In the rush to skill up through cyber security training, the IISP warns businesses may go down the wrong track, resulting in a false sense of security.

In the latest IISP survey, over 80% of security professionals identified “people” as the industry’s biggest challenge, compared to technology and processes.


Companies should invest wisely in cyber security training, carefully considering the quality and real benefits, advises the Institute of Information Security Professionals (IISP).

Following the recent wave of global cyber attacks, the IISP believes that inexperienced or narrowly focused training providers may jump on the bandwagon, offering cyber security courses that do not provide the skills and techniques businesses need to prevent and deal with attacks, giving companies a false sense of security and leaving them vulnerable.

“After the WannaCry and Petya ransomware attacks, the need for organisations to improve their cyber security strategies has become abundantly clear and demand for cyber security training has continued to grow,” said Amanda Finch, general manager at the IISP.

“While the move by companies to be more proactive in educating their practitioners and staff about cyber security is certainly very positive, the risk is that overwrought teams will invest in training that provides only high-level or regurgitated content, which isn’t adequate and fails to reflect the evolving threat landscape, new technologies and significant changes in cyber skill profiles and challenges.”

According to the IISP, it is often difficult for organisations to know which training courses or providers are right for them and their teams, especially for many small to medium-sized enterprises (SMEs) that may not have high levels of in-house cyber security skills and experience to scope out the problem or understand their knowledge deficit.

To help address this problem, the IISP Accredited Training Scheme gives organisations the confidence that they are investing in courses that have been stringently assessed against the IISP’s Skills Framework, accepted by government, industry and academia as the de facto standard for measuring the knowledge, experience and competency of information security professionals.

By going through the IISP Accredited Training Scheme, commercial training providers are able to demonstrate that they deliver courses that meet the changing needs of businesses and public sector organisations and map knowledge and skills against a recognised standard. “An IISP accreditation means the training course materials and content have been carefully assessed to ensure they meet the stated objectives and competency levels defined by our Skills Framework,” said Finch.

Source: Cyber security training must reflect real risks, warns the IISP