PricewaterhouseCoopers recently conducted its 2004 Information Security Breaches Survey, which found that undereducated security workers are the leading cause of security breaches. Such survey results reinforce the presumption that employers must spend time and money to make sure their personnel are adequately trained and educated. But committing that time and money, especially in SMEs, can be a big problem. "According to other studies by outfits like CERT and SANS, these issues are particularly acute in organizations that don't have formal incident response plans or teams designated to handle security incidents. Basic security training and skills are absolutely essential—something along the lines of what's covered for Security+, TICSA [TruSecure ICSA Certified Security Associate], SANS GSEC [SysAdmin Audit Network Security GIAC Security Essentials Certification], CheckPoint Security Fundamentals, and so forth—but beyond that performing risk assessments, security audits, and making security consciousness part of the IT mindset is also important," says Ed Tittel, president of LANwrights, a company dedicated to network-oriented writing, training, and consulting. The most qualified information security professionals find themselves being spread thin, with their roles ever more exacting. That's no surprise, given that the state of IT and information security has grown vastly more challenging of late. With proper training and education policies, however, the likelihood of security issues stemming from undereducated workers can be substantially reduced.
Conviction Is Key

Following Sept. 11, 2001, general security, including information security, is said to be everyone's top priority. Unfortunately, reality proves that this may not be the case. The reason? Oftentimes upper management restricts the security budget to a tiny fraction of the organization's total IT expenditure. So how do IT managers ensure that their employees get the training they need? "Unfortunately, this is an issue that requires companies to spend money and invest time and resources. This means upper management has to buy in and recognize it's a situation that requires their support and (where possible) participation. If a company can't handle security in-house, it should look to a managed security services provider for aid (and be prepared to spend at least $50,000 a year on funding out-of-house security efforts, if not more)," says Tittel.
Find The Right Services

Everything from assistance with risk assessment and threat analysis to security audits, remediation planning and implementation, and ongoing security monitoring and updates can be purchased from security companies nowadays. "Corporations now have a specific duty to inform their employees, contractors, and partners about their responsibilities in ensuring information security and privacy," says Patrick von Schlag, president of Deep Creek Center, an IT learning consultancy. "We have worked with a number of large enterprises in health care, financial services, the government, and major university systems to identify, develop, and deliver security awareness training to their teams. Inevitably these are a combination of industry best practices, such as appropriate password management and process requirements unique to that enterprise or vertical. Rich-media systems allow companies to stream content to thousands, or even tens of thousands, of employees at a modest cost, while providing awareness validation through post-testing and tracking."
Get The Training You Need

Exactly how does a manager determine what training is needed and then go about getting it? Tittel believes that the first step is to conduct a risk assessment and a threat survey of your organization. Without in-house expertise, this task is best placed in the hands of an outside firm. Larger consulting companies (such as Accenture, EDS, etc.) all have specialty practices that provide this type of service, and many security companies are also able to supply such expertise (Foundstone and System Experts are examples). A number of security Web sites provide listings for further information (for instance, SecurityPortal.com and SearchSecurity.com, which cater primarily to security personnel). According to Tittel, "Once an organization can define its security needs, those same experts can help identify the kinds of skills and knowledge required to provide them, which in turn can help to determine what kind of training might be needed. It's important to be aware that some senior level security credentials—CISSP, CPP, PSP—require five years or more of documented, on-the-job security experience, as well as meeting examination, educational, and other requirements." It's important to know that in some cases, it won't be possible to "train up" in-house people quickly enough, so outside hires (or consulting arrangements) may still be necessary.
Footing The Bill

When it comes to employee training and education, one question is likely to arise: who will pay for that training? Should the financial burden be placed solely on the employer, or should the employee foot the bill (or a part thereof)? It's the employer's responsibility to meet legal, financial, and best-practice requirements for its target markets and industries. Ultimately, rank-and-file employees simply do their jobs and help accommodate such requirements, but they shouldn't be asked to pay for the training necessary to meet them. The general consensus is that if an organization doesn't want to absorb the cost of delegating tasks to an outside security firm, it must be prepared to make the investment to get its own people trained and prepared to meet the organization's security needs.

by Douglas Schweitzer, Sc.D.
Training & Education Resources

Recent studies show that despite a greater emphasis on IT security, implementation is hampered by a lack of adequately trained personnel. Fortunately, numerous training resources abound. Following is a short list of popular training and education organizations.

Blue Screen IT: A training and education solution provider for individuals and corporations. www.bluescreenit.co.uk

Global Knowledge: Provides a broad array of IT training courses to improve productivity and help enhance efficiencies. www.globalknowledge.com

LearnKey Direct: A popular and well-respected IT training and practice exam provider. www.learnkeydirect.com

New Horizons Computer Learning Centers: The largest independent IT training and education company in the world. www.newhorizons.com

The Training Camp: Offers accelerated IT training and certification testing services for corporations, government organizations, and IT professionals. www.trainingcamp.net

In addition to those Web sites, nearly all the computer giants, such as IBM, Gateway, Dell, and HP, also offer education and training programs.