Q: A couple of IT pros on my team have taken an active interest in security. I want to harness that and turn them into specialists, but before we get them trained, how can I make sure their well-meaning efforts do not create problems?
A: If their interest is genuine, consider offering them a chance to get a feel for security research practices, and to have some real fun, without putting anyone in danger. For example, Sophos offers a Malware Analysis Workshop in which even comparative beginners in IT security get a chance to work with live malware in complete safety, on PCs provided by Sophos which are wiped after use. (The course lasts one day and doesn't spruik any particular security software. The course is based on free tools which delegates can download for themselves off the internet. Knowledge of specialised techniques such as disassembly and debugging is not required. A second, advanced day is available for those who want to take things further.)
About the author: Paul Ducklin is one of the world's leading virus experts and has given papers and presentations at various industry events including Virus Bulletin, ICSA and AVAR conferences. He has also written several articles on the virus threat and is a respected industry spokesperson. Paul is currently Sophos' Head of Technology for the Asia Pacific.