Maintaining Employee Skill Level

May 13, 2017 by Infosec

What are the employer responsibilities?

New employees, straight out of an educational institution, arrive at our doorstep with a certain set of basic abilities to accomplish a specific group of tasks. If they didn’t, we wouldn’t hire them, obviously.

As they become proficient, they pick up skills which consequently allow them to expand their repertoire. However, we cannot rely on osmosis to furnish everything they require to advance. We need them to actively seek to expand their skills so they increase their value to the company.

Company-Paid Training

They, on the other hand, have already fulfilled their responsibility by virtue of priming the pump, likely with a somewhat costly education. If you need them to have additional skills that will benefit the company, then it’s up to the company to underwrite the cost of obtaining those skills, on company time.

Most training has a measurable ROI (Return On Investment) for the company. It might be more difficult to assess with something like First Aid and CPR training (until some boardroom executive keels over and needs attention at least). On the whole, over its lifetime, training repays the company many times over, to the tune of thousands of dollars.

Without significant assurances of advancement, or, conversely, without the employer taking on the financial risk of the training, employees have no particular reason to enhance their skills—certainly not at their own expense—for the company’s benefit. They need to be offered incentives.

Extrinsic vs. Intrinsic

The problem lies in choosing the correct incentives. The most common mistake is to assume that money is the answer, and much of the time it really isn’t. Fair wages for work is fine, but it is extrinsic in nature. This short video makes an important point about choosing wisely.

Building From the Ground Up

There is certainly no problem with running your business like a sports team and snagging high performing experts. By the same token, a sports team selects amateurs from an entry draft and molds them into what they need them to be. You can’t have a basketball team full of Michael Jordans, any more than you can have a hockey team full of Wayne Gretzkys, or a baseball team full of Mike Trouts.

As you saw in the video, the goal needs to have an intrinsic value for the participant; it has to fascinate, and challenge; but it requires the possibility of failure just as much as it requires the chance of success. You might think that you could sit forever in front of a broken slot machine that wins every time, but in truth, most of us couldn’t handle winning, without a chance of failure, for more than a couple of hours before we were bored to tears.

Supporting Employee Growth

Nothing will put the kibosh on employee enthusiasm faster than a lack of appreciation by supervisors and managers. Remember: employees don’t quit companies; they quit bad supervisors and managers.

It only takes a moment to draw someone aside (especially within earshot of fellow employees) and say “Thank you for staying late the last three nights to finish the Johnson account presentation. It was phenomenal, and they really loved it.”

It’s even more important to identify little “extras” that people undertake without the expectation that they’ll be rewarded. For example, your two receptionists, Phil and Marcy, who always keep a couple of bowls of hard-candies or chocolates on the desk for visitors, and supply fresh cut flowers twice a week. Tell them you appreciate their efforts, and give them a budget so they know you’re sincere.

Your obligation is to encourage employees to strive for personal excellence—to take ownership of their responsibilities. You need to provide them with resources and the tools they need to accomplish their tasks. They require clearly defined responsibilities, but more importantly, an easy way to measure their performance themselves so they can track their personal progress.

Keeping Abreast of Developments

In the IT Security industry it is even more important than elsewhere to be aware of changes. What you knew last week might not help you tomorrow. It requires constant vigilance and continuous education to stay apprised of the current threats.

Keeping apprised of the dangers is a full-time task. Understanding the attack vectors and knowing how to harden the system against them is just one of the keys to mitigating the threat. Pre-positioning defenses (such as e-mail filtering) can eliminate 99% of the threats if done properly. The rest is about education and making sure employees don’t open suspicious e-mails or execute attachments.

The Best Choice

You certainly cannot do any better than to hire CISSP (Certified Information Systems Security Professional) experts to keep your system safe. The difficulty is that the International Information System Security Certification Consortium or (ISC)², which is a nonpartisan group responsible for certifying IT security professionals, only has 106,000 (ISC)² members in the entire world holding the CISSP certification.

They have been with us since 1989, setting the de facto standard for System Security, and building the universally accepted Common Body of Knowledge (CBK). It’s only recently with the advent of The Cloud, combined with the sheer virulence of the most recent attacks by criminals or criminal organizations, that the demand has skyrocketed for these experts.

There are simply not enough to go around, particularly since the industry (in the United States alone) is seeking to hire 65,000 new CISSPs every year. Where will they come from? Your own ranks!

That’s right, your own IT people, who are already familiar with your systems, can be trained and certified. Not only does it convey status amongst your customers and clients to have CISSPs onboard, it’s your primary line of defense against the evil so-and-sos that want to cause your business harm; that want to steal your secrets; that want to extort money out of your company through ransomware blackmail.

CISSP is not some laissez faire affair. It is tightly regulated, requiring active participation of CISSPs. They must accumulate 40 Continuing Professional Education (CPE) credits every year, and be re-certified every three years. The examinations are not easy; they take up to 6 hours to complete; they include multiple techniques for assessing knowledge; and they require a 70% pass rate.

CISSP Re-certification

We specialize in Information Security Training. Whereas it is nearly impossible for you to find a CISSP to hire, we can train members of your own staff to the (ISC)² standard, ending that interminable search for those qualified experts.

And all this is completely aside from the fact that the immense benefits CISSP qualifications confer go directly to the company. It should not be up to the employee to bear these costs to help you protect your company.

Who should attend?

There are a number of people who might benefit from attending CISSP training. You’ll have to choose amongst your own people in order to determine where the greatest benefit from the knowledge could be achieved.

  • Security Analyst
  • Security Auditor
  • Security Architect
  • Chief Information Security Officer
  • Director of Security
  • IT Director/Manager
  • Network Architect
  • Security Consultant
  • Security Manager
  • Security Systems Engineer

CISSP is a cornerstone in the information security industry. You can build upon it with what are called “concentrations” that add specializations in architecture, engineering, management, and the like. If an IT specialist were moved into management, obtaining the management concentration would ensure that the certification continued to be valuable.

The Takeaway

Aside from the fact that the company should pay for education and training that directly benefits them there is another aspect to consider. According to the U.S. Government, it is actually a matter of law for people involved with Information Assurance.

The Department of Defense (DoD) issued Directive 8570 under the auspices of the Information Assurance Workforce Improvement Program. It says that every DoD employee and any contractor working with the DoD must have training and certification in information security.

If you ever want to do business with the government you will be required to have a secure information handling system. They accept a number of certifications, particularly including CISSP, for both technical and management positions among their ranks, and would be glad to see it as one of the characteristics of your organization.

There is no such thing as useless knowledge, but without knowledge sometimes you can feel pretty useless. It’s going to continue to be difficult to locate CISSPs to hire for the foreseeable future. Your best choice is, and always has been, to promote from within—so train your own people.

It’s going to be faster because they’re already knowledgeable about your systems. It’s going to be cheaper because they already work for you. But most importantly, it will build loyalty because employees appreciate it when you take an active role in helping them grow.

Get this in the works today. It’s important, and you have sat on the sidelines long enough. It’s time to take control and end the fruitless search for these rare experts. You know the old expression: If you want a job done right, do it yourself!
