Educause Security Discussion mailing list archives

Re: Training advice


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Mon, 18 Jun 2007 14:22:34 -0600

Teresa,

 

I may be reading into your new title more than may be appropriate, but
my guess, given your description of yourself as a prior techie/admin, is
that your core development concerns are actually in communication and
negotiation in the managerial sphere.  Much of what you need to do your
job will depend on your ability to:

 

1.      Understand the goals and objectives of management
2.      Clearly communicate the risks and threats in terms they
understand, bad publicity and the bottom line $
3.      Influence, co-opt, convince, and otherwise make wise use of
human resources
4.      Program/personnel management and reporting (progress, issues,
metrics...)
5.      Present security imperatives clearly and concisely through
email, reports, presentations, etc.
6.      Discuss policy, legal initiatives with appropriate
tech-to-policy interpretation

 

It appears to me that you've taken a step away from "technical" security
into a more program management role, and you will have to learn even
more what terminology no longer works and how to overcome that.  I once
spent half an annual planning meeting suffering from the consequences of
academic arguing about the term "social engineering" because I used it
to describe an audit engagement.  The managers in the room had a
different sociological interpretation of that term and they lost no time
in arguing, berating, and simply wasting time over making that clear,
proving their ignorance of the topic, but nonetheless defeating the more
important discussion plans we had established. 

 

You may also see some of the U's offering SANS or Vigilar training for
certifications such as CISA, CISM, and CISSP.  While technically these
will probably not challenge you as much or seem as relevant, you may
find the preparation for sitting for one of these certifications may be
a good nomenclature and communication development exercise, as well as
good for broadening your perspective on your new job requirements.  You
can get this training generally at under $1000 through Higher Ed circles
(I did through the Big 12) and it may be more enlightening about your
up-n-coming responsibilities than focusing on yet another technical
issue arena - you'll always have those cropping up and changing on you.

 

Just another possibility, but I think you may want to give it some
consideration.

 

Best regards,

 

Jim

 

*****************************************

Jim Dillon, CISA, CISSP

IT Audit Manager, CU Internal Audit

jim.dillon () cusys edu

303-492-9734

*****************************************

 

 

________________________________

From: Vanderbilt, Teresa [mailto:tvanderb () OZARKS EDU] 
Sent: Monday, June 18, 2007 1:02 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Training advice

 

I recently stepped into the title of Security Manager. We're a small
school and this is a new position for us. I'd only maintained the
servers, switches and firewalls before. I have no one to mentor me and
very little budget for training. I can spend approximately $3-5K on
formal training this year. I was thinking of a good online class so all
the money goes toward training rather than hotels and travel. Until now,
everything I've learned has been mostly on my own; although I recently
attended Penetration Testing Training. What other training, both formal
and informal, would benefit me and my school the most? I've been
thinking of CCNA and I would like to learn how to use Snort since it's
free. Will CCNA be beneficial or should I buy a good beginner's book on
Snort? Am I way off the mark for what I need to study? I need to get up
to speed quickly and can't afford to guess at what I need. Please help.

Thanks in advance, 
Teresa Vanderbilt 
University of the Ozarks 

 

