An Extra Measure of Security
By Steven S. Ross | Posted 2005-03-07
How much should you budget for security training and certification for your technology staff?
Standards-setting organizations in the U.S. have tried to provide a framework, but the British have been more systematic. "The U.K. Department of Trade and Industry has been working on a good practices standard," Sasse points out. A policy is due this year.
Coursework and manuals linked to specific products are useful but not ideal, she says. "Security products don't—by themselves—protect you. People try to use the stuff as an amulet."
Instead, Sasse recommends coursework that stresses case studies "in a company, a college, a hospital. Send the students out to do risk analysis, to look at countermeasures and costs. Simulate it for a structured seminar short course that runs for one week."
She is testing a course and hopes to commercialize it. One key issue: simulations tend not to prepare personnel for certification tests, which are generally multiple-choice and fact-specific.
Morrow Long, director of Yale University's Information Security Office, has his own goal: "I budget a week's worth of training annually for each of my I.T. staff members. That translates to as much as five days at formal seminars or vendor briefings. And it's not enough."
A network of Web sites, private trainers, security firms and sellers of security hardware and software now serves information-technology security training needs.
Instructor-led courses are typically priced at $500 a day. Online courses covering the same amount of material cost about as much, but save on travel. Certification courses generally run two days for $1,000, with $100 to $500 more for the test. Government and academic discounts average 20% to 30%.