Training for security has mushroomed in recent years - in fact, I doubt that there were any security-dedicated training courses just 10 years ago. Most training companies began by developing one-size-fits-all courses that offered awareness of the problem and showed how simple tools could be used to reduce security risks. Today, the security training market is large and often confusing, with many offerings from a range of companies.
When approaching the security training market with a view to buying training, four basic questions must be answered:
- What courses are available?
- Who are the training providers?
- What is the best course for me?
- How do I get the most from my training?
Let us examine each of these in turn.
What Courses Are Available?
IT training courses generally fall into three main categories:
- Technology courses: these aim to teach you about a particular technology area, for example, firewalls or intrusion detection systems.
- Product courses: these train you on the use of particular products such as Windows 2000 security or Firewall-1.
- Certification courses: the objective here is to prepare you for a specific certification examination, for example CSA or CISSP. They may be combined with a product course if the certification scheme is product-specific, for example, the MCSE security examination or Check Point's CCSE.
Within each of these three broad groupings, courses tend to range from introductory to advanced. Learning Tree International, for example, provides a foundation course (Introduction to Network and System Security) which is intended to provide basic awareness of the problem and demonstrate how common security problems can be avoided by diligent administrators and users.
This introductory course is used as a foundation for more advanced technology courses, such as Deploying Intranet and Internet Firewalls or PKI in the Enterprise. There are also product courses focused on operating system security, such as Windows 2000 Security or UNIX and Linux Security.
A further important differentiator between courses is the extent to which they are 'hands-on.' There is little doubt that hands-on courses provide a better training experience, as their interactive nature allows the lecturer to introduce a range of audio-visual stimuli, and trainees to 'get their hands dirty' by trying out the practical skills presented. Also, trainees have greater scope to interact with fellow students and the lecturer, and to learn from them by asking questions, swapping experiences, and so on.
Who Are the Training Providers?
In general, there are three different types of training provider:
- Independent training companies: these companies offer courses developed in-house and provide an even-handed approach to the topic, without particular bias for or against any specific vendor or product.
- 'Tied' training companies: such companies provide courses developed by product vendors, such as Microsoft or Check Point. They are by their nature vendor-focused, even when intended as technology courses.
- Vendor training: many vendors provide training specific to their products (as well as through tie-ins with other training companies).
Instructor quality is obviously a vital factor. The independent providers often use freelance consultants who continue to have direct working experience with the technology. Such trainers deliberately limit time in the classroom to continue their real-world practice, thus maintaining a current, rounded knowledge base, which they can draw on when training. Such instructors also tend to have industry certification, such as CISSP. Vendor courses - whether direct or through a tie-in - tend to be delivered by instructors who are certified by the vendor in the relevant area.
Independent training companies tend to provide the more rounded courses, giving a broader view of the technology in question.
Which Courses Are Most Suitable for Me?
Training is a very individual thing - only you know what you want to get out of a training course, and, just as importantly, how much knowledge you have already. A common mistake made by many individuals, and more frequently by training procurers, is to assume that the most value is gained from an advanced course. Very often, students come onto advanced courses without the existing knowledge to fully understand the course content. If you are starting out in the security area, always consider taking an introductory course to build up your knowledge of the basics before tackling more advanced material.
What is important is to understand the difference between product and technology courses. Taking a 'firewalls technology' course with the objective of learning how to configure a Cisco PIX firewall is unlikely to be much use - though you may learn a lot about how other firewalls work! Conversely, if you do want to understand how firewalls work and what the differences are, in order to make a purchasing decision, then a technology course will be more helpful than a product course, as you will gain knowledge of a range of products.
In general, the best advice is to select your training based on a thorough understanding of what you want to get out of it. If you need very specific product knowledge, then go to the vendors or their tie-ins; for a broader knowledge and more practical view of the technology, the independents are your best bet.
How Do I Get the Most from My Training?
Training can be quite an investment - not only in terms of the cost of the course, but also due to the time lost to the business. However, by finding the right training, correctly tailored to your company's objectives, the return on that investment can be enormous in terms of higher staff skill levels, improved productivity and effectiveness, and greater staff retention.
Here are some tips for getting the most value out of training courses:
- Understand what you want to get out of the training, and pick the course accordingly.
- Read the brochure! Many courses are sold on the basis of their title; what you are buying is the content, not the title. Make sure the content is what you need - if in doubt, ask for more information, or better still, ask the instructor.
- Check the pre-requisites. Many advanced courses cite pre-requisite knowledge, and this should be considered a minimum. Again, if you are unsure of what is required, ask the instructor for advice.
- Prepare. If there are pre-requisites, brush up your knowledge on the subjects listed. If you have time, check the course reading list and work through as much of this as you can - you will learn far more on the course if you are building on existing knowledge.
- List your expectations. Most courses start off by asking students to introduce themselves and identify why they are taking the course. A good instructor will pick up on these points and ensure that he or she covers each student's expectations during the course.
- Interact! Ask questions during the course if you need to have something clarified or expanded. It's amazing how many students simply do not ask any questions at all during a course. It's also a good idea to talk to your fellow students, and pick their brains; the guy sitting next to you may well have already solved the problem you are working on...
- Have fun! Training is not a chore - if you go on the course looking to have an enjoyable time, you probably will!
A Word to the Wise
Do you really want an off-the-peg training course? Many training providers offer on-site courses. These can often be tailored to suit your company's exact requirements, and are usually cost-effective if four or more people need the same training.
Finally, a word about certification. I would strongly encourage anybody looking into training to seek some form of certification, whether from a product vendor, a training provider or through an industry body. More and more employers are looking to certification programs to provide evidence of baseline competency in a particular field. Whenever possible, select training that leads to some form of certification. Ultimately, the more highly skilled and qualified your workforce, the more they and the company will gain from the training you invest in.
Peter Curran, CISSP, is a security training instructor, Learning Tree International (www.learningtree.co.uk).