[ISN] Six ways to justify security training

From: InfoSec News (isn@private)
Date: Tue Jun 01 2004 - 03:46:57 PDT

  • Next message: InfoSec News: "[ISN] FDIC info security lacking, GAO finds"

    Advice by Peter H. Gregory 
    MAY 27, 2004 
    A few days ago, a reader asked if I could help him justify the cost of
    security training that he and his fellow Unix system administrators
    felt they needed.
    I gave the reader a variety of ideas, one of which is sure to resonate
    with his manager. When making your pitch, you might want to try these
    1. Avoidance of a costly security incident. The knowledge and skills
    gained in security training will help system administrators do a
    better job of securing systems. For instance, host hardening may help
    to prevent a break-in. Improving password quality may fend off a
    dictionary attack.
    Security incidents are expensive, disruptive and could cause long-term
    pain for people's careers. Incidents interrupt and take the momentum
    out of projects and turn department priorities upside down.
    2. Avoidance of disruptive downtime. Often, when the knowledge gained
    in security training is applied to host hardening, those systems have
    added resiliency. This will make them more resistant to attacks,
    improving availability.
    No one likes downtime, especially unscheduled downtime for security
    reasons. Unscheduled downtime hurts those end-of-month metrics and
    other performance indicators.
    3. Improved availability. Learning security skills sharpens a system
    administrator's overall skills: To secure a system, one must be
    intimately familiar with a system. Administrators trained in security
    will be more familiar with all of the systems' switches and knobs and
    will be less likely to make mistakes. Mistakes decrease availability
    and reliability.
    4. Improved consistency. Meticulous system administrators will want to
    secure not just one system, but all of the systems in his sphere of
    influence. This will tend to make the configuration of many systems
    more consistent.
    Consistency is a good thing in busy environments where several people
    are managing a large population of systems. The more consistent the
    systems are, the less likely things are going to go wrong.
    5. Improved failure analysis. Administrators who have received
    security training will know more about how their systems work.  
    Consequently they'll do a better job of root-cause analysis the next
    time something goes wrong.
    6. Improved audit results. Many companies' IT shops are under more
    scrutiny than ever. Increased regulation, stricter requirements from
    customers or suppliers, or the need to reduce the probability of
    security incidents are driving home the need to improve the security
    of systems, processes and people.
    More companies than ever are facing audits. In many cases, the
    high-level results of those audits are publicly available (in
    particular, audits performed on government systems and publicly held
    Many companies are having security companies perform security
    assessments on their systems, networks and operations, in order to
    discover opportunities for improvement. In the face of this,
    management often opens the training spigot a little to help improve
    the results of upcoming assessments.
    Increased marketability
    The more training you can put on your resume, the more marketable you
    will become. As a longtime IT manager, I have always encouraged my
    staff members to improve their skills through training and
    certifications. I have long held to what was first a counterintuitive
    fact: The more marketable your staff members are, the more likely they
    are to stay.
    There are two reasons for this. First, technologists love to learn new
    skills and technologies. If I provide both, they're more likely to
    stay put and ride the learning train for as long as possible. Second,
    if I'm providing my staff with learning and training opportunities,
    they'll feel more secure in their jobs and be less likely to develop
    anxiety that can lead to a job change.
    ISN mailing list
    Sponsored by: OSVDB.org

    This archive was generated by hypermail 2b30 : Tue Jun 01 2004 - 05:38:45 PDT