[ISN] Six ways to justify security training
isn at c4i.org
Tue Jun 1 06:46:57 EDT 2004
Advice by Peter H. Gregory
MAY 27, 2004
A few days ago, a reader asked if I could help him justify the cost of
security training that he and his fellow Unix system administrators
felt they needed.
I gave the reader a variety of ideas, one of which is sure to resonate
with his manager. When making your pitch, you might want to try these
1. Avoidance of a costly security incident. The knowledge and skills
gained in security training will help system administrators do a
better job of securing systems. For instance, host hardening may help
to prevent a break-in. Improving password quality may fend off a
Security incidents are expensive, disruptive and could cause long-term
pain for people's careers. Incidents interrupt and take the momentum
out of projects and turn department priorities upside down.
2. Avoidance of disruptive downtime. Often, when the knowledge gained
in security training is applied to host hardening, those systems have
added resiliency. This will make them more resistant to attacks,
No one likes downtime, especially unscheduled downtime for security
reasons. Unscheduled downtime hurts those end-of-month metrics and
other performance indicators.
3. Improved availability. Learning security skills sharpens a system
administrator's overall skills: To secure a system, one must be
intimately familiar with a system. Administrators trained in security
will be more familiar with all of the systems' switches and knobs and
will be less likely to make mistakes. Mistakes decrease availability
4. Improved consistency. Meticulous system administrators will want to
secure not just one system, but all of the systems in his sphere of
influence. This will tend to make the configuration of many systems
Consistency is a good thing in busy environments where several people
are managing a large population of systems. The more consistent the
systems are, the less likely things are going to go wrong.
5. Improved failure analysis. Administrators who have received
security training will know more about how their systems work.
Consequently they'll do a better job of root-cause analysis the next
time something goes wrong.
6. Improved audit results. Many companies' IT shops are under more
scrutiny than ever. Increased regulation, stricter requirements from
customers or suppliers, or the need to reduce the probability of
security incidents are driving home the need to improve the security
of systems, processes and people.
More companies than ever are facing audits. In many cases, the
high-level results of those audits are publicly available (in
particular, audits performed on government systems and publicly held
Many companies are having security companies perform security
assessments on their systems, networks and operations, in order to
discover opportunities for improvement. In the face of this,
management often opens the training spigot a little to help improve
the results of upcoming assessments.
The more training you can put on your resume, the more marketable you
will become. As a longtime IT manager, I have always encouraged my
staff members to improve their skills through training and
certifications. I have long held to what was first a counterintuitive
fact: The more marketable your staff members are, the more likely they
are to stay.
There are two reasons for this. First, technologists love to learn new
skills and technologies. If I provide both, they're more likely to
stay put and ride the learning train for as long as possible. Second,
if I'm providing my staff with learning and training opportunities,
they'll feel more secure in their jobs and be less likely to develop
anxiety that can lead to a job change.
More information about the ISN