REDMOND, Wash., Feb. 16, 2005 — When a school district asked David Koopmans a few years ago to rid its IT system of a fast-spreading virus, the district clearly had some learning of its own to do — on network and computer security.
The district’s IT staff didn’t know where to begin or how to help prevent similar problems in the future. At the time, the school district wasn’t alone. Rarely did Koopmans, managing consultant for the professional services firm Quilogy, and other consultants get called in to offer IT security training until an organization suffered a significant security breach.
But times are changing. IT professionals and organizations are getting proactive about security guidance. They’re stepping up prevention in response to high-profile computer viruses and online security attacks, as well as new government regulations. Annual spending on information security training and education in the United States alone is expected to reach $1 billion by 2006 — a 16 percent increase from last year, according to analyst firm IDC.
“There’s a growing sense of urgency out there,” says Thomas Peter, director of training at New Horizons Computer Learning Centers of Western Washington. “Businesses have seen how some of the large-scale events, worms and viruses have propagated and caused major outages.”
Microsoft CEO Steve Ballmer signaled the company’s commitment to security guidance in October 2003. He vowed that Microsoft would train half a million IT professionals, developers and partners on security best practices in one year. The company succeeded, and the number continues to grow, with more than 750,000 people having completed the training over the past 16 months.
Microsoft also has expanded and improved its security training and certification resources. IT professionals and developers can choose from a wide variety of online and classroom-based training courses, including no-charge e-learning clinics and other online materials offered through its Security Guidance Center. In addition, the company has added technical certifications with security specializations for IT professionals who need to continually update their ability to design and manage secure IT systems.
A variety of Microsoft’s security guidance training resources — including no-charge, hands-on labs, e-learning clinics, online skills assessments and other resources — are on display this week at RSA Conference 2005 in San Francisco, the IT industry’s largest security trade show. In his keynote address, Microsoft Chairman and Chief Software Architect Bill Gates pointed to security guidance — prescriptive resources, comprehensive training programs and international outreach — as one of the three pillars of the company’s strategy for helping customers better prepare for today’s evolving security threats. Gates also reinforced Microsoft’s continued investment in new security-related technology and its work with governments, law enforcement and the IT industry.
The projected increase in corporate spending on IT training and certification reflects the recent jump in overall spending on security. Almost a third of businesses surveyed by the Computing Technology Industry Association (CompTIA) in 2003 dedicated 10 percent or more of their IT budgets to security training and certification. Just one year prior, less than a quarter of those businesses spent as much.
“IT professionals and business customers have told us that new technology and tools are only part of the solution to the security challenges they face today,” says Rich Kaplan, corporate vice president in the Security Business & Technology Unit at Microsoft. “Training for employees and certification for IT professionals are also critical. Microsoft is committed to offering a broad selection of training and certification resources to help our customers adopt best practices and implement appropriate safeguards.”
Microsoft Security Certification Rated “Hottest” in 2004
The demand for Microsoft’s security certifications demonstrates the increased emphasis on security. Globally, more than 4,000 people have achieved Microsoft Certified Systems Engineer (MCSE): Security certification since its introduction in 2003. This is equivalent to more than 20 percent of all who have received MCSE on Windows Server 2003, which launched shortly after the security certification. An additional 17,000 people are on the path to MCSE: Security certification, having completed three or more of the required exams. Interest among IT professionals has been so great, in fact, that CertCities.com rated MCSE: Security the fastest-growing or “Hottest Certification of 2004.”
“Since launching the Microsoft security certifications less than two years ago, we’ve experienced tremendous interest and positive feedback from IT professionals,” says David Lowe, senior product manager at Microsoft Learning. “IT organizations are realizing the importance of keeping their security skills up-to-date. They’re taking steps to follow our security guidance and adopt best practices.”
To earn a Microsoft security specialization, IT professionals must pass the same core exams as the base credential and then pass a number of security-specific exams (three for MCSE: Security and two for MCSA: Security) in key areas such as security implementation and security design. One of the exam options is CompTIA Security+, a platform-neutral industry standard of competency for IT professionals who need to demonstrate a foundation level of security skills. To help prepare for the exams, students can take instructor-led and online training courses offered directly by Microsoft and by Microsoft Certified Partners for Learning Solutions, or read self-paced training kits available from Microsoft Press.
Tim McKellips, a practice lead for the solutions provider Inacom Information Systems, says Microsoft’s security certifications are quickly gaining respect among IT professionals and employers. One reason is the rigor of Microsoft’s exams. They require applicants to demonstrate a broader range of knowledge by combining lessons from the training courses with practical, real-world problem solving.
“You can’t just take the (preparatory) classes and sit in a test booth,” to pass the certification exams, McKellips says. “These exams require you to apply what you learn. You can’t just regurgitate what’s in the books.”
In an IT labor market that’s still recovering, McKellips views Microsoft’s security certifications as one way IT professionals can differentiate themselves. “Now, people have a way to say, ‘I went this extra yard,’” he explains. “It’s a strong selling point.”
Training Reduces Challenges of IT Security
A quarter or more of all students who attend the Microsoft training courses at New Horizons Computer Learning Centers of Western Washington are working toward certification. The rest are simply trying to get smarter about IT security, Peter says.
New Horizons and other training partners offer a broad variety of Microsoft courses. These classes range from half-day security clinics and hands-on labs to five-day security courses taught by Microsoft Certified trainers. The classes are taught in environments that allow students to ask questions on the spot and practice what they learn, using classroom computers in simple and complex computing environments. Microsoft also has incorporated security concepts into many of its traditional classes on server products and developer tools, so those seeking training from companies such as New Horizons are now exposed to security concepts even in classes that don’t focus exclusively on security.
The Microsoft Security E-Learning Clinics, which are available at no charge, deliver content similar to that in the company’s monthly Security Webcasts for IT professionals and developers. The format allows students to learn at their own pace. Lessons can be interrupted, and topics are indexed for easy access or repeated use. Also available at no charge, Microsoft Official Hands-On Labs Online allow students to practice implementing the same security best practices detailed in the clinics. Students perform the tasks in a safe, networked environment that uses Microsoft Virtual Server technology.
Microsoft Certified Trainers use the related Virtual PC technology to run multiple PC-based operating systems simultaneously on one workstation. This gives trainers and students a safety net when testing security configurations. Virtual PC also shortens the time to reconfigure a system if the trainer or student wants to eliminate an experimental configuration.
“People are getting a higher quality product all around from Microsoft in the area of security guidance,” McKellips says. “Everything is more useful.”
Despite these additional resources, Nick Morris still notices some students get worried at the beginning of his Microsoft security courses: “They think they’ve got a lot of work ahead of them,” says Morris, a consulting engineer for Inacom.
Morris reassures them by explaining how Microsoft’s security guidance provides the knowledge they need to maintain the security defense that is at the heart of the current versions of most Microsoft products. Once they have this knowledge, they can maintain security defense of their IT systems as they perform other recurring network and system maintenance.
“It isn’t more work, just method,” Morris tells them. “It’s not extra coding, rather learning how to do it right the first time.”
Other preconceived notions about IT security also appear to be changing. Peter says Microsoft’s certifications and other increased security guidance have boosted the company’s credibility among security watchdogs and businesses that need objective measurements of their employees’ security knowledge. “These people figure IT security isn’t a focus or priority unless a technology company offers certifications,” Peter says.
The fact that Microsoft covers the cost of so many of its security training sessions — including e-learning, hands-on labs and customer onsite training — further demonstrates the company’s commitment. Peter adds: “It’s evident to a lot of people that Microsoft is willing to put its money where its mouth is, to demonstrate that Windows is capable of handling the highest level of security. You just need the right levels of security and skills to get there.”
Microsoft’s own research shows a marked increase in the faith its customers now have in the company to help them improve their IT security. Among large and mid-market businesses, the percentage that says Microsoft provides information to keep their systems secure is up from 25 percent in fall 2003 to 31 percent in fall 2004. Among corporate accounts, the percentage increased from 23 percent to 29 percent.
The school district that Koopmans rescued has been pleased since he helped it upgrade to a new version of Windows Server and Active Directory, which allows it to automate its security and other system updates and rules. The district’s IT staff took Microsoft courses on how to maintain Active Directory and keeps up to date on security and other fixes through Microsoft’s Automatic Updates service. The IT staff also uses Group Policy to guide the district’s broad security strategy. So far, the district has avoided viruses and other major attacks.
“They trust their process,” Koopmans explains. “They’ve learned how to keep up on patches and maintain control with their administrative tools.”
In other words, the school district now does its IT security homework.