As you look to improve yourself as a cybersecurity professional, you often need help from an outside source to increase your knowledge. Security is a broad topic encompassing many disciplines, and cybersecurity is no different. There are technical, procedural, and managerial aspects to be considered to grow your knowledge of cybersecurity; you need to be proactive or you could be left behind. Plus, there are often many different ways to solve the same security problem. Knowing what to do and how to do it requires both knowledge and experience, but how do you gain this expertise?
The answer is cybersecurity training and education, but which is more important? Where should you focus your limited time? Some consider security training and education to be the same thing, but there is a difference between the two. Consider them two sides of the same coin. Both training and education play a part in overcoming knowledge gaps. You need to be aware of your needs, wants, and goals before proceeding. This includes knowing where you want to go with your career and then mapping out a path to get there.
Cybersecurity education provides a more general background on the fundamental philosophies and concepts behind cybersecurity. Education allows you to understand the context for security tools, techniques, and technologies. With security education, you understand why it’s important to have particular protection methodologies in place. Focused at the strategic level of thinking, it’s not a one-week course that leads to a certification. Cybersecurity education emphasizes principles of risk management and how security fits into an organizational culture and structure. Acquired through both formal studies and experience, it is a long-term endeavor that can take many months, if not years, to acquire. Finally, education teaches critical thinking and allows the student to learn how to learn, which is crucial for new subjects or technologies.
In contrast, cybersecurity training is more specific to a technology, procedure, or skill; it’s tactical or operational, rather than strategic. Training emphasizes the building of explicit skills and applying what you know to a particular situation. It’s directed toward a topic, which can be used to solve defined problems. When you attend cybersecurity training, you are learning about a specific technology or practice that can meet an immediate need. Lastly, training is short term and can often be accomplished in days or weeks.
There’s also awareness, which is neither education nor training. We want our users to have awareness of security issues and solutions. Awareness is not teaching a skill or technology, but rather seeks to increase high-level knowledge or consciousness of an issue. This should be viewed as both long-term education and short-term training. It’s a continual process that often requires repetition for the material to sink in.
I’m not trying to sway your thoughts as to whether education or training is better, because both are important for expanding your cybersecurity knowledge and abilities. You need to decide for yourself the method you want to take in order to meet your career goals. What’s important is that you keep growing and increasing your knowledge: Don’t stop learning!
About the author:
Ron Woerner is a cybersecurity professor at Bellevue University and security analyst at a large architecture and engineering firm in the Midwest. Send comments on this column to firstname.lastname@example.org.