3:46 PM -- How often do your security team members ask you if they can go to the latest upcoming security conference or class? Maybe you're the one who has to approach your manager to get permission.
I've been there. In the past, it's always been with employers that had little to no training budget, forcing me to stay in the cheaper hotel down the street from the conference or volunteering to get a discounted conference fee.
To me, though, almost every dime spent on my training was well spent, with only a few exceptions. In the beginning of my career, when I had to beg, borrow, and steal to get training, I didn't take it for granted; I soaked up every bit of knowledge I could. If you're lucky enough to have training dollars allocated, you still need to be sure you're making the right choices in the training you take.
How do you quantify the return on investment from sending a staff member to a three- to six-day training session that costs between $3,000 and $6,000 -- not including travel?
Some favor training that results in certification, and I agree -- but not when the certification process is nothing more than a multiple choice exam. I believe that a certification process must include practical application of the knowledge learned during the training.
The training also can't be limited to "death by PowerPoint." It needs to involve hands-on lab testing so that attendees get to experience what is being taught. Virtualization and pre-built virtual machines can have a huge impact in this area, making it easier for everyone to have the same testing environment.
In the interest of full disclosure, I currently hold the Certified Information Systems Security Professional (CISSP), GIAC Certified Firewall Analyst (GCFW), GIAC Certified Incident Handler (GCIH), and GIAC Certified Forensic Analyst (GCFA) certifications.
Would I recommend any of them? If you want something on your resume to get past head hunters, then get the CISSP. As for usable security knowledge that you can put into action, the CISSP doesn't offer it. I personally believe the CISSP is more for managers who didn't start off as techno-weenies. The training is too high-level for hands-on people.
The GIAC certifications are directly related to training offered by the SANS Institute, which is great -- but only if you're not already a subject matter expert in the topic. For the best return on investment, go for the Gold. It isn't cheap, but when you pass the practical -- essentially a small thesis paper -- then you can bet you've got knowledge you can apply to your job.
Some certifications focus on specific niches of knowledge, usually related to a vendor-specific product or technology. I haven't gotten any of those certifications myself. If you need to get a vendor's solution implemented and maintained properly, then this is probably a worthwhile investment.
At some point, though, the available certifications simply don't cover the advanced knowledge that gets covered at conferences like Black Hat, DefCon, CanSecWest, and ShmooCon. But when you reach the level where you're excited about the bleeding-edge technical talks presented at those events, you probably won't need certifications or justifications to please management.
Until then, set training objectives that are reasonable based on job duties and expectations. And consider offering salary increases or other incentives that encourage your people to utilize the new knowledge.
John H. Sawyer is a security geek on the IT Security Team at the University of Florida. He enjoys taking long war walks on the beach and riding pwnies. When he's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading