Dark Reading

Risk

6/5/2013 02:30 AM

Is Security Professional Development Too Expensive?

Paid training and certifications serve a vital role, but open-source-style security education offerings could make the entire security education field more complete and affordable.

As the security industry continues to grapple with a shortage of skilled professionals, particularly within very specific niches like application security, the state of security professional development keeps the industry locked in a number of hotly contested debates. Beyond the most obvious argument over the value of security certifications, some security pundits have stepped up to argue about a more fundamental impediment to raising the tide for all boats in the industry: the cost of paid training.

"Mathematically it's easily demonstrable that organizations can't afford to send all of their employees to a class when you're talking classes that typically are around $1,000 a day," says Xeno Kovah, lead infosec engineer at The Mitre Corporation. "It's just not possible to take a group of 50 people out of your company, if you have a large one, and pay the amounts of money that are being asked to sufficiently bootstrap your employees."

Regardless of budget, though, what is more frustrating for early-career security professionals is what Kovah calls a gap in vocational knowledge between the foundational curriculum that college-level degree programs offer and what security certification programs or very specialized paid training courses offer. Gaining the knowledge to get from point A to point B can be difficult even if the professional does have the money in hand or an employer sponsor willing to foot the bill.


"Imagine that I'm a graduate and have just now completed my degree," says Ajay Nawani, chief of Cyberoam Academy, a security course recently launched by network security firm Cyberoam, who agrees that there's a gap between theoretical and practical knowledge that the industry hasn't done a good job of addressing in early-career security pros. "I will never have those kinds of [knowledge] for those kinds of professional, highly skilled courses. I wouldn't be able to get into CISSP without spending maybe three or four years in the industry. Only then could I think of attending such courses."

Even though there's no easy answer to getting security professionals the right training for their jobs, Kovah believes that applying open-source principles to the field of security professional development could go a long way toward filling the vocational knowledge gap while helping to drive down the cost of training. He's bringing that ethos to a new side project he's spearheading, called OpenSecurityTraining, a massive open online course (MOOC) platform that gives security experts the opportunity to make open courseware, training videos, and other curriculum available both to self-directed learners and to other trainers who might want to use it to develop their own classes.

And just as open-source and paid software coexist in a happy equilibrium with their own roles in the enterprise, he believes his MOOC approach is a good supplement, rather than a competitor, to paid training.

"I see this as augmenting some of the existing commercial training," Kovah says. "I don't see it as trying to replace the commercial training. There's always going to be much deeper potential for classes, but simultaneously we're not trying to do the sort of foundational knowledge that a lot of online classes coming out of colleges will handle."

Instead, where he sees OpenSecurityTraining falling in the spectrum is in the intermediate-level coursework that may get pros started on more advanced and specialized career tracks. Current offerings, for example, include Introduction to Vulnerability Assessments, Malware Dynamic Analysis, and Intro to Software Exploits. He is currently working on encouraging other thought leaders and trainers in the industry to share courseware and knowledge in other areas, like application security, to bolster the offerings.

New York University adjunct professor Keith O'Brien says that self-directed learning and similar grassroots alternatives aren't new to the security industry, pointing to efforts like Security Tube as evidence of outlets that experts have set up to share information and mentor the younger set. Unfortunately, with many of the other alternatives, "it's all just kind of thrown at you," says O'Brien, who teaches classes at NYU. According to Kovah, the big differentiator with OpenSecurityTraining is the class maps he and his collaborators are developing to offer guidance on how students can systematically train themselves.

"Historically there are people who will go out and spend a lot of their own time learning and mastering areas, but by providing the material, we're making it that much easier for people to do some self study and give themselves a leg up," he says.

As for its place compared to paid training offerings, other instructors involved in the initiative say that OpenSecurityTraining stands to help students get more return off their paid training investments.

"I kind of view it as using my material to build a prerequisite foundation for other more advanced trainings you could go out and take," says Corey Kallenberg, who offers course materials for the site's exploits training track. "The better your foundation is, the more you're going to take from those advanced pay classes." On the flip side, this is also where the eventual cost savings will come from. Students or their employers may still be shelling out cash for paid classes, but they're less likely to spend it on introductory courses, in favor of more specialized training.

"It sets a newer, better baseline in terms of what they can be expected to know," Kovah says. "We can say, look, there's material on intro to exploits [and] teach something more advanced than that. By pushing instructors to teach more advanced things [in paid courses], I think that brings down the costs in the end."

According to Hord Tipton, executive director of ISC2, any kind of augmentation to the security training market can only help the industry.

"In general, all training has its place and is valuable," Tipton says. "No particular training is going to give any one person all that there is to know about how to survive in the information security world. But on the other side of that, you have to make sure you select the right type of training that fits your requirements matrix."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Comments

shenry770, 6/6/2013 | 6:27:14 PM
re: Is Security Professional Development Too Expensive?
heck yes! Take a poll!