Sunday, January 6, 2008

Why Some InfoSec Training Is Sacred

Here's another one for the CISOs to ponder.

Think about how you handle professional development across IT. I'll bet that, if you are fortunate enough to have a training budget, it's based on the number of FTEs in each of your IT budget columns. And this makes sense - it's perfectly fair to invest equally in each person working for you. So it only makes sense that when you reduce spending on training, you do this equally as well. But this could be a mistake.

Professional development, and most IT spending for that matter, can be tied to needs that the business controls. For instance, if you think about server platforms, I'm sure you want to train your people on Windows Server 2008 before you start widely deploying it. But the decision can also be made to subsist on Windows Server 2003 for another year or two. (In fact, you probably have third-party apps holding you back anyway, but I digress.)

Now consider your incident response team. I'm sure you want to keep them trained up on malware analysis, forensics, the latest threats and exploits, etc., etc. But that's money you may want to spend elsewhere. Unfortunately, you and your business don't get to decide whether or not the new threats that come out this year are going to apply to you. They will. They do.

So you see what I'm getting at, right? You can postpone investing in new technologies and therefore the training that goes with them. But you can't postpone new threats. And so you can't postpone spending on infosec training and also expect to be as prepared to handle security threats this year as you were last year. So before you uniformly cut IT training, understand that where infosec training is concerned, there is an elevated risk level that the business may not be able to manage in other ways.
