In the past couple of years, the economy has struck hard on organizations seeking to educate their employees. Training budgets have been cut down, and choosing the right course that will give you real Return on Investment is not an easy job. This is especially true in the offensive Information Security Training arena, where standards and qualifications are weakly defined. So how can you make sure you’re getting your money’s worth ?
Welcome to our “10 questions you should be asking your Information Security Training Provider“.
What will the training do for you ? Anyone promising you that you will be a “hardcore penetration tester” or a “security expert” after their 5 day class has never run a pentest, or otherwise has no clue what they are talking about. Learning *any* profession in 5 days is unrealistic, let alone one as complex as IT Security, or penetration testing. This is one of the first questions I ask before attending a training… its allows me to set my goals for the course and gives me a baseline for my expectations.
Always read the syllabus of the course you want to attend, before you attend it. Try finding other people who have taken the class, (if possible) and get their opinion. Try to see if the syllabus follows a reasonable methodology, or if it’s just a collection of topics. If you see a list of 1,500 tools on the syllabus – expect to spend around 0.6 minutes per tool.
Are they well known in their field ? Do they have training experience ? Are they involved in the security community ? Do they practice what they preach? Although these are 4 separate questions, they all relate to one thing – the ability of the trainer to provide the goods you paid so dearly for. Finding a GOOD InfoSec trainer is NOT easy. Most computer genii are usually lacking in their social skills – something a good trainer must have.
Running a few internet searches for the name of your class, or the name of the trainer is a must. Find out what people have to say about their experiences – during and after the class. Although you can’t believe *everything* on the internet, taking an average of all the reviews will usually give you a solid idea of what you are getting into.
How many students will there be in the class ? Some training providers cram more than 40 students in one class – often with a single instructor. During a 5 day period, a trainer can’t give personal attention to 40 people, no matter what. In general, smaller classes mean a more intimate environment, more attention from the trainer, and a more productive and engaging experience.
Remember the famous saying “In theory, there is no difference between theory and practice – But in practice, there is”. If you don’t exercise what you learn, you are less likely to retain or understand it as nothing replaces practical experience. Ask for a rough ratio estimate of “theory vs. exercise” for your class – anything above 40% class-time spent on exercises is a good sign. Of course, this greatly depends on the quality of the exercises too.
Learning methods and techniques on antiquated systems will bring you little benefit in the real world. Hacking a Windows 2000 SP4 machine with RCP DCOM doesn’t cut it any more. On the other hand, don’t expect to learn “Bypassing Windows 7 Stack Protection” in an introductory buffer overflows course. You need to gauge the balance between these two elements carefully.
How should you prepare yourself for the class ? Do you need to refresh your knowledge on certain topics? Nothing is more frustrating than coming to a class, and then lagging behind because you are not up to par with the class requirements. Not good for your learning experience, and not good for your self esteem – on the other hand “no pre-requisites required” might indicate lack of depth. If the pre-requisites were defined well by the training provider, it’s definitely a good resource to use to evaluate the relevancy of the course to you.
The “value” of a certification can be measured in the real world using two main indicators:
What ongoing benefits will you get from the training provider, if any ? Is there a continuation path for the training ? Will the trainers be available for future questions or issues that may arise ? Is there a student community you can join, to discuss the course with other student ? Or in other words, what kind of “post customer service” can you expect ?
These 10 questions should cover all the important elements you should verify before committing your valuable time and limited training budget to any service provider. The average person only gets a limited number of training opportunities per year, therefore you should always maximize the return you receive.