Rexxfield's Michael Roberts

Monday, August 11, 2008

Justifying IT Security Training & the ROI

This essay is based on observations over a 12-year period in which I have been involved in the IT Training industry; most recently with Mile2, which delivers what is arguably the best Penetration Testing Training globally.

Unlike “commodity” training such as commonly available Cisco and Microsoft certification courses, IT security training investments require a higher degree of due diligence on the part of the student and on the part of management personnel responsible for Information Assurance within their organization.

Unfortunately, the managers of many organizations have yet to grasp the severity of the risks posed by the vulnerabilities invariably present within their network, because many of those vulnerabilities are yet to be identified. As such, they are often reluctant to invest in the security training those on the frontline are desperately seeking. This is akin to a bank being slow in deciding whether it should have an armed guard in the foyer just because it has not had a hold-up since it opened in 1919, even though the crime indicators for the area are escalating. If a decision were made to hire a guard and the bank enjoyed another 5-year period without a hold-up, the “bean-counters” might argue that the guard is not needed. The question is: how many hold-ups were thwarted by the guard? In the same manner, how many network breaches are thwarted by a network secured by personnel with relevant, efficient and up-to-date IT Security Training? It is not a measurable statistic, but the assumption that many breaches were probably thwarted does stand to reason.

Unlike almost any other IT problem an organization may face, a security breach is far more serious than a broken router or a crashed hard drive, which can be routinely remedied. After all, information assets such as customer databases, trade secrets and intellectual property are probably the most valuable assets on a commercial organization’s balance sheet; or, in the case of government or military entities, their databases contain some of the world’s most sensitive secrets. Information assets are usually the worst things to lose because when they are stolen, they are probably not insured and the damage is invariably irrecoverable or irreversible.

What I am attempting to articulate here is something fundamentally obvious, but which no one seems to have adequately addressed. What is the difference between a “specialty IT security trainer” and a “great general instructor with a mediocre to great book”? An executive director of a large Asian delivery partner asked this question recently and it is a great question. It occurred to us that the difference isn't in the quality of instruction, or in the curricula, or in the courseware, or in the frequency of updates. It is in the just-right combination of all these elements.

A premier IT security training vendor does not sell training programs, or instructor days, or courseware; he sells an organization's security. Program graduates secure their organizations because they know what to do, when to do it and how, and they understand why. Good IA training vendors deliver on this promise time and again because they don't train just anybody (they insist on prerequisites), they don't rely on books and their instruction is a mix of from-the-field experience and pedagogical excellence.

In an effort to provide the best possible protection for their clients’ information assets, Mile2 Security Training Partners have elected to bring in “hired guns” from Mile2 to make sure students have everything reasonably required to create and implement effective security policies.

Good Training Companies will continue to utilize their internal team of multifaceted instructors to provide great training value for “commodity” training courses such as Microsoft, Cisco and Citrix, to name but a few. However, with respect to IT Security Training, they bring in the experts. This decision gives local students a quality alternative to the “class in a box” security options offered by other training vendors and delivered by all-purpose trainers. Those courses are generally obsolete by the time the courseware or book is shipped, let alone presented in class. IT Security evolves constantly, and related curriculum should accordingly be printed only a week or two before each event to allow for crucial last-minute updates covering the latest threats.

You may be the decision maker for training budgets, or you may have to go “hat in hand” to management for funding; either way, before you make a decision on what training to pursue, do a quick mental checklist of EVERYTHING your organization can least afford to lose. Once you have the list, estimate the losses if that information is lost or stolen. If it is a customer database, how much would you lose if your customers lost their trust in your organization and took their business elsewhere? This “scenario planning” is a great way to justify the training budget you need.

When management compares the cost of potential losses against the relatively low training fees, they will find an excellent return on investment. Quality information security training programmes equate to a very low insurance premium for your priceless information assets.
