IT Training and Certification Helps Safeguard Data
By Jim Zimmermann
Verizon’s recent "2012 Data Breach Investigations Report" uncovered 855 incidents of data breaches in 2011, with 174 million corporate and personal records compromised. Disconcertingly, 96 percent of attacks were not very difficult, and 97 percent of breaches were avoidable through simple countermeasures.
PwC's "The Global State of Information Security Survey 2013" stated: “As mobile devices, social media and the cloud become commonplace—both inside the enterprise and out—technology adoption is moving faster than security.” Mark Lobel, a principal in PwC’s Advisory Practice, was quoted in the study saying, “Security models of the past decade are no longer effective. Today’s rapidly evolving threat landscape represents a danger that shows no signs of diminishing, and businesses can no longer afford to play a game of chance.”
It seems as if news of major data breaches is a regular staple of news organizations, but these reports are only the tip of the iceberg. Most security breaches do not make it into media outlets, and many breaches go undetected for long periods of time—if they are ever detected. In addition, many breaches that are detected are not reported.
The biggest impacts mentioned in the news are monetary losses caused by stolen credit card data or loss of other financial or personal data. However, data breaches can have other negative effects on an organization, including image and intellectual property.
An organization’s reputation and brand can be severely damaged—sometimes to the point that an organization cannot continue doing business. And if intellectual property is stolen, it can harm an organization’s ability to compete.
The "2012 Data Protection & Breach Readiness Guide" from the Online Trust Alliance states: “Few events can damage a company’s brand and the trust of its customers more than a data incident, defined as either the loss or misuse of customer data.” As Zappos CEO Tony Hsieh said after the breach of its 24 million customers, “We have spent over 12 years building our reputation and trust; it is painful to see us take so many steps back due to a single incident.”
Unfortunately, data breaches cannot be completely eliminated, since threats continue to evolve as new techniques and technologies are developed. However, there are ways that companies can mitigate future threats. One of the best is through vigorous and ongoing security training of employees.
Staff Needs Security Training
As mentioned earlier, the Verizon study found that 96 percent of attacks were not very difficult, and 97 percent of breaches were avoidable through simple countermeasures. So the challenge is to make data breaches more difficult to accomplish and to block avoidable breaches through countermeasures.
PwC's "Global State of Information Security Survey 2013" found that “No security program can be effective without adequate training, yet only about half of respondents report that their companies have employee security and privacy awareness training programs. ... Lack of training is cited as a top reason why contingency and response plans are not effective.”
One way organizations can help make data breaches more difficult—while implementing appropriate countermeasures—is through vigorous training and certification of staff. Although a great deal of the training needs to take place in IT departments, non-IT employees also need to receive security training. The best security systems put in place by IT can be compromised when employees are careless about security.
Security training can take many forms: self-education via books and online courses; instructor-led training; mentoring; and courses and degrees from institutions of higher education. Even more important than the training modality is having executive support. If executives do not emphasize the importance of security training in a very visible way, much of the training will fall on deaf ears.
In addition to basic security training, companies may want to consider securing certifications for IT staff because these certifications guarantee a baseline level of expertise. Staff with security certifications have studied security issues and have successfully passed stringent exams that demonstrate that they have learned the required materials.
General security certifications are available as are specialty certifications such as network security, data security and application security. The most popular certifications include CompTIA Security+; ISACA Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA); (ISC)2 Certified Information Systems Security Professional (CISSP) and Certified Secure Software Lifecycle Professional (CSSLP); GIAC Secure Software Programmer; and EC Council Certified Ethical Hacker (CEH).
When coupled with continuous learning—both on the job and via other learning modalities—certifications can help achieve more secure IT environments.
Training and Certification Solutions
A number of resources are available to help IT professionals stay up to speed on security and achieve certifications. Staff members can select the learning mode they feel most comfortable with or combine different learning modalities into a comprehensive learning plan.
Here are the types of security learning resources available:
· E-learning: Security-related e-learning courses are available from a number of suppliers, including Skillsoft. Courses are designed to provide basic and advanced security skills, preparation for certifications and online labs that allow learners to practice new skills in a simulated IT environment
· Online Video Instruction: These videos range from basic security concepts to the planning and implementation of security procedures.
· Instructor-Led Training: Also referred to as classroom training, ILT involves having people attend live classes that are led by a trainer with expertise in security. One of the leading instructor-led training firms dedicated to security training is Security University, which provides training on multiple certifications, including those required by the U.S. government.
· Virtual Instructor-Led Training: VILT combines ILT with e-learning, and it often involves participating in a live instructor-led course over the Internet. The tools offered vary, but most have an online video component with the ability to participate and ask questions via chat and email.
Most VILT vendors record their training sessions for those who miss a class, or who wish to review material. Access to online books and reference materials may also be included.
· Mentoring: Some training vendors offer access to experts in various security certifications, such as Skillsoft’sonline mentoring program. Normally, subscribers to a mentoring service can submit questions, receive test-prep emails or participate in online chat sessions with the mentors. Another way to find potential mentors is to join an IT security information group, such as the Information Systems Security Association (ISSA) and to get involved in local chapter meetings.
· Books: Many publishers produce high-quality IT security books, which are available in print, e-book and via online libraries. Online libraries provide access to hundreds of leading security books from dozens of well-known publishers at a fraction of the cost of buying printed copies or e-books.
· Colleges and Universities: Many colleges and universities offer courses in IT security, and some offer graduate-level degrees and online versions of their courses. Here are a few examples:
The George Washington University offers an onlineMaster of Professional Studies in Security and Safety Leadership degree
The University of Tulsa has an Institute for information Security.
Excelsior College offers an online IT Bachelor’s Degree with a concentration and certificate in cyber-security.
If your organization wants to effectively reduce security threats, a good place to start is by developing the security talent you will need now and in the future. Whatever methods you select to develop security talent, don’t delay. As PwC’s Lobel points out, the “danger shows no signs of diminishing.”
Jim Zimmermann is a director at Skillsoft Books24x7. During his 35+ years in the IT industry, he has managed technical and marketing projects for IBM, Fujitsu and Dun & Bradstreet, among others, and founded and sold three startups. He can be reached at email@example.com