
An Extra Measure of Security

By Steven S. Ross  |  Posted 2005-03-07

How much should you budget for security training and certification for your technology staff?

M. Angela Sasse, a professor at University College London who specializes in security, recommends top-to-bottom training in an information-technology department—and higher in the organization. "There has been a tendency to delegate security to specialists," Sasse says. "But things change all the time. Sometimes the experts are necessary, but overall you can't delegate. People who are running the business have to take an interest and understand the risks."

Standards-setting organizations in the U.S. have tried to provide a framework, but the British have been more systematic. "The U.K. Department of Trade and Industry has been working on a good practices standard," Sasse points out. A policy is due this year.

Coursework and manuals linked to specific products are useful but not ideal, she says. "Security products don't—by themselves—protect you. People try to use the stuff as an amulet."

Instead, Sasse recommends coursework that stresses case studies "in a company, a college, a hospital. Send the students out to do risk analysis, to look at countermeasures and costs. Simulate it for a structured seminar short course that runs for one week."

She is testing a course and hopes to commercialize it. One key issue: simulations tend not to prepare personnel for certification tests, which are generally multiple-choice and fact-specific.

Morrow Long, director of Yale University's Information Security Office, has his own goal: "I budget a week's worth of training annually for each of my I.T. staff members. That translates to as much as five days at formal seminars or vendor briefings. And it's not enough."

A network of Web sites, private trainers, security firms and sellers of security hardware and software now serves information-technology security training needs.

Instructor-led courses are typically priced at $500 a day. Online courses covering the same amount of material cost about as much, but save on travel. Certification courses generally run two days for $1,000, with $100 to $500 more for the test. Government and academic discounts average 20% to 30%.
