The Institute of Information Security Professionals (IISP) – the not-for-profit body that represents information security professionals – is warning companies to invest wisely in cyber security training services with an eye on quality and real benefits.
Following the recent wave of global cyber attacks, the IISP believes that inexperienced or narrowly-focussed training providers may jump on the bandwagon, offering cyber security courses that don't provide the skills and techniques businesses need to prevent and deal with attacks, giving companies a false sense of security and leaving them vulnerable.
"After the WannCry and Petya ransomware attacks, the need for organisations to improve their cyber security strategies has become abundantly clear and demand for cyber security training has continued to grow," said Amanda Finch, general manager at the IISP. "While the move by companies to be more proactive in educating their practitioners and staff about cyber security is certainly very positive, the risk is that overwrought teams will invest in training that provides only high level or regurgitated content, which isn't adequate and fails to reflect the evolving threat landscape, new technologies and significant changes in cyber skill profiles and challenges."
It is often difficult for organisations to know which training courses or providers are right for them and their teams, especially for many SMEs that may not have high levels of in-house cyber security skills and experience to scope out the problem or understand their knowledge deficit. To help address this problem, the IISP Accredited Training Scheme gives purchasers the confidence that they are investing in courses that have been stringently assessed against the IISP's Skills Framework, widely accepted by government, industry and academia as the de-facto standard for measuring the knowledge, experience and competency of information security professionals.
By going through the IISP Accredited Training Scheme, commercial training providers are able to clearly demonstrate that they deliver courses that meet the changing needs of businesses and public sector organisations and map knowledge and skills against a recognised standard. "An IISP accreditation means that the training course materials and content have been carefully assessed to ensure that they meet the stated objectives and competency levels defined by our Skills Framework," said Finch.
In the latest IISP survey, over 80% of security professionals identified 'people' as the industry's biggest challenge, compared to technology and processes. While people are seen as the weakest link in IT security through lack of risk awareness and poor security practices, this "people problem" also includes the skills shortage at a technical level and the risks from senior business stakeholders making poor critical decisions around strategy, budgets and response.
The IISP Skills Framework that underpins the Accredited Training Scheme was first introduced in 2006 and developed by world-renowned academics and security experts in collaboration with industry, government and universities. The Framework is used by the UK Government as the basis for its Certified Professional Scheme and by organisations to develop and benchmark their own in-house capabilities. It is also fundamental to the development of training courses and syllabi for UK university courses in information security, while The Tech Partnership uses the latest version as the foundation for Cyber Security apprenticeships and degree apprenticeships.