Last updated: 
4 months 1 week ago
Blog Manager
I'm the Information Security Manager at Janet and through this blog I'll be sharing some of my experiences, ideas and thoughts on information security topics.

Group administrators:

Some thoughts on information security skills, qualifications and training

19 September 2014 at 10:14am

I've been asked about this topic a number of times in the last few months so I thought I'd share my thoughts here. Some of the suggestions are generic and broad in their reach and could be used elsewhere in your organisation.

What I typically do is breakdown the skills and qualifications that I think our operations require into a number of categories. These might be.

1. Qualifications that we are legally or contractually obliged to maintain. Everyone driving to a customer needs a driving license, my office needs one qualified first aider at all times to keep the Health and Safety Executive happy, and I need at least one penetration tester qualified to Tiger Scheme SST to maintain our promises to customers.

As a rule, these aren't qualifications that can be be matched by equivalent experience even if you are an excellent driver, experienced doctor or penetration tester.

2. Vendor specific qualifications. If we're a Cisco house and rely upon their technology then it makes sense that we at least consider their qualifications. You may go as far to say that you should need a pretty strong case not to use their qualifications. This doesn't have to be a fixed rule though, a member of staff can show their competencies through experience and self-study. It may also be the case that gaining the eventual certification isn't that important and it's the associated training that you really care about.

3. Vendor neutral qualifications. Certifications such as CISSP or GIAC Certified Incident Handler are good for demonstrating a baseline of knowledge within a particular field or area that's not tied to a specific vendor. The vendor-neutrality can be seen as a positive feature, but many vendor qualifications have a wider applicability too. Again, staff may be able to show equivalent competencies through experience and other means. There doesn't need to be a rush to gain certifications to demonstrate ability.

4. Personal development. Not all training needs to be directly aimed at business objectives or technical skills. Expanding the experience and skills within your team can be invaluable in unforeseen ways and staff may wish to look at new directions in their career.

Once I've broken down and categorised the skills and qualifications that I'm looking for then I create a matrix against a list of staff, making sure that I also keep track of important information such as expiry dates and additional skills and qualifications that staff members have. The matrix is reviewed and updated periodically and after any staff changes, whichever is sooner.

Using the matrix I try and work out where the particular skills weaknesses are. So if I'm the only member of staff who knows about the Cisco ASA firewalls we rely upon then, getting someone else up to speed becomes a priority.

There needs to be room for flexibility - telling someone that they will become familiar with technology x may work, but it's unlikely to be as successful as identifying a member of staff who is already interested in x. I also try to ensure that certification is not confused with experience.