Jun 2 2016
I was in the company of two seasoned security professionals last month who had just completed CISSP training – and I found their opinions and comments very interesting indeed. The fist point of interest here was, both individuals were of the same opinion insofar as, they saw the CISSP training as a badge which could be applied to their CV’s. However, neither party felt that the said training had made them better security professionals, and concluded that the value of the CISSP in operational hands-on sense was low [before you throw stones, please may I remind that I am just the observer here, and the hearsay words and opinion expressed are not mine]. One of the training attendees I would class as top of his game when it comes to UNIX, and he went on to add that there was very little content in his training experience which brought to life the subject matter of the teaching/learning experience by value-add example. Thus overall the conclusion was, whilst both professionals felt it had been important to attend the CISSP training to embellish their professional CV’s, it had done little to improve their performance when it came to the matter of supporting operational activities in the wider cyber sense.
To throw my pennyworth into this conversation, I do actually concur that such high level training provides an excellent opportunity to incorporate the newcomers to the security profession with the basics of security language. However, such levels of training do very little to accommodate the required depth of knowledge which is anticipated, and expected to be present to serve real-time protection to the organisational perimeters – so please remember that the CISSP et al is not a silver bullet.
In our new age of cyber threats, as security professionals it is our responsibility to protect the planet – I know this sound like a very big statement, but consider the implications if we all get this wrong – say by wondering down the yellow brick road of Compliance, and Governance, whilst at the same time ignoring the areas of technological threats, which for some reason may have been acknowledged and satisfied by that ever glowing green reporting dashboard which so often get pushed out in front of the executive. Telling one storey, whilst at times hiding the realities of the state-of-nation so-to-speak.
Fact of the matter is, such training as CISSP, CISM, and other such packages are important, and they do provide a baseline – but they need to be underpinned with detailed hands-on training to accommodate the pragmatic level of tuned-in skill sets – turning the aware professional, into a hands-on doers who can go well beyond the ‘just talking a good job’ stage.
I have also been exposed to opinions which suggest that the world of academia, in some cases may arrive at a similar juncture at which there is only a requirement to deliver ‘high levels’ of content when it comes to some particular subjects [case in point here Digital Forensics]. This again for me does tend to conclude with two points of conclusion. 1. That such high-level content does not necessarily enable the student beyond an academic appreciation which may be derived from the presented teaching, and 2]. In many such examples of this [with exceptions of course of Nottingham Trent and Coventry Universities] there is a tendency to yet again see the drive of industry wide, high-level certifications to be the source of the underpinning of content. Forgive me here if I am wrong, but with students leaving university with a ramped up debt of multiples of thousands of pounds, I believe it is here where the benefit of academic content, linked with the operational hands on capabilities will serve them, and the prospect employer well to create the conjoined opportune meeting of mutual benefit in the space of productive employment.
It is in this space where I have been honoured to work with global training leaders such as the Dubai based Meirc, who have engaged multiples of seasoned speciality knowledgeable professionals in all fields, ranging from ITIL, to Disaster Recovery, from Project Management to Cyber Security, and onward to encompass the more in depth speciality disciplines of Digital Forensics – focusing on the depth of training to expose their attending delegates to the realities of the mission in hand.
For example, if we look at the area of Digital Forensics, the subject area is so wide, it implies that it demands much to be delivered in the Digital Forensics Programme – including, but not restricted to:
On to other complex investigations involving external challenges such as DNS, OSINT, Data Exfiltration, and other complexities arriving in a very dynamic profile. Here only by organising a focused pragmatic training programme may the desired outcome be realised in the form of cross-transfer of knowledge from trainer to student, fully supported with the most important element of all – practical demonstrations, hands on, and real-life examples of what is, or what has been in.
Going back to the introduction above – I do believe that such training, and of course certification of stuff like the CISSP is so very important. However, please do not run away with the opinion that this gives our prospect employee the edge when it comes to engaging with a real world cyber-attack. Hands on pragmatic expectation may only be evolved out of individuals who have had the required level of hands on experience [and who may not actually possess a CISSP or any other form of Certification]; Or we may look to the evolution of building skills by having our incumbent, and aspiring security professional to attend a level of training which will serve them with the skills to represent them as a Guardian of the Security Mission.
To conclude here. There is much talk and conversation around the Security Skills-Gap, and it may be time to consider just what that statement infers? Does it mean we need far more professionals who hold certified status, or do we need more with the hands-on capabilities to accommodate the end-game operations task? Or maybe when we step back and consider what the Skill-Gap conversation implies, we actually need both in a well-rounded professional who not only understand the high level implication, but who can server their masters with the robust capabilities to make a real difference when all is hitting that corporate fan!
Professor John Walker: Visiting Professor at the School of Science & Technology – Nottingham Trent University [NTU], Visiting Professor/Lecturer at the University of Slavonia [to 2015], Registered Expert Witness, Certified Forensics Investigator Practitioner [CFIP], Editorial Member at MedCrave Research for Forensics & Criminology, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute [CRSI], Writer for Digital Forensics, Trainer at Meirc Training & Consulting [UAE/Dubai], Fellow of the Royal Society of the Arts [RSA], & Board Advisor to the Digital Trust. He is also the CEO of HEXFORENSICS LTD, a UK-based company providing Expert Witness, Digital Investigations, Incident Response, and Cyber Threat Intelligence Solutions.
Here is the link to the original article: https://eforensicsmag.com/train-pragmatics/
Attend a 5-Day workshop with John Walker:
For more information, contact PLUS Specialty Training