My primary role as a security consultant is to help organisations and individuals identify and manage their technology and business risks. My secondary role is that of a network security vendor educator. I really enjoy both of my roles because I have an opportunity to educate people on how to select and, more importantly, correctly implement technology to minimise exposure to risk.
An industry veteran by the name of Bruce Schneier produces some good quotes on the topic of IT security. One that I like is: “If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Perhaps it is a little blunt; however, there are many people who believe that technology can solve all of their security-related problems. As a consultant, an all-too-common problem I see in many organisations is that they invest in great technology but fail to invest in the right skills, people or training required to correctly integrate and operate the new platform. This typically leads to poorly executed implementations.
All technology, if not correctly configured or managed, provides limited value to the network that it is supposed to protect. For example, a vulnerable application behind a poorly configured security device might work; however, it is most likely still vulnerable.
Getting back to the topic, why is training, specifically IT vendor training, important?
To me, the key reason is product-specific knowledge that is delivered by someone with real-world, practical examples of how features work and how they can be implemented. Reading manuals and experimenting with how a feature is configured and functions is helpful. Being shown how, and having the option to ask a security guru how a feature can be practically implemented, is powerful.
I know I have a vested interest: I sell and deliver training. I’m also an employer who understands the costs associated with training. One thing I’ve noticed during my time as a trainer is that the most motivated, effective and loyal staff I’ve met are probably some of the lowest paid; however, they are often the best trained.
Do I invest my own time and money in training? Yes, many weeks a year. Why? If I don’t, I know I can’t maintain my skills to add value to my clients.
We are continuously told there are skills shortages in this industry, and to a degree there are. The good news is a solution exists. If you can’t find the skills you need, training is the answer. The benefits of training are many, and you can’t say the same about not adequately training your staff or yourself on security technologies.
If you’re an employer, manager or employee, you need to ask yourself the question: can you afford not to spend money on training?
Jason Ross (CISSP) – Instructor at Red Education, Principal Consultant at EthiSEC
Red Education is the leading provider of specialised IT training and professional services across the Asia-Pacific region. We provide training for multiple vendors with a regular public schedule in over 24 different locations. In addition to this, we also have the ability to conduct closed onsite courses. For further information on how we can cater to your requirements, please visit our website, www.rededucation.com.