- Doug Jacobson and Julie A. Rursch
Every day we hear about the newest attack, the latest exploit, or another cyber threat. In response, we hire security consultants, look for the best security team we can find, and buy the latest products from the security vendors.
Security expertise cannot exist in a silo, however. All employees in your organization need to be security savvy to help reduce risk. But how many of your personnel worry about security on a daily basis? While our credo is that all of your employees are responsible for your company’s security, the IT professionals are—to one degree or another—at the forefront of security issues that arise in your business.
How can IT professionals become security savvy? In general, there are three basic tracks to an information security education. Different individuals may choose different paths, either informal or formal. Many times, there’s synergy to be gained when IT staff members participate in multiple types of IT security education.
Informal Information Security Education
As a whole, IT professionals are bright and inquisitive. Many of your IT staff members already explore IT security on their own time. Informal education has a very low cost of entry into the IT security world. Websites offer free information, while purchasing a text or general security book incurs only a small monetary cost. Informal education allows the participant to learn at his own pace, explore areas of personal interest and is largely experientially based. IT professionals can take old equipment sitting in their basements or garages, and setup environments to test security processes and theories. Hands-on practice, and experience, is key in learning about IT security.
The downside to learning on your own is, well, you are learning on your own. While you can post questions on Web forums, if you are a true newcomer to IT security, your questions may be framed in a way that others cannot answer or refuse to answer because they are too basic. It’s difficult to know where to begin and what areas to focus on. While the Web does provide a wealth of information on IT security, it is the Internet. Not every document about IT security is valuable or even true; this can be hard to evaluate when you are new. Finally, the informal education approach takes true initiative on the part of the IT staff member to complete the work. As an IT staff member, it is hard to demonstrate proof of the work completed in informal education, other than skills demonstrated on the job. There is no paperwork confirming the knowledge gained.
Formal Information Security Education
Formal education has a larger monetary cost than informal education; personnel, equipment, classroom space and computing time all factor into the costs. And there can be large disparities in the price and value of the education. However, at the end of any type of formal education, the IT professional will acquire documentation proving completion of the course and competency in the topic. Formal information security education is a very structured approach with hard deadlines and timetables. For those individuals who need structure, it is a more reasonable approach than informal education. It also provides a systematic way for students to navigate through the volumes of IT security topics and issues. But, for the working IT professional who may have family and other commitments, time management is key to success in a formal education environment.
There are two kinds of formal education options available to those wanting to learn about IT security: security certificates or short courses, and degree programs. Both types can be delivered in person or online.
Security Certificates: Generally, certificate courses on security are short sessions lasting either a few days or a few weeks. The courses tend to be very specific and focused narrowly on one or two topics. Students who take this approach can gain some very good hands-on training with many labs, and little reading. However, because the time on task is shorter, they may not be able to apply the acquired knowledge to a broader framework, or extrapolate to a different situation or security threat. An increase in the amount of time spent on mastering a topic has been correlated to an increased ability to understand and apply topics learned. This method is very good at sharpening skills and building on current knowledge. With this type of education, it is harder to get the big picture of how everything fits together because the material is delivered in short self-contained modules.
Degree Programs: This approach can be thought of as a traditional university course in which a class runs 16 weeks, though it may occur online instead of in a classroom. The teaching that occurs here is the combination of reading—usually texts, but also current events and journal articles—as well as laboratory experiments, homework and tests. This is the most comprehensive approach to learning about IT security. Pursuing this kind of education is a significant time commitment. In a three-credit course, there are typically 48 contact hours for the student with the instructor and about that same amount of time spent out of class on laboratories and homework. Courses that are part of a degree program build understanding throughout the semester, providing the student with a logical progression through the topics and labs. Since a degree program requires multiple courses, there is a logical progression from the introductory topics to advanced topics to senior capstone experiences, where all the topics are tied together into one project.
Professional Interaction: Plugging Into the Security Community
There are many opportunities for professional development as an IT staff member through the security community. Organizations like InfraGard provide an opportunity for professional presentations by members or federal security agencies, as well as the exchange of ideas between colleagues. There may be some cost to membership and a vetting process where people are evaluated to see if they can be members. While this is a great way to network with peers or experts in the area, often any learning opportunities are limited to short presentations. We find these types of groups are best suited to people who have had some security education. Someone new to IT security could use these venues to learn about more formal educational opportunities in the area.
We’ve outlined several methods to educate IT professionals about security, and while more education is almost always better for professional development; in this case, we can also conclude that the more security savvy your IT staff, the better protected your organization will be. This is, of course, as long as you also have dedicated security staff. Good security is all about layers of protection, both in technology and in people.
About the authors
Doug Jacobson is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.
Julie A. Rursch is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to firstname.lastname@example.org.