Counting the cost of security training

To invest or not to invest

It has been said before that the cost of IT training for those of us in the computer security industry is really quite high. After all, there is not only the cost of the course itself, but also the associated costs of hotels, food, and rental vehicles if the course is out of town. This quickly adds up to a rather tidy sum for managers trying to stretch their often shrinking budgets. But have those same managers considered what the cost is of not providing training to their staff?

IT managers often have difficult decisions to make, and to offer training or not is certainly one of them. Do you provide your analysts with regular training through accredited vendors, or decide not to do so in light of the financial cost? Quite a few managers I know personally choose not to. They believe that if they provide training for their analysts that they will lose them to other firms. While this can be a very valid argument, it is also one on the razor's edge - by that I mean you run the risk of your employee becoming irritated at any lack of investment in them and their future, and they simply leave. Several of my peers have left perfectly good companies for this very reason. All of them felt that they deserved a job which provided them with current and up to date training. Perhaps nowhere in IT does that ring more true than in the evolving field of security.

Those who have left a company over training issues show that education is very valuable indeed. As a security analyst, for example, you must not only stay current with technology, but also improve your core skill set. Whether this is done by studying a programming language like C or Perl, or any of the many others, is immaterial. The point is that you have to stay current, or your skill set may start to rust.

Long gone are the days of cradle-to-grave employment. In our current employment environment you can pretty much count on the fact that you will be in a new job several years from now, and very likely with a new company. To that end you need to keep your knowledge current.

You will be offering very little added value to your employer if you do not strive to maintain, and more importantly update your skills. Right or wrong, many employees believe that it is up to the employer to provide that training - and with that same reasoning, most believe it should not be the employee who pays out of pocket for these courses.

This is a classic Catch-22 situation, and the decision on training versus employee retention can be a difficult one to make. Reality dictates that most companies simply do not provide adequate training for their staff, due to financial constraints - and in fact, it may not be important to their long-term objectives. Outside of the government, military, and large enterprises you are very often out of luck when it comes to training dollars. That is a rather bleak reality for the employee of a small-to-mid size company.

Paying dividends

If you own or manage staff in a small-to-mid size company, it would pay you great dividends to set aside some money for training. You need not send your staff out on numerous courses a year to keep them happy. Upon an initial hiring of a new employee you should tell them that as part of their benefits they shall be given perhaps one course (or however many) per year where all the costs will be covered. The best and brightest security courses are not cheap, but their benefit to your organization can be worth their weight in gold.

These initiatives would show your next prospective hire that you are definitely serious about helping to maintain their skills and investing in them as an employee. One way I would suggest to do it is by letting them know that they personally have a certain dollar amount allotted to them for training, and they can then give you a wish list of courses they would like to go on.

Too often it has happened that a new piece of networking gear is bought and installed without any training provided on how to set up and configure it properly. All you may get is a situation whereby you are told, "here is the manual for X piece of equipment, read up on it and learn how to use it." I would argue this is why there are so many poorly configured machines out there causing major security headaches and allowing breaches by intruders, exposing valuable company data.

One has little choice at times but to simply read the manual, but it is a poor way of doing business. This comes back to another prevalent idea: "all this security stuff does nothing for me except suck up my dollars." Management often thinks this way when they do not see, or understand, the benefits of the technology. This is largely because the latest worm or virus has not affected them, and so they do not see the need to provide training for their security staff. However, we all know that the very reason they were not affected is that they had trained and competent security staff.

For the many people out there who pull double or triple duty at times, getting the latest training is even more important. Nowadays having the system administrator deal with related technology such as routers, in addition to all his other security functions, is all too common. These are not trivial components to configure. Learning on the job is a good way to learn, but it still cannot replace the proper training - yet so few want to shell out the money for it. I believe this is why you see so many network security jobs with an insanely long list of required skills, often starting with a particular certification. The person who left that job may indeed have had those skills, but how many other people realistically have such a diverse skill set - and do the job properly? To expect a prospective employee to have system administration experience plus be able to configure and maintain a router, for example, on top of specialized security knowledge is a little much.

Many of the jobs I have seen advertised have come to this. They want everything yet give you very little in return to help you continually improve your skill set. And again, I believe this is simply due to a company no longer wanting to shell out large dollars on training. They demand that you have all of this knowledge prior to being hired. The problem is, if your company is not willing to provide you with this training how are you ever going to get it? We must all admit that management has a delicate balancing act and I for one don't envy them. Do you train or do you not train? Yet as a manager you must always remember one thing: it is an inevitable fact that you will always lose people no matter what you do. However, an individual who sees that a company is truly interested in investing in him personally will be more likely to stick around.

Copyright © 2004, SecurityFocus

Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security he enjoys a role as guest speaker for various security conferences.

