If I was the acting Chief Information Security Officer I think training is the most
important thing money can be spent on. You could spend money on fancy tools and such but
when the rubber meets the road training is the most powerful tool. Funding training in the
department is extremely important to instill cybersecurity ideas into the department. If
everyone is trained properly then people will have a greater understanding of what is going on
and why the policies are the way they are.
Picture this your fancy tools are destroyed by a cyber attack so how do you contain it
without them? Simply put the tools are only as good as the user themselves. Good training
promotes good practices which proliferate from person to person. I feel some people neglect
the training because they believe they can hire less then stellar people. Then use their fancy
tools to fill in the gaps but that can only go so far.
Overall I am a firm believer in the human operator being the most important asset in the
room. There is a level of nuance that machine don’t get on edge cases for security. These edge
cases are precisely why they get paid the big bucks. Having well trained people can also curb the
need for expensive fancy tools and could save money down the road. In conclusion investing in
your human assets is the most important thing in a companies cybersecurity department.