Security training needs complete overhaul

Qualifications 'no indication of true knowledge', claims Doctor of Intrusion Detection and Prevention

Iain Thomson, vnunet.com 19 Nov 2004
http://www.vnunet.com/news/1159541

The poor quality of many UK-based IT security professionals is placing the nation's businesses in danger, according to the first man in the UK to get a PhD in intrusion detection and prevention.

Dr Emlyn Everitt, who was awarded his PhD by the University of Glamorgan after four years of research, has called into question the value of qualifications, including those awarded by the Certified Information Systems Security Profession (CISSP).

He told vnunet.com that qualifications need to be based on real research and practical experience, and that poorly trained security staff are costing businesses money and leaving IT systems open to attack.

"The CISSP gives an indication of knowledge, but it is no indication of true knowledge," said Dr Everitt.

"We need a ground-up rethink of the way we train. It's a similar situation to the UK space programme: we had the knowledge and experience to compete with the Russians and Americans and threw it away."

He pointed out that proper management of security resources is as important as having those resources in the first place, adding that badly managed security could be worse than no security at all.

In some cases companies were wasting money as they had security hardware but were unable to use it properly.

Outsourcing is not a solution to this, he continued, since outsourcing providers need to have someone to check that they are adhering to best practice.

Professor Neil Barrett of Cranfield University said: "It is certainly the case that any qualification based on experience is going to be more useful than a multiple-choice example.

"It is possible to cram for exams like the CISSP and pass. But bear in mind that most people have worked in the industry for some time before they go for a qualification."

Dr Everitt, who works for IT firm Logicalis, also pointed out that academics would need to be paid more if good training was to be built into the university system.
He explained that a minimum seven years' training would be needed for a competent university lecturer, but that such academic jobs often had starting salaries of below £20,000 leaving people with little choice but to go for higher salaries in industry.
