Cyber security training must reflect real risks, warns the IISP

In the rush to skill up through cyber security training, businesses may go down the wrong track and end up with a false sense of security, the IISP warns

Companies should invest wisely in cyber security training, carefully considering the quality and real benefits, advises the Institute of Information Security Professionals (IISP).

Following the recent wave of global cyber attacks, the IISP believes that inexperienced or narrowly focused training providers may jump on the bandwagon, offering cyber security courses that do not provide the skills and techniques businesses need to prevent and deal with attacks, giving companies a false sense of security and leaving them vulnerable.

“After the WannaCry and Petya ransomware attacks, the need for organisations to improve their cyber security strategies has become abundantly clear and demand for cyber security training has continued to grow,” said Amanda Finch, general manager at the IISP.

“While the move by companies to be more proactive in educating their practitioners and staff about cyber security is certainly very positive, the risk is that overwrought teams will invest in training that provides only high-level or regurgitated content, which isn’t adequate and fails to reflect the evolving threat landscape, new technologies and significant changes in cyber skill profiles and challenges.”

According to the IISP, it is often difficult for organisations to know which training courses or providers are right for them and their teams, especially for many small to medium-sized enterprises (SMEs) that may not have high levels of in-house cyber security skills and experience to scope out the problem or understand their knowledge deficit.

To help address this problem, the IISP Accredited Training Scheme gives organisations the confidence that they are investing in courses that have been stringently assessed against the IISP’s Skills Framework, accepted by government, industry and academia as the de facto standard for measuring the knowledge, experience and competency of information security professionals.

By going through the IISP Accredited Training Scheme, commercial training providers are able to demonstrate that they deliver courses that meet the changing needs of businesses and public sector organisations and map knowledge and skills against a recognised standard. “An IISP accreditation means the training course materials and content have been carefully assessed to ensure they meet the stated objectives and competency levels defined by our Skills Framework,” said Finch.

In the latest IISP survey, over 80% of security professionals identified “people” as the industry’s biggest challenge, compared to technology and processes. While people are seen as the weakest link in IT security through lack of risk awareness and poor security practices, this “people problem” also includes the skills shortage at a technical level and the risks from senior business stakeholders making poor critical decisions around strategy, budgets and response.

The IISP Skills Framework that underpins the Accredited Training Scheme was first introduced in 2006 and developed by world-renowned academics and security experts in collaboration with industry, government and universities.

The framework is used by the UK government as the basis for its Certified Professional Scheme and by organisations to develop and benchmark their own in-house capabilities. It is also fundamental to the development of UK university courses in information security, while The Tech Partnership uses the latest version as the foundation for cyber security apprenticeships and degree apprenticeships.
