Not All Education is Equal
One of the most critical yet overlooked components of a secure environment is ensuring that the internal team responsible for protecting sensitive information assets has the knowledge, skills and abilities to make the right decisions. By making that investment on the front end, you are minimizing the possibility that you’ll pay dearly on the back end.
But not all education is equal. There is the type of education where you learn basic concepts and how to employ those concepts at a high level – this gives you knowledge. Then, there’s the type of education that gives you the ability to think and act while using knowledge, experience, understanding, common sense and insight – this is applied knowledge or wisdom.
My view is that anyone can teach or learn about tools. Things become really interesting and employees become even more valuable to their organizations when they truly understand the theory and logic behind why they should do a certain type of testing. This is, for example, the difference between a vulnerability assessment and a penetration test. With the former, you run a series of tests and conclude that there either are or aren’t vulnerabilities present. It’s a very cut-and-dried process. Penetration testing uses a much more creative approach that relies more heavily on the skills of the tester to uncover vulnerabilities that may not present themselves through automated scanning activities. It’s more about how things stack together to create a larger impact or larger vulnerability and using applied knowledge or wisdom to identify and exploit those attack vectors.
Next time you sign yourself or your employees up for a training course, ask yourself if you are seeking knowledge, wisdom, or simply looking to check off a box. I’d love to hear your thoughts!