Sunday, November 2, 2014

I know that I have fallen behind on my blog here, but let's see if we can catch up a bit. Today I would like to share some thoughts concerning IT training and certifications:

A successful IT security program consists of:
  • Developing IT security policy that reflects business needs tempered by known risks;
  • Informing users of their IT security responsibilities (through awareness and training), as documented in agency security policy and procedures; and
  • Establishing processes for monitoring, reviewing, and updating the program.
An awareness and training program is crucial, in that it is the vehicle for disseminating information that users, including managers, need in order to do their jobs. In the case of an IT security program, it is the vehicle to be used to communicate security requirements across the enterprise.

An effective IT security awareness and training program explains proper rules of behavior for the use of agency IT systems and information. The program communicates IT security policies and procedures that need to be followed. This must precede and lay the basis for any sanctions imposed due to noncompliance. Through awareness and training, users first should be informed of the expectations. Accountability must be derived from a fully informed, well-trained, and aware workforce.

Awareness: Security awareness efforts are designed to change behavior or reinforce good security practices. Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance.

Training: Training strives to produce relevant and needed security skills and competencies. The most significant difference between training and awareness is that training seeks to teach skills that allow a person to perform a specific function, while awareness seeks to focus an individual's attention on an issue or set of issues.

Education: Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and proactive response.

Certification: Professional development is intended to ensure that users, from beginner to career security professional, possess the required level of knowledge and competence necessary for their roles. Professional development validates skills through certification. Such development and successful certification can be termed "professionalization." The preparatory work for testing for such a certification normally includes study of a prescribed body of knowledge or technical curriculum, and may be supplemented by on-the-job experience.

The movement toward professionalization within the IT security field can be seen among IT security officers, IT security auditors, IT contractors, and system/network administrators and is evolving. There are two types of certification: general and technical. The general certification focuses on establishing a foundation of knowledge on the many aspects of the IT security profession. The technical certification focuses primarily on the technical security issues related to specific platforms, operating systems, vendor products, etc.

Some agencies and organizations focus on IT security professionals with certifications as part of their recruitment efforts. Other organizations offer pay raises and bonuses to retain employees with certifications and encourage others in the IT security field to seek certification.
