Counting the cost of security training

To invest or not to invest


It has been said before that the cost of IT training for those of us in the computer security industry is really quite high. After all, there is not only the cost of the course itself, but also the associated costs of hotels, food, and rental vehicles if the course is out of town. This quickly adds up to a rather tidy sum for managers trying to maximize their often decreasing budgets. But have those same managers considered what is the cost of not providing training to their staff?

IT managers often have difficult decisions to make, and whether to offer training or not is certainly one of them. Do you provide your analysts with regular training through accredited vendors, or decide not to in light of the financial cost? Quite a few managers I know personally choose not to. They believe that if they provide training for their analysts they will lose them to other firms. While this can be a very valid argument, it is also one on the razor's edge - by that I mean you run the risk of your employee becoming irritated at any lack of investment in them and their future, and they simply leave. Several of my peers have left perfectly good companies for this very reason. All of them felt that they deserved a job which provided them with current, up-to-date training. Perhaps nowhere in IT does that ring more true than in the evolving field of security.

Those who have left a company over training issues show that education is very valuable indeed. As a security analyst, for example, you must not only stay current with technology, but also improve your core skill set. Whether this is done by studying a programming language like C or Perl, or any of the many others, is immaterial. The point is that you have to stay current, or else your skill set may start rusting out.

Long gone are the days of cradle-to-grave employment. In our current employment environment you can pretty much count on the fact that you will be in a new job several years from now, and very likely with a new company. To that end you need to keep your knowledge current.

You will be offering very little added value to your employer if you do not strive to maintain, and more importantly update your skills. Right or wrong, many employees believe that it is up to the employer to provide that training - and with that same reasoning, most believe it should not be the employee who pays out of pocket for these courses.

This is a classic Catch-22 situation, and the decision on training versus employee retention can be a difficult one to make. Reality dictates that most companies simply do not provide adequate training for their staff simply due to financial constraints - and in fact, it may not be important to their long-term objectives. Outside of the government, military, and large enterprises you are very often out of luck when it comes to training dollars. That is a rather bleak reality for the employee of a small-to-mid size company.

Paying dividends

If you own or manage staff in a small-to-mid size company, it would pay you great dividends to set aside some money for training. You need not send your staff out on numerous courses a year to keep them happy. Upon an initial hiring of a new employee you should tell them that as part of their benefits they shall be given perhaps one course (or however many) per year where all the costs will be covered. The best and brightest security courses are not cheap, but their benefit to your organization can be worth their weight in gold.

These initiatives would show your next prospective hire that you are definitely serious about helping to maintain their skills and investing in them as an employee. One way I would suggest to do it is by letting them know that they personally have a certain dollar amount allotted to them for training, and they can then give you a wish list of courses they would like to go on.

Too often it has happened that a new piece of networking gear is bought and installed without any training provided on how to set up and configure it properly. All you may get is a situation whereby you are told, "here is the manual for X piece of equipment, read up on it and learn how to use it." I would argue this is why there are so many poorly configured machines out there causing major security headaches and allowing for breaches by intruders, exposing valuable company data.

One has little choice at times but to simply read the manual, but it is a poor way of doing business. This ties into another prevalent attitude: "all this security stuff does nothing for me except suck up my dollars." Management often thinks this way when they do not see, or understand, the benefits of the technology. This is largely because the latest worm or virus has not affected them, and so they do not see the need to provide training for their security staff. However, we all know that the very reason they were not affected is that they had trained and competent security staff.

For the many people out there who pull double or triple duty at times, getting the latest training is even more important. Nowadays, having the system administrator deal with related technology such as routers, in addition to all his other security functions, is all too common. These are not trivial components to configure. Learning on the job is a good way to learn, but it still cannot replace proper training - yet so few want to shell out the money for it. I believe this is why you see so many network security jobs with an insanely long list of required skills, often starting with a particular certification. The person who left that job may indeed have had those skills, but how many other people realistically have such a diverse skill set - and do the job properly? To expect a prospective employee to have system administration experience, plus be able to configure and maintain a router, for example, on top of specialized security knowledge is a little much.

Many of the jobs I have seen advertised have come to this. They want everything yet give you very little in return to help you continually improve your skill set. And again, I believe this is simply due to a company no longer wanting to shell out large dollars on training. They demand that you have all of this knowledge prior to being hired. The problem is, if your company is not willing to provide you with this training how are you ever going to get it? We must all admit that management has a delicate balancing act and I for one don't envy them. Do you train or do you not train? Yet as a manager you must always remember one thing: it is an inevitable fact that you will always lose people no matter what you do. However, an individual who sees that a company is truly interested in investing in him personally will be more likely to stick around.

Copyright © 2004, SecurityFocus

Don Parker, GCIA GCIH, specializes in intrusion detection and incident handling. In addition to writing about network security he enjoys a role as guest speaker for various security conferences.
