How to choose your Information Security Training
In the past couple of years, the economy has struck hard on organizations seeking to educate their employees. Training budgets have been cut down, and choosing the right course that will give you real Return on Investment is not an easy job. This is especially true in the offensive Information Security Training arena, where standards and qualifications are weakly defined. So how can you make sure you’re getting your money’s worth ?
Welcome to our “10 questions you should be asking your Information Security Training Provider“.
1. What are the objectives of the training ?
What will the training do for you ? Anyone promising you that you will be a “hardcore penetration tester” or a “security expert” after their 5 day class has never run a pentest, or otherwise has no clue what they are talking about. Learning *any* profession in 5 days is unrealistic, let alone one as complex as IT Security, or penetration testing. This is one of the first questions I ask before attending a training… its allows me to set my goals for the course and gives me a baseline for my expectations.
2. What topics does the course cover ?
Always read the syllabus of the course you want to attend, before you attend it. Try finding other people who have taken the class, (if possible) and get their opinion. Try to see if the syllabus follows a reasonable methodology, or if it’s just a collection of topics. If you see a list of 1,500 tools on the syllabus – expect to spend around 0.6 minutes per tool.
3. Who is your trainer ?
Are they well known in their field ? Do they have training experience ? Are they involved in the security community ? Do they practice what they preach? Although these are 4 separate questions, they all relate to one thing – the ability of the trainer to provide the goods you paid so dearly for. Finding a GOOD InfoSec trainer is NOT easy. Most computer genii are usually lacking in their social skills – something a good trainer must have.
4. What previous reviews does the class have ?
Running a few internet searches for the name of your class, or the name of the trainer is a must. Find out what people have to say about their experiences – during and after the class. Although you can’t believe *everything* on the internet, taking an average of all the reviews will usually give you a solid idea of what you are getting into.
5. What is the ratio of students to trainers ?
How many students will there be in the class ? Some training providers cram more than 40 students in one class – often with a single instructor. During a 5 day period, a trainer can’t give personal attention to 40 people, no matter what. In general, smaller classes mean a more intimate environment, more attention from the trainer, and a more productive and engaging experience.
6. What is the ratio between theory and hands-on exercises ?
Remember the famous saying “In theory, there is no difference between theory and practice – But in practice, there is”. If you don’t exercise what you learn, you are less likely to retain or understand it as nothing replaces practical experience. Ask for a rough ratio estimate of “theory vs. exercise” for your class – anything above 40% class-time spent on exercises is a good sign. Of course, this greatly depends on the quality of the exercises too.
7. How often is the course updated ? Is the material relevant to modern day situations ?
Learning methods and techniques on antiquated systems will bring you little benefit in the real world. Hacking a Windows 2000 SP4 machine with RCP DCOM doesn’t cut it any more. On the other hand, don’t expect to learn “Bypassing Windows 7 Stack Protection” in an introductory buffer overflows course. You need to gauge the balance between these two elements carefully.
8. What are the pre-requisites for the class ?
How should you prepare yourself for the class ? Do you need to refresh your knowledge on certain topics? Nothing is more frustrating than coming to a class, and then lagging behind because you are not up to par with the class requirements. Not good for your learning experience, and not good for your self esteem – on the other hand “no pre-requisites required” might indicate lack of depth. If the pre-requisites were defined well by the training provider, it’s definitely a good resource to use to evaluate the relevancy of the course to you.
9. Is there a certification involved ? What is it’s value ?
The “value” of a certification can be measured in the real world using two main indicators:
- The “market value” of the certification – how popular is this certification in the workforce ? Is the certificate recognized and appreciated by the industry ? And of course, will it help you get a (better) job ?
- The “practical value” of the certification – or as Eddie Murphy would say “WHAT HAVE YOU DONE FOR ME LATELY?”. What real world skills does the certificate prove? If it proves you can memorize 100 questions, you might not be up to the job when confronted with a real world scenario.
10. What post training benefits are provided?
What ongoing benefits will you get from the training provider, if any ? Is there a continuation path for the training ? Will the trainers be available for future questions or issues that may arise ? Is there a student community you can join, to discuss the course with other student ? Or in other words, what kind of “post customer service” can you expect ?
These 10 questions should cover all the important elements you should verify before committing your valuable time and limited training budget to any service provider. The average person only gets a limited number of training opportunities per year, therefore you should always maximize the return you receive.