT alone. The state of awareness and training about proper security practices is completely lacking across the enterprise. IT professionals first need the training in the tools and best practices, then the end users throughout the organization also need education about security. We're still seeing end users with shocking lack of awareness about basic security (don't click on that unknown link in the email from the person you don't know, please!).

Security only seems to rise to the surface of priorities when there's a breach. Otherwise it's the forgotten stepchild in the IT organization and in the enterprise as a whole.

Good security practices should be made part of the employee performance evaluations for every single employee across the organization, IMHO.
Lorna Garey,
User Rank: Author
11/15/2013 | 4:21:23 PM
Train then drain
How much of this reluctance to train is government managers worried that they'll spend precious funds to educate their security pros on cutting-edge tech, only to have them bail to higher-paying private-sector jobs?

We see it happen now with SEALs and other special forces, where it costs the US thousands to train these experts, who are then lured away by the Halliburtons of the world. Cyber-warriors may not be able to survive in the wild for a month with nothing but a compass and a knife (at least the ones I know), but they have other skills worth big bucks.
dankney,
User Rank: Apprentice
11/16/2013 | 2:10:40 PM
Look at the conferences, not just the budgets.
There's an implicit assumption here that the trend is due to spending decisions rather than issues within the conferences themselves.

My experience over the last several years is simply that the quality of conference training has been declining steadily. The threats, topics and techniques being discussed have essentially stopped evolving in the session rooms. Talks tend to either be slight but obvious variations over previous presentations or show-and-tell about a project that was delivered using well-established tools and techniques.

I can assure you, if you're paying attention to the traffic hitting your datacenter edge, that attack sophistication has not stagnated.

As security continues to evolve from a problem set to a set of products, the real conversations are happening behind closed doors. Vendors can't allow potential customers to see them discussing threats they can't mitigate, so the dialogue becomes private.

Why would you spend $3k to attend a conference where you aren't actually invited to learn the real content and have nothing to sell?
DavidLawrence2,
User Rank: Apprentice
11/16/2013 | 6:21:23 PM
Re: Security Training In Any Industry Is Lacking
Have to agree with you here. I teach students at the graduate level and while I teach project and program management, many of the students are in the Information Security track. Many of them have approached me for career advice. While there are many jobs in the field, the vast majority are looking for people with experience - but given the clearances and complexities of security it is hard to get starting jobs or internships to get the experience.
tsdoaks,
User Rank: Apprentice
11/17/2013 | 11:53:36 AM
Re: Bigger than IT alone
You are spot on. The behavioral science/psychology associated with (IT) security is often overlooked. However, federal government standards and audits include the management and enforcement of the security policies that focus on these behaviors. Granted, there are tools and processes that can identify risky behaviors (don't click here!) but a better trained IT security professional may not necessarily improve the outcome. A more aware and educated organization may. The entire organization (and certainly its leadership) has to make security a priority for budgets to open up to additional IT security training dollars. And to your point, that generally doesn't happen until something catastrophic occurs. All may not be lost! We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training. Sadly, using the breaches of other agencies has also provided some leverage when comparing similar weaknesses. Lastly, having the C-level across the org agree to include annual security training/compliance/testing as a condition for employment helped mitigate those behavioral risks and bring the IT security discussions to the forefront of everyone's thinking. This approach made it easier to obtain training dollars.
DarkReadingTim,
User Rank: Apprentice
11/18/2013 | 1:43:03 PM
Re: Security Training In Any Industry Is Lacking
There is a real shortage of IT security skills across most enterprises, not only in federal government, but in commercial industry. One of the biggest issues is what credentials we accept to prove that the security professional has the necessary skills -- the CISSP is the standard at the moment, but there is a lot of disagreement about what skills security pros need to have, and how they can prove their experience in a credible fashion. What skills/credentials does your organization look for when hiring?

Tim Wilson, editor, Dark Reading
Susan_Nunziata,
User Rank: Strategist
11/18/2013 | 4:47:01 PM
Re: Bigger than IT alone
@tsdoaks: Nice work here: We found that developing the right relationships, educating staff, and publicizing the value of IT security may be a way of shaking loose some budget dollars for training.

Thanks for sharing that. Can you tell us more about what the right relationships are? I agree 100% getting the C-suite to "see the light" is essential. What other relationships should IT security execs work on developing throughout their organizations?
tsdoaks,
User Rank: Apprentice
11/18/2013 | 7:51:27 PM
Re: Bigger than IT alone
@snunyc: Surprisingly one of the best allies to have is the CFO (to whom I did not report). In our organization the annual financial audits included human behavior regarding security of financial data. She had a vested interest just as I did in making sure we had proper training for IT security personnel as well as the security awareness for all employees. It didn't hurt that she could advocate for me in meetings with the other C-level peers. Who better to have in your corner? The key was finding common ground. In our organization, data is king. If we no longer received data from the feds due to our inability to protect it, we all lost. As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.
Susan_Nunziata,
User Rank: Strategist
11/18/2013 | 8:14:33 PM
Re: Bigger than IT alone
@tsdoaks: That's excellent advice, and I think for many CIOs and IT execs the CFO is probably more likely seen as someone to steer clear of rather than work on having in your corner.

Makes perfect sense, though, as does your insight into approaching security from a pure business standpoint. There is a body of research, in addition to information about breaches at your competitors, to draw from in building the business case for security expenditures.

Making that business case can be challenging for some, though. As you rightly note: As a CIO and CISO, it's important that we are able to articulate that clearly and persuasively enough that it doesn't smell like another IT expenditure for the sake of IT.

Does it help, then, for a CIO or CISO to have had some training in a business program? I'm not suggesting a full-blown MBA, just perhaps some targeted training that might help in this regard. What are your thoughts on that idea?