Verification of Security Training and Certification
written by: Steve Mallard•edited by: Bill Fulks•updated: 5/20/2011
Are your security analysts adequately trained, and how do you verify that they are trained and certified? Verification by your IT department is an ongoing process and a commitment to your organization. With more than 517 million records breached since 2005, your company should require it.
Security in Today's World
In 2010, online theft exceeded a billion dollars. With e-commerce taking the lead in selling and providing goods and services, information technology security is the fastest-growing career field.
The Identity Theft Resource Center keeps a database of data breaches of major organizations, companies and government websites. Having tracked these breaches since 2005, this valuable resource gives information on what to do in the event there is a data breach or if someone experiences identity theft. PrivacyRights.org reports over 517 million individual records being breached since 2005.
With thousands of botnets, viruses and malware samples arriving by email and being released on the web, organizations have to be ready and provide a network defense that starts with personnel.
With this amount of data leaking to malicious users, it is important that companies obtain confirmation of information security training before hiring a potential employee.
With so many companies offering information security training, it is important to look not only at the individual certification but also at the institution or organization that offers the training. Boot camps were popular several years ago, but this type of training is often rushed, and getting an individual certified by drilling practice tests is not the ideal way to earn a certification.
Look for training from the SANS Institute, ECCouncil, CWNP, CompTIA and Microsoft. These organizations provide certifications that are not only in demand but contain concepts that meet information technology needs. While there are many other organizations that offer certifications, you should verify each of these organizations and their standing in the IT community.
Training should be provided by an accredited organization recognized by major vendors. Verification of IT certifications and training is important in keeping your organization secure. It ensures that the credentials provided are authentic and that the training quality meets industry standards. IT certifications can be gained through self-study, but having a mentor and instructor helps ensure that the appropriate labs, lectures and training are delivered.
Training should contain labs, lectures, and discussion groups. Always look for the number of hours of training. When talking to your security analyst, get an understanding of how the class was structured.
Skills and Concepts
The title says it all. The skills needed in information security are not only high-level skills; individual analysts should have an understanding of every position from your help desk up to the senior positions in your organization. These skills are not limited to IT skills alone. The analyst should also understand your business model.
Finding the right individual to secure your organization should not be based on who is known to your IT department. The decision should be based on skills and concepts. The individual should have hands-on experience with the majority of the applications and hardware in your organization. While it would be ideal to find someone who has all of the above skills and concepts, your decision to hire these specialists should take some time.
Challenge and Re-certification Process
Analysts who currently work for your organization should be challenged and trained on a regular basis. Simulations of breaches, hardening, implementation, migration and social engineering should be given to employees and applicants. Have these individuals show and explain the processes needed to keep your organization secure.
Many companies advertise that they train on a regular basis, but their training records often say otherwise. While presentations are a good form of training, having employees show and explain the processes is more effective. Complacency and the daily grind can lead to security issues. Employees should be rotated between jobs to avoid this burnout. By rotating employees, you can find the strengths and weaknesses within your IT department; this builds quality teamwork and makes your employees more versatile.
It is good to promote certifications, but it is better to require re-certification. Re-certification through good quality training organizations can lead to a highly motivated organization, and re-certifying with a well-known organization brings new materials and ideas to your IT department.
Employees should be reimbursed for certification and re-certification costs. A career ladder should be in place, and evaluations should be performed on a regular basis.
Verification of Security Training and Certification
Confirmation of information security training and certification should never stop at the certificate or the exam results. Many of the certifying organizations offer a digital transcript that can be sent electronically to your email. Don't accept a copied-and-pasted transcript; professional organizations that offer this capability will email the transcript or provide a verification link for employers. What should you do to further verify the training and the number of hours in class? Call or email the organization, and always ask for a copy of the syllabus or an outline of the curriculum.