IT security training: The never-ending grudge purchase

By Doros Hadjizenonos, Regional sales director, Fortinet
Johannesburg, 16 Jul 2019
Doros Hadjizenonos is regional sales director at Fortinet.

If IT security solutions are seen as a grudge purchase for South African businesses, IT security training is approached even more grudgingly, with management citing cost and lack of time as their main reasons for neglecting security upskilling.

But without ongoing training investment, organisations could be wasting their existing IT security spend and putting themselves at risk of significant losses.

Why IT security training is neglected in SA

General IT security certifications do require a financial investment, and while most vendors offer some level of basic product training free or at low cost, they too have to charge for in-depth instructor-led training and certification.

With cost control a top-of-mind issue, companies are cautious about incurring costs when they are unsure of their ROI.

Aside from the costs involved, organisations are also reluctant to part with team members for the several days required for in-depth technical training. Skills are in short supply and budgets are constrained, so leaner IT security teams are now having to work harder than ever before, just to keep the ‘lights on’.

IT security teams around the country complain there simply isn’t enough time in the day to do everything they are required to do.

On top of this, many organisations have solutions from different vendors within their environments, having bought into the ‘best of breed’ approach for every component.

This means that for a team to acquire vendor training and certification for each component in the environment, they would need to sacrifice up to five days per vendor, totalling 50 days a year out of the office for critical and scarce resources.

The case for training

As organisations become increasingly digital and prepare for the fourth industrial revolution, demand for advanced IT security skills will grow exponentially, whether organisations bolster their own IT teams or outsource their IT function – increasing demand for skills among security-as-a-service providers.

IT security is a moving target, and training has to stay on top of every new security threat and every new risk posed by a changing enterprise infrastructure.

Without adequate training, even the basics can be overlooked and put the organisation at risk. In fact, Ponemon Institute’s 2018 Cost of a Data Breach study found that up to 70% of data loss occurs due to negligence and misconfiguration of cloud storage servers, databases, networks and firewalls.

This means teams need the basics, but should ideally also have networking and scripting training and experience, as well as ethical hacking training to understand how hackers gain entry and how to mitigate this.

At a more senior level, they should move to Certified Information Security Manager certification, and could also explore ISACA’s new Cyber Security Nexus programmes for cyber security specialists, cyber security analysts, and penetration and vulnerability testers.

IT security solutions are only as good as their implementation, therefore security teams must be trained in every aspect of the solutions in place – across features, implementation and integration – to ensure they function correctly and deliver optimal returns.

We frequently encounter organisations surprised to discover features they have residing within their IT environments. In security solutions, it is important to learn the capabilities, correct configuration, and – crucially – how to respond to the data the solution is delivering.

Security solutions typically report on scores of events, and experience and understanding are needed to analyse those reports to identify which should be investigated, and determine what should be done next.

While many organisations and vendors offer basic modules free or at low cost, the ideal for technical training involves in-depth, classroom-based training where participants gain hands-on access to solutions and are able to discuss questions at length with expert instructors.

It is also important to stay abreast of developments by taking advantage of vendor open days and workshops, attending industry conferences and continually adding to the knowledge base through specialised online courses.

While certification, vendor training, workshops and events will certainly eat into the limited financial and time resources available to the average IT security team, the benefits far outweigh the costs: giving the organisation optimal security infrastructure performance, full ROI on IT solution spend, and significantly improved IT security overall.
