Education Education Education.
There are three kinds of education that are top of mind for me this week, and I think they should be important to most of our readers.
Formal Information Security Education
I don’t have a formal IT background. I’m a cross-trained artist/accountant (don’t ask). I do the “lateral thinking” thing – makes me good at discovering hidden risks, good at creatively routing around those risks, and good at articulating the information security world to users, clients, customers, and executives.
I get a lot of spam from universities / university-ish organizations (physical mail, email and lately phone calls) telling me that in order to get anywhere in this industry, I need a Masters in Information Security/Information Assurance. I usually enjoy the conversation that ensues where they describe to me all of the career benefits, talk through the whole thing, then finally ask the qualification question — “do you have a university degree?” Nope. I have a Canadian college diploma (we don’t do the “associates degree” thing here) with 4 years of post-secondary as well as an additional year of post-secondary which is not in a diploma-granting field. Does that count? Nope. Can I pay for equivalency? Well, sort of, but not really, as it’s not recognized to “upgrade” from a non-business diploma to a business one.
So, I’m not going to get that MSIA any time soon.
Should I prefer interviewees who have specific training, or ones with backgrounds similar to mine — ones that have proven an ability to think and an ability to learn?
Am I buying an education or am I buying a thinking learning person?
Interesting question that.
Don’t get me started on ISC^2 or ISACA this week. That’s a whole arc of stories.
IT Staff Cross-Education
I’m a huge supporter of ongoing learning – of growing the next generation of talent rather than always looking for the “hit the ground running” skill set. Lately though, I’ve encountered a few co-workers who are *really* uninterested in learning anything outside of their specific purview. How do I motivate them into seeing that another point of view may be exactly what they need to see past the immediate issue to the larger issue?
In a couple of cases, it is time to throw the baby out with the bathwater. There is nothing I can say or do which is going to improve them. It’s time to shuffle them off to their next employer.
In other cases, it’s a matter of finding the light-bulb moment. Finding that one topic or viewpoint or analogy which causes a sudden paradigm shift which causes the entire Information Security perspective to snap into sharp focus. That’s a great feeling.
Put time into making informed allies of your IT co-workers. They’re your eyes and ears. If you neglect them, you get what you deserve!
General Staff Awareness Education
I’m busily working on updating / freshening the Information Security webpages for our internal employees. As I go through this agonizing process (is there anyone out there who likes writing awareness materials… ok… now tell the truth…) I’m discovering more and more that perspective is very important. The topic of Information Security has been made esoteric by the practitioners. I know that’s hard for many of you to grasp… it was hard for me to grasp the first time I did, and it’s been a rather constant battle since. As most infosec folks come from a techie background, we delight in complicated systems that take effort to grok. In many cases it’s a juvenile response to the more popular kids when we were in school. It’s saying – “Hey, you like your Intertubes safe… now you’ve got to deal with me… I find this stuff simple, you find it hard… how’s them apples?” – to employees, customers and executives alike.
And it’s not right. Not anymore.
It’s up to the infosec folks to make this stuff easy. We need to take off the white lab coats. We need to use analogies to simplify for those we are responsible to while we simultaneously fight the industry machine that wants these things to be complicated in order to support next quarter’s sales effort.
Use the analogies. Befriend the users. Don’t call them (l)users. The BOFH thing is funny… but it’s not going to win you any friends. And at the end of the day – is it more important to belittle a user, or to make sure that they don’t ignore you and victimize you by doing something preventable which causes YOU to lose your job and your employability?
What kinds of education issues do you encounter at your day job?