Formal information security education – in this context meaning taking in-person classes, attending online training courses either live or via recordings, or self-learning from print material – is important because it ensures that the right people learn the right things, and that there are metrics to confirm that knowledge transfer has occurred and to evaluate outcomes.
You recognize this need all the time. You would not want to go to a doctor who has read medical books but has never attended medical school, or be represented in court by someone who read law books but never attended and graduated from law school. In fact, in many cases the law requires that people have formal education in order to be able to perform certain tasks.
While such laws may not yet exist for information security, the need for formal education is also quite important. Formal security education often conforms to curricula that have been established and refined over time by many experts. For example, a great many experts have helped create and refine the curricula for the CISSP exam; people who take formal CISSP training courses that cover the CISSP curriculum know that the material that was chosen to be taught was chosen for a good reason. Of course, by mastering such information people can also earn valuable professional certifications.
I should note that it is true that many experts in cyber security are self-taught – but such education would take years of work, and in many cases, the people involved are of such an age that their careers have developed in parallel with the growth of the Internet and associated security developments; if they lacked certain knowledge early on, it was of little consequence.
That is not the case today – and will never be the case again.
Information-security training needs vary dramatically between people, groups, and organizations; while essentially everyone living in the modern world needs basic awareness of the importance of information security, not everyone needs the same amount of knowledge. Professionals with many years of experience training people usually have a better idea than others as to what items to include in curricula for any particular group of people. On the other hand, if someone tried to educate everyone without a properly established curriculum, he or she may end up with serious problems:
- Some people may receive too little training or receive adequate training but in the wrong areas.
- Others may be over-trained, or may spend a disproportionate amount of time and resources on advancing their job functions rather than on honing skills that are important for them in order to successfully deliver on their responsibilities.
Either way, serious problems can result.
To ensure that people receive the right education, it is imperative to identify the appropriate security training needs for each group within an organization – which will depend heavily on the roles and responsibilities of the members of that group, although other factors may weigh in as well. Technical team members, for example, will need training on different matters than salespeople.
Once the appropriate needs have been identified, relevant educational courses can be selected. For people who work in the information security field and are looking for a broad overview of information security, a CISSP study course may be ideal – even if they are not planning on taking the exam any time soon.
Another aspect of formal education is testing and feedback – which is needed in order to monitor and report on how well a student has acquired the information being taught. Tests can also reveal if portions of the educational program are not working – for example, if a significant number of students are not “picking up” something from the training.