
How to make training an incentive for employees to stick around

A colleague was lamenting the other day that she had just lost another one of her best security engineers, someone she had been training and grooming for over two years. The guy was wooed away by another company after being offered a 20 percent increase in salary, some stock and an increase in benefits. My first question was, “Were you able to counter with anything close?” and my second, “Did the guy want to stay?” The answers were “Yes, but not enough,” and “Yes, but not enough!”

If you've been in this business for any length of time, you've been faced with this same situation. You spend a lot of time and money training someone to the point where they are valuable and can work independently, then boom — someone steals them away leaving a huge hole in your organization. As you prepare for the worst, you should always avoid staffing single points of failure. The way to do that is by training.

Training can be expensive, but the alternative is certainly more costly in the long run. Good technical training is an incredible incentive so we should be completely transparent with our employees and use it to the advantage of everyone. Training should be a core component of employee compensation because good people work where they are appreciated.

Training comes in many shapes and doesn't always mean sending your staff out for a week, although immersion is certainly the most efficient kind of training. Sometimes immersion training doesn't fit the schedule so taking an evening or on-line class makes more sense. Sometimes, simply giving your employees some time each week for research and reading about new technology is enough. Regardless, if you aren't training your staff, you aren't doing them or your company any favors.

Unfortunately, some people seem to make the training issue more complex than necessary. A CISO told me recently that they don't even budget for training anymore because funding they spend on training is just wasted on the employee's next employer. Another explanation is, “If I spend my training budget early in the year and the employee leaves, I won't have any training money for my other employees until next year.” What?

If you don't fund for training because your employees are just going to leave anyway or you don't send your employees to training until the end of each year, how up-to-date and competent is your staff?
A staff that doesn't receive training produces poor log analysis, improperly completed patches and updates, and a general lack of awareness of the threats we face on a daily basis.

To those who say they can't afford training, my only reply is: How can you afford not to?

30 seconds on...

Training is crucial

The security arena these days moves too fast and changes too often. There is a simple formula today's enterprises can follow: If your staff is not staying current with technology, then they are falling behind.

The costs are high
Managers must get it into their heads that in today's world, inadequately trained and poorly qualified staff are significantly less efficient and more costly in the long run than well-trained employees.

Fostering incentive

The marketplace of today may seem callous to many. Showing attention to your employees through training shows loyalty and is a huge employee incentive. Use it for the employee's and the company's advantage.

Be creative
Training doesn't have to cost thousands of dollars. There is an alternative that offers the added benefit of instilling pride. Ask employees to research and deliver a presentation to your staff on a technical subject. It's a win-win!
Mark Weatherford

Mark Weatherford is the Chief Information Security Officer at AlertEnterprise, the Chief Strategy Officer (and a Board member) at the National Cybersecurity Center, and the Founding Partner at Aspen Chartered Consulting, where he provides cybersecurity consulting and advisory services to public and private sector organizations around the world.

Mark has held a variety of executive-level cybersecurity roles including Global Information Security Strategist at Booking Holdings, Chief Cybersecurity Strategist at vArmour, a Principal at The Chertoff Group, Chief Security Officer at the North American Electric Reliability Corporation, and Chief Information Security Officer for the state of Colorado. In 2008 he was appointed by Governor Arnold Schwarzenegger to serve as California’s first Chief Information Security Officer and in 2011 he was appointed by the Obama Administration as the Deputy Under Secretary for Cybersecurity at the U.S. Department of Homeland Security.

Mark is a former naval officer who served as a cryptologist, was Director of Navy Computer Network Defense Operations and Director of the Navy Computer Incident Response Team (NAVCIRT), and established the Navy’s first operational red team.

He is an investor and on the Advisory Board of several cybersecurity technology companies where he has a very successful track record in helping startups through the M&A process to acquisition.
