
Input on Security Training Structure

Subject: Input on Security Training Structure
Date: Thu, 3 Mar 2005 08:27:17 -0800
Hello everyone,

I'd like to get some feedback on a security training issue that I am
working on...

I am currently building a security training curriculum for a software
company.  My target audience is a technology savvy sales department and its
service/support teams.  The ultimate goal of the training is to increase the
comfort level of the department when discussing security issues with
clients, and to prepare department personnel to enter into strong security
partnerships with their clients.  

Yesterday I met with one of the people who is helping to define the
overarching framework to be used for further definition of training
objectives and a course content outline.  I did not find the approach that
was described to be particularly appealing to me from a security
perspective.  My recommendation was to look at the sales process from more
of a security lifecycle perspective (though I use the term loosely in this
context).

What I would like is some feedback on the model that I put forward.  This
model represents a high level look at what subjects need to be included in
the training in order to accomplish our goal.  The examples within each area
are not all inclusive; they are just representative of the point I want to
get across...

1.  The business imperative of security:  Department personnel must
understand why security is important and what the key drivers for security
are in today's complex information age.  This includes things like aligning
security to meet business goals and objectives, being compliant with legal
and regulatory requirements, protecting customer, employee, and stockholder
interests, ensuring a level of due care, etc.

2.  The challenges that customers face:  Department personnel need to know
what the customer landscape looks like and empathize with their challenges.
They need to understand that our products and services are just one small
piece of the pie when it comes to what a security management type is
concerned about.  This includes things like management support issues,
getting buy in for security initiatives, resource constraints,
prioritization of work efforts, proving the value added by security
measures, etc.

3.  The strategies, models, and practices customers use to overcome these
challenges:  Department personnel should be conversant in the strategies
that customers develop to protect their enterprise environments.  They
should know what the common models and practices are.  This includes things
like Corporate/IT Governance initiatives, ISO standards, COSO/COBIT, NIST
Pubs, Risk Management Practices, return on investment strategies (though I
hate using that terminology), etc.

4.  How technology fits in:  Once you know what the direction and strategies
of an enterprise security program are, then and only then can you begin
discussing the role of technology and which types of technologies are
appropriate to a particular customer's environment.  This includes strong
technical familiarization with our products and services, where they can add
the best value, how they perform in comparison to competing products and
services, how to help customers make the most of their investment, planning,
design, implementation and operations activities, etc.

5.  Maintenance and Support:  This is probably the most important step in
the entire process.  Our department personnel need to understand the
importance of continued maintenance and support, and of keeping strong
partnerships in place with our customers AFTER the sale.  This would include
things like regular checkups with customers, validating the value added by
our products and services, taking in customer feedback, responding to
vulnerabilities, understanding the patching process and its potential impact
on a customer, helping support customers during critical situations, etc.



So does that make sense?  Am I missing any major areas that you might think
a sales or product/service support type might need to know in order to make
the best use of a customer's time and add value while keeping the big picture
in mind?  If you were dealing with a vendor and they had this kind of
understanding of your issues and challenges before trying to sell you a
product or service, would that be useful?  Do you think it would make better
use of your time?  Would it increase your confidence level in the vendor to
know that their people had this kind of training and experience?

Any and all feedback is welcome and appreciated...

Thanks,
Brad Bemis
