by Andrew Hay
My name is Andrew Hay and I, like many of my colleagues, work for an organization in an information security function. What I’d like to impress upon you is the need for organizations to support the continuous learning of their employed security staff. The field of security is a constantly evolving entity and, to that end, requires its practitioners to be able to adapt. Most practitioners take the time to increase their knowledge by reading blogs, books, and papers in their spare time and by joining local security organizations. Some, depending on their geographic location, even pay out of their own pocket to attend local or domestic security conferences.
If your employees are taking the time to enhance their knowledge – knowledge that will inevitably be used to help protect the organization – shouldn’t the organization match that contribution?
That is the point of this, and future, articles. I would like to help you understand how you can contribute to the protection of your organization by assisting with the professional development of your security staff.
The first way to assist your employees is to allow them to attend industry conferences. Conferences are the best way for security practitioners to meet their peers, share war stories, and learn from the best minds in the industry. Many organizations are hesitant to send their staff to conferences due to the cost, but the average entrance cost of a big-ticket conference is roughly $1,500 USD, excluding flights, hotels, and meals. You’ll note how I mentioned the extra costs – flights, hotels, and meals – as a separate line item. Often, the cost of the conference isn’t the pain point; it’s the associated costs incurred by those attending.
Attending a security conference does not need to be expensive, however. Several organizations, such as ISSA, ISACA, OWASP, and many others, offer local low-cost one- or multiple-day conferences that cater to practitioners in a particular geographic area. The conference content is excellent, the employee has the opportunity to network with peers, and the employer need not worry about huge travel-related expenses.
Ideally, the business should budget for one major conference, which may or may not be local, and one or two local conferences per budget year. This nominal investment not only helps bring cutting-edge knowledge back into the organization, it also boosts the employees’ view of the organization that they work for.
In subsequent articles in this series, I will strive to help you understand the other avenues for supporting security practitioners within your organization. With this knowledge you can ensure that your employees are being equipped with the weapons to effectively manage the overall security of your business. Until next time.