1. What are the objectives of the training?
What will the training do for you? Anyone promising you that you will be a "hardcore penetration tester" or a "security expert" after their 5 day class has never run a pentest, or otherwise has no clue what they are talking about. Learning *any* profession in 5 days is unrealistic, let alone one as complex as IT Security or penetration testing. This is one of the first questions I ask before attending a training; it allows me to set my goals for the course and gives me a baseline for my expectations.
2. What topics does the course cover?
Always read the syllabus of the course you want to attend, before you attend it. Try to find other people who have taken the class (if possible) and get their opinion. Check whether the syllabus follows a reasonable methodology, or whether it is just a collection of topics. If you see a list of 1,500 tools on the syllabus, do the arithmetic: a 5 day class of roughly 8 hours a day is about 2,400 minutes of class time, so expect well under 2 minutes per tool.
3. Who is your trainer?
Are they well known in their field? Do they have training experience? Are they involved in the security community? Do they practice what they preach? Although these are 4 separate questions, they all relate to one thing: the ability of the trainer to deliver the goods you paid so dearly for. Finding a GOOD InfoSec trainer is NOT easy. Many computer geniuses lack social skills, something a good trainer must have.
4. What previous reviews does the class have?
Running a few internet searches for the name of your class, or the name of the trainer, is a must. Find out what people have to say about their experiences, both during and after the class. Although you can't believe *everything* on the internet, taking an average of all the reviews will usually give you a solid idea of what you are getting into.
5. What is the ratio of students to trainers?
How many students will there be in the class? Some training providers cram more than 40 students into one class, often with a single instructor. Over a 5 day period, a trainer cannot give personal attention to 40 people, no matter what. In general, smaller classes mean a more intimate environment, more attention from the trainer, and a more productive and engaging experience.
6. What is the ratio between theory and hands-on exercises?
Remember the famous saying: "In theory, there is no difference between theory and practice. In practice, there is." If you don't exercise what you learn, you are less likely to retain or understand it, as nothing replaces practical experience. Ask for a rough estimate of the "theory vs. exercise" ratio for your class; anything above 40% of class time spent on exercises is a good sign. Of course, this depends greatly on the quality of the exercises too.
7. How often is the course updated? Is the material relevant to modern day situations?
Learning methods and techniques on antiquated systems will bring you little benefit in the real world. Hacking a Windows 2000 SP4 machine through the RPC DCOM vulnerability (MS03-026) doesn't cut it any more. On the other hand, don't expect to learn "Bypassing Windows 7 Stack Protection" in an introductory buffer overflows course. You need to gauge the balance between these two elements carefully.
8. What are the pre-requisites for the class?
How should you prepare yourself for the class? Do you need to refresh your knowledge on certain topics? Nothing is more frustrating than coming to a class and then lagging behind because you are not up to par with the class requirements. That is not good for your learning experience, and not good for your self esteem. On the other hand, "no pre-requisites required" might indicate a lack of depth. If the pre-requisites were defined well by the training provider, they are a good resource for evaluating the relevance of the course to you.
9. Is there a certification involved? What is its value?
The "value" of a certification can be measured in the real world using two main indicators:
- The "market value" of the certification: how popular is this certification in the workforce? Is the certificate recognized and appreciated by the industry? And of course, will it help you get a (better) job?
- The "practical value" of the certification, or as Eddie Murphy would say, "WHAT HAVE YOU DONE FOR ME LATELY?" What real world skills does the certificate prove? If it proves you can memorize 100 questions, you might not be up to the job when confronted with a real world scenario.
10. What post training benefits are provided?
What ongoing benefits will you get from the training provider, if any? Is there a continuation path for the training? Will the trainers be available for future questions or issues that may arise? Is there a student community you can join, to discuss the course with other students? In other words, what kind of "post customer service" can you expect?
These 10 questions should cover all the important elements you should verify before committing your valuable time and limited training budget to any service provider. The average person only gets a limited number of training opportunities per year, so you should always maximize the return you receive.