Nov 04 2004
The Cost of Security Training
By Don Parker from SecurityFocus
It has been said before
that the cost of IT training for those of us in
the computer security industry is really quite
high. After all, there is not only the cost of the
course itself, but also the associated costs of
hotels, food, and rental vehicles if the course is
out of town. This quickly adds up to a rather tidy
sum for managers trying to maximize their often
decreasing budgets. But have those same managers
considered what is the cost of not providing
training to their staff?
IT managers often have difficult decisions to
make, and to offer training or not is certainly
one of them. Do you provide your analysts with
regular training through accredited vendors, or
decide not to do so in light of the financial
cost? Quite a few managers I know personally
choose not to. They believe that if they provide
training for their analysts that they will lose
them to other firms. While this can be a very
valid argument, it is also one on the razor's edge
-- by that I mean you run the risk of your
employee becoming irritated at any lack of
investment in them and their future, and they
simply leave. Several of my peers have left
perfectly good companies for this very reason. All
of them felt that they deserved a job which
provided them with current and up to date
training. Perhaps nowhere in IT does that ring
more true than in the evolving field of security.
Those who have left a company due to training
issues show that education is very valuable
indeed. As a security analyst, for example, you
must not only stay current with technology, but
also improve your core skill set. Whether this is
done by studying a programming language like C or
Perl, or any of the many others, is immaterial.
The point is that you have to stay current, else
your skill set may start rusting out.
Long gone are the days of cradle-to-grave
employment. In our current employment environment
you can pretty much count on the fact that you
will be in a new job several years from now, and
very likely with a new company. To that end you
need to keep your knowledge current.
You will be offering very little added value to
your employer if you do not strive to maintain,
and more importantly update your skills. Right or
wrong, many employees believe that it is up to the
employer to provide that training -- and with that
same reasoning, most believe it should not be the
employee who pays out of pocket for these courses.
This is a classic catch-22 situation, and the
decision on training versus employee retention can
be a difficult one to make. Reality dictates that
most companies simply do not provide adequate
training for their staff simply due to financial
constraints -- and in fact, it may not be
important to their long term objectives. Outside
of the government, military, and large enterprises
you are very often out of luck when it comes to
training dollars. That is a rather bleak reality
for the employee of a small-to-mid size company.
If you own or manage staff in a small-to-mid size
company, it would pay you great dividends to set
aside some money for training. You need not send
your staff out on numerous courses a year to keep
them happy. Upon an initial hiring of a new
employee you should tell them that as part of
their benefits they shall be given perhaps one
course (or however many) per year where all the
costs will be covered. The best and brightest
security courses are not cheap, but their benefit
to your organization can be worth their weight in
gold.
These initiatives would show your next prospective
hire that you are definitely serious about helping
to maintain their skills and investing in them as
an employee. One way I would suggest to do it is
by letting them know that they personally have a
certain dollar amount allotted to them for
training, and they can then give you a wish list
of courses they would like to go on.
Too often it has happened that a new piece of
networking gear is bought and installed without
any training provided on how to set up and
configure it properly. All you may get is a
situation whereby you are told, "here is the
manual for X piece of equipment, read up on it and
learn how to use it." I would argue this is
why there are so many poorly configured machines
out there causing major security headaches and
allowing for breaches by intruders, exposing
valuable company data.
One has little choice at times but to simply read
the manual, but it is a poor way of doing
business. This comes back to another prevalent
idea, namely that "all this security stuff
does nothing for me except to be sucking up my
dollars." Management often thinks this way
when they do not see, or understand, the benefits
of the technology. This is largely because the
latest worm or virus has not affected them, and
thus they do not see the need to provide training
to their security staff.
However, we all know that the very reason they
were not affected is because they had trained and
competent security staff.
For the many people out there who pull double or
triple duty at times, getting the latest training
is even more important. Nowadays having the system
administrator deal with related technology such as
routers, in addition to all his other security
functions, is all too common. These are not
trivial components to configure. Learning on the
job is a good way to learn, but it still cannot
replace the proper training -- yet so few want to
shell out the money for it. I believe this is why
you see so many network security jobs with an
insanely long list of required skills, often
starting with a particular certification. The
person who left that job may indeed have had those
skills, but how many other people realistically
have such a diverse skill set -- and do the job
properly? To expect a prospective employee to have
system administration experience plus be able to
configure and maintain a router, for example, on
top of specialized security knowledge is a little
much.
Many of the jobs I have seen advertised have come
to this. They want everything yet give you very
little in return to help you continually improve
your skill set. And again, I believe this is
simply due to a company no longer wanting to shell
out large dollars on training. They demand that
you have all of this knowledge prior to being
hired. The problem is, if your company is not
willing to provide you with this training how are
you ever going to get it? We must all admit that
management has a delicate balancing act and I for
one don't envy them. Do you train or do you not
train? Yet as a manager you must always remember
one thing: it is an inevitable fact that you will
always lose people no matter what you do. However,
an individual who sees that a company is truly
interested in investing in him personally will be
more likely to stick around.
Don Parker, GCIA GCIH, specializes in intrusion
detection and incident handling. In addition to
writing about network security he enjoys a role as
guest speaker for various security conferences.