Let’s look at control 20 of the 20 Critical Security Controls and how it can be implemented in an organization. You can also follow SANS Fellow Dr. Eric Cole on Twitter at @drericcole or email ecole@secure-anchor.com with any questions.
Critical Control 20: Security Skills Assessment and Training to Fill Gaps
Technology moves and evolves at such a fast pace that, without a good training plan and motivated self-learners, most IT professionals get left behind after only a short amount of time. For an organization to maintain security, it must afford its personnel the opportunity to enhance their skill set through various training efforts.
Any organization that hopes to be ready to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program can provide actionable information to decision makers about where security awareness needs to be improved, and can also help determine proper allocation of limited resources to improve security practices.
Training is the most effective way to increase workforce proficiency but is generally the first thing cut during economic challenges. The value added to an organization's security posture is directly proportionate to its willingness to allow its trained personnel to increase their skill set, which in turn increases the ability to identify security risks. Additional benefits include the ability to:
- Identify and report malicious activity
- Respond to an incident in accordance with set policies
- Minimize the impact of an incident
- Return to normal operation in a more efficient manner
There are a number of training opportunities available to organizations. These range from online webinars to locally hosted classrooms. Most training sessions can be tailored to meet the needs of an organization and the budget available.
Training comes in a variety of packages. Some are relatively inexpensive, while others are very costly for an organization. The organization must identify its critical needs to increase or maintain an excellent security posture and focus on training that meets the task at hand. The primary types of training that have the greatest impact are:
- Specific, incident-based scenarios
- Lessons learned
- Trends and methods
Specialized, pointed training gives added benefit to the organization and allows for an increase in workforce talent.
For additional details on the controls, please go to SANS 20 Critical Security Controls. Portions of the above are taken from version 2.0 of The Twenty Critical Controls.
