“Cyber security training must reflect real risks” urges Institute of Information Security Professionals

The IISP's Skills Framework

The Institute of Information Security Professionals (IISP) – the not-for-profit body that represents information security professionals – is warning companies to invest wisely in cyber security training services with an eye on quality and real benefits.

Following the recent wave of global cyber attacks, the IISP believes that inexperienced or narrowly-focused training providers may decide to ‘jump on the bandwagon’, offering cyber security courses that don’t provide the skills and techniques businesses need to prevent and deal with attacks, while at the same time giving companies a false sense of security and leaving them vulnerable.

“After the WannaCry and Petya ransomware attacks, the need for organisations to improve their cyber security strategies has become abundantly clear, while the demand for cyber security training has continued to grow,” outlined Amanda Finch, general manager at the IISP.

“While the move by companies to be more proactive in terms of educating their practitioners and staff about cyber security is certainly very positive, the risk is that overwrought teams will invest in training that provides only high level or regurgitated content which isn’t adequate and fails to reflect the evolving threat landscape, new technologies and significant changes in cyber skills profiles and challenges.”

It’s often difficult for organisations to know which training courses or providers are right for them and their teams, and especially so for many SMEs that may not have high levels of in-house cyber security skills and the necessary experience to be able to scope out the problem or understand their knowledge deficit.

To help address this issue, the IISP’s Accredited Training Scheme affords purchasers the confidence that they’re investing in courses that have been stringently assessed against the IISP’s Skills Framework, itself widely accepted by Government, industry and academia to be the de facto standard for measuring the knowledge, experience and competency of information security professionals.

By going through the IISP’s Accredited Training Scheme, commercial training providers are able to clearly demonstrate that they deliver courses that meet the changing needs of businesses and public sector organisations alike and map knowledge and skills against a recognised standard.

“An IISP accreditation means that the training course materials and content have been carefully assessed to ensure that they meet the stated objectives and competency levels defined by our Skills Framework,” added Finch.

People: the industry’s biggest challenge

In the latest IISP Survey, over 80% of security professionals identified ‘people’ as the industry’s biggest challenge, compared to technology and processes. While people are seen as the weakest link in IT security due to a lack of risk awareness and poor security practices, this ‘people problem’ also includes the skills shortage at a technical level and the risks from senior business stakeholders making poor critical decisions around strategy, budgets and response.

The IISP Skills Framework that underpins the Accredited Training Scheme was first introduced in 2006 and developed by world-renowned academics and security experts in collaboration with Government, industry and universities. The Skills Framework is used by the Government as the basis for its Certified Professional Scheme and by organisations to develop and benchmark their own in-house capabilities. It’s also fundamental to the development of training courses and syllabi for UK university courses in information security, while The Tech Partnership uses the latest version as the foundation for both cyber security and degree apprenticeships.

Working closely with the information security community, the IISP boasts a growing membership of over 2,800 individual members across the private and Government sectors, 44 corporate member organisations and 19 academic partners.

The Skills Framework is used extensively by the IISP’s corporate members to benchmark and develop the capabilities of their employees. It has also been adopted by e-Skills UK to develop a National Occupational Standard for Information Security.

As stated, the IISP also accredits training courses offered by commercial training providers against the Institute’s Skills Framework. This enables attendees to build knowledge in areas of the Skills Framework where they might have gaps and gain hands-on experience.

*More information about the IISP and its work can be found online at: www.iisp.org

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
