Addressing Training Excuses
Looking at common excuses and dealing with them
I was on a course a little while ago and had a discussion with a couple of people regarding getting the funding required for training. This conversation made me think about the wide variety of training excuses that both managers and employees come up with. I would like to dispel a few of these.
The “I can’t let my employees go for that long” excuse
You can’t “lose” your people for a week-long CISSP course because they’re too busy trying to figure out how to do things on their own? I guess your employees get no vacation time or sick days either? I’ll say this as honestly as I possibly can: If you don’t have CISSP holders (or a real equivalent) on staff, chances are very good you have a horrible cyber security program. More on this later.
The “Training is too expensive” excuse
This may very well be true in the 10-person company that is barely getting by, where everyone is eating ramen noodles just trying to stay afloat. A Fortune 500 company with billions in the bank? I think this is a symptom of leadership that frankly doesn’t have a clue about, or appreciation for, the hamster wheel that is IT and especially IT security. Let’s take cloud security, for instance. You refuse to send your employees on CCSP or CCSK training because it’s “too expensive”. Your staff then dump hundreds of thousands of PII records into an open S3 bucket, which lands your company on the front page of the Wall Street Journal as the latest data breach in the cloud, and the regulators are calling your CEO. How expensive is that exercise? I’ll bet it’s a whole lot more than an on-site training session.
The “If I train them they will leave” excuse
My personal favorite! This excuse is so horrible that anyone who uses it should hang their head in shame. Let’s dig into this one a little bit. Great employees in IT are those who are always at the cutting edge. These are the ones who will leave for more advanced companies if your company is a decade behind in technology. Refusing them training will lead to you losing the best and brightest because they’ll go somewhere that trains them. So who does that leave you with? Employees who don’t care about advancing themselves and your company at the same time. See the fallacy in the logic of “they’ll leave if I train them”?
The “I can subscribe them to a $4.99/month training package” excuse
Ask yourself a couple of questions here. First, are you really equipping your people with the right tools to excel at their position? Secondly, when exactly are they expected to take this training? At night? The answer is they’ll never do it and they’ll likely resent you for thinking so little of them.
The “If they get certified they’ll ask for a raise” excuse
Ah yes, along the lines of the “if I train them they will leave” excuse. What is more expensive? A $5000 raise to an existing employee or training a new employee?
The “Why should I pay? All our training is free from our vendors” excuse
Oh. My. God. You aren’t actually serious here, are you? Warren Buffett has an expression that goes “Never ask a barber if you need a haircut”. First off, by relying solely on vendor training you’re dealing with point solutions, not a holistic approach to security like that delivered by any vendor-agnostic training (CISSP and CISM come to mind). Secondly, there is no vendor in the world that will include missing functionality in their training. You’re going to have an employee base that knows what buttons to click in a particular product, not one that understands what weaknesses exist in your cyber security program and how to address them outside of a point solution.
The employee’s “Certification is meaningless” excuse
OK, I’m going to preface this by stating openly that I have dealt with many individuals who don’t have any certification but are rock stars. These people do exist, but if this applies to you, you are doing yourself a massive disservice. Like it or not, certification does impact your bottom line. I agree in principle with the “certification is a baseline” statement I’ve heard from people who haven’t spent the time to get certified. Do yourself a favor and just do it. Final thought on this one: there was a season finale episode of The Apprentice (USA) where there were two remaining contestants. One guy had an MBA, the other didn’t have a degree. When the guy without the degree tried to spin it as a positive, Trump shot him down and said that while it’s true a degree isn’t everything, not having one isn’t an advantage. Employers will look at you the same way.
In cyber security these days, certification helps both the company and the employee. Dismissing training as an unjustifiable expense or supporting it with half-measures shouldn’t be accepted anymore. Do the right thing and send your employees for authorized training. Check out our course catalog for a listing of all our offerings and benefit from our leading customer service.