Training, professional development, learning, etc. are all terms that has caused much controversy in the various domains but specifically in the information security domain. All of these terms serve a specific purpose and aim to provide one with the necessities to perform in the domain, progress in their career and simply earn more. I would like you to bear with me the introduction I will serve now as it is necessary to analyze and understand the reasons for choosing a specific training program, a conference to attend or a certain career path.

Educational activities were identified back in 1956 by Bloom to fall into one of three domains; Cognitive (Knowledge), Psychomotor (Skills) and Affective (Attitude) also known as KSA. The US federal government job openings require candidates to provide a series of narrative statements to determine the best fit for a job that also matches the KSA. Only in this
case KSA is slightly different and refers to Knowledge, Skills and Abilities. Professional development (not career development) in my view point depends on the type and amount of Knowledge, Skills and Abilities you possess. Generally speaking, the mainstream for knowledge acquisition is training courses and reading.

Whereas the mainstream for skills acquisition would be the hands-on labs, shadowing others or the trial and error efforts you exert while performing certain tasks on the job. The tricky part is usually the ability. I believe that you cannot provide someone with an ability he does not have. It’s simply a gift by the creator! However, you can easily develop someone’s existing abilities. Take for example the ability to memorize. If one has a good memory, you can help her/him develop that in a more organized manner to allow him to memorize more. On the other hand, you cannot simply inject, for example, analytical abilities into someone who doesn’t simply have it.

Now let us move on to the practical application of the above in the information security domain. I believe that picking the correct career path and accordingly the relevant training domain should be based on the abilities you possess. For example if you have the ability to come up with “what if” scenarios you might pick a career in the Governance, Risk & compliance domains in information security. On the other hand, if your outstanding ability is in the analytical domain, then forensics might be your best domain of choice. Choosing your career path eliminates a set of professional development paths that does not fit with your aspirations. Now let us come to the hard part; choosing the right training course and the right provider.

One of the main criterion I consider when choosing the right training provider is how comprehensive the training curriculum this provider offers? When considering comprehensiveness, you ought to think about depth and breadth . By depth I mean how many levels I have to go through to complete a certain training track. Through going through fewer courses or levels ( ex. Fundamental, intermediate or advanced ) might be tempting to a trainee , it does not necessarily means that you are served the right ” value for money ” .

The type of education you ought to aspire to should provide you with the right knowledge and skills. While knowledge might seem, more or less, to be standard across several training providers, it is not in fact.

To evaluate that, lookup the authors of the training materials and how frequently it is updated. Authors’ experience and exposure means that more of the practical information will be included in the courses. The frequency of update is a “double edged sword”. While the less frequently the material is updated means that knowledge is outdated, training material that is updated all the time means that the training you just attended a couple of months ago will soon  lose its market value. I would always tend to the more frequently updated choice in the advanced courses while opt for the less frequently updated in the fundamental courses that rather provide the learner with concepts and basics. Coming back to the issue of breadth, I am here referring to the number of knowledge domains the covered by the training tracks the vendor offers. For example, it is common for an incident handling professional to emerge into a forensics analyst. It is also common for a penetration tester to want to expand his knowledge into specific security issues related to virtualization and cloud security.

Training providers that offer a breadth of information security training are generally better. This is because it is much easier for you to get used to a model for training and certification and continue with that model. Trainer certification methods are among the criteria you should consider. The more aggressive the approach of the training vendor in certifying trainers, the better the quality of the trainer who will be delivering to you. In fact the aggressiveness of the training provider in qualifying trainers is part of the overall certification aggressiveness. As much as this might make the professional development harder, the more aggressive the certification process is, the more recognized the certificate would be in the job market afterwards. It is also worth noting that all the previous qualities does not really come for free.

You will commonly pay much more for higher quality training and certification. Accordingly, financials on the short term are sometimes a major hurdle that prevents you from attending the actual training you aspire to. Given the years of experience the author of these words have had in the training domain, I can safely say that although 50% of the success of any professional development depends on the curriculum, the training provider and the trainer, the remaining 50% depends on the trainee choosing the right focus, motivation to learn and ability. My advice would simply be choose wisely, focus on a career path, think in terms of knowledge and skills while considering your abilities, and finally consider the value of the certification you earn.

About The Author

Ahmed Elashmawy, Principle Consultant at Securemisr