Security Training - The Prerequisite to E-Business
The English Renaissance philosopher and political figure Sir Francis Bacon once said that knowledge itself is power. Though that is certainly an inspirational dictum, another famous maxim is more telling of the state in which information security training finds itself.
"Real knowledge is to know the extent of one's ignorance," asserted eastern philosopher Confucius.
A host of information security managers and educators concede that there is much to learn and keep abreast of when it comes to the rapidly evolving arena of data security. At the same time, there is an all-too-real problem: the present educational opportunities are thought by some people in the industry to be quite lacking. There are not enough courses, experts say, and what is offered needs honing, if not overhauling. Educating society's youngsters on using the Internet safely and establishing information security tracks in universities would be major pluses for this energetic field. Creating more specialized and hands-on educational courses for those now in the midst of attempting to protect their companies' assets would be a huge boon.
"While IT managers are very knowledgeable about general IT issues, most are not well-versed in information security," says Bernie Dodwell, business development manager at U.K.-based Allasso. "IT security is a fast-moving, volatile and dynamic sector and most IT managers do not have the time or resources to keep ahead of the game."
Catching up with the runaway train that is the electronic information age, with its confident cybercriminal passengers comfortably on board, may be possible - but it is a distant prospect at the moment. In a 1999 study conducted by the SANS Institute, a co-operative education and research organization, the number one management error leading to security weaknesses was a lack of education. Employees tasked with maintaining computer security are often not trained in it, according to The 7 Top Management Errors that Lead to Computer Security Vulnerabilities. The study continues that businesses typically do not provide "the training nor the time to make it possible to do the job."
"IT security managers in most organizations are well-versed in information security and probably lag behind somewhat in their knowledge of IT in general," contends Ed Carroll, engagement manager in the security consulting services practice of Texas-based BMC Software. "IT managers, on the other hand, have greater knowledge in the technology and less in security. Security may be viewed as an impediment, or a necessary evil, by some managers who may have had prior bad experience(s) with a security organization."
Carroll explains further that sometimes IT managers think that security vendors add little benefit to an organization, or see them as a conglomeration of folks who come in and reset passwords. "Security organizations that are able to help IT managers see and understand the role of security, and assist with timely integration and implementation of business applications and new technologies, can distinguish themselves as being part of the solutions, and not part of the problem," he adds.
Some security providers are adding extensive training services to their solution and service offerings. These might take the form of tutorial web portals or actual educational seminars. Meanwhile, companies throughout the world are realizing, as the Internet becomes the major conduit for the e-business infrastructure they now need in order to thrive, that their employees - not just their IT department - need to be educated about information security.
"It will become a standard of business practice," contends Steph Marr, vice-president of Information Security for Predictive Systems, a network consulting company headquartered in New York. He adds that security training is a huge area right now, which will need to become even more far-reaching in furnishing comprehensive instruction.
"It's on par with the millennium bug," he says. "The next bogeyman is not the Y2K bug, but the hacker."
Most IT managers struggling with implementing protections for their companies are familiar with professional organizations like the SANS Institute, MIS Training Institute and the U.S. Department of Commerce's National Institute of Standards and Technology (NIST). All of these groups provide training of some sort in information security.
Along with its system and security alerts, news updates, research projects and publications, SANS provides in-depth education addressing a legion of security vulnerabilities and defenses. Just this year, it also implemented a distance learning and certification program, the Global Incident Analysis Center (GIAC) Training and Certification Program. At any of 2,000 sites around the world, training is provided and certification tests are given to those people responsible for "managing and protecting important information systems and networks," according to an online SANS description. Besides basic training, the program also boasts advanced training on specific security areas requiring hands-on proof of skills mastery.
MIS provides instruction to people all over the globe on subjects ranging from information security management or e-commerce issues to internal auditing or enterprise applications. These educational offerings are provided through seminars, on-site seminars, conferences and symposia. MIS' Information Security Institute focuses solely on infosecurity, presenting over 30 courses and special programs.
Collaborating with various major universities, NIST's Academic Affairs will often identify and promote collaborative research efforts with the academic community, in addition to maintaining a Postdoctoral Program in co-operation with the National Academy of Sciences/National Research Council. Even the Federal Bureau of Investigation has classes that support training of law enforcement in computer forensics and other technological issues.
These and other professional organizations, such as the Computer Security Institute or National Security Agency, offer general instruction, but as information security becomes a bigger issue, they have begun providing more specialized classes. "There's a critical need (for security training)," says Norm Kelson, managing director of IT audit and technical seminars for MIS. "Historically, our systems were built on private networks … and you had less of a concern, but as soon as you use the Internet you have a lot more concerns obviously because it is a public network."
Greg Surbey, vice-president of knowledge resources with JAWS Technologies of Canada, says that many companies have a solid data security division in place, but with the Internet extending into virtually all aspects of business new vulnerabilities keep cropping up. "It's a new game today, so they're having to re-learn the whole concept of security," he says. "Education, especially in this arena cannot be event-driven. It's not a one-shot deal. Training in this field is an on-going part of your life. To go and take training and think you're done is not the right attack."
With this philosophy in mind, many security vendors like JAWS have extended educational opportunities to their own employees and customers. As an example, JAWS University was recently formed to implement a variety of curricula based on platforms such as the web or computer-based knowledge management systems. Through a web-enabled portal, the company is offering competency analysis, learning management and best practices to its employees now, but within three months, says Surbey, JAWS clients will also be able to take advantage of the service.
The Missing Links
Even as private companies and professional groups beef up their training capabilities, many industry experts feel much more is needed. "There's not a whole lot of (training) going on and what is going on is a conference-style setting, not lab-training," says Sondra Schneider, CEO of Security University, headquartered in Connecticut. Additionally, some of the courses offered can be costly for companies. The main issues facing this industry, she explains, are improving what is available and devising ways to get people to the point of attending courses or hands-on labs.
"I'd really like to see some formal training criteria," she adds. "This is still an outstanding issue. My vision, a simple start, would be to have a focus group develop a curriculum for security professionals. We could begin with the Certification for Information System Security Professional (CISSP) creators, include universities and security portals … as well as other universities that are starting to create information security programs."
And some companies believe that starting educational programs to address younger computer users wouldn't be a bad idea, either.
Sophos recently launched the SAFE NET e-QUETTE program in response to UK Prime Minister Tony Blair's announcement of getting everyone online by the year 2005. The plan aims to educate people about the viral dangers prevalent on the Internet. It is also intended to teach children and teenagers about the educational benefits of using the Internet and to dispel any romantic or youthful notions about hacking.
Predictive's Marr says that an educational infrastructure needs to be established in colleges and public schools that has at its core the goal of data security instruction. If governments are proclaiming that the protection of electronic information is a national and international security issue, then they can back this in the school systems. "You need to teach social responsibility in our schools on how to use computers," he says. After all, he adds, some hackers making headlines have barely escaped puberty and are now answering for their deeds in courts of law with heavy penalties as their end reward.
These hackers and other advanced cybercriminals pose huge threats to companies on all continents. Overall, U.S.-based companies are aware of the security their electronic systems demand, says Marr, but the individual employee seems a bit more knowledgeable in, say, Malaysia and other parts of Asia. Security University's Schneider says that professionals in other regions seem to come to the States for extensive training, though.
"Just returning from the Asia Pacific, where infosecurity end-users and network administrators tell me they are substantially behind in security training. They stated there was no university-level training such as the U.S. provides, (though) I have not confirmed that information," she says. "Training in the U.K. has limited education as well. Most network system administrators and security wannabes come to the U.S. or to U.S.-based companies for training - U.S.-based security training companies like MISTI, SANS, CSI, NIST and NSA."
Education Before Training
Whether through seminars, immersion training like that which SANS offers, or web portal classes, companies must first decide where their needs lie and who needs to be trained. They also have to decide what the best modes of learning are for their employees, says Ian Higginbotham, U.K. general manager of Norman Data Defense Systems. It is all about education before training even begins, he says.
"First of all, they need to identify the right training course," he explains. "A measure of the maturity of the security industry is that individual training courses are now growing up in specific areas of security, such as firewalls and web security, which means that there is more tailored training available."
Preparations will also entail determining where the risks are most prevalent within a company, says Schneider. Then, time and assets will need to be spent on addressing the needs. "Spending more money on security tools is not the metric to measure how secure the network is," she warns. "Educate."
Instruction in infosecurity is the most important step companies can take to defend themselves against all the electronic threats out there today, agrees Allasso's Dodwell. Training, he says, starts with the conception and implementation of a comprehensive policy before even looking at the technology. Companies should also seek professional advice from experts who focus on security and are aware of all the issues, including the physical aspects of protection.
These policies, says BMC Software's Carroll, should be communicated and carried out. All employees should be aware of their roles in safeguarding company assets. "Policies that clearly state an organization's objectives towards security - explained in the context of the organization's business goals, and backed up by well-thought-out enforcement mechanisms and techniques - make it crystal clear to all what the expectations for security are, from the clerks in the warehouse to the CEO," he explains. "After policy, ongoing awareness and vigilance are also key security pillars."
With this in mind, training for all employees should be offered. There may be mandatory attendance at security awareness seminars for some employees, while advanced technical training may be a requirement for security and systems administrators, Carroll adds.
Igal Sapir, security marketing director for BMC Software in Tel Aviv, maintains that training should also be targeted and minimized whenever possible given the busy schedules most employees and IT managers face. Central administration tools would be integral to this happening.
"Training should be provided to all employees, but different positions should get different training depending on their job relation to security," he says. "In-depth training should be provided to all security specific personnel. In-depth vigilance training should be provided to IT managers, system administrators, help desk and similar types of personnel. Regular vigilance training should be provided for everybody."
According to Higginbotham of Norman Data, only one out of every seven companies in the U.K. has a security policy in place. There are no figures available to show how many of that one in seven have taken the other pertinent step - implementation of that policy, he adds. "I believe large companies need to have a number of security specialists trained in different areas as there is no chance that one person can do it all. As software becomes more complex, the security associated with it becomes more complex, and I believe that the best security can only be implemented when it is simple," he explains. "I think the first hurdle has to be the proper development and implementation of a security policy which applies to everyone."
Delivering the Goods
The modes of delivering these levels of training vary. Through conferences, seminars, web-based classrooms and other instructional options, companies can keep their employees abreast of infosecurity issues. The question is which method of preparation is ideal.
Massachusetts-based Lotus Development Corporation offers the tools that enable companies to teach their employees whatever topics they feel are needed. From self-directed study to web training that allows students to share information in real time, Lotus carves out all sorts of learning modules for companies, governments and academia.
Kristina Lumsden, solution offerings manager for Lotus, says web-based training is a feasible option these days. With companies turning to vendors like hers, course work may be customized to fit employee needs, whereas outside educational options may be a bit more generic, she explains.
"It's another way of using the Internet as a tool. I think its popularity will grow," she says. "Will it replace face-to-face training? I don't think so."
Nor does Kelson of MIS. He says that security training cannot be accomplished through a general program, but involves much granularity. Face-to-face training is expensive, while web-training may be more convenient. The best training program a company could engage in might involve varied modes of delivery covering general and specific topics, he explains.
Smaller topics like encryption or vulnerability studies using tools from specific vendors may be appropriate for web-training, says Schneider, but this method will never become a replacement for classroom or lab instruction. "Is virtual learning as good as face-to-face, hands-on classes? No - they do not have the network to play with to do security resolution," she explains.
Internet Security Systems (ISS) in Georgia has been offering educational services since 1996, and in that time has helped over 2,000 organizations train over 6,500 employees. In addition to conducting vendor-neutral courses for IT security professionals, ISS Secure University also offers certification programs for its own products and Check Point's Firewall-1. Classes are held in educational facilities throughout the world, but may be carried out at a company's site.
Besides its online training, JAWS Technologies has also worked with the computer science and criminology departments at Florida State University and the University of Calgary to develop IT security courses. Surbey of JAWS says that Internet-style training is beneficial because it can change as rapidly as the technological topics, yet classroom education is just as valuable due to the depth of knowledge shared by students. He maintains that infosecurity is fast becoming a 'discipline' and will eventually be prevalent at the university level.
Education means Awareness
A number of educational programs are out there. Though some may argue that more hands-on instruction is required, others maintain that companies need to take advantage of what's available now. "There are enough groups already doing this," says Kelson. "The question is can companies dedicate the time."
To protect their assets, organizations all over must invest the resources to train all of their employees. The time and money dedicated to education will benefit all the enterprises conducting business via the web. "The most important point is awareness," says Surbey. "Every individual associated with an organization needs to be aware of data security."
Carroll of BMC Software explains further that the future of e-business demands that all employees of any group will have to share in the responsibility of defending themselves, their co-workers and their company. One division will no longer carry the brunt of data protection for an entire enterprise, especially given the break-neck speed at which business is moving.
"The need to balance an effective security program with the need to ensure accessibility to the right information, by the right resources, at the right time, is more crucial than perhaps at any other time," he says. "Sensitive or proprietary information critical to an organization's health and ongoing viability is exposed as never before: Internet accessibility, corporate espionage, hackers, dumpster divers, disgruntled employees. Only through the combination of effective policies, management enforcement, user awareness and ongoing vigilance on the part of every employee within an enterprise can the protection of corporate computing resources - regardless of technology or computing platform - be adequately safeguarded."
Globally, organizations are waking up to the risks they choose to take in not educating their employees about e-business and associated security hazards. Making deals electronically can garner all sorts of riches, but can also lead to a company's downfall if appropriate security mechanisms are disregarded.
"The demand for training is rocketing as companies become more and more aware of the issues," says Allasso's Dodwell. "Security is not something that is dealt with once and then left on the shelf. It is an ongoing and constantly evolving market and needs constant monitoring. Together with a security policy, training is the key component of a successful defense. Security training issues are virtually the same throughout the world. As the Internet and e-commerce continue to grow, the market will have to grow with it."