“Cyber security training must reflect real risks” urges Institute of Information Security Professionals
The Institute of Information Security Professionals (IISP) – the not-for-profit body that represents information security professionals – is warning companies to invest wisely in cyber security training services with an eye on quality and real benefits.
Following the recent wave of global cyber attacks, the IISP believes that inexperienced or narrowly-focused training providers may decide to ‘jump on the bandwagon’, offering cyber security courses that don’t provide the skills and techniques businesses need to prevent and deal with attacks, while at the same time giving companies a false sense of security and leaving them vulnerable.
“After the WannaCry and Petya ransomware attacks, the need for organisations to improve their cyber security strategies has become abundantly clear, while the demand for cyber security training has continued to grow,” outlined Amanda Finch, general manager at the IISP.
“While the move by companies to be more proactive in terms of educating their practitioners and staff about cyber security is certainly very positive, the risk is that overwrought teams will invest in training that provides only high-level or regurgitated content which isn’t adequate and fails to reflect the evolving threat landscape, new technologies and significant changes in cyber skills profiles and challenges.”
It’s often difficult for organisations to know which training courses or providers are right for them and their teams, and especially so for many SMEs that may not have high levels of in-house cyber security skills and the necessary experience to be able to scope out the problem or understand their knowledge deficit.
To help address this issue, the IISP’s Accredited Training Scheme affords purchasers the confidence that they’re investing in courses that have been stringently assessed against the IISP’s Skills Framework, itself widely accepted by Government, industry and academia to be the de facto standard for measuring the knowledge, experience and competency of information security professionals.
By going through the IISP’s Accredited Training Scheme, commercial training providers are able to clearly demonstrate that they deliver courses that meet the changing needs of businesses and public sector organisations alike and map knowledge and skills against a recognised standard.
“An IISP accreditation means that the training course materials and content have been carefully assessed to ensure that they meet the stated objectives and competency levels defined by our Skills Framework,” added Finch.
People: the industry’s biggest challenge
In the latest IISP Survey, over 80% of security professionals identified ‘people’ as the industry’s biggest challenge, compared to technology and processes. While people are seen as the weakest link in IT security due to a lack of risk awareness and poor security practices, this ‘people problem’ also includes the skills shortage at a technical level and the risks from senior business stakeholders making poor critical decisions around strategy, budgets and response.
The IISP Skills Framework that underpins the Accredited Training Scheme was first introduced in 2006 and developed by world-renowned academics and security experts in collaboration with Government, industry and universities. The Skills Framework is used by the Government as the basis for its Certified Professional Scheme and by organisations to develop and benchmark their own in-house capabilities. It’s also fundamental to the development of training courses and syllabi for UK university courses in information security, while The Tech Partnership uses the latest version as the foundation for both cyber security and degree apprenticeships.
Working closely with the information security community, the IISP boasts a growing membership of over 2,800 individual members across the private and Government sectors, 44 corporate member organisations and 19 academic partners.
The Skills Framework is used extensively by the IISP’s corporate members to benchmark and develop the capabilities of their employees. It has also been adopted by e-Skills UK to develop a National Occupational Standard for Information Security.
As stated, the IISP also accredits training courses offered by commercial training providers against the Institute’s Skills Framework. This enables attendees to build knowledge in areas of the Skills Framework where they might have gaps and gain hands-on experience.
*More information about the IISP and its work can be found online at: www.iisp.org