Shrinking Training Budgets

One of the alarming trends that I have heard lately is that budgets for Information Security seem to be recovering from the economic slump, but training budgets are continuing to shrink.  We have always suffered from the artificial distinction between money set aside for higher education that can't be touched, versus money for training, which is one of the first areas to be cut when times get tough.  I talk to a lot of young professionals who are frustrated because they can't get money from their companies for training directly related to their job unless it is part of a degree program.  I have always been a proponent of higher education, but I have never really understood the Chinese wall between funds set aside for college education and funds for professional training.  Higher education isn't for everyone, and professional skill development should never be discouraged if it is related to your current position.  Even many of the most widely accepted industry frameworks for Information Security emphasize keeping the skills of your team up to date.  Of course, professional training courses aren't always the answer; on-the-job training and other free training opportunities are available, but eventually you will want to invest in some commercial training courses.

Earlier this month at the RSA Conference I attended an interesting professional development session titled “The CISO of The Future: Building A Competitive Skill Matrix.”  The presenter, Lee Kushner, spoke about several aspects of the CISO position and how to position yourself for it.  The point that made the biggest impression on me was “If you do not invest in yourself, do not expect anyone else to.”  Although there might not be equal funding in organizations for professional training, you really do have to take your career into your own hands sometimes.  Just relying on your employer to fund all your training and certification options could end up setting you back several years in your career development plan.  Good technical training isn’t cheap, and maintaining certifications can also get expensive, but if you choose the right ones it will be worth it in the end.  The trick is making the most of your training dollars.  Look for options that don’t require travel and register early to receive discounts.  For example, the SANS Northern Virginia conference offers a wide selection of Security, Audit, and Management courses taught by some of the top experts in the field, and if you register before March 2nd you can get $400 off the normal cost.  Many conferences and courses will even offer discounts if you register with your co-workers as a group.

Another disturbing trend that I have seen is the "get a CISSP for everyone" mentality.  Imagine a Windows system administrator comes to you with an interest in information security.  That is a good moment, right?  What I am seeing is that everyone's first reaction is to send them down the CISSP path.  What value does the CISSP have for a system administrator?  Sure, it gives you a good management-level overview of the security domains, but it isn't going to give that administrator one single skill that they can apply in their daily work.  I would really like to see more Information Security programs sponsoring targeted security training for staff outside of the security team.  For example, the Northern Virginia conference has a great course, Virtualization Security, which would be much more appropriate for a systems administrator than a generic CISSP.

The rise in the number of CISSPs is happening at an alarming pace.  For someone who specializes in information security, the CISSP is on its way to becoming the equivalent of a high school diploma.  Not having one raises questions, but having one doesn't really prove anything about your abilities as a security professional.  With so many CISSPs (over 70,000), the value of the certification is eventually going to be diluted.  In a way this is good, because it will open the door for more specialized certifications, but as a community we need to stop recommending the CISSP to anyone who shows an interest in security.  I would rather have my operational teams learning the skills that they can use every day to protect our organization than trying to memorize esoteric details from ten domains of information security.

If you want to voice your own opinions about the value of security certifications, you might want to check out the survey being run by the Information Security Leaders website.  This survey seems like it has the potential to provide a good independent assessment of the value of certifications.
