A colleague was lamenting the other day that she had just lost another one of her best security engineers, someone she had been training and grooming for over two years. The guy was wooed away by another company after being offered a 20 percent increase in salary, some stock and an increase in benefits. My first question was, “Were you able to counter with anything close?” and my second, “Did the guy want to stay?” The answers were “Yes, but not enough,” and “Yes, but not enough!”

If you’ve been in this business for any length of time, you’ve been faced with this same situation. You spend a lot of time and money training someone to the point where they are valuable and can work independently, then boom — someone steals them away leaving a huge hole in your organization. As you prepare for the worst, you should always avoid staffing single points of failure. The way to do that is by training.

Training can be expensive, but the alternative is certainly more costly in the long run. Good technical training is an incredible incentive so we should be completely transparent with our employees and use it to the advantage of everyone. Training should be a core component of employee compensation because good people work where they are appreciated.

Training comes in many shapes and doesn’t always mean sending your staff out for a week, although immersion is certainly the most efficient kind of training. Sometimes immersion training doesn’t fit the schedule so taking an evening or on-line class makes more sense. Sometimes, simply giving your employees some time each week for research and reading about new technology is enough. Regardless, if you aren’t training your staff, you aren’t doing them or your company any favors.

Unfortunately, some people seem to make the training issue more complex than necessary. A CISO told me recently that they don’t even budget for training anymore because funding they spend on training is just wasted on the employee’s next employer. Another explanation is, “If I spend my training budget early in the year and the employee leaves, I won’t have any training money for my other employees until next year.” What?

If you don’t fund training because your employees are just going to leave anyway, or you don’t send your employees to training until the end of each year, how up-to-date and competent is your staff? A staff that doesn’t receive training delivers poor analysis of logs, improperly completed patches and updates, and a general lack of awareness of the threats we face on a daily basis.

To those who say they can’t afford training, my only reply is: How can you afford not to?

30 seconds on…

Training is crucial
The security arena these days moves too fast and changes too often. There is a simple formula today’s enterprises can follow: If your staff is not staying current with technology, then they are falling behind.

The costs are high
Managers must get it into their heads that in today’s world, inadequately trained and poorly qualified staff are significantly less efficient and more costly in the long run than well-trained employees.

Fostering incentive
The marketplace of today may seem callous to many. Showing attention to your employees through training shows loyalty and is a huge employee incentive. Use it for the employee’s and the company’s advantage.

Be creative
Training doesn’t have to cost thousands of dollars. There is an alternative that offers the added benefit of instilling pride. Ask employees to research and deliver a presentation to your staff on a technical subject. It’s a win-win!